Re: Heimdal 0.8.1 and Sun Java GSSAPI
On Mon, 2 Jul 2007, Love Hörnquist Åstrand wrote:
>> It seems something has changed in the GSSAPI implemented by Heimdal somewhere
>> between the 0.7.2 and 0.8.1 versions. My Java-based webapp cannot use GSSAPI
>> anymore (Sun Java 6). The error is:
>>
>> Message stream modified (41)
>>
>> Is it a known issue? How can it be resolved? Is it safe to downgrade Heimdal
>> to 0.7.2 in case this is not resolved yet?
>
> It's not a known issue.
>
> What version of Java are you running?
> What enctypes do you have on the principals?
> Which end is failing: kinit, client, server or message transfer?
Sun Java SE 6, update 1 and update 2 beta (both show the same behaviour), WinXP
SP2 CZ, Red Hat Linux 4 ES (the same problem on both of these OSes). Using
JAAS.
# kadmin -l
kadmin> get mylogin
Principal: mylogin@DOMAIN.CZ
Principal expires: never
Password expires: 2007-09-15 23:59:59 UTC
Last password change: never
Max ticket life: 2 hours
Max renewable life: unlimited
Kvno: 150
Mkvno: 0
Last successful login: never
Last failed login: never
Failed login count: 0
Last modified: 2007-05-15 10:36:45 UTC
Modifier: myadmin/admin@DOMAIN.CZ
Attributes:
Keytypes: des-cbc-md5(pw-salt), des-cbc-md4(pw-salt),
des-cbc-crc(pw-salt), aes256-cts-hmac-sha1-96(pw-salt),
arcfour-hmac-md5(pw-salt), des3-cbc-sha1(pw-salt), des-cbc-md5(pw-salt()),
des-cbc-md4(pw-salt()), des-cbc-crc(pw-salt())
/etc/krb5.conf on the KDC side:
[logging]
default = FILE:/var/heimdal/krb5libs.log
kdc = FILE:/var/heimdal/krb5kdc.log
admin_server = FILE:/var/heimdal/kadmind.log
[ktutil]
dns_lookup_realm = false
dns_lookup_kdc = false
[libdefaults]
default_realm = DOMAIN.CZ
dns_lookup_realm = false
dns_lookup_kdc = false
ktype_is_etype = true
encrypt = yes
forward = yes
srv_lookup = no
srv_try_txt = no
srv_try_rfc2052 = no
clockskew = 300
forwardable = true
[realms]
DOMAIN.CZ = {
kdc = kdc2.domain.cz:88 kdc.domain.cz:88
admin_server = kdc.domain.cz:749
krb525_server = kdc.domain.cz
kpasswd_server = kdc.domain.cz
default-domain = domain.cz
}
[domain_realm]
.domain.cz = DOMAIN.CZ
domain.cz = DOMAIN.CZ
[appdefaults]
ticket_lifetime = 1 hour
renew_lifetime = unlimited
krb5.conf on the client side (JAAS+GSSAPI):
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.CZ
dns_lookup_realm = no
dns_lookup_kdc = no
ktype_is_etype = yes
encrypt=yes
forward=yes
srv_lookup = no
srv_try_txt = no
srv_try_rfc2052 = no
clockskew = 300
forwardable = true
## following three lines do not work with java
## default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
## default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
## permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
## no explicitly defined enctypes do not work with java, so I really need the following three lines
default_tgs_enctypes = des-cbc-crc:normal des-cbc-crc:v4 des-cbc-md5:normal rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc:normal des-cbc-crc:v4 des-cbc-md5:normal rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des-cbc-crc:normal des-cbc-crc:v4 des-cbc-md5:normal rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
## noaddresses = no
[realms]
DOMAIN.CZ = {
kdc = kdc2.domain.cz:88
admin_server = kdc.domain.cz:749
krb525_server = kdc.domain.cz
kpasswd_server = kdc.domain.cz
default_domain = domain.cz
## explicitly named enctypes needed here for java
supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4 des-cbc-md5:normal rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
kdc_supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4 des-cbc-md5:normal rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
}
[domain_realm]
.domain.cz = DOMAIN.CZ
domain.cz = DOMAIN.CZ
[kdc]
[appdefaults]
pam = {
debug = true
forwardable = true
krb4_convert = false
ticket_lifetime = 1 hour
renew_lifetime = unlimited
}
I think the client or the transfer is failing, because on the KDC side the logs
say the ticket was issued:
2007-07-02T13:40:57 AS-REQ mylogin@DOMAIN.CZ from IPv4:10.10.6.15 for krbtgt/DOMAIN.CZ@DOMAIN.CZ
2007-07-02T13:40:57 No preauth found, returning PREAUTH-REQUIRED -- komanek@DOMAIN.CZ
2007-07-02T13:40:57 sending 700 bytes to IPv4:10.10.6.15
2007-07-02T13:40:57 AS-REQ mylogin@DOMAIN.CZ from IPv4:10.10.6.15 for krbtgt/DOMAIN.CZ@DOMAIN.CZ
2007-07-02T13:40:57 Client sent patypes: encrypted-timestamp
2007-07-02T13:40:57 Looking for PKINIT pa-data -- mylogin@DOMAIN.CZ
2007-07-02T13:40:57 Looking for ENC-TS pa-data -- mylogin@DOMAIN.CZ
2007-07-02T13:40:57 ENC-TS Pre-authentication succeeded -- mylogin@DOMAIN.CZ using arcfour-hmac-md5
2007-07-02T13:40:57 Client supported enctypes: arcfour-hmac-md5
2007-07-02T13:40:57 Using arcfour-hmac-md5/des3-cbc-sha1
2007-07-02T13:40:57 Requested flags: forwardable
2007-07-02T13:40:57 AS-REQ authtime: 2007-07-02T13:40:57 starttime: unset endtime: 2007-07-02T15:40:57 renew till: unset
2007-07-02T13:40:57 sending 659 bytes to IPv4:10.10.6.15
kinit, klist, ssh (after applying the GSSAPI patch for Heimdal 0.8), .... all
of this works fine; the only problem I have for now is with Java. My
colleague has reported to me some GSSAPI-related issue with OpenLDAP, but
I still haven't had time to investigate it further; hopefully it is
the same problem as with Java ....
Thank you for your assistance,
David
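An added triage helper (Python, not code from this thread or from Heimdal) that parses a constructed copy of the kdc.log excerpt quoted above and checks what the KDC side actually recorded: whether pre-authentication succeeded, whether a ticket was issued, and which enctypes were advertised by the client versus chosen by the KDC. It assumes the Heimdal "Using a/b" line names the reply-key and the session-key enctype in that order; the "Client supported enctypes" line is taken from the log as quoted.

```python
import re

# Constructed sample: same shape and values as the kdc.log lines quoted in the
# mail (the two "Looking for ... pa-data" lines are omitted for brevity).
SAMPLE_LOG = """\
2007-07-02T13:40:57 AS-REQ mylogin@DOMAIN.CZ from IPv4:10.10.6.15 for krbtgt/DOMAIN.CZ@DOMAIN.CZ
2007-07-02T13:40:57 No preauth found, returning PREAUTH-REQUIRED -- mylogin@DOMAIN.CZ
2007-07-02T13:40:57 sending 700 bytes to IPv4:10.10.6.15
2007-07-02T13:40:57 AS-REQ mylogin@DOMAIN.CZ from IPv4:10.10.6.15 for krbtgt/DOMAIN.CZ@DOMAIN.CZ
2007-07-02T13:40:57 Client sent patypes: encrypted-timestamp
2007-07-02T13:40:57 ENC-TS Pre-authentication succeeded -- mylogin@DOMAIN.CZ using arcfour-hmac-md5
2007-07-02T13:40:57 Client supported enctypes: arcfour-hmac-md5
2007-07-02T13:40:57 Using arcfour-hmac-md5/des3-cbc-sha1
2007-07-02T13:40:57 Requested flags: forwardable
2007-07-02T13:40:57 AS-REQ authtime: 2007-07-02T13:40:57 starttime: unset endtime: 2007-07-02T15:40:57 renew till: unset
2007-07-02T13:40:57 sending 659 bytes to IPv4:10.10.6.15
"""


def parse_as_exchange(log_text):
    """Summarise one AS exchange from Heimdal kdc.log text.

    Assumption: the 'Using <reply>/<session>' line names the enctype used for
    the AS reply and the enctype of the ticket session key, in that order.
    """
    s = {"client": None, "preauth_ok": False, "client_enctypes": [],
         "reply_enctype": None, "session_enctype": None,
         "ticket_issued": False, "warnings": []}
    for line in log_text.splitlines():
        if m := re.search(r"AS-REQ (\S+) from IPv4:\S+ for ", line):
            s["client"] = m.group(1)
        elif "Pre-authentication succeeded" in line:
            s["preauth_ok"] = True
        elif m := re.search(r"Client supported enctypes: (.+)$", line):
            s["client_enctypes"] = [e.strip() for e in m.group(1).split(",")]
        elif m := re.search(r"Using (\S+)/(\S+)$", line):
            s["reply_enctype"], s["session_enctype"] = m.group(1), m.group(2)
        elif "AS-REQ authtime:" in line:
            # Heimdal logs the ticket times only once it has issued the ticket.
            s["ticket_issued"] = True
    # A ticket whose session key enctype the client never advertised is worth
    # checking before blaming the application layer.
    if s["ticket_issued"] and s["session_enctype"] not in s["client_enctypes"]:
        s["warnings"].append("session key enctype %s not in client-advertised %s"
                             % (s["session_enctype"], s["client_enctypes"]))
    if s["reply_enctype"] and s["reply_enctype"] not in s["client_enctypes"]:
        s["warnings"].append("reply key enctype not advertised by client")
    return s


if __name__ == "__main__":
    for key, value in parse_as_exchange(SAMPLE_LOG).items():
        print("%-16s %s" % (key, value))
```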