
some windows user fail


Gsandtner Michael

Jan 21, 2013, 5:47:39 AM
to kerb...@mit.edu
We want to access an LDAP Directory Server:
Directory Server: Sun-Directory-Server/11.1.1.5.0 B2011.0517.2353 (64-bit) on Red Hat Enterprise Linux Server release 5.8 (Tikanga)
KDC: Active Directory 2003 on Windows Server 2003 SP2
Client Jxplorer v3.3.02 on Red Hat Enterprise Linux ES release 4 (Nahant Update 9)

Most of the domain users work, however some do not, e.g.:

# kinit admadvgsa
# JXOPTS="-Dsun.security.krb5.debug=true" ./jxplorer.sh console
starting JXplorer...
java -Dsun.security.krb5.debug=true -Dfile.encoding=utf-8 -cp .:jars/*:jasper/lib/* com.ca.directory.jxplorer.JXplorer
Jan 21, 2013 11:10:31 AM com.ca.directory.jxplorer.JXplorer printTime
INFO: main start
TIME: Mon Jan 21 11:10:31 CET 2013 (133)

Jan 21, 2013 11:10:31 AM com.ca.directory.jxplorer.JXplorer checkJavaEnvironment
INFO: running java from: /usr/lib/jvm/java-1.6.0-sun-1.6.0.31/jre
Jan 21, 2013 11:10:31 AM com.ca.directory.jxplorer.JXplorer checkJavaEnvironment
INFO: running java version 1.6.0_31
Jan 21, 2013 11:10:31 AM com.ca.directory.jxplorer.JXConfig getConfigDirectory
WARNING: JX using configDirectory: /data1/jxplorer/
Jan 21, 2013 11:10:31 AM com.ca.directory.jxplorer.JXConfig getConfigDirectory
WARNING: JX using configDirectory: /data1/jxplorer/
Jan 21, 2013 11:10:31 AM com.ca.directory.jxplorer.JXConfig getConfigDirectory
WARNING: JX using configDirectory: /data1/jxplorer/
Jan 21, 2013 11:10:31 AM com.ca.directory.jxplorer.JXConfig setupLogger
INFO: setting up logger
XXX logging initially level WARNING with 0 parents=true
Jan 21, 2013 11:10:31 AM com.ca.commons.cbutil.CBUtility readPropertyFile
WARNING: No property list:
/data1/jxplorer/search_filters.txt
Jan 21, 2013 11:10:31 AM com.ca.commons.cbutil.CBUtility readPropertyFile
WARNING: No property list:
bookmarks.txt
Jan 21, 2013 11:10:31 AM com.ca.commons.cbutil.CBUtility readPropertyFile
WARNING: No property list:
quicksearch.txt
>>>KinitOptions cache name is /tmp/krb5cc_0
>>>DEBUG <CCacheInputStream> client principal is adma...@MAGWIEN.GV.AT
>>>DEBUG <CCacheInputStream> server principal is krbtgt/MAGWIE...@MAGWIEN.GV.AT
>>>DEBUG <CCacheInputStream> key type: 23
>>>DEBUG <CCacheInputStream> auth time: Mon Jan 21 10:51:20 CET 2013
>>>DEBUG <CCacheInputStream> start time: Mon Jan 21 10:51:18 CET 2013
>>>DEBUG <CCacheInputStream> end time: Mon Jan 21 20:51:20 CET 2013
>>>DEBUG <CCacheInputStream> renew_till time: Tue Jan 22 10:51:18 CET 2013
>>> CCacheInputStream: readFlags() FORWARDABLE; PROXIABLE; RENEWABLE; INITIAL; PRE_AUTH;
Config name: /etc/krb5.conf
Found ticket for adma...@MAGWIEN.GV.AT to go to krbtgt/MAGWIE...@MAGWIEN.GV.AT expiring on Mon Jan 21 20:51:20 CET 2013
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for adma...@MAGWIEN.GV.AT to go to krbtgt/MAGWIE...@MAGWIEN.GV.AT expiring on Mon Jan 21 20:51:20 CET 2013
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
>>> KdcAccessibility: reset
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=master.magwien.gv.at UDP:88, timeout=30000, number of retries =3, #bytes=1340
>>> KDCCommunication: kdc=master.magwien.gv.at UDP:88, timeout=30000,Attempt =1, #bytes=1340
>>> KrbKdcReq send: #bytes read=1322
>>> KrbKdcReq send: #bytes read=1322
>>> KdcAccessibility: remove master.magwien.gv.at
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
Krb5Context setting mySeqNumber to: 658059415
Krb5Context setting peerSeqNumber to: 0
Created InitSecContextToken:

Krb5Context.unwrap: token=[60 33 06 09 2a 86 48 86 f7 12 01 02 02 02 01 00 00 ff ff ff ff ab 5d a3 37 f1 5b 52 40 89 83 e9 c1 aa b0 c3 11 ec ed b4 ae 39 30 59 d4 07 00 ff ff 04 04 04 04 ]
Krb5Context.unwrap: data=[07 00 ff ff ]
Krb5Context.wrap: data=[04 01 00 00 ]
Krb5Context.wrap: token=[60 33 06 09 2a 86 48 86 f7 12 01 02 02 02 01 00 00 ff ff ff ff 65 a0 a3 31 dd 7c 9f fc bf 0b 7c 66 74 05 df 5c 27 cc 38 99 14 f1 a9 86 04 01 00 00 04 04 04 04 ]
javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3067)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2815)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2729)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
at com.ca.commons.jndi.JndiAction.run(JndiAction.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:337)
at com.ca.commons.jndi.JNDIOps.setupKerberosContext(JNDIOps.java:160)
at com.ca.commons.jndi.JNDIOps.<init>(JNDIOps.java:116)
at com.ca.commons.jndi.BasicOps.<init>(BasicOps.java:55)
at com.ca.commons.jndi.AdvancedOps.<init>(AdvancedOps.java:57)
at com.ca.commons.naming.DXOps.<init>(DXOps.java:40)
at com.ca.directory.jxplorer.broker.CBGraphicsOps.<init>(CBGraphicsOps.java:46)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:455)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:400)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.processRequest(JNDIDataBroker.java:374)
at com.ca.directory.jxplorer.broker.DataBroker.processQueue(DataBroker.java:200)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.processQueue(JNDIDataBroker.java:883)
at com.ca.directory.jxplorer.broker.DataBroker.run(DataBroker.java:165)
at java.lang.Thread.run(Thread.java:662)
Jan 21, 2013 11:10:39 AM com.ca.directory.jxplorer.broker.JNDIDataBroker openConnection
WARNING: initial receipt of exception by jndi broker a problem with GSSAPI occurred - couldn't create a GSSAPI directory context
javax.naming.NamingException: a problem with GSSAPI occurred - couldn't create a GSSAPI directory context
at com.ca.commons.jndi.JNDIOps.setupKerberosContext(JNDIOps.java:165)
at com.ca.commons.jndi.JNDIOps.<init>(JNDIOps.java:116)
at com.ca.commons.jndi.BasicOps.<init>(BasicOps.java:55)
at com.ca.commons.jndi.AdvancedOps.<init>(AdvancedOps.java:57)
at com.ca.commons.naming.DXOps.<init>(DXOps.java:40)
at com.ca.directory.jxplorer.broker.CBGraphicsOps.<init>(CBGraphicsOps.java:46)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:455)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:400)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.processRequest(JNDIDataBroker.java:374)
at com.ca.directory.jxplorer.broker.DataBroker.processQueue(DataBroker.java:200)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.processQueue(JNDIDataBroker.java:883)
at com.ca.directory.jxplorer.broker.DataBroker.run(DataBroker.java:165)
at java.lang.Thread.run(Thread.java:662)
Jan 21, 2013 11:10:44 AM com.ca.directory.jxplorer.JXOpenConWin dataReady
WARNING: Error opening connection
javax.naming.NamingException: a problem with GSSAPI occurred - couldn't create a GSSAPI directory context
at com.ca.commons.jndi.JNDIOps.setupKerberosContext(JNDIOps.java:165)
at com.ca.commons.jndi.JNDIOps.<init>(JNDIOps.java:116)
at com.ca.commons.jndi.BasicOps.<init>(BasicOps.java:55)
at com.ca.commons.jndi.AdvancedOps.<init>(AdvancedOps.java:57)
at com.ca.commons.naming.DXOps.<init>(DXOps.java:40)
at com.ca.directory.jxplorer.broker.CBGraphicsOps.<init>(CBGraphicsOps.java:46)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:455)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:400)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.processRequest(JNDIDataBroker.java:374)
at com.ca.directory.jxplorer.broker.DataBroker.processQueue(DataBroker.java:200)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.processQueue(JNDIDataBroker.java:883)
at com.ca.directory.jxplorer.broker.DataBroker.run(DataBroker.java:165)
at java.lang.Thread.run(Thread.java:662)
Jan 21, 2013 11:10:48 AM com.ca.directory.jxplorer.JXplorer shutdown
WARNING: shutting down

Any hints welcome.

Kind regards
Michael Gsandtner
Magistrat Wien, MA 14
E michael....@wien.gv.at



Benjamin Kaduk

Jan 23, 2013, 10:29:28 PM
to Gsandtner Michael, kerb...@mit.edu
On Mon, 21 Jan 2013, Gsandtner Michael wrote:

> We want to access an LDAP Directory Server:
> Directory Server: Sun-Directory-Server/11.1.1.5.0 B2011.0517.2353 (64-bit) on Red Hat Enterprise Linux Server release 5.8 (Tikanga)
> KDC: Active Directory 2003 on Windows Server 2003 SP2
> Client Jxplorer v3.3.02 on Red Hat Enterprise Linux ES release 4 (Nahant Update 9)
>
> Most of the domain users work, however some do not, e.g.:

It is a bit hard to tell what the failing behavior is from the verbose log
without a success case to compare to, but:

> # kinit admadvgsa
> # JXOPTS="-Dsun.security.krb5.debug=true" ./jxplorer.sh console
> starting JXplorer...
> java -Dsun.security.krb5.debug=true -Dfile.encoding=utf-8 -cp .:jars/*:jasper/lib/* com.ca.directory.jxplorer.JXplorer
> Jan 21, 2013 11:10:31 AM com.ca.directory.jxplorer.JXplorer printTime

> Using builtin default etypes for default_tgs_enctypes
> default etypes for default_tgs_enctypes: 3 1 23 16 17.
> >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>> KrbKdcReq send: kdc=master.magwien.gv.at UDP:88, timeout=30000, number of retries =3, #bytes=1340
> >>> KDCCommunication: kdc=master.magwien.gv.at UDP:88, timeout=30000,Attempt =1, #bytes=1340
> >>> KrbKdcReq send: #bytes read=1322
> >>> KrbKdcReq send: #bytes read=1322
> >>> KdcAccessibility: remove master.magwien.gv.at
> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
> >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType

Are these three EType lines different for a successful case?

-Ben Kaduk

Gsandtner Michael

Jan 24, 2013, 2:59:29 AM
to Benjamin Kaduk *EXTERN*, kerb...@mit.edu
Here is a successful log:

starting JXplorer...
java -Dsun.security.krb5.debug=true -Dfile.encoding=utf-8 -cp .:jars/*:jasper/lib/* com.ca.directory.jxplorer.JXplorer
Jan 24, 2013 8:49:13 AM com.ca.directory.jxplorer.JXplorer printTime
INFO: main start
TIME: Thu Jan 24 08:49:13 CET 2013 (377)

Jan 24, 2013 8:49:13 AM com.ca.directory.jxplorer.JXplorer checkJavaEnvironment
INFO: running java from: /usr/lib/jvm/java-1.6.0-sun-1.6.0.31/jre
Jan 24, 2013 8:49:13 AM com.ca.directory.jxplorer.JXplorer checkJavaEnvironment
INFO: running java version 1.6.0_31
Jan 24, 2013 8:49:13 AM com.ca.directory.jxplorer.JXConfig getConfigDirectory
WARNING: JX using configDirectory: /data1/jxplorer/
Jan 24, 2013 8:49:13 AM com.ca.directory.jxplorer.JXConfig getConfigDirectory
WARNING: JX using configDirectory: /data1/jxplorer/
Jan 24, 2013 8:49:13 AM com.ca.directory.jxplorer.JXConfig getConfigDirectory
WARNING: JX using configDirectory: /data1/jxplorer/
Jan 24, 2013 8:49:13 AM com.ca.directory.jxplorer.JXConfig setupLogger
INFO: setting up logger
XXX logging initially level WARNING with 0 parents=true
Jan 24, 2013 8:49:13 AM com.ca.commons.cbutil.CBUtility readPropertyFile
WARNING: No property list:
/data1/jxplorer/search_filters.txt
Jan 24, 2013 8:49:14 AM com.ca.commons.cbutil.CBUtility readPropertyFile
WARNING: No property list:
bookmarks.txt
Jan 24, 2013 8:49:14 AM com.ca.commons.cbutil.CBUtility readPropertyFile
WARNING: No property list:
quicksearch.txt
>>>KinitOptions cache name is /tmp/krb5cc_0
>>>DEBUG <CCacheInputStream> client principal is lana...@MAGWIEN.GV.AT
>>>DEBUG <CCacheInputStream> server principal is krbtgt/MAGWIE...@MAGWIEN.GV.AT
>>>DEBUG <CCacheInputStream> key type: 23
>>>DEBUG <CCacheInputStream> auth time: Thu Jan 24 08:47:58 CET 2013
>>>DEBUG <CCacheInputStream> start time: Thu Jan 24 08:47:55 CET 2013
>>>DEBUG <CCacheInputStream> end time: Thu Jan 24 18:47:58 CET 2013
>>>DEBUG <CCacheInputStream> renew_till time: Fri Jan 25 08:47:55 CET 2013
>>> CCacheInputStream: readFlags() FORWARDABLE; PROXIABLE; RENEWABLE; INITIAL; PRE_AUTH;
Config name: /etc/krb5.conf
Found ticket for lana...@MAGWIEN.GV.AT to go to krbtgt/MAGWIE...@MAGWIEN.GV.AT expiring on Thu Jan 24 18:47:58 CET 2013
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for lana...@MAGWIEN.GV.AT to go to krbtgt/MAGWIE...@MAGWIEN.GV.AT expiring on Thu Jan 24 18:47:58 CET 2013
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
>>> KdcAccessibility: reset
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=master.magwien.gv.at UDP:88, timeout=30000, number of retries =3, #bytes=1596
>>> KDCCommunication: kdc=master.magwien.gv.at UDP:88, timeout=30000,Attempt =1, #bytes=1596
>>> KrbKdcReq send: #bytes read=111
>>> KrbKdcReq send: #bytes read=111
>>> KdcAccessibility: remove master.magwien.gv.at
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Jan 24 08:49:01 CET 2013 1359013741000
suSec is 217950
error code is 52
error Message is Response too big for UDP, retry with TCP
realm is MAGWIEN.GV.AT
sname is ldap/vmlxentw3.host.magwien.gv.at
msgType is 30
>>> KrbKdcReq send: kdc=master.magwien.gv.at TCP:88, timeout=30000, number of retries =3, #bytes=1596
>>> KDCCommunication: kdc=master.magwien.gv.at TCP:88, #bytes=1596
>>>DEBUG: TCPClient reading 1538 bytes
>>> KrbKdcReq send: #bytes read=1538
>>> KrbKdcReq send: #bytes read=1538
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
Krb5Context setting mySeqNumber to: 159520043
Krb5Context setting peerSeqNumber to: 0
Created InitSecContextToken:

I hope you can find a difference, I cannot.

--Michael Gsandtner

-----Original Message-----
From: Benjamin Kaduk *EXTERN* [mailto:ka...@MIT.EDU]
Sent: Thursday, January 24, 2013 04:29
To: Gsandtner Michael
Cc: 'kerb...@mit.edu'
Subject: Re: some windows user fail

Roland C. Dowdeswell

Jan 24, 2013, 3:24:10 AM
to Gsandtner Michael, kerb...@mit.edu
On Thu, Jan 24, 2013 at 07:59:29AM +0000, Gsandtner Michael wrote:
>

> >>> KrbKdcReq send: kdc=master.magwien.gv.at UDP:88, timeout=30000, number of retries =3, #bytes=1596
> >>> KDCCommunication: kdc=master.magwien.gv.at UDP:88, timeout=30000,Attempt =1, #bytes=1596
> >>> KrbKdcReq send: #bytes read=111
> >>> KrbKdcReq send: #bytes read=111
> >>> KdcAccessibility: remove master.magwien.gv.at
> >>> KDCRep: init() encoding tag is 126 req type is 13
> >>>KRBError:
> sTime is Thu Jan 24 08:49:01 CET 2013 1359013741000
> suSec is 217950
> error code is 52
> error Message is Response too big for UDP, retry with TCP
> realm is MAGWIEN.GV.AT
> sname is ldap/vmlxentw3.host.magwien.gv.at
> msgType is 30
> >>> KrbKdcReq send: kdc=master.magwien.gv.at TCP:88, timeout=30000, number of retries =3, #bytes=1596
> >>> KDCCommunication: kdc=master.magwien.gv.at TCP:88, #bytes=1596
> >>>DEBUG: TCPClient reading 1538 bytes
> >>> KrbKdcReq send: #bytes read=1538
> >>> KrbKdcReq send: #bytes read=1538
> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
> >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType

> I hope you can find a difference, I cannot.

Well, there's at least one difference which is that in your successful
example, the client is failing over to TCP rather than using UDP.
It might be worth experimenting with udp_preference_limit = 500 in
your krb5.conf or some lower number to see if that makes a difference
and if it does that would suggest a path to debugging the issue.

Also, I note that your timeouts are 30 seconds. If you are seriously
using the Java JGSS libraries, then it's a good idea to set the
timeouts rather lower than that. I can't remember what the setting
is but many JGSS implementations have absurdly high defaults for
this which can result in applications experiencing 90 second delays
during KDC maintenance windows. The 90s comes from the fact that
the JGSS implementations that I've played with will try the same
KDC three times in a row before failing over to the next one (a
behaviour that one might argue is suboptimal and if said argument
were made I would have to not quite reluctantly agree.)

Many JGSS implementations will also not try TCP with packets of
any size until either the udp_preference_limit is exceeded or the
KDC replies with ``Message is Response too big for UDP''. All of
the implementations that I have seen will always use UDP unless
you specify a udp_preference_limit---the default is no limit rather
than 1491 as with the MIT krb5 libs. It's a good idea to set one
even if it is the MIT default if you are using JGSS. If your
network is in a habit of dropping UDP for any reason, you'll likely
do better to try to convince the Java libraries to go straight to
TCP as they'll never try TCP just because the UDP packets are lost.

--
Roland Dowdeswell http://Imrryr.ORG/~elric/
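
The comparison made by hand in the replies above (EType lines, UDP versus TCP, the 30-second timeout with three retries), as an added example that is not part of the original thread: a small parser for `sun.security.krb5.debug` output that summarizes the KDC exchange in each log and reports which fields differ. The function names are assumptions of this example; the sample lines are abridged from the failing and successful logs posted in this thread.

```python
import re

# Sample input: lines abridged from the failing and the successful debug logs in this thread.
FAILING_LOG = """\
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=master.magwien.gv.at UDP:88, timeout=30000, number of retries =3, #bytes=1340
>>> KrbKdcReq send: #bytes read=1322
>>> KrbKdcReq send: #bytes read=1322
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
"""

WORKING_LOG = """\
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=master.magwien.gv.at UDP:88, timeout=30000, number of retries =3, #bytes=1596
>>> KrbKdcReq send: #bytes read=111
>>> KrbKdcReq send: #bytes read=111
>>>KRBError:
error code is 52
error Message is Response too big for UDP, retry with TCP
>>> KrbKdcReq send: kdc=master.magwien.gv.at TCP:88, timeout=30000, number of retries =3, #bytes=1596
>>>DEBUG: TCPClient reading 1538 bytes
>>> KrbKdcReq send: #bytes read=1538
>>> KrbKdcReq send: #bytes read=1538
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
"""

# search() is used throughout so that "> "-quoted copies of the log parse as well.
SEND_RE = re.compile(
    r"KrbKdcReq send: kdc=(\S+) (UDP|TCP):\d+, timeout=(\d+), "
    r"number of retries\s*=\s*(\d+), #bytes=(\d+)")
READ_RE = re.compile(r"KrbKdcReq send: #bytes read=(\d+)")
ERROR_RE = re.compile(r"error code is (\d+)")
ETYPE_RE = re.compile(r"EType: \S+\.(\w+)EType")


def summarize(log_text):
    """Reduce a krb5 debug log to the fields compared in this thread."""
    exchanges, etypes = [], []
    for line in log_text.splitlines():
        m = SEND_RE.search(line)
        if m:
            # A new request to the KDC starts a new exchange record.
            exchanges.append({
                "kdc": m.group(1), "transport": m.group(2),
                "timeout_ms": int(m.group(3)), "retries": int(m.group(4)),
                "sent": int(m.group(5)), "read": None, "krb_error": None})
            continue
        m = READ_RE.search(line)
        if m and exchanges:
            # The JDK prints this line twice; the value is the same both times.
            exchanges[-1]["read"] = int(m.group(1))
            continue
        m = ERROR_RE.search(line)
        if m and exchanges:
            exchanges[-1]["krb_error"] = int(m.group(1))
            continue
        m = ETYPE_RE.search(line)
        if m:
            etypes.append(m.group(1))
    first = exchanges[0] if exchanges else None
    return {
        "transports": [e["transport"] for e in exchanges],
        "krb_errors": [e["krb_error"] for e in exchanges
                       if e["krb_error"] is not None],
        "reply_sizes": [e["read"] for e in exchanges],
        "etypes": etypes,
        # timeout x retries against one unresponsive KDC: the 90 s delay
        # described above when the timeout is 30000 ms and retries is 3.
        "worst_case_wait_s": (first["timeout_ms"] * first["retries"] / 1000
                              if first else None),
    }


def differing_fields(a, b):
    """Names of the summary fields that are not equal in the two logs."""
    return sorted(k for k in a if a[k] != b[k])


if __name__ == "__main__":
    bad, good = summarize(FAILING_LOG), summarize(WORKING_LOG)
    for name in differing_fields(bad, good):
        print(f"{name}: failing={bad[name]} working={good[name]}")
    print("etypes identical:", bad["etypes"] == good["etypes"])
    print("worst-case wait per KDC (s):", bad["worst_case_wait_s"])
```
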

Gsandtner Michael

Jan 24, 2013, 5:49:36 AM
to Roland C. Dowdeswell *EXTERN*, kerb...@mit.edu
Using TCP unfortunately does not solve the problem:

starting JXplorer...
java -Dsun.security.krb5.debug=true -Dfile.encoding=utf-8 -cp .:jars/*:jasper/lib/* com.ca.directory.jxplorer.JXplorer
Jan 24, 2013 11:40:46 AM com.ca.directory.jxplorer.JXplorer printTime
INFO: main start
TIME: Thu Jan 24 11:40:46 CET 2013 (375)

Jan 24, 2013 11:40:46 AM com.ca.directory.jxplorer.JXplorer checkJavaEnvironment
INFO: running java from: /usr/lib/jvm/java-1.6.0-sun-1.6.0.31/jre
Jan 24, 2013 11:40:46 AM com.ca.directory.jxplorer.JXplorer checkJavaEnvironment
INFO: running java version 1.6.0_31
Jan 24, 2013 11:40:46 AM com.ca.directory.jxplorer.JXConfig getConfigDirectory
WARNING: JX using configDirectory: /data1/jxplorer/
Jan 24, 2013 11:40:46 AM com.ca.directory.jxplorer.JXConfig getConfigDirectory
WARNING: JX using configDirectory: /data1/jxplorer/
Jan 24, 2013 11:40:46 AM com.ca.directory.jxplorer.JXConfig getConfigDirectory
WARNING: JX using configDirectory: /data1/jxplorer/
Jan 24, 2013 11:40:46 AM com.ca.directory.jxplorer.JXConfig setupLogger
INFO: setting up logger
XXX logging initially level WARNING with 0 parents=true
Jan 24, 2013 11:40:47 AM com.ca.commons.cbutil.CBUtility readPropertyFile
WARNING: No property list:
/data1/jxplorer/search_filters.txt
Jan 24, 2013 11:40:47 AM com.ca.commons.cbutil.CBUtility readPropertyFile
WARNING: No property list:
bookmarks.txt
Jan 24, 2013 11:40:47 AM com.ca.commons.cbutil.CBUtility readPropertyFile
WARNING: No property list:
quicksearch.txt
>>>KinitOptions cache name is /tmp/krb5cc_0
>>>DEBUG <CCacheInputStream> client principal is adma...@MAGWIEN.GV.AT
>>>DEBUG <CCacheInputStream> server principal is krbtgt/MAGWIE...@MAGWIEN.GV.AT
>>>DEBUG <CCacheInputStream> key type: 23
>>>DEBUG <CCacheInputStream> auth time: Thu Jan 24 11:40:23 CET 2013
>>>DEBUG <CCacheInputStream> start time: Thu Jan 24 11:40:20 CET 2013
>>>DEBUG <CCacheInputStream> end time: Thu Jan 24 21:40:23 CET 2013
>>>DEBUG <CCacheInputStream> renew_till time: Fri Jan 25 11:40:20 CET 2013
>>> CCacheInputStream: readFlags() FORWARDABLE; PROXIABLE; RENEWABLE; INITIAL; PRE_AUTH;
Config name: /etc/krb5.conf
Found ticket for adma...@MAGWIEN.GV.AT to go to krbtgt/MAGWIE...@MAGWIEN.GV.AT expiring on Thu Jan 24 21:40:23 CET 2013
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for adma...@MAGWIEN.GV.AT to go to krbtgt/MAGWIE...@MAGWIEN.GV.AT expiring on Thu Jan 24 21:40:23 CET 2013
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
>>> KdcAccessibility: reset
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=master.magwien.gv.at TCP:88, timeout=30000, number of retries =3, #bytes=1339
>>> KDCCommunication: kdc=master.magwien.gv.at TCP:88, #bytes=1339
>>>DEBUG: TCPClient reading 1322 bytes
>>> KrbKdcReq send: #bytes read=1322
>>> KrbKdcReq send: #bytes read=1322
>>> KdcAccessibility: remove master.magwien.gv.at
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
Krb5Context setting mySeqNumber to: 134695191
Krb5Context setting peerSeqNumber to: 0
Created InitSecContextToken:

Krb5Context.unwrap: token=[60 33 06 09 2a 86 48 86 f7 12 01 02 02 02 01 00 00 ff ff ff ff 89 d7 3b 67 9e 15 a4 1c ec 4b 95 23 16 6d c7 b7 69 6d 58 5a 4c 25 a0 a2 07 00 ff ff 04 04 04 04 ]
Krb5Context.unwrap: data=[07 00 ff ff ]
Krb5Context.wrap: data=[04 01 00 00 ]
Krb5Context.wrap: token=[60 33 06 09 2a 86 48 86 f7 12 01 02 02 02 01 00 00 ff ff ff ff a3 4c d7 a4 c1 63 65 f8 3f ae 33 37 e7 05 1d c8 f4 ef 7d 66 18 5a 7f aa 04 01 00 00 04 04 04 04 ]
javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

--Michael Gsandtner


Gsandtner Michael

Feb 14, 2013, 1:57:34 AM
to Benjamin Kaduk *EXTERN*, kerb...@mit.edu
It turned out to be a problem in the Oracle Directory Server documentation about configuring GSSAPI (one should use "dsMatching-pattern: ${Principal}" instead of "dsMatching-pattern: \${Principal}" in the identityMapping).

Now all users work as expected.

--Michael Gsandtner

-----Original Message-----
From: Benjamin Kaduk *EXTERN* [mailto:ka...@MIT.EDU]
Sent: Thursday, 24 January 2013 04:29
To: Gsandtner Michael
Cc: 'kerb...@mit.edu'
Subject: Re: some windows user fail

On Mon, 21 Jan 2013, Gsandtner Michael wrote:

> We want to access a LDAP Directory Server:
> Directory Server: Sun-Directory-Server/11.1.1.5.0 B2011.0517.2353 (64-bit) on Red Hat Enterprise Linux Server release 5.8 (Tikanga)
> KDC: Active Directory 2003 on Windows Server 2003 SP2
> Client Jxplorer v3.3.02 on Red Hat Enterprise Linux ES release 4 (Nahant Update 9)
>
> Most of the domain user work, however some do not, e.g.:

It is a bit hard to tell what the failing behavior is from the verbose log
without a success case to compare to, but:

> # kinit admadvgsa
> # JXOPTS="-Dsun.security.krb5.debug=true" ./jxplorer.sh console
> starting JXplorer...
> java -Dsun.security.krb5.debug=true -Dfile.encoding=utf-8 -cp .:jars/*:jasper/lib/* com.ca.directory.jxplorer.JXplorer
> Jan 21, 2013 11:10:31 AM com.ca.directory.jxplorer.JXplorer printTime

> Using builtin default etypes for default_tgs_enctypes
> default etypes for default_tgs_enctypes: 3 1 23 16 17.
> >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>> KrbKdcReq send: kdc=master.magwien.gv.at UDP:88, timeout=30000, number of retries =3, #bytes=1340
> >>> KDCCommunication: kdc=master.magwien.gv.at UDP:88, timeout=30000,Attempt =1, #bytes=1340
> >>> KrbKdcReq send: #bytes read=1322
> >>> KrbKdcReq send: #bytes read=1322
> >>> KdcAccessibility: remove master.magwien.gv.at
> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
> >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType

Are these three EType lines different for a successful case?

-Ben Kaduk

> Krb5Context setting mySeqNumber to: 658059415
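
Added example, not part of any post in this thread: a small Python helper that reduces `sun.security.krb5.debug` output to the fields worth comparing between two runs (the EType lines asked about above, the KDC transport, the final LDAP error) and names the stage that failed. The sample logs are constructed in the format shown in the thread, `kdc.example.test` is a placeholder host, and treating the `Krb5Context.wrap`/`unwrap` lines as evidence of an established GSS context is an assumption of this sketch.

```python
import re

# Constructed samples in the format of the sun.security.krb5.debug output above.
# kdc.example.test is a placeholder host; the UDP variant is assumed to end the same way.
TCP_RUN = """\
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=kdc.example.test TCP:88, timeout=30000, number of retries =3, #bytes=1339
>>> KrbKdcReq send: #bytes read=1322
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
Krb5Context.unwrap: data=[07 00 ff ff ]
Krb5Context.wrap: data=[04 01 00 00 ]
javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
"""
UDP_RUN = TCP_RUN.replace("TCP:88", "UDP:88")
ETYPE = re.compile(r"EType: sun\.security\.krb5\.internal\.crypto\.(\w+)")
SEND = re.compile(r"KrbKdcReq send: kdc=\S+ (UDP|TCP):\d+")
READ = re.compile(r"KrbKdcReq send: #bytes read=\d+")
LAYER = re.compile(r"Krb5Context\.(?:wrap|unwrap): data=")
LDAP = re.compile(r"\[LDAP: error code (\d+) - ([^\]]+)\]")

def summarize(log):
    """Reduce a debug log to the fields worth comparing between two runs."""
    s = {"etypes": [], "transport": None, "kdc_replied": False,
         "sasl_layer_step": False, "ldap_error": None}
    for line in log.splitlines():  # search() tolerates "> " mail-quote prefixes
        if m := ETYPE.search(line):
            s["etypes"].append(m.group(1))
        elif m := SEND.search(line):
            s["transport"] = m.group(1)
        elif READ.search(line):
            s["kdc_replied"] = True
        elif LAYER.search(line):
            s["sasl_layer_step"] = True
        elif m := LDAP.search(line):
            s["ldap_error"] = (int(m.group(1)), m.group(2))
    return s

def failing_stage(s):
    """Name the first stage that did not complete."""
    if not s["kdc_replied"]:
        return "kdc"                # no reply read from the KDC
    if s["ldap_error"] and s["sasl_layer_step"]:
        return "directory-server"   # GSS context was usable, bind rejected afterwards
    return "gssapi-context" if s["ldap_error"] else "none"

def diff(a, b):
    """Fields that differ between two summaries, as (a, b) pairs."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}
```

Running `diff(summarize(failing_log), summarize(working_log))` on a failing and a working user's output shows whether the Kerberos side differs at all before looking at the directory server's identity mapping.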