Java Security

jGSS/Krb5LoginModule (jdk 1.4.2) on windows xp problem

843811 Aug 25 2003 — edited Jun 3 2004
Hello,

I've tried Sun's jGSS examples (SampleClient and SampleServer) on Windows 2k pro and Windows XP.

It seems that the client-side Krb5LoginModule behaviour between Windows 2k pro and Windows XP is completely different :

Windows 2k :
------------

When I set the useTicketCache to true, I can use the system ticket cache to obtain my TGT. The system cache (LSA) is accessed through w2k_lsa_auth.dll that is shipped with the java sdk (JAVA_HOME\jre\bin).
Example :
KinitOptions cache name is C:\Documents and Settings\user\krb5cc_user
Obtained TGT from LSA: Credentials:
client=user
server=krbtgt/DOMAIN.COM
authTime=20030825142627Z
startTime=20030825142627Z
endTime=20030826002548Z
renewTill=20030901142548Z
flags: FORWARDABLE;RENEWABLE;PRE-AUTHENT
EType (int): 3
Principal is user
Commit Succeeded

Found ticket for user@DOMAIN.COM to go to krbtgt/DOMAIN.COM@DOMAIN.COM expiring on Tue Aug 26 01:25:48 CEST 2003
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
Credentials acquireServiceCreds: same realm
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbKdcReq send: kdc=10.180.128.201 UDP:88, timeout=30000, number of retries=3, #bytes=1337
KDCCommunication: kdc=10.180.128.201 UDP:88, timeout=30000,Attempt =1, #bytes=1337
KrbKdcReq send: #bytes read=1281
KrbKdcReq send: #bytes read=1281
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbKdcReq send: kdc=10.180.128.201 UDP:88, timeout=30000, number of retries=3, #bytes=1345
KDCCommunication: kdc=10.180.128.201 UDP:88, timeout=30000,Attempt =1, #bytes=1345
Now, if I rename the w2k_lsa_auth.dll on Windows 2k, my client program crashes (expected behaviour). You can see in the stack trace that the load of the w2k_lsa_auth library has failed :
KinitOptions cache name is C:\Documents and Settings\user\krb5cc_user
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
at sun.security.jgss.krb5.Krb5InitCredential.getTgtFromSubject(Unknown Source)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at SampleClient.main(SampleClient.java:159)
Caused by: javax.security.auth.login.LoginException: java.lang.UnsatisfiedLinkError: no w2k_lsa_auth in java.library.path
at java.lang.ClassLoader.loadLibrary(Unknown Source)
at java.lang.Runtime.loadLibrary0(Unknown Source)
at java.lang.System.loadLibrary(Unknown Source)
at sun.security.krb5.Credentials$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.krb5.Credentials.a(Unknown Source)
at sun.security.krb5.Credentials.acquireDefaultCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireTGTFromCache(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at sun.security.jgss.LoginUtility.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5InitCredential.getTgtFromSubject(Unknown Source)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at SampleClient.main(SampleClient.java:159)

at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at sun.security.jgss.LoginUtility.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
... 11 more
Exception in thread "main" GSSException: No valid credentials provided
at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at SampleClient.main(SampleClient.java:159)


Windows XP :
------------

I tried the same example on my XP machine and it seems that the w2k_lsa_auth.dll is never used and I'm asked to enter my password every time I want to pre-authenticate myself (obtain the TGT from the KDC). I'm pretty sure that the dll is never used because I've even renamed it to confirm my thoughts...
KinitOptions cache name is C:\Documents and Settings\user\krb5cc_user
Principal is null
null credentials from Ticket Cache
Nom d'utilisateur Kerberos [user] :
Mot de passe Kerberos pour user : xxxx
[Krb5LoginModule] user entered username: user

principal is user@DOMAIN.COM
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbAsReq etypes are: 3 1
KrbKdcReq send: kdc=10.180.128.201 UDP:88, timeout=30000, number of retries=3, #bytes=218
KDCCommunication: kdc=10.180.128.201 UDP:88, timeout=30000,Attempt =1, #bytes=218
KrbKdcReq send: #bytes read=1363
KrbKdcReq send: #bytes read=1363
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbAsRep cons in KrbAsReq.getReply soudovtsev
Commit Succeeded

Found ticket for user@DOMAIN.COM to go to krbtgt/DOMAIN.COM@DOMAIN.COM expiring on Tue Aug 26 03:10:24 CEST 2003
etc...

If I rename this dll, the example is still working (asking to enter the username and the password).


I think that the JDK treats Windows 2k and XP differently, but why ? I've done tests with 1.4.0, 1.4.1 and 1.4.2 with the same results...

Is it an expected behaviour or a bug ?

Thank you,
Anton.
Post Details
Locked on Jul 1 2004
Added on Aug 25 2003