Hi there,
When multiple intermediate realms are involved, the [capaths] configuration that worked for me is different from those illustrated in the [krb5.conf man page|http://docs.sun.com/app/docs/doc/816-0219/6m6njqb94?a=view]. I'm wondering if this is by design or a bug.
The difference comes from the order in which the multiple intermediate realms are listed. In the krb5.conf man page, the [capaths] section of the configuration file used on NERSC.GOV systems is:
[capaths]
    NERSC.GOV = {
        ANL.GOV = ES.NET
        TEST.ANL.GOV = ES.NET
        TEST.ANL.GOV = ANL.GOV
        PNL.GOV = ES.NET
        ES.NET = .
    }
My understanding is that, for clients in NERSC.GOV to authenticate with servers in TEST.ANL.GOV, they need to go through ES.NET first, then ANL.GOV - so the realm closer to the client is listed first. But this order doesn't work for me. I have to reverse this order in order to make it work.
Here is the trust relationship between all the domains in my environment:
BOBJTEST3.COM <--> BOBJTEST.COM <--> BOBJTEST2.COM
      ^
      |
      V
CHILDTEST4.BOBJTEST3.COM
Clients in CHILDTEST4.BOBJTEST3.COM need to authenticate with servers in BOBJTEST2.COM. The following is the [capaths] I initially used, which is consistent with the krb5.conf man page, and the error it generated (JDK 1.5.0_12 was used).
[capaths]
    CHILDTEST4.BOBJTEST3.COM = {
        BOBJTEST3.COM = .
        BOBJTEST2.COM = BOBJTEST3.COM
        BOBJTEST2.COM = BOBJTEST.COM
    }
Realm doInitialParse: cRealm=[CHILDTEST4.BOBJTEST3.COM], sRealm=[BOBJTEST2.COM]
Realm parseCapaths: loop 1: target=BOBJTEST2.COM
Realm parseCapaths: loop 1: intermediaries=[BOBJTEST3.COM BOBJTEST.COM]
Realm parseCapaths: loop 1: pushed realm on to stack: BOBJTEST3.COM
Realm parseCapaths: loop 1: pushed realm on to stack: BOBJTEST.COM
Realm parseCapaths: loop 1: added intermediary to list: BOBJTEST.COM
Realm parseCapaths: loop 2: target=BOBJTEST.COM
Realm parseCapaths: loop 2: no intermediaries
Realm parseCapaths: loop 2: added intermediary to list: BOBJTEST3.COM
Realm parseCapaths: loop 3: target=BOBJTEST3.COM
Realm parseCapaths: loop 3: no intermediaries
Realm parseCapaths [0]=CHILDTEST4.BOBJTEST3.COM
Realm parseCapaths [1]=BOBJTEST.COM
Realm parseCapaths [2]=BOBJTEST3.COM
Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/BOBJTEST2.COM@CHILDTEST4.BOBJTEST3.COM
default etypes for default_tgs_enctypes: 23.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbKdcReq send: kdc=vanpgvmbobj08 UDP:88, timeout=120000, number of retries =3, #bytes=1309
KDCCommunication: kdc=vanpgvmbobj08 UDP:88, timeout=120000,Attempt =1, #bytes=1309
KrbKdcReq send: #bytes read=1269
KrbKdcReq send: #bytes read=1269
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Credentials acquireServiceCreds: no tgt; searching backwards
Credentials acquireServiceCreds: inner loop: [2] tempService=krbtgt/BOBJTEST3.COM@CHILDTEST4.BOBJTEST3.COM
default etypes for default_tgs_enctypes: 23.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbKdcReq send: kdc=vanpgvmbobj08 UDP:88, timeout=120000, number of retries =3, #bytes=1309
KDCCommunication: kdc=vanpgvmbobj08 UDP:88, timeout=120000,Attempt =1, #bytes=1309
KrbKdcReq send: #bytes read=1269
KrbKdcReq send: #bytes read=1269
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Credentials acquireServiceCreds: got tgt
Credentials acquireServiceCreds: continuing with main loop counter reset to 2
Credentials acquireServiceCreds: main loop: [2] tempService=krbtgt/BOBJTEST2.COM@BOBJTEST3.COM
default etypes for default_tgs_enctypes: 23.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbKdcReq send: kdc=VANPGVMBOBJ07 UDP:88, timeout=120000, number of retries =3, #bytes=1282
KDCCommunication: kdc=VANPGVMBOBJ07 UDP:88, timeout=120000,Attempt =1, #bytes=1282
KrbKdcReq send: #bytes read=1245
KrbKdcReq send: #bytes read=1245
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Credentials acquireServiceCreds: no tgt; searching backwards
Credentials acquireServiceCreds: no tgt; cannot get creds
KrbException: Fail to create credential. (63) - No service creds
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:279)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:561)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:585)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:213)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
The following is the working [capaths] after I reversed the order and the trace it generated:
[capaths]
    CHILDTEST4.BOBJTEST3.COM = {
        BOBJTEST3.COM = .
        BOBJTEST2.COM = BOBJTEST.COM
        BOBJTEST2.COM = BOBJTEST3.COM
    }
Realm doInitialParse: cRealm=[CHILDTEST4.BOBJTEST3.COM], sRealm=[BOBJTEST2.COM]
Realm parseCapaths: loop 1: target=BOBJTEST2.COM
Realm parseCapaths: loop 1: intermediaries=[BOBJTEST.COM BOBJTEST3.COM]
Realm parseCapaths: loop 1: pushed realm on to stack: BOBJTEST.COM
Realm parseCapaths: loop 1: pushed realm on to stack: BOBJTEST3.COM
Realm parseCapaths: loop 1: added intermediary to list: BOBJTEST3.COM
Realm parseCapaths: loop 2: target=BOBJTEST3.COM
Realm parseCapaths: loop 2: no intermediaries
Realm parseCapaths: loop 2: added intermediary to list: BOBJTEST.COM
Realm parseCapaths: loop 3: target=BOBJTEST.COM
Realm parseCapaths: loop 3: no intermediaries
Realm parseCapaths [0]=CHILDTEST4.BOBJTEST3.COM
Realm parseCapaths [1]=BOBJTEST3.COM
Realm parseCapaths [2]=BOBJTEST.COM
Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/BOBJTEST2.COM@CHILDTEST4.BOBJTEST3.COM
default etypes for default_tgs_enctypes: 23.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbKdcReq send: kdc=vanpgvmbobj08 UDP:88, timeout=120000, number of retries =3, #bytes=1309
KDCCommunication: kdc=vanpgvmbobj08 UDP:88, timeout=120000,Attempt =1, #bytes=1309
KrbKdcReq send: #bytes read=1269
KrbKdcReq send: #bytes read=1269
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Credentials acquireServiceCreds: no tgt; searching backwards
Credentials acquireServiceCreds: inner loop: [2] tempService=krbtgt/BOBJTEST.COM@CHILDTEST4.BOBJTEST3.COM
default etypes for default_tgs_enctypes: 23.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbKdcReq send: kdc=vanpgvmbobj08 UDP:88, timeout=120000, number of retries =3, #bytes=1308
KDCCommunication: kdc=vanpgvmbobj08 UDP:88, timeout=120000,Attempt =1, #bytes=1308
KrbKdcReq send: #bytes read=1269
KrbKdcReq send: #bytes read=1269
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Credentials acquireServiceCreds: inner loop: [1] tempService=krbtgt/BOBJTEST3.COM@CHILDTEST4.BOBJTEST3.COM
default etypes for default_tgs_enctypes: 23.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbKdcReq send: kdc=vanpgvmbobj08 UDP:88, timeout=120000, number of retries =3, #bytes=1309
KDCCommunication: kdc=vanpgvmbobj08 UDP:88, timeout=120000,Attempt =1, #bytes=1309
KrbKdcReq send: #bytes read=1269
KrbKdcReq send: #bytes read=1269
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Credentials acquireServiceCreds: got tgt
Credentials acquireServiceCreds: continuing with main loop counter reset to 1
Credentials acquireServiceCreds: main loop: [1] tempService=krbtgt/BOBJTEST2.COM@BOBJTEST3.COM
default etypes for default_tgs_enctypes: 23.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbKdcReq send: kdc=VANPGVMBOBJ07 UDP:88, timeout=120000, number of retries =3, #bytes=1282
KDCCommunication: kdc=VANPGVMBOBJ07 UDP:88, timeout=120000,Attempt =1, #bytes=1282
KrbKdcReq send: #bytes read=1245
KrbKdcReq send: #bytes read=1245
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Credentials acquireServiceCreds: no tgt; searching backwards
Credentials acquireServiceCreds: inner loop: [2] tempService=krbtgt/BOBJTEST.COM@BOBJTEST3.COM
default etypes for default_tgs_enctypes: 23.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbKdcReq send: kdc=VANPGVMBOBJ07 UDP:88, timeout=120000, number of retries =3, #bytes=1281
KDCCommunication: kdc=VANPGVMBOBJ07 UDP:88, timeout=120000,Attempt =1, #bytes=1281
KrbKdcReq send: #bytes read=1245
KrbKdcReq send: #bytes read=1245
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Credentials acquireServiceCreds: got tgt
Credentials acquireServiceCreds: continuing with main loop counter reset to 2
Credentials acquireServiceCreds: main loop: [2] tempService=krbtgt/BOBJTEST2.COM@BOBJTEST.COM
default etypes for default_tgs_enctypes: 23.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbKdcReq send: kdc=VANPGVMBOBJ01 UDP:88, timeout=120000, number of retries =3, #bytes=1269
KDCCommunication: kdc=VANPGVMBOBJ01 UDP:88, timeout=120000,Attempt =1, #bytes=1269
KrbKdcReq send: #bytes read=1258
KrbKdcReq send: #bytes read=1258
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Credentials acquireServiceCreds: got tgt
Credentials acquireServiceCreds: got right tgt
Credentials acquireServiceCreds: obtaining service creds for yyuBOE/bobjtest2.com@BOBJTEST2.COM
default etypes for default_tgs_enctypes: 23.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbKdcReq send: kdc=VANPGVMBOBJ05 UDP:88, timeout=120000, number of retries =3, #bytes=1283
KDCCommunication: kdc=VANPGVMBOBJ05 UDP:88, timeout=120000,Attempt =1, #bytes=1283
KrbKdcReq send: #bytes read=1265
KrbKdcReq send: #bytes read=1265
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Credentials acquireServiceCreds: returning creds:
DEBUG: ----Credentials----
client: yyu_b3c4@CHILDTEST4.BOBJTEST3.COM
server: yyuBOE/bobjtest2.com@BOBJTEST2.COM
ticket: realm: BOBJTEST2.COM
sname: yyuBOE/bobjtest2.com@BOBJTEST2.COM
startTime: 1214606278000
endTime: 1214642278000
----Credentials end----
Any clarification will be appreciated.
Thanks,
Yang
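Added example, not part of the original post and not the JDK's own code: a small Python model of the two traces above, reconstructing the stack-based parseCapaths ordering and the "searching backwards" loop from the log lines, so the effect of the intermediary order can be checked offline. The TRUST edges are an assumption taken from the realm diagram in the post; BROKEN and WORKING are the two [capaths] stanzas as posted.

```python
CLIENT, SERVER = "CHILDTEST4.BOBJTEST3.COM", "BOBJTEST2.COM"

# Assumed trust edges, taken from the realm diagram: realm Y's KDC will issue
# a cross-realm TGT krbtgt/X@Y only when X is a direct neighbour of Y.
TRUST = {
    "CHILDTEST4.BOBJTEST3.COM": {"BOBJTEST3.COM"},
    "BOBJTEST3.COM": {"CHILDTEST4.BOBJTEST3.COM", "BOBJTEST.COM"},
    "BOBJTEST.COM": {"BOBJTEST3.COM", "BOBJTEST2.COM"},
    "BOBJTEST2.COM": {"BOBJTEST.COM"},
}

# The two [capaths] stanzas for CHILDTEST4.BOBJTEST3.COM from the post, as
# target realm -> intermediaries in the order they appear in krb5.conf.
BROKEN = {"BOBJTEST3.COM": ["."], "BOBJTEST2.COM": ["BOBJTEST3.COM", "BOBJTEST.COM"]}
WORKING = {"BOBJTEST3.COM": ["."], "BOBJTEST2.COM": ["BOBJTEST.COM", "BOBJTEST3.COM"]}


def parse_capaths(capaths, crealm, srealm):
    """Mirror the 'parseCapaths' lines: every intermediary listed for the
    current target is pushed on a stack, then the stack is popped (last in,
    first out) into the realm path. Returns the path as the trace prints it."""
    path, stack, target = [crealm], [], srealm
    while True:
        stack.extend(r for r in capaths.get(target, []) if r != ".")
        if not stack:
            return path
        target = stack.pop()
        path.append(target)


def acquire_service_creds(path, srealm):
    """Mirror the 'acquireServiceCreds' lines: from path[i] ask for
    krbtgt/srealm@path[i]; failing that, search backwards for krbtgt/path[k]@path[i]
    (k from the end down to i+1) and resume at k. Returns the TGTs obtained or None."""
    got, i = [], 0
    while True:
        if srealm in TRUST.get(path[i], ()):       # "got right tgt"
            return got + [f"krbtgt/{srealm}@{path[i]}"]
        for k in range(len(path) - 1, i, -1):      # "no tgt; searching backwards"
            if path[k] in TRUST.get(path[i], ()):
                got.append(f"krbtgt/{path[k]}@{path[i]}")
                i = k                              # "main loop counter reset to k"
                break
        else:
            return None                            # "no tgt; cannot get creds"


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("working", WORKING)):
        path = parse_capaths(conf, CLIENT, SERVER)
        print(name, path, acquire_service_creds(path, SERVER))
```

Under this model the stack pop reverses the configured order, so the realm nearest the client ends up first in the path only when it is listed last in the stanza, which is exactly what the reversed [capaths] does.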