Problem with Java (j2sdk1.4.2_03 on a Windows XP client) and

Rouiller Claude claude.rouiller at rtc.ch
Wed Jun 2 03:35:58 EDT 2004


It seems now that Krb5LoginModule from Java works (with TCP as fallback, as
Ram says), but kinit only works with UDP. kinit from Java 1.4.2 seems to
suffer from a bug when it has to use TCP.

Can anyone confirm (or deny)?
Claude

-----Original Message-----
From: ram marti [mailto:r.marti at comcast.net] 
Sent: Tuesday, June 01, 2004 9:24 PM
To: kerberos at MIT.EDU
Subject: Re: Problem with Java (j2sdk1.4.2_03 on a Windows XP client) and



Not quite correct. In 1.4.2, TCP should be used as a fallback when the
message size is large and the error code KRB_ERR_RESPONSE_TOO_BIG is
returned.



See:

http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/jgss-features.html

"Support TCP for Kerberos Key Distribution Center Transport

Sun's implementation of Kerberos implements Kerberos version 5 according 
to RFC 1510 and uses UDP transport for ticket requests. A new Internet 
draft updates this RFC. One of the added features is required support 
for TCP as a transport in addition to UDP. As a result, in cases where 
Kerberos tickets exceed the UDP packet size limit, the KDC would return 
an error code indicating that the request should be resent over TCP.

In the current 1.4.2 release, Sun's implementation of Kerberos now 
supports automatic fallback to TCP. Therefore, if the Kerberos ticket 
request using UDP fails and the KDC returns the error code 
KRB_ERR_RESPONSE_TOO_BIG, TCP is automatically the default transport.

..."

If the error KRB_ERR_RESPONSE_TOO_BIG is returned, TCP will be used.

Thanks
                = Ram Marti


Jeffrey Altman wrote:
> Apparently Java's Kerberos implementation does not
> support using TCP connections to obtain Kerberos tickets.
> This is required when using Windows 2003 Active Directory
> as the KDC because the Kerberos tickets must include all
> of the Windows ACL data.  The Kerberos tickets are therefore
> larger than the maximum size of a UDP packet.
> 
> Jeffrey Altman
> 
> 
> Rouiller Claude wrote:
> 
>> When I start (java-) kinit I get the following output:
>>
>> C:\DEV\OioTutorial>java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit sso_testuser
>> Config name: c:\winnt\krb5.ini
>> >>> KinitOptions cache name is C:\Documents and Settings\sso_testadmin\krb5cc_sso_testadmin
>> Principal is sso_testuser at SSOTEST.RTC.CH
>> Password for sso_testuser at SSOTEST.RTC.CH:123
>> >>> Kinit console input 123
>> >>> Kinit realm name is SSOTEST.RTC.CH
>> >>> Creating KrbAsReq
>> >>> KrbKdcReq local addresses for pcc2079 are:
>>
>>         pcc2079/159.29.193.35
>>
>> >>> KrbAsReq salt is SSOTEST.RTC.CHsso_testuser
>> >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>> >>> KrbAsReq calling createMessage
>> >>> KrbAsReq in createMessage
>> >>> KrbAsReq etypes are: 3 1
>> >>> Kinit: sending as_req to realm SSOTEST.RTC.CH
>> >>> KrbKdcReq send: kdc=rtcnt978.ssotest.rtc.ch UDP:88, timeout=30000, number of retries =3, #bytes=251
>> >>> KDCCommunication: kdc=rtcnt978.ssotest.rtc.ch UDP:88, timeout=30000,Attempt =1, #bytes=251
>> >>> KrbKdcReq send: #bytes read=100
>> >>> KrbKdcReq send: #bytes read=100
>> >>> reading response from kdc
>> >>> KDCRep: init() encoding tag is 126 req type is 11
>> >>> KRBError:
>>          sTime is Tue Jun 01 11:17:27 CEST 2004 1086081447000
>>          suSec is 511665
>>          error code is 52
>>          error Message is Response too big for UDP, retry with TCP
>>          realm is SSOTEST.RTC.CH
>>          sname is krbtgt/SSOTEST.RTC.CH
>> Exception in thread "main" java.lang.IllegalAccessError: tried to access class sun.security.krb5.KrbKdcReq from class sun.security.krb5.internal.tools.Kinit
>>         at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
>>         at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
>>
>> Do you have any idea why I get this exception?
>>
>> Thanks in advance
>> Claude
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
> 

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
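
The fallback discussed in this thread, as an added example that is not part of the original messages and is not Sun's code: a reply whose outer DER tag is 126 (0x7E, APPLICATION 30) is a KRB-ERROR rather than the AS-REP the client asked for, and error code 52 means the same request should be resent over TCP. The function names are hypothetical, and the sample reply is constructed and abbreviated from the values in the debug output above.

```python
import struct

KRB_ERROR_TAG = 0x7E            # [APPLICATION 30] = decimal 126, the "encoding tag" in the log
KRB_ERR_RESPONSE_TOO_BIG = 52   # "error code is 52" in the log

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                         # long form: low bits count the length octets
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def krb_error_code(reply):
    """Return error-code if reply is a KRB-ERROR, None for any other message."""
    tag, pos, _ = read_tlv(reply, 0)
    if tag != KRB_ERROR_TAG:
        return None
    tag, pos, end = read_tlv(reply, pos)      # SEQUENCE wrapping the fields
    if tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    while pos < end:
        tag, vstart, vend = read_tlv(reply, pos)
        if tag == 0xA6:                       # [6] error-code, an INTEGER
            _, istart, iend = read_tlv(reply, vstart)
            return int.from_bytes(reply[istart:iend], "big", signed=True)
        pos = vend
    raise ValueError("KRB-ERROR without error-code field")

def next_step(request, udp_reply):
    """On error 52, resend the request over TCP behind a 4-byte network-order length (RFC 4120)."""
    if krb_error_code(udp_reply) == KRB_ERR_RESPONSE_TOO_BIG:
        return "retry-tcp", struct.pack("!I", len(request)) + request
    return "done", udp_reply

# Constructed, abbreviated KRB-ERROR (sname omitted), values taken from the log
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body     # short-form lengths only
def _int(n):
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

SAMPLE_KRB_ERROR = _tlv(0x7E, _tlv(0x30, b"".join([
    _tlv(0xA0, _int(5)), _tlv(0xA1, _int(30)),            # pvno, msg-type
    _tlv(0xA4, _tlv(0x18, b"20040601091727Z")),           # stime
    _tlv(0xA5, _int(511665)), _tlv(0xA6, _int(52)),       # susec, error-code
    _tlv(0xA9, _tlv(0x1B, b"SSOTEST.RTC.CH")),            # realm
])))
```

The TCP retry carries the identical request bytes; only the length prefix and the socket type change.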

