Error calling function protocol status: 1312

Douglas E. Engert deengert at anl.gov
Fri Oct 23 10:04:50 EDT 2009


Looks like NIM is getting a TGT with AES256 (enctype 18).
And your KDC supports it too.

It looks like your Java is version 5. See:
http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html


   >>>DEBUG <CCacheInputStream>
   >>> KrbCreds found the default ticket granting ticket in credential cache.
   >>> unsupported key type found the default TGT: 18
   >> Acquire default native Credentials
   >>> Found no TGT's in LSA


Looks like the Java obtained TGT is using DES.
   >>>KinitOptions cache name is C:\Documents and Settings\santi\krb5cc_santi
   >>>DEBUG <CCacheInputStream>  client principal is santi at ZIGIA.ORG
   >>>DEBUG <CCacheInputStream> server principal is krbtgt/ZIGIA.ORG at ZIGIA.ORG
   >>>DEBUG <CCacheInputStream> key type: 1

But the Java version you are running supports DES, DES, RC4, 3DES and 3DES
   >>> Credentials acquireServiceCreds: same realm
   Using builtin default etypes for default_tgs_enctypes
   default etypes for default_tgs_enctypes: 3 1 23 16 17.


Santiago Rivas wrote:
> Ooops, it seems that rar attachment didn't work. I re-send the txt files...
> 
> 2009/10/23 Santiago Rivas <sanribu at gmail.com <mailto:sanribu at gmail.com>>
> 
>     Hi,
>      
>     The application runs from the command line. Yesterday I ran it with
>     the option you recommended (-Dsun.security.krb5.debug=true) and here
>     you are the different outputs.
>      
>     /jvm.rar/ includes both the credentials cache generated with JVM
>     (kinit) and the output I get when I use them to run the Client.
>      
>     /nim.rar/ includes both the credentials cache generated with NIM and
>     the output I get when I use them to run the Client (one specifying
>     the principal in the jaas.conf and another without doing it).
>      
>     Regards,
>     Santi
> 
>      
>     2009/10/22 Max (Weijun) Wang <Weijun.Wang at sun.com
>     <mailto:Weijun.Wang at sun.com>>
> 
>         Hi Santiago
> 
>         Java is coded to support type 4 ccache, it just hasn't made use
>         of the tags inside. Can you send me a copy of your ccache?
> 
>         It seems you've only specified debug=true in the JAAS config
>         file. Please also add the system property
>         sun.security.krb5.debug=true. I don't know how you launch the
>         program. For the command line, it looks like  ---
> 
>            java -Dsun.security.krb5.debug=true YourApp
> 
>         BTW, You mentioned the program works fine with kinit.exe from
>         JDK. Can you show what the output in that case is?
> 
>         Thanks
>         Max
> 
> 
>         On Oct 22, 2009, at 4:22 AM, Douglas E. Engert wrote:
> 
> 
> 
>             Santiago Rivas wrote:
> 
>                 After enabling debug mode, this is what I've got:
>                 Case 1: No principal is specified in jaas.conf
>                 *Debug is  true storeKey false useTicketCache true useKeyTab false
>                 doNotPrompt false ticketCache is null isInitiator true KeyTab is null
>                 refreshKrb5Config is false principal is null tryFirstPass is false
>                 useFirstPass is false storePass is false clearPass is false
>                 Acquire TGT from Cache
>                 Error calling function Protocol status: 1312
>                 A specified logon session does not exist. It may already
>                 have been
>                 terminated
>                 Principal is null
>                 null credentials from Ticket Cache
>                 Username for Kerberos [santi]:*
> 
>         ...
> 
>                 IMHO, it seems like JVM is not able to parse the
>                 credentials file generated
>                 by NIM. Referring to the credentials cache, is there any
>                 "known
>                 incompatibility" between NIM and JVM which I should be
>                 aware of?
>                 Thanks again!
> 
>             This could be an issue of the cache version. NIM looks like
>             it is writing
>             a type 4 cache. (First two bytes in the file are 0x05 0x04.
>             The 0x04 is the
>             version.) It could be Java only knows how to handle versions
>             up to 3.
> 
>             In the MIT krb5.conf used by NIM, try adding to
>             [libdefaults] section:
>             ccache_type = 3
> 
>             NIM will then write a type 3 cache.
> 
>             (This is not the only Kerberos feature that Java is way
>             behind on either.
>             Using dns_lookup_kdc = 1 to use the DNS SRV records is a
>             major one
>             especially on Windows...)
> 
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
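
Added example (not part of the original message or of any project's code): a small Python reader for the FILE ccache layout discussed in this thread, reporting the cache version byte and the key enctype of the first credential, the two values the debug output above turns on. The sample caches, the EXAMPLE.TEST realm and the function names are constructed for illustration; the etype set is the default list printed in the Java debug output above.

```python
import io
import struct

# Default etypes printed in the Java debug output quoted in this thread.
JAVA5_ETYPES = {3, 1, 23, 16, 17}

def read_data(f):
    """Counted octet string: 32-bit big-endian length, then the bytes."""
    (n,) = struct.unpack(">I", f.read(4))
    return f.read(n)

def read_principal(f):
    _name_type, count = struct.unpack(">II", f.read(8))
    realm = read_data(f).decode()
    parts = [read_data(f).decode() for _ in range(count)]
    return "/".join(parts) + "@" + realm

def inspect_ccache(blob):
    """Return (version, default principal, first server principal, key etype)."""
    f = io.BytesIO(blob)
    magic, version = struct.unpack(">BB", f.read(2))
    if magic != 5 or version not in (3, 4):
        raise ValueError("not a version 3 or 4 FILE ccache")
    if version == 4:                      # v4 inserts a tagged header here
        (header_len,) = struct.unpack(">H", f.read(2))
        f.read(header_len)
    default = read_principal(f)
    read_principal(f)                     # client of the first credential
    server = read_principal(f)
    (etype,) = struct.unpack(">H", f.read(2))
    return version, default, server, etype

def java5_can_use(blob):
    return inspect_ccache(blob)[3] in JAVA5_ETYPES

def sample_ccache(version, etype):
    """Constructed cache, truncated after the first credential's keyblock."""
    data = lambda b: struct.pack(">I", len(b)) + b
    princ = lambda realm, *c: struct.pack(">II", 1, len(c)) + data(realm) + b"".join(map(data, c))
    out = bytes([5, version])
    if version == 4:                      # one tag: id 1, 8 bytes of time offset
        out += struct.pack(">HHHII", 12, 1, 8, 0, 0)
    user = princ(b"EXAMPLE.TEST", b"alice")
    tgs = princ(b"EXAMPLE.TEST", b"krbtgt", b"EXAMPLE.TEST")
    key = struct.pack(">H", etype) * (2 if version == 3 else 1) + data(b"\0" * 8)
    return out + user + user + tgs + key

if __name__ == "__main__":
    for v, e in ((4, 18), (3, 1)):
        print(inspect_ccache(sample_ccache(v, e)), java5_can_use(sample_ccache(v, e)))
```

Run against a real cache with `inspect_ccache(open(path, "rb").read())`; a version 4 cache whose TGT key is etype 18 matches the "unsupported key type" case in the log above.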
