Error calling function protocol status: 1312

Santiago Rivas sanribu at gmail.com
Sun Oct 25 15:16:14 EDT 2009 

Ok, thank you all!


2009/10/23 Max (Weijun) Wang <Weijun.Wang at sun.com>

> Java does not support AES256 out of box due to some export control reasons.
> You need to apply the "Java Cryptography Extension (JCE) Unlimited Strength
> Jurisdiction Policy File". The file can be download from the following page:
>
>   http://java.sun.com/javase/downloads/index.jsp
>
> Scroll down the page and it's the last download link.
>
> Thanks
> Max
>
>
> On Oct 23, 2009, at 10:04 PM, Douglas E. Engert wrote:
>
> Looks like NIM is getting a TGT with AES256 (enctype 18).
>> And your KDC supports it too.
>>
>> It looks like your java is  version 5 See:
>>
>> http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
>>
>>
>>  >>>DEBUG <CCacheInputStream>
>>  >>> KrbCreds found the default ticket granting ticket in credential
>> cache.
>>  >>> unsupported key type found the default TGT: 18
>>  >> Acquire default native Credentials
>>  >>> Found no TGT's in LSA
>>
>>
>> Looks like the Java obtained TGT is using DES.
>>  >>>KinitOptions cache name is C:\Documents and
>> Settings\santi\krb5cc_santi
>>  >>>DEBUG <CCacheInputStream>  client principal is santi at ZIGIA.ORG
>>  >>>DEBUG <CCacheInputStream> server principal is krbtgt/ZIGIA.ORG<http://zigia.org/>
>> @ZIGIA.ORG <http://zigia.org/>
>>  >>>DEBUG <CCacheInputStream> key type: 1
>>
>> But the Java version you are running supports DES, DES, RC4, 3DES and 3DES
>>  >>> Credentials acquireServiceCreds: same realm
>>  Using builtin default etypes for default_tgs_enctypes
>>  default etypes for default_tgs_enctypes: 3 1 23 16 17.
>>
>>
>> Santiago Rivas wrote:
>>
>>> Ooops, it seems that rar attachment didin't work. I re-send the txt
>>> files...
>>> 2009/10/23 Santiago Rivas <sanribu at gmail.com <mailto:sanribu at gmail.com>>
>>>   Hi,
>>>        The application runs from the command line. Yesterday I ran it
>>> with
>>>   the option you recommended (-Dsun.security.krb5.debug=true) and here
>>>   you are the different outputs.
>>>        /jvm.rar/ includes both the credentials cache generated with JVM
>>>   (kinit) and the output I get when I use them to run the Client.
>>>        /nim.rar/ includes both the credentials cache generated with NIM
>>> and
>>>   the output I get when I use them to run the Client (one specifiyng
>>>   the principal in the jaas.conf and another without doing it).
>>>        Regards,
>>>   Santi
>>>        2009/10/22 Max (Weijun) Wang <Weijun.Wang at sun.com
>>>   <mailto:Weijun.Wang at sun.com>>
>>>       Hi Santiago
>>>       Java is coded to support type 4 ccache, it just hasn't made use
>>>       of the tags inside. Can you send me a copy of your ccache?
>>>       It seems you've only specified debug=true in the JAAS config
>>>       file. Please also add the system property
>>>       sun.security.krb5.debug=true. I don't know how you launch the
>>>       program. For the command line, it looks like  ---
>>>          java -Dsun.security.krb5.debug=true YourApp
>>>       BTW, You mentioned the program works fine with kinit.exe from
>>>       JDK. Can you show what the output in that case is?
>>>       Thanks
>>>       Max
>>>       On Oct 22, 2009, at 4:22 AM, Douglas E. Engert wrote:
>>>           Santiago Rivas wrote:
>>>               After enabling debug mode, this is what I've got:
>>>               Case 1: No principal is specified in jaas.conf
>>>               *Debug is  true storeKey false useTicketCache true
>>>               useKeyTab false
>>>               doNotPrompt fa
>>>               lse ticketCache is null isInitiator true KeyTab is null
>>>               refreshKrb5Config is
>>>               fal
>>>               se principal is null tryFirstPass is false useFirstPass
>>>               is false storePass
>>>               is fa
>>>               lse clearPass is false
>>>               Acquire TGT from Cache
>>>               Error calling function Protocol status: 1312
>>>               A specified logon session does not exist. It may already
>>>               have been
>>>               terminated
>>>               Principal is null
>>>               null credentials from Ticket Cache
>>>               Username for Kerberos [santi]:*
>>>       ...
>>>               IMHO, it seems like JVM is not able to parse the
>>>               credentials file generated
>>>               by NIM. Referring to the credentials cache, is there any
>>>               "known
>>>               incompatibility" between NIM and JVM which I should be
>>>               aware of?
>>>               Thanks again!
>>>           This could be an issue of the cache version. NIM looks like
>>>           it is writing
>>>           a type 4 cache. (First two bytes in the file are 0x05 0x04.
>>>           The 0x04 is the
>>>           version.) It could be Java only knows how to handle versions
>>>           up to 3.
>>>           In the MIT krb5.conf used by NIM, try adding to
>>>           [libdefaults] sectiom:
>>>           ccache_type = 3
>>>           NIM will then write a type 3 cache.
>>>           (This is not the only Kerberos feature that Java is way
>>>           behind on either.
>>>           Using dns_lookup_kdc = 1 to use the DNS SRV records is a
>>>           major one
>>>           especially on Windows...)
>>>
>>
>> --
>>
>> Douglas E. Engert  <DEEngert at anl.gov>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois  60439
>> (630) 252-5444
>>
>
>

More information about the krbdev mailing list