Untitled

K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/localhost@EXAMPLE.COM
kiprop/localhost@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
user1/admin@EXAMPLE.COM
user1/user@EXAMPLE.COM

package kerby;

import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.PrivilegedAction;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class Client {

  static Oid krb5Oid;

  public static void main( String[] args) {

    // Oid mechanism = use Kerberos V5 as the security mechanism.
    try {
      krb5Oid = new Oid( "1.2.840.113554.1.2.2");
    }
    catch (GSSException e) {
      System.err.println("Client: Error obtaining Kerberos V5 OID: " + e);
      e.printStackTrace();
      System.exit(-1);
    }

    // 1. Set up Kerberos properties.
    Properties props = new Properties();
    try {
      props.load( new FileInputStream("client.properties"));
    }
    catch (IOException e) {
      System.err.println("Client: Error opening properties file '"+props+"': " + e);
      e.printStackTrace();
      System.exit(-1);
    }

    System.setProperty( "sun.security.krb5.debug", "true");
    System.setProperty( "java.security.auth.login.config", "./jaas.config");
    System.setProperty( "javax.security.auth.useSubjectCredsOnly", "true");
    System.setProperty("java.security.krb5.conf", "krb5.ini");
    String username = props.getProperty( "client.principal.name");
    String password = props.getProperty( "client.password");

    // 2. Authenticate against the KDC using JAAS and return the Subject.
    LoginContext loginCtx = null;
    // "Client" references the corresponding JAAS configuration section in the jaas.conf file.
    try {
      loginCtx = new LoginContext("Client", new Krb5CallbackHandler(username, password));
      loginCtx.login();
    }
    catch ( LoginException e) {
      System.err.println("Client: There was an error during the JAAS login: " + e);
      e.printStackTrace();
      System.exit( -1);
    }

    Subject subject = loginCtx.getSubject();

    // 3. Connect to service.
    String hostName = "127.0.0.1";
    int port = 88;
    Socket socket = null;
    try {
      socket = new Socket(hostName,port);
    }
    catch (UnknownHostException e) {
        e.printStackTrace();
        System.err.println("Client: There was an error connecting to the server: hostname " + hostName + " not found.");
        System.exit( -1);
    }
    catch (IOException e) {
        e.printStackTrace();
        System.err.println("Client: There was an error connecting to the server: " + e);
        System.exit( -1);
    }

    final DataInputStream inStream;
    final DataOutputStream outStream;

    try {
      inStream = new DataInputStream(socket.getInputStream());
      outStream = new DataOutputStream(socket.getOutputStream());

      // 4. Authenticate with service.
      String servicePrincipalName = props.getProperty("service.principal.name");
      GSSManager manager = GSSManager.getInstance();
      GSSName serverName = null;

      try {
        serverName = manager.createName( servicePrincipalName, GSSName.NT_HOSTBASED_SERVICE);
      }
      catch (GSSException e) {
        e.printStackTrace();
        System.err.println("Client: There was an error in creating a name for the host-based service that we want to connect to.");
        System.exit(-1);
      }

      System.out.println("Client: Initiating security context with serverName " + serverName);

      try {
        final GSSContext context = manager.createContext( serverName,
                                                          krb5Oid,
                                                          null,
                                                          GSSContext.DEFAULT_LIFETIME);

        // The GSS context initiation has to be performed as a privileged action.
        GSSContext serviceTicket = Subject.doAs( subject, new PrivilegedAction<GSSContext>() {
            public GSSContext run() {
              try {
                context.requestMutualAuth( false);
                context.requestCredDeleg( false);

                int retval;
                while(!context.isEstablished()) {
                  context.initSecContext(inStream,outStream);
                }
                return context;
              }
              catch (GSSException e) {
                e.printStackTrace();
                return null;
              }
            }
          });

        if (serviceTicket != null) {
          System.out.println("Client obtained service ticket for service : " + servicePrincipalName);
        }
        else {
          System.out.println("Client failed to obtain service ticket for service : " + servicePrincipalName);
          System.exit(-1);
        }
      }
      catch (GSSException e) {
        e.printStackTrace();
        System.exit(-1);
      }
    }
    catch ( IOException e) {
      e.printStackTrace();
      System.err.println( "Client: There was an IO error");
      System.exit( -1);
    }
  }

}

realm=EXAMPLE.COM
kdc=10.10.21.28
client.principal.name=user1/user@EXAMPLE.COM
client.password=user1
service.principal.name=user1

Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  debug=true
  useTicketCache=true
  ticketCache="/tmp/krb5cc_0";
};

[libdefaults]
         default_realm = EXAMPLE.COM
         dns_lookup_realm = false
         dns_lookup_kdc = true
         ticket_lifetime = 24h
         forwardable = true
         udp_preference_limit = 1000000
         default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
         default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
         permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1

[realms]
        EXAMPLE.COM = {
             kdc = 10.10.21.28
             admin_server = 10.10.21.28
             default_domain = example.com
         }

[domain_realm]
         .example.com = EXAMPLE.COM
         example.com = EXAMPLE.COM


[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE=/var/log/kadm5.log

Debug is  true storeKey false useTicketCache true useKeyTab true doNotPrompt false ticketCache is /tmp/krb5cc_0 isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is null
null credentials from Ticket Cache
Java config name: krb5.ini
Loaded from Java config
Looking for keys for: user1/user@EXAMPLE.COM
Key for the principal user1/user@EXAMPLE.COM not available in default key tab
        [Krb5LoginModule] user entered username: user1/user@EXAMPLE.COM

>>> KdcAccessibility: reset
default etypes for default_tkt_enctypes: 16.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=10.10.21.28 UDP:88, timeout=30000, number of retries =3, #bytes=138
>>> KDCCommunication: kdc=10.10.21.28 UDP:88, timeout=30000,Attempt =1, #bytes=138
>>> KrbKdcReq send: #bytes read=745
>>> KdcAccessibility: remove 10.10.21.28
>>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
>>> KrbAsRep cons in KrbAsReq.getReply user1/user
principal is user1/user@EXAMPLE.COM
Commit Succeeded

Found ticket for user1/user@EXAMPLE.COM to go to krbtgt/EXAMPLE.COM@EXAMPLE.COM expiring on Tue Sep 19 14:11:17 CEST 2017
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for user1/user@EXAMPLE.COM to go to krbtgt/EXAMPLE.COM@EXAMPLE.COM expiring on Tue Sep 19 14:11:17 CEST 2017
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 16.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
>>> KrbKdcReq send: kdc=10.10.21.28 UDP:88, timeout=30000, number of retries =3, #bytes=655
>>> KDCCommunication: kdc=10.10.21.28 UDP:88, timeout=30000,Attempt =1, #bytes=655
>>> KrbKdcReq send: #bytes read=175
>>> KdcAccessibility: remove 10.10.21.28
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
     cTime is Mon Nov 17 18:35:19 CET 2031 1952703319000
     sTime is Mon Sep 18 14:11:18 CEST 2017 1505736678000
     suSec is 62666
     error code is 7
     error Message is Server not found in Kerberos database
     cname is user1/user@EXAMPLE.COM
     sname is user1/port-maier@EXAMPLE.COM
     msgType is 30
KrbException: Server not found in Kerberos database (7) - LOOKING_UP_SERVER
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
    at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:259)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:270)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:302)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:120)
    at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
    at kerby.Clientkdc$1.run(Clientkdc.java:110)
    at kerby.Clientkdc$1.run(Clientkdc.java:1)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:360)
    at kerby.Clientkdc.initiateSecurityContext(Clientkdc.java:103)
    at kerby.Clientkdc.main(Clientkdc.java:53)
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
    at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
    at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
    ... 14 more
GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:770)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
    at kerby.Clientkdc$1.run(Clientkdc.java:110)
    at kerby.Clientkdc$1.run(Clientkdc.java:1)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:360)
    at kerby.Clientkdc.initiateSecurityContext(Clientkdc.java:103)
    at kerby.Clientkdc.main(Clientkdc.java:53)
Caused by: KrbException: Server not found in Kerberos database (7) - LOOKING_UP_SERVER
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
    at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:259)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:270)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:302)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:120)
    at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
    ... 8 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
    at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
    at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
    ... 14 more
Exception in thread "main" java.lang.NullPointerException
    at java.io.ByteArrayInputStream.<init>(ByteArrayInputStream.java:106)
    at sun.misc.CharacterEncoder.encode(CharacterEncoder.java:188)
    at kerby.Clientkdc.encodeAndWriteTicketToDisk(Clientkdc.java:126)
    at kerby.Clientkdc.main(Clientkdc.java:55)