- K/M@EXAMPLE.COM
- kadmin/admin@EXAMPLE.COM
- kadmin/changepw@EXAMPLE.COM
- kadmin/localhost@EXAMPLE.COM
- kiprop/localhost@EXAMPLE.COM
- krbtgt/EXAMPLE.COM@EXAMPLE.COM
- user1/admin@EXAMPLE.COM
- user1/user@EXAMPLE.COM
- package kerby;
- import java.io.DataInputStream;
- import java.io.DataOutputStream;
- import java.io.File;
- import java.io.FileInputStream;
- import java.io.IOException;
- import java.net.Socket;
- import java.net.UnknownHostException;
- import java.security.PrivilegedAction;
- import java.util.Properties;
- import javax.security.auth.Subject;
- import javax.security.auth.login.LoginContext;
- import javax.security.auth.login.LoginException;
- import org.ietf.jgss.GSSContext;
- import org.ietf.jgss.GSSException;
- import org.ietf.jgss.GSSManager;
- import org.ietf.jgss.GSSName;
- import org.ietf.jgss.Oid;
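public class Client {

    /** Object identifier of the Kerberos V5 GSS-API mechanism. */
    static Oid krb5Oid;

    /** Properties file read from the working directory at start-up. */
    private static final String PROPERTIES_FILE = "client.properties";

    /**
     * Entry point: obtains a Kerberos TGT through JAAS, connects to the service and
     * establishes a GSS-API security context over the socket.
     *
     * <p>Every failure path prints a message to stderr and terminates the JVM with
     * exit code -1, so the method never returns normally after an error.
     *
     * @param args ignored; all settings come from {@value #PROPERTIES_FILE}
     */
    public static void main(String[] args) {
        // Kerberos V5 is the only mechanism this client negotiates.
        try {
            krb5Oid = new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw fail("Client: Error obtaining Kerberos V5 OID: " + e, e);
        }

        // 1. Set up Kerberos properties.
        Properties props = loadProperties();

        // NOTE(review): krb5 debug output prints principal, ticket and enctype details to stdout;
        // keep it on only while troubleshooting.
        System.setProperty("sun.security.krb5.debug", "true");
        System.setProperty("java.security.auth.login.config", "./jaas.config");
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");
        // krb5.ini also decides the permitted enctypes; the sample config on this page still lists DES types.
        System.setProperty("java.security.krb5.conf", "krb5.ini");

        String username = props.getProperty("client.principal.name");
        // NOTE(review): the password is stored in clear text in client.properties; a keytab is the usual alternative.
        String password = props.getProperty("client.password");

        // 2. Authenticate against the KDC using JAAS and obtain the Subject.
        Subject subject = login(username, password);

        // 3. Connect to service.
        // NOTE(review): port 88 is the KDC port; confirm the application service really listens here.
        String hostName = "127.0.0.1";
        int port = 88;
        String servicePrincipalName = props.getProperty("service.principal.name");

        // try-with-resources: the socket and both streams are closed on every path
        // that returns normally (the original left them open).
        try (Socket socket = connect(hostName, port);
             DataInputStream inStream = new DataInputStream(socket.getInputStream());
             DataOutputStream outStream = new DataOutputStream(socket.getOutputStream())) {
            // 4. Authenticate with service.
            initiateSecurityContext(subject, servicePrincipalName, inStream, outStream);
        } catch (IOException e) {
            throw fail("Client: There was an IO error", e);
        }
    }

    /**
     * Loads {@value #PROPERTIES_FILE} from the working directory.
     *
     * @return the loaded properties; the JVM exits if the file cannot be read
     */
    private static Properties loadProperties() {
        Properties props = new Properties();
        try (FileInputStream in = new FileInputStream(PROPERTIES_FILE)) {
            props.load(in);
        } catch (IOException e) {
            // Name the file in the message; the original printed the (still empty) Properties object.
            throw fail("Client: Error opening properties file '" + PROPERTIES_FILE + "': " + e, e);
        }
        return props;
    }

    /**
     * Runs the JAAS login for the "Client" section of jaas.config.
     *
     * @param username client principal name passed to the callback handler
     * @param password client password passed to the callback handler
     * @return the authenticated Subject; the JVM exits if the login fails
     */
    private static Subject login(String username, String password) {
        try {
            // "Client" references the corresponding JAAS configuration section in the jaas.config file.
            LoginContext loginCtx = new LoginContext("Client", new Krb5CallbackHandler(username, password));
            loginCtx.login();
            return loginCtx.getSubject();
        } catch (LoginException e) {
            throw fail("Client: There was an error during the JAAS login: " + e, e);
        }
    }

    /**
     * Opens a TCP connection to the service.
     *
     * @param hostName host to connect to
     * @param port     port to connect to
     * @return the connected socket; the JVM exits if the connection fails
     */
    private static Socket connect(String hostName, int port) {
        try {
            return new Socket(hostName, port);
        } catch (UnknownHostException e) {
            throw fail("Client: There was an error connecting to the server: hostname " + hostName + " not found.", e);
        } catch (IOException e) {
            throw fail("Client: There was an error connecting to the server: " + e, e);
        }
    }

    /**
     * Establishes the GSS-API context with the service over the given streams.
     *
     * <p>The context initiation runs as a privileged action under the authenticated
     * Subject so that the Kerberos credentials in the Subject are used.
     *
     * @param subject              the Subject returned by the JAAS login
     * @param servicePrincipalName host-based service name ({@code service@host}); a bare
     *                             value such as {@code user1} makes the library append the
     *                             local host name, as the log on this page shows
     * @param inStream             stream carrying tokens from the service
     * @param outStream            stream carrying tokens to the service
     */
    private static void initiateSecurityContext(Subject subject, String servicePrincipalName,
            final DataInputStream inStream, final DataOutputStream outStream) {
        GSSManager manager = GSSManager.getInstance();
        GSSName serverName;
        try {
            serverName = manager.createName(servicePrincipalName, GSSName.NT_HOSTBASED_SERVICE);
        } catch (GSSException e) {
            throw fail("Client: There was an error in creating a name for the host-based service that we want to connect to.", e);
        }
        System.out.println("Client: Initiating security context with serverName " + serverName);

        GSSContext context = null;
        try {
            context = manager.createContext(serverName, krb5Oid, null, GSSContext.DEFAULT_LIFETIME);
            final GSSContext ctx = context;
            GSSContext serviceTicket = Subject.doAs(subject, new PrivilegedAction<GSSContext>() {
                @Override
                public GSSContext run() {
                    try {
                        // NOTE(review): with mutual authentication off the client never verifies the
                        // service's identity; enable it once the service side supports it.
                        ctx.requestMutualAuth(false);
                        ctx.requestCredDeleg(false);
                        // Token exchange continues until the context is established or a GSSException ends it.
                        while (!ctx.isEstablished()) {
                            ctx.initSecContext(inStream, outStream);
                        }
                        return ctx;
                    } catch (GSSException e) {
                        e.printStackTrace();
                        return null;
                    }
                }
            });
            if (serviceTicket == null) {
                System.out.println("Client failed to obtain service ticket for service : " + servicePrincipalName);
                System.exit(-1);
            }
            System.out.println("Client obtained service ticket for service : " + servicePrincipalName);
        } catch (GSSException e) {
            e.printStackTrace();
            System.exit(-1);
        } finally {
            if (context != null) {
                try {
                    // Release the native/mechanism resources held by the context.
                    context.dispose();
                } catch (GSSException ignored) {
                    // Nothing further can be done; the exchange already finished.
                }
            }
        }
    }

    /**
     * Reports a fatal error and terminates the JVM with exit code -1.
     *
     * <p>Returns a throwable only so callers can write {@code throw fail(...)} and
     * satisfy definite-assignment rules; {@link System#exit} never returns.
     *
     * @param message text printed to stderr before the stack trace
     * @param cause   exception whose stack trace is printed
     * @return never returns normally
     */
    private static Error fail(String message, Throwable cause) {
        System.err.println(message);
        cause.printStackTrace();
        System.exit(-1);
        return new AssertionError("unreachable: System.exit returned", cause);
    }
}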
- realm=EXAMPLE.COM
- kdc=10.10.21.28
- client.principal.name=user1/user@EXAMPLE.COM
- client.password=user1
- service.principal.name=user1
- Client {
- com.sun.security.auth.module.Krb5LoginModule required
- useKeyTab=true
- debug=true
- useTicketCache=true
- ticketCache="/tmp/krb5cc_0";
- };
- [libdefaults]
- default_realm = EXAMPLE.COM
- dns_lookup_realm = false
- dns_lookup_kdc = true
- ticket_lifetime = 24h
- forwardable = true
- udp_preference_limit = 1000000
- default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
- default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
- permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
- [realms]
- EXAMPLE.COM = {
- kdc = 10.10.21.28
- admin_server = 10.10.21.28
- default_domain = example.com
- }
- [domain_realm]
- .example.com = EXAMPLE.COM
- example.com = EXAMPLE.COM
- [logging]
- default = FILE:/var/log/krb5libs.log
- kdc = FILE:/var/log/krb5kdc.log
- admin_server = FILE:/var/log/kadm5.log
- Debug is true storeKey false useTicketCache true useKeyTab true doNotPrompt false ticketCache is /tmp/krb5cc_0 isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
- Acquire TGT from Cache
- Principal is null
- null credentials from Ticket Cache
- Java config name: krb5.ini
- Loaded from Java config
- Looking for keys for: user1/user@EXAMPLE.COM
- Key for the principal user1/user@EXAMPLE.COM not available in default key tab
- [Krb5LoginModule] user entered username: user1/user@EXAMPLE.COM
- >>> KdcAccessibility: reset
- default etypes for default_tkt_enctypes: 16.
- >>> KrbAsReq creating message
- >>> KrbKdcReq send: kdc=10.10.21.28 UDP:88, timeout=30000, number of retries =3, #bytes=138
- >>> KDCCommunication: kdc=10.10.21.28 UDP:88, timeout=30000,Attempt =1, #bytes=138
- >>> KrbKdcReq send: #bytes read=745
- >>> KdcAccessibility: remove 10.10.21.28
- >>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
- >>> KrbAsRep cons in KrbAsReq.getReply user1/user
- principal is user1/user@EXAMPLE.COM
- Commit Succeeded
- Found ticket for user1/user@EXAMPLE.COM to go to krbtgt/EXAMPLE.COM@EXAMPLE.COM expiring on Tue Sep 19 14:11:17 CEST 2017
- Entered Krb5Context.initSecContext with state=STATE_NEW
- Found ticket for user1/user@EXAMPLE.COM to go to krbtgt/EXAMPLE.COM@EXAMPLE.COM expiring on Tue Sep 19 14:11:17 CEST 2017
- Service ticket not found in the subject
- >>> Credentials acquireServiceCreds: same realm
- default etypes for default_tgs_enctypes: 16.
- >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
- >>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
- >>> KrbKdcReq send: kdc=10.10.21.28 UDP:88, timeout=30000, number of retries =3, #bytes=655
- >>> KDCCommunication: kdc=10.10.21.28 UDP:88, timeout=30000,Attempt =1, #bytes=655
- >>> KrbKdcReq send: #bytes read=175
- >>> KdcAccessibility: remove 10.10.21.28
- >>> KDCRep: init() encoding tag is 126 req type is 13
- >>>KRBError:
- cTime is Mon Nov 17 18:35:19 CET 2031 1952703319000
- sTime is Mon Sep 18 14:11:18 CEST 2017 1505736678000
- suSec is 62666
- error code is 7
- error Message is Server not found in Kerberos database
- cname is user1/user@EXAMPLE.COM
- sname is user1/port-maier@EXAMPLE.COM
- msgType is 30
- KrbException: Server not found in Kerberos database (7) - LOOKING_UP_SERVER
- at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
- at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:259)
- at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:270)
- at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:302)
- at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:120)
- at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
- at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
- at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
- at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
- at kerby.Clientkdc$1.run(Clientkdc.java:110)
- at kerby.Clientkdc$1.run(Clientkdc.java:1)
- at java.security.AccessController.doPrivileged(Native Method)
- at javax.security.auth.Subject.doAs(Subject.java:360)
- at kerby.Clientkdc.initiateSecurityContext(Clientkdc.java:103)
- at kerby.Clientkdc.main(Clientkdc.java:53)
- Caused by: KrbException: Identifier doesn't match expected value (906)
- at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
- at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
- at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
- at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
- ... 14 more
- GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)
- at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:770)
- at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
- at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
- at kerby.Clientkdc$1.run(Clientkdc.java:110)
- at kerby.Clientkdc$1.run(Clientkdc.java:1)
- at java.security.AccessController.doPrivileged(Native Method)
- at javax.security.auth.Subject.doAs(Subject.java:360)
- at kerby.Clientkdc.initiateSecurityContext(Clientkdc.java:103)
- at kerby.Clientkdc.main(Clientkdc.java:53)
- Caused by: KrbException: Server not found in Kerberos database (7) - LOOKING_UP_SERVER
- at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
- at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:259)
- at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:270)
- at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:302)
- at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:120)
- at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
- at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
- ... 8 more
- Caused by: KrbException: Identifier doesn't match expected value (906)
- at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
- at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
- at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
- at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
- ... 14 more
- Exception in thread "main" java.lang.NullPointerException
- at java.io.ByteArrayInputStream.<init>(ByteArrayInputStream.java:106)
- at sun.misc.CharacterEncoder.encode(CharacterEncoder.java:188)
- at kerby.Clientkdc.encodeAndWriteTicketToDisk(Clientkdc.java:126)
- at kerby.Clientkdc.main(Clientkdc.java:55)