It seems now that Krb5LoginModule from java works (with TCP as fallback, as Ram says), but kinit only works with UDP. kinit from Java 1.4.2 seems to suffer from a bug when it has to use TCP.
Can anyone confirm (or deny)? Claude -----Original Message----- From: ram marti [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 01, 2004 9:24 PM To: [EMAIL PROTECTED] Subject: Re: Problem with Java (j2sdk1.4.2_03 on a Windows XP client) and Not quite correct. In 1.4.2, TCP should be used as a fall back when the message size is large and the error code KRB_ERR_RESPONSE_TOO_BIG is returned. See: http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/jgss-features.html "Support TCP for Kerberos Key Distribution Center Transport Sun's implementation of Kerberos implements Kerberos version 5 according to RFC 1510 and uses UDP transport for ticket requests. A new Internet draft updates this RFC. One of the added features is required support for TCP as a transport in addition to UDP. As a result, in cases where Kerberos tickets exceed the UDP packet size limit, the KDC would return an error code indicating that the request should be resent over TCP. In the current 1.4.2 release, Sun's implementation of Kerberos now supports automatic fallback to TCP. Therefore, if the Kerberos ticket request using UDP fails and the KDC returns the error code KRB_ERR_RESPONSE_TOO_BIG, TCP is automatically the default transport. ..." If the error KRB_ERR_RESPONSE_TOO_BIG is returned, TCP will be used. Thanks = Ram Marti Jeffrey Altman wrote: > Apparently Java's Kerberos implementation does not > support using TCP connections to obtain Kerberos tickets. > This is required when using Windows 2003 Active Directory > as the KDC because the Kerberos tickets must include all > of the Windows ACL data. The Kerberos tickets are therefore > larger then the maximum size of a UDP packet. > > Jeffrey Altman > > > Rouiller Claude wrote: > >> When I start (java-) kinit I get the following output: >> >> C:\DEV\OioTutorial>java -Dsun.security.krb5.debug=true >> sun.security.krb5.internal.tools.Kinit sso_testuser >> Config name: c:\winnt\krb5.ini >> >>>>> KinitOptions cache name is C:\Documents and >> >> >> Settings\sso_testadmin\krb5cc_sso_testadmin >> Principal is [EMAIL PROTECTED] >> Password for [EMAIL PROTECTED]:123 >> >>>>> Kinit console input 123 >>>>> Kinit realm name is SSOTEST.RTC.CH >>>>> Creating KrbAsReq >>>>> KrbKdcReq local addresses for pcc2079 are: >> >> >> >> pcc2079/159.29.193.35 >> >>>>> KrbAsReq salt is SSOTEST.RTC.CHsso_testuser >>>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType >>>>> KrbAsReq calling createMessage >>>>> KrbAsReq in createMessage >>>>> KrbAsReq etypes are: 3 1 >>>>> Kinit: sending as_req to realm SSOTEST.RTC.CH >>>>> KrbKdcReq send: kdc=rtcnt978.ssotest.rtc.ch UDP:88, timeout=30000, >> >> >> number of retries =3, #bytes=251 >> >>>>> KDCCommunication: kdc=rtcnt978.ssotest.rtc.ch UDP:88, >> >> >> timeout=30000,Attempt =1, #bytes=251 >> >>>>> KrbKdcReq send: #bytes read=100 >>>>> KrbKdcReq send: #bytes read=100 >>>>> reading response from kdc >>>>> KDCRep: init() encoding tag is 126 req type is 11 >>>>> KRBError: >> >> >> sTime is Tue Jun 01 11:17:27 CEST 2004 1086081447000 >> suSec is 511665 >> error code is 52 >> error Message is Response too big for UDP, retry with TCP >> realm is SSOTEST.RTC.CH >> sname is krbtgt/SSOTEST.RTC.CH >> Exception in thread "main" java.lang.IllegalAccessError: tried to access >> class sun.security.krb5.KrbKdcReq from class >> sun.security.krb5.internal.tools.Kinit >> at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source) >> at sun.security.krb5.internal.tools.Kinit.main(Unknown Source) >> >> Do you have any idea why i get this exception? >> >> Thanks in advance >> Claude >> >> ________________________________________________ >> Kerberos mailing list [EMAIL PROTECTED] >> https://mailman.mit.edu/mailman/listinfo/kerberos >> > ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
