1 /*
2  * Copyright (c) 2010, 2018, Oracle and/or its affiliates. All rights reserved.
3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4  *
5  * This code is free software; you can redistribute it and/or modify it
6  * under the terms of the GNU General Public License version 2 only, as
7  * published by the Free Software Foundation.
8  *
9  * This code is distributed in the hope that it will be useful, but WITHOUT
10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12  * version 2 for more details (a copy is included in the LICENSE file that
13  * accompanied this code).
14  *
15  * You should have received a copy of the GNU General Public License version
16  * 2 along with this work; if not, write to the Free Software Foundation,
17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18  *
19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20  * or visit www.oracle.com if you need additional information or have any
21  * questions.
22  */
23 
24 /*
25  * @test
26  * @bug 6932525 6951366 6959292 8194486
27  * @summary kerberos login failure on win2008 with AD set to win2000 compat mode
28  * and cannot login if session key and preauth does not use the same etype
29  * @library /test/lib
30  * @run main jdk.test.lib.FileInstaller TestHosts TestHosts
31  * @run main/othervm -D6932525 -Djdk.net.hosts.file=TestHosts W83
32  * @run main/othervm -D6959292 -Djdk.net.hosts.file=TestHosts W83
33  */
34 import com.sun.security.auth.module.Krb5LoginModule;
35 import java.io.File;
36 import sun.security.krb5.Config;
37 import sun.security.krb5.EncryptedData;
38 import sun.security.krb5.PrincipalName;
39 import sun.security.krb5.internal.crypto.EType;
40 import sun.security.krb5.internal.ktab.KeyTab;
41 
42 public class W83 {
main(String[] args)43     public static void main(String[] args) throws Exception {
44 
45         W83 x = new W83();
46 
47         // Cannot use OneKDC. kinit command cannot resolve
48         // hostname kdc.rabbit.hole
49         KDC kdc = new KDC(OneKDC.REALM, "127.0.0.1", 0, true);
50         kdc.addPrincipal(OneKDC.USER, OneKDC.PASS);
51         kdc.addPrincipalRandKey("krbtgt/" + OneKDC.REALM);
52         KDC.saveConfig(OneKDC.KRB5_CONF, kdc);
53         System.setProperty("java.security.krb5.conf", OneKDC.KRB5_CONF);
54         Config.refresh();
55 
56         kdc.writeKtab(OneKDC.KTAB);
57 
58         KeyTab ktab = KeyTab.getInstance(OneKDC.KTAB);
59         for (int etype: EType.getBuiltInDefaults()) {
60             if (etype != EncryptedData.ETYPE_ARCFOUR_HMAC) {
61                 ktab.deleteEntries(new PrincipalName(OneKDC.USER), etype, -1);
62             }
63         }
64         ktab.save();
65 
66         if (System.getProperty("6932525") != null) {
67             // For 6932525 and 6951366, make sure the etypes sent in 2nd AS-REQ
68             // is not restricted to that of preauth
69             kdc.setOption(KDC.Option.ONLY_RC4_TGT, true);
70         }
71         if (System.getProperty("6959292") != null) {
72             // For 6959292, make sure that when etype for enc-part in 2nd AS-REQ
73             // is different from that of preauth, client can still decrypt it
74             kdc.setOption(KDC.Option.RC4_FIRST_PREAUTH, true);
75         }
76         x.go();
77     }
78 
go()79     void go() throws Exception {
80         Krb5LoginModule krb5 = new Krb5LoginModule();
81         StringBuffer error = new StringBuffer();
82         try {
83             Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
84         } catch (Exception e) {
85             e.printStackTrace();
86             error.append("Krb5LoginModule password login error\n");
87         }
88         try {
89             Context.fromUserKtab(OneKDC.USER, OneKDC.KTAB, false);
90         } catch (Exception e) {
91             e.printStackTrace();
92             error.append("Krb5LoginModule keytab login error\n");
93         }
94         try {
95             Class.forName("sun.security.krb5.internal.tools.Kinit");
96             String cmd = System.getProperty("java.home") +
97                     System.getProperty("file.separator") +
98                     "bin" +
99                     System.getProperty("file.separator") +
100                     "kinit";
101 
102             int p = execute(
103                 cmd,
104                 "-J-Djava.security.krb5.conf=" + OneKDC.KRB5_CONF,
105                 "-c", "cache1",
106                 OneKDC.USER,
107                 new String(OneKDC.PASS));
108             if (p != 0) {
109                 error.append("kinit password login error\n");
110             }
111             p = execute(
112                 cmd,
113                 "-J-Djava.security.krb5.conf=" + OneKDC.KRB5_CONF,
114                 "-c", "cache2",
115                 "-k", "-t", OneKDC.KTAB,
116                 OneKDC.USER);
117             if (p != 0) {
118                 error.append("kinit keytab login error\n");
119             }
120         } catch (ClassNotFoundException cnfe) {
121             System.out.println("No kinit, test ignored.");
122             // Ignore, not on windows
123         }
124         if (error.length() != 0) {
125             throw new Exception(error.toString());
126         }
127     }
128 
execute(String... args)129     private static int execute(String... args) throws Exception {
130         for (String arg: args) {
131             System.out.printf("%s ", arg);
132         }
133         System.out.println();
134         Process p = Runtime.getRuntime().exec(args);
135         return p.waitFor();
136     }
137 }
138