1 /* 2 * Copyright (c) 2010, 2018, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. 8 * 9 * This code is distributed in the hope that it will be useful, but WITHOUT 10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 12 * version 2 for more details (a copy is included in the LICENSE file that 13 * accompanied this code). 14 * 15 * You should have received a copy of the GNU General Public License version 16 * 2 along with this work; if not, write to the Free Software Foundation, 17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 20 * or visit www.oracle.com if you need additional information or have any 21 * questions. 22 */ 23 24 /* 25 * @test 26 * @bug 6932525 6951366 6959292 8194486 27 * @summary kerberos login failure on win2008 with AD set to win2000 compat mode 28 * and cannot login if session key and preauth does not use the same etype 29 * @library /test/lib 30 * @run main jdk.test.lib.FileInstaller TestHosts TestHosts 31 * @run main/othervm -D6932525 -Djdk.net.hosts.file=TestHosts W83 32 * @run main/othervm -D6959292 -Djdk.net.hosts.file=TestHosts W83 33 */ 34 import com.sun.security.auth.module.Krb5LoginModule; 35 import java.io.File; 36 import sun.security.krb5.Config; 37 import sun.security.krb5.EncryptedData; 38 import sun.security.krb5.PrincipalName; 39 import sun.security.krb5.internal.crypto.EType; 40 import sun.security.krb5.internal.ktab.KeyTab; 41 42 public class W83 { main(String[] args)43 public static void main(String[] args) throws Exception { 44 45 W83 x = new W83(); 46 47 // Cannot use OneKDC. kinit command cannot resolve 48 // hostname kdc.rabbit.hole 49 KDC kdc = new KDC(OneKDC.REALM, "127.0.0.1", 0, true); 50 kdc.addPrincipal(OneKDC.USER, OneKDC.PASS); 51 kdc.addPrincipalRandKey("krbtgt/" + OneKDC.REALM); 52 KDC.saveConfig(OneKDC.KRB5_CONF, kdc); 53 System.setProperty("java.security.krb5.conf", OneKDC.KRB5_CONF); 54 Config.refresh(); 55 56 kdc.writeKtab(OneKDC.KTAB); 57 58 KeyTab ktab = KeyTab.getInstance(OneKDC.KTAB); 59 for (int etype: EType.getBuiltInDefaults()) { 60 if (etype != EncryptedData.ETYPE_ARCFOUR_HMAC) { 61 ktab.deleteEntries(new PrincipalName(OneKDC.USER), etype, -1); 62 } 63 } 64 ktab.save(); 65 66 if (System.getProperty("6932525") != null) { 67 // For 6932525 and 6951366, make sure the etypes sent in 2nd AS-REQ 68 // is not restricted to that of preauth 69 kdc.setOption(KDC.Option.ONLY_RC4_TGT, true); 70 } 71 if (System.getProperty("6959292") != null) { 72 // For 6959292, make sure that when etype for enc-part in 2nd AS-REQ 73 // is different from that of preauth, client can still decrypt it 74 kdc.setOption(KDC.Option.RC4_FIRST_PREAUTH, true); 75 } 76 x.go(); 77 } 78 go()79 void go() throws Exception { 80 Krb5LoginModule krb5 = new Krb5LoginModule(); 81 StringBuffer error = new StringBuffer(); 82 try { 83 Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false); 84 } catch (Exception e) { 85 e.printStackTrace(); 86 error.append("Krb5LoginModule password login error\n"); 87 } 88 try { 89 Context.fromUserKtab(OneKDC.USER, OneKDC.KTAB, false); 90 } catch (Exception e) { 91 e.printStackTrace(); 92 error.append("Krb5LoginModule keytab login error\n"); 93 } 94 try { 95 Class.forName("sun.security.krb5.internal.tools.Kinit"); 96 String cmd = System.getProperty("java.home") + 97 System.getProperty("file.separator") + 98 "bin" + 99 System.getProperty("file.separator") + 100 "kinit"; 101 102 int p = execute( 103 cmd, 104 "-J-Djava.security.krb5.conf=" + OneKDC.KRB5_CONF, 105 "-c", "cache1", 106 OneKDC.USER, 107 new String(OneKDC.PASS)); 108 if (p != 0) { 109 error.append("kinit password login error\n"); 110 } 111 p = execute( 112 cmd, 113 "-J-Djava.security.krb5.conf=" + OneKDC.KRB5_CONF, 114 "-c", "cache2", 115 "-k", "-t", OneKDC.KTAB, 116 OneKDC.USER); 117 if (p != 0) { 118 error.append("kinit keytab login error\n"); 119 } 120 } catch (ClassNotFoundException cnfe) { 121 System.out.println("No kinit, test ignored."); 122 // Ignore, not on windows 123 } 124 if (error.length() != 0) { 125 throw new Exception(error.toString()); 126 } 127 } 128 execute(String... args)129 private static int execute(String... args) throws Exception { 130 for (String arg: args) { 131 System.out.printf("%s ", arg); 132 } 133 System.out.println(); 134 Process p = Runtime.getRuntime().exec(args); 135 return p.waitFor(); 136 } 137 } 138