1 /* 2 * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. 8 * 9 * This code is distributed in the hope that it will be useful, but WITHOUT 10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 12 * version 2 for more details (a copy is included in the LICENSE file that 13 * accompanied this code). 14 * 15 * You should have received a copy of the GNU General Public License version 16 * 2 along with this work; if not, write to the Free Software Foundation, 17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 20 * or visit www.oracle.com if you need additional information or have any 21 * questions. 22 */ 23 24 /* 25 * @test 26 * @bug 6932525 6951366 6959292 27 * @summary kerberos login failure on win2008 with AD set to win2000 compat mode 28 * and cannot login if session key and preauth does not use the same etype 29 * @run main/othervm -Dsun.net.spi.nameservice.provider.1=ns,mock -D6932525 W83 30 * @run main/othervm -Dsun.net.spi.nameservice.provider.1=ns,mock -D6959292 W83 31 */ 32 import com.sun.security.auth.module.Krb5LoginModule; 33 import java.io.File; 34 import sun.security.krb5.Config; 35 import sun.security.krb5.EncryptedData; 36 import sun.security.krb5.PrincipalName; 37 import sun.security.krb5.internal.crypto.EType; 38 import sun.security.krb5.internal.ktab.KeyTab; 39 40 public class W83 { main(String[] args)41 public static void main(String[] args) throws Exception { 42 43 W83 x = new W83(); 44 45 // Cannot use OneKDC. kinit command cannot resolve 46 // hostname kdc.rabbit.hole 47 KDC kdc = new KDC(OneKDC.REALM, "127.0.0.1", 0, true); 48 kdc.addPrincipal(OneKDC.USER, OneKDC.PASS); 49 kdc.addPrincipalRandKey("krbtgt/" + OneKDC.REALM); 50 KDC.saveConfig(OneKDC.KRB5_CONF, kdc); 51 System.setProperty("java.security.krb5.conf", OneKDC.KRB5_CONF); 52 Config.refresh(); 53 54 kdc.writeKtab(OneKDC.KTAB); 55 56 KeyTab ktab = KeyTab.getInstance(OneKDC.KTAB); 57 for (int etype: EType.getBuiltInDefaults()) { 58 if (etype != EncryptedData.ETYPE_ARCFOUR_HMAC) { 59 ktab.deleteEntries(new PrincipalName(OneKDC.USER), etype, -1); 60 } 61 } 62 ktab.save(); 63 64 if (System.getProperty("6932525") != null) { 65 // For 6932525 and 6951366, make sure the etypes sent in 2nd AS-REQ 66 // is not restricted to that of preauth 67 kdc.setOption(KDC.Option.ONLY_RC4_TGT, true); 68 } 69 if (System.getProperty("6959292") != null) { 70 // For 6959292, make sure that when etype for enc-part in 2nd AS-REQ 71 // is different from that of preauth, client can still decrypt it 72 kdc.setOption(KDC.Option.RC4_FIRST_PREAUTH, true); 73 } 74 x.go(); 75 } 76 go()77 void go() throws Exception { 78 Krb5LoginModule krb5 = new Krb5LoginModule(); 79 StringBuffer error = new StringBuffer(); 80 try { 81 Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false); 82 } catch (Exception e) { 83 e.printStackTrace(); 84 error.append("Krb5LoginModule password login error\n"); 85 } 86 try { 87 Context.fromUserKtab(OneKDC.USER, OneKDC.KTAB, false); 88 } catch (Exception e) { 89 e.printStackTrace(); 90 error.append("Krb5LoginModule keytab login error\n"); 91 } 92 try { 93 Class.forName("sun.security.krb5.internal.tools.Kinit"); 94 String cmd = System.getProperty("java.home") + 95 System.getProperty("file.separator") + 96 "bin" + 97 System.getProperty("file.separator") + 98 "kinit"; 99 100 int p = execute( 101 cmd, 102 "-J-Djava.security.krb5.conf=" + OneKDC.KRB5_CONF, 103 "-c", "cache1", 104 OneKDC.USER, 105 new String(OneKDC.PASS)); 106 if (p != 0) { 107 error.append("kinit password login error\n"); 108 } 109 p = execute( 110 cmd, 111 "-J-Djava.security.krb5.conf=" + OneKDC.KRB5_CONF, 112 "-c", "cache2", 113 "-k", "-t", OneKDC.KTAB, 114 OneKDC.USER); 115 if (p != 0) { 116 error.append("kinit keytab login error\n"); 117 } 118 } catch (ClassNotFoundException cnfe) { 119 System.out.println("No kinit, test ignored."); 120 // Ignore, not on windows 121 } 122 if (error.length() != 0) { 123 throw new Exception(error.toString()); 124 } 125 } 126 execute(String... args)127 private static int execute(String... args) throws Exception { 128 for (String arg: args) { 129 System.out.printf("%s ", arg); 130 } 131 System.out.println(); 132 Process p = Runtime.getRuntime().exec(args); 133 return p.waitFor(); 134 } 135 } 136