1 /*
2  * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4  *
5  * This code is free software; you can redistribute it and/or modify it
6  * under the terms of the GNU General Public License version 2 only, as
7  * published by the Free Software Foundation.
8  *
9  * This code is distributed in the hope that it will be useful, but WITHOUT
10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12  * version 2 for more details (a copy is included in the LICENSE file that
13  * accompanied this code).
14  *
15  * You should have received a copy of the GNU General Public License version
16  * 2 along with this work; if not, write to the Free Software Foundation,
17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18  *
19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20  * or visit www.oracle.com if you need additional information or have any
21  * questions.
22  */
23 
24 /*
25  * @test
26  * @bug 6932525 6951366 6959292
27  * @summary kerberos login failure on win2008 with AD set to win2000 compat mode
28  * and cannot login if session key and preauth does not use the same etype
29  * @run main/othervm -Dsun.net.spi.nameservice.provider.1=ns,mock -D6932525 W83
30  * @run main/othervm -Dsun.net.spi.nameservice.provider.1=ns,mock -D6959292 W83
31  */
32 import com.sun.security.auth.module.Krb5LoginModule;
33 import java.io.File;
34 import sun.security.krb5.Config;
35 import sun.security.krb5.EncryptedData;
36 import sun.security.krb5.PrincipalName;
37 import sun.security.krb5.internal.crypto.EType;
38 import sun.security.krb5.internal.ktab.KeyTab;
39 
40 public class W83 {
main(String[] args)41     public static void main(String[] args) throws Exception {
42 
43         W83 x = new W83();
44 
45         // Cannot use OneKDC. kinit command cannot resolve
46         // hostname kdc.rabbit.hole
47         KDC kdc = new KDC(OneKDC.REALM, "127.0.0.1", 0, true);
48         kdc.addPrincipal(OneKDC.USER, OneKDC.PASS);
49         kdc.addPrincipalRandKey("krbtgt/" + OneKDC.REALM);
50         KDC.saveConfig(OneKDC.KRB5_CONF, kdc);
51         System.setProperty("java.security.krb5.conf", OneKDC.KRB5_CONF);
52         Config.refresh();
53 
54         kdc.writeKtab(OneKDC.KTAB);
55 
56         KeyTab ktab = KeyTab.getInstance(OneKDC.KTAB);
57         for (int etype: EType.getBuiltInDefaults()) {
58             if (etype != EncryptedData.ETYPE_ARCFOUR_HMAC) {
59                 ktab.deleteEntries(new PrincipalName(OneKDC.USER), etype, -1);
60             }
61         }
62         ktab.save();
63 
64         if (System.getProperty("6932525") != null) {
65             // For 6932525 and 6951366, make sure the etypes sent in 2nd AS-REQ
66             // is not restricted to that of preauth
67             kdc.setOption(KDC.Option.ONLY_RC4_TGT, true);
68         }
69         if (System.getProperty("6959292") != null) {
70             // For 6959292, make sure that when etype for enc-part in 2nd AS-REQ
71             // is different from that of preauth, client can still decrypt it
72             kdc.setOption(KDC.Option.RC4_FIRST_PREAUTH, true);
73         }
74         x.go();
75     }
76 
go()77     void go() throws Exception {
78         Krb5LoginModule krb5 = new Krb5LoginModule();
79         StringBuffer error = new StringBuffer();
80         try {
81             Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
82         } catch (Exception e) {
83             e.printStackTrace();
84             error.append("Krb5LoginModule password login error\n");
85         }
86         try {
87             Context.fromUserKtab(OneKDC.USER, OneKDC.KTAB, false);
88         } catch (Exception e) {
89             e.printStackTrace();
90             error.append("Krb5LoginModule keytab login error\n");
91         }
92         try {
93             Class.forName("sun.security.krb5.internal.tools.Kinit");
94             String cmd = System.getProperty("java.home") +
95                     System.getProperty("file.separator") +
96                     "bin" +
97                     System.getProperty("file.separator") +
98                     "kinit";
99 
100             int p = execute(
101                 cmd,
102                 "-J-Djava.security.krb5.conf=" + OneKDC.KRB5_CONF,
103                 "-c", "cache1",
104                 OneKDC.USER,
105                 new String(OneKDC.PASS));
106             if (p != 0) {
107                 error.append("kinit password login error\n");
108             }
109             p = execute(
110                 cmd,
111                 "-J-Djava.security.krb5.conf=" + OneKDC.KRB5_CONF,
112                 "-c", "cache2",
113                 "-k", "-t", OneKDC.KTAB,
114                 OneKDC.USER);
115             if (p != 0) {
116                 error.append("kinit keytab login error\n");
117             }
118         } catch (ClassNotFoundException cnfe) {
119             System.out.println("No kinit, test ignored.");
120             // Ignore, not on windows
121         }
122         if (error.length() != 0) {
123             throw new Exception(error.toString());
124         }
125     }
126 
execute(String... args)127     private static int execute(String... args) throws Exception {
128         for (String arg: args) {
129             System.out.printf("%s ", arg);
130         }
131         System.out.println();
132         Process p = Runtime.getRuntime().exec(args);
133         return p.waitFor();
134     }
135 }
136