Hello,
Our small openfire server had kerberos GSSAPI negotiation working without problems for few months, but suddenly two days ago it stopped working - it asks for password even with a valid kerberos ticket. There was no change of configuration of any kind. Any idea? This is Openfire 3.4.5, so it may be also an old bug, but I did not found anything in issue tracker.
Thank you,
Config name: /etc/krb5.conf
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /etc/krb5.keytab refreshKrb5Config is false principal is xmpp/chat.corp.mycompany.com tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTabInputStream, readName(): mycompany.com
KeyTabInputStream, readName(): host
KeyTabInputStream, readName(): chat.corp.mycompany.com
KeyTab: load() entry length: 63; type: 1
KeyTabInputStream, readName(): mycompany.com
KeyTabInputStream, readName(): host
KeyTabInputStream, readName(): chat.corp.mycompany.com
KeyTab: load() entry length: 79; type: 6
KeyTabInputStream, readName(): mycompany.com
KeyTabInputStream, readName(): xmpp
KeyTabInputStream, readName(): chat.corp.mycompany.com
KeyTab: load() entry length: 63; type: 1
KeyTabInputStream, readName(): mycompany.com
KeyTabInputStream, readName(): xmpp
KeyTabInputStream, readName(): chat.corp.mycompany.com
KeyTab: load() entry length: 79; type: 6
Found unsupported keytype (6) for xmpp/chat.corp.mycompany.com@mycompany.com
Added key: 1version: 3
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
principal’s key obtained from the keytab
Acquire TGT using AS Exchange
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=kerberos.corp.mycompany.com UDP:88, timeout=30000, number of retries =3, #bytes=156
KDCCommunication: kdc=kerberos.corp.mycompany.com UDP:88, timeout=30000,Attempt =1, #bytes=156
KrbKdcReq send: #bytes read=561
KrbKdcReq send: #bytes read=561
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbAsRep cons in KrbAsReq.getReply xmpp/chat.corp.mycompany.com
principal is xmpp/chat.corp.mycompany.com@mycompany.com
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 07 B6 38 AB 76 0E AB E6
Added server’s keyKerberos Principal xmpp/chat.corp.mycompany.com@mycompany.comKey Version 3key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 07 B6 38 AB 76 0E AB E6
[Krb5LoginModule] added Krb5Principal xmpp/chat.corp.mycompany.com@mycompany.com to Subject
Commit Succeeded
Found key for xmpp/chat.corp.mycompany.com@mycompany.com(1)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
crc32: d6aebca9
crc32: 11010110101011101011110010101001
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 3 1 23 16 17.
EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
crc32: 456381ad
crc32: 1000101011000111000000110101101
Config reset default kdc mycompany.com
replay cache for mcepl@mycompany.com is null.
object 0: 1233444450865/865804
object 0: 1233444450865/865804
KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 587121143
EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
crc32: 2721508e
crc32: 100111001000010101000010001110
Krb5Context setting mySeqNumber to: 322025892
Krb5Context.wrap: data=[01 01 00 00 ]
Krb5Context.wrap: token=[60 33 06 09 2a 86 48 86 f7 12 01 02 02 02 01 00 00 ff ff ff ff 10 49 5c 97 8d 59 c5 24 69 71 e9 e2 13 e7 77 91 ad 01 22 f9 6a 3f 25 0f 01 01 00 00 04 04 04 04 ]
Krb5Context.unwrap: token=[60 43 06 09 2a 86 48 86 f7 12 01 02 02 02 01 00 00 ff ff ff ff 5a e8 8d 1d 09 1a 25 28 13 cc 2c ae 7d fb 9c 4d 37 c0 d2 3c 04 98 9c 29 01 01 00 00 6d 63 65 70 6c 40 52 45 44 48 41 54 2e 43 4f 4d 00 03 03 03 ]
Krb5Context.unwrap: data=[01 01 00 00 6d 63 65 70 6c 40 52 45 44 48 41 54 2e 43 4f 4d 00 ]
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /etc/krb5.keytab refreshKrb5Config is false principal is xmpp/chat.corp.mycompany.com tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTab instance already exists
Found unsupported keytype (6) for xmpp/chat.corp.mycompany.com@mycompany.com
Added key: 1version: 3
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
principal’s key obtained from the keytab
Acquire TGT using AS Exchange
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=kerberos.corp.mycompany.com UDP:88, timeout=30000, number of retries =3, #bytes=156
KDCCommunication: kdc=kerberos.corp.mycompany.com UDP:88, timeout=30000,Attempt =1, #bytes=156
KrbKdcReq send: #bytes read=561
KrbKdcReq send: #bytes read=561
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbAsRep cons in KrbAsReq.getReply xmpp/chat.corp.mycompany.com
principal is xmpp/chat.corp.mycompany.com@mycompany.com
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 07 B6 38 AB 76 0E AB E6
Added server’s keyKerberos Principal xmpp/chat.corp.mycompany.com@mycompany.comKey Version 3key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 07 B6 38 AB 76 0E AB E6
[Krb5LoginModule] added Krb5Principal xmpp/chat.corp.mycompany.com@mycompany.com to Subject
Commit Succeeded
Found key for xmpp/chat.corp.mycompany.com@mycompany.com(1)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
crc32: d771a2e6
crc32: 11010111011100011010001011100110
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 3 1 23 16 17.
EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
crc32: ffd878d9
crc32: 11111111110110000111100011011001
Config reset default kdc mycompany.com
replay cache for ebrown@mycompany.com is null.
object 0: 1233460438509/509323
object 0: 1233460438509/509323
KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 186531375
EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
crc32: 4ec035ff
crc32: 1001110110000000011010111111111
Krb5Context setting mySeqNumber to: 901848883
Krb5Context.wrap: data=[01 01 00 00 ]
Krb5Context.wrap: token=[60 33 06 09 2a 86 48 86 f7 12 01 02 02 02 01 00 00 ff ff ff ff 45 81 0c 2f 04 23 25 23 7d 26 7d 81 49 a2 6c 12 3a e2 3b 73 0d e8 6a db 01 01 00 00 04 04 04 04 ]
Krb5Context.unwrap: token=[60 33 06 09 2a 86 48 86 f7 12 01 02 02 02 01 00 00 ff ff ff ff e0 e2 be 3a f8 60 1a 9a 75 30 26 bb c5 55 ba 43 94 5a 94 cd fd 1b f2 2b 01 00 00 00 04 04 04 04 ]
Krb5Context.unwrap: data=[01 00 00 00 ]