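/*
 * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

/*
 * @test
 * @bug 6932525 6951366 6959292
 * @summary kerberos login failure on win2008 with AD set to win2000 compat mode
 *          and cannot login if session key and preauth does not use the same etype
 * @modules java.base/sun.net.spi.nameservice
 *          java.base/sun.security.util
 *          java.security.jgss/sun.security.krb5
 *          java.security.jgss/sun.security.krb5.internal
 *          java.security.jgss/sun.security.krb5.internal.ccache
 *          java.security.jgss/sun.security.krb5.internal.crypto
 *          java.security.jgss/sun.security.krb5.internal.ktab
 * @run main/othervm -D6932525 W83
 * @run main/othervm -D6959292 W83
 */
import com.sun.security.auth.module.Krb5LoginModule;
import java.io.File;
import sun.security.krb5.Config;
import sun.security.krb5.EncryptedData;
import sun.security.krb5.PrincipalName;
import sun.security.krb5.internal.crypto.EType;
import sun.security.krb5.internal.ktab.KeyTab;

/**
 * Regression test for Kerberos logins where the only long-term key the
 * client holds is RC4-HMAC while the KDC's choice of etype for the TGT or
 * for pre-authentication differs (see the {@code @bug} and {@code @summary}
 * tags above).
 *
 * <p>The test starts a local test KDC, trims the user's keytab down to the
 * RC4-HMAC entry, switches on one KDC quirk per run (selected by the
 * {@code -D6932525} / {@code -D6959292} system property) and then performs
 * password and keytab logins both in-process and through the {@code kinit}
 * launcher when that tool is present.
 *
 * <p>RC4-HMAC is a legacy etype (deprecated for Kerberos by RFC 8429); it is
 * pinned here only to reproduce the interoperability scenario under test.
 */
public class W83 {

    /**
     * Sets up the test KDC, configuration and keytab, applies the KDC option
     * for the bug selected on the command line, then runs the login checks.
     *
     * @param args unused
     * @throws Exception if setup fails or any login attempt in {@link #go()}
     *         reports an error
     */
    public static void main(String[] args) throws Exception {

        W83 x = new W83();

        // Cannot use OneKDC: the kinit command cannot resolve the
        // hostname kdc.rabbit.hole, so a KDC is bound to 127.0.0.1 instead.
        // NOTE(review): port argument 0 presumably means "pick a free port";
        // confirm against the KDC helper.
        KDC kdc = new KDC(OneKDC.REALM, "127.0.0.1", 0, true);
        kdc.addPrincipal(OneKDC.USER, OneKDC.PASS);
        kdc.addPrincipalRandKey("krbtgt/" + OneKDC.REALM);
        KDC.saveConfig(OneKDC.KRB5_CONF, kdc);
        System.setProperty("java.security.krb5.conf", OneKDC.KRB5_CONF);
        Config.refresh();

        kdc.writeKtab(OneKDC.KTAB);

        // Drop every built-in default etype except RC4-HMAC from the user's
        // keytab entries, so keytab logins can only use the RC4-HMAC key.
        // NOTE(review): the -1 argument presumably matches any key version;
        // confirm against KeyTab.deleteEntries.
        KeyTab ktab = KeyTab.getInstance(OneKDC.KTAB);
        for (int etype : EType.getBuiltInDefaults()) {
            if (etype != EncryptedData.ETYPE_ARCFOUR_HMAC) {
                ktab.deleteEntries(new PrincipalName(OneKDC.USER), etype, -1);
            }
        }
        ktab.save();

        if (System.getProperty("6932525") != null) {
            // For 6932525 and 6951366, make sure the etypes sent in the 2nd
            // AS-REQ are not restricted to that of preauth
            kdc.setOption(KDC.Option.ONLY_RC4_TGT, true);
        }
        if (System.getProperty("6959292") != null) {
            // For 6959292, make sure that when the etype for enc-part in the
            // 2nd AS-REQ is different from that of preauth, the client can
            // still decrypt it
            kdc.setOption(KDC.Option.RC4_FIRST_PREAUTH, true);
        }
        x.go();
    }

    /**
     * Attempts a password login and a keytab login, first in-process and
     * then through the {@code kinit} launcher under {@code java.home/bin}.
     * Failures are collected so that every variant is tried before the test
     * is failed.
     *
     * @throws Exception listing every login variant that failed
     */
    void go() throws Exception {
        // Not used below; kept from the original.
        // NOTE(review): possibly only here to check that the class loads.
        Krb5LoginModule krb5 = new Krb5LoginModule();
        // Local accumulator, never shared across threads, so the
        // unsynchronized StringBuilder is sufficient.
        StringBuilder error = new StringBuilder();
        try {
            Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
        } catch (Exception e) {
            e.printStackTrace();
            error.append("Krb5LoginModule password login error\n");
        }
        try {
            Context.fromUserKtab(OneKDC.USER, OneKDC.KTAB, false);
        } catch (Exception e) {
            e.printStackTrace();
            error.append("Krb5LoginModule keytab login error\n");
        }
        try {
            // Probe for the kinit tool class; when it is missing the
            // command-line half of the test is skipped.
            Class.forName("sun.security.krb5.internal.tools.Kinit");
            String cmd = System.getProperty("java.home") +
                    File.separator +
                    "bin" +
                    File.separator +
                    "kinit";

            // The password is handed to kinit as a command-line argument and
            // echoed by execute(). Process arguments can be read by other
            // local processes and end up in the test log, so this is only
            // acceptable because the credential belongs to the throwaway
            // test KDC created in main().
            int p = execute(
                    cmd,
                    "-J-Djava.security.krb5.conf=" + OneKDC.KRB5_CONF,
                    "-c", "cache1",
                    OneKDC.USER,
                    new String(OneKDC.PASS));
            if (p != 0) {
                error.append("kinit password login error\n");
            }
            p = execute(
                    cmd,
                    "-J-Djava.security.krb5.conf=" + OneKDC.KRB5_CONF,
                    "-c", "cache2",
                    "-k", "-t", OneKDC.KTAB,
                    OneKDC.USER);
            if (p != 0) {
                error.append("kinit keytab login error\n");
            }
        } catch (ClassNotFoundException cnfe) {
            System.out.println("No kinit, test ignored.");
            // Ignore, not on windows
        }
        if (error.length() != 0) {
            throw new Exception(error.toString());
        }
    }

    /**
     * Echoes a command line to standard output, runs it and waits for it to
     * finish.
     *
     * <p>The child's stdout and stderr are forwarded to this process. With
     * the default pipes nobody would read them, so a child that writes more
     * than the pipe buffer holds would block forever in {@code waitFor()},
     * and any diagnostic output from the tool would be lost.
     *
     * @param args the program followed by its arguments; every element is
     *        printed verbatim, so secrets passed here appear in the log
     * @return the exit value of the child process
     * @throws Exception if the process cannot be started or the wait is
     *         interrupted
     */
    private static int execute(String... args) throws Exception {
        for (String arg : args) {
            System.out.printf("%s ", arg);
        }
        System.out.println();
        Process p = new ProcessBuilder(args)
                .redirectOutput(ProcessBuilder.Redirect.INHERIT)
                .redirectError(ProcessBuilder.Redirect.INHERIT)
                .start();
        return p.waitFor();
    }
}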