1 /*
2 * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 /*
25 * @test
26 * @bug 6932525 6951366 6959292
27 * @summary kerberos login failure on win2008 with AD set to win2000 compat mode
28 * and cannot login if session key and preauth does not use the same etype
29 * @modules java.base/sun.net.spi.nameservice
30 * java.base/sun.security.util
31 * java.security.jgss/sun.security.krb5
32 * java.security.jgss/sun.security.krb5.internal
33 * java.security.jgss/sun.security.krb5.internal.ccache
34 * java.security.jgss/sun.security.krb5.internal.crypto
35 * java.security.jgss/sun.security.krb5.internal.ktab
36 * @run main/othervm -D6932525 W83
37 * @run main/othervm -D6959292 W83
38 */
39 import com.sun.security.auth.module.Krb5LoginModule;
40 import java.io.File;
41 import sun.security.krb5.Config;
42 import sun.security.krb5.EncryptedData;
43 import sun.security.krb5.PrincipalName;
44 import sun.security.krb5.internal.crypto.EType;
45 import sun.security.krb5.internal.ktab.KeyTab;
46
47 public class W83 {
48 public static void main(String[] args) throws Exception {
49
50 W83 x = new W83();
51
52 // Cannot use OneKDC. kinit command cannot resolve
53 // hostname kdc.rabbit.hole
54 KDC kdc = new KDC(OneKDC.REALM, "127.0.0.1", 0, true);
55 kdc.addPrincipal(OneKDC.USER, OneKDC.PASS);
56 kdc.addPrincipalRandKey("krbtgt/" + OneKDC.REALM);
57 KDC.saveConfig(OneKDC.KRB5_CONF, kdc);
58 System.setProperty("java.security.krb5.conf", OneKDC.KRB5_CONF);
59 Config.refresh();
60
61 kdc.writeKtab(OneKDC.KTAB);
62
63 KeyTab ktab = KeyTab.getInstance(OneKDC.KTAB);
64 for (int etype: EType.getBuiltInDefaults()) {
65 if (etype != EncryptedData.ETYPE_ARCFOUR_HMAC) {
66 ktab.deleteEntries(new PrincipalName(OneKDC.USER), etype, -1);
67 }
68 }
69 ktab.save();
70
71 if (System.getProperty("6932525") != null) {
72 // For 6932525 and 6951366, make sure the etypes sent in 2nd AS-REQ
73 // is not restricted to that of preauth
74 kdc.setOption(KDC.Option.ONLY_RC4_TGT, true);
75 }
76 if (System.getProperty("6959292") != null) {
77 // For 6959292, make sure that when etype for enc-part in 2nd AS-REQ
78 // is different from that of preauth, client can still decrypt it
79 kdc.setOption(KDC.Option.RC4_FIRST_PREAUTH, true);
80 }
81 x.go();
82 }
83
84 void go() throws Exception {
85 Krb5LoginModule krb5 = new Krb5LoginModule();
86 StringBuffer error = new StringBuffer();
87 try {
88 Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
89 } catch (Exception e) {
90 e.printStackTrace();
91 error.append("Krb5LoginModule password login error\n");
92 }
93 try {
94 Context.fromUserKtab(OneKDC.USER, OneKDC.KTAB, false);
95 } catch (Exception e) {
96 e.printStackTrace();
97 error.append("Krb5LoginModule keytab login error\n");
98 }
99 try {
100 Class.forName("sun.security.krb5.internal.tools.Kinit");
101 String cmd = System.getProperty("java.home") +
102 System.getProperty("file.separator") +
103 "bin" +
104 System.getProperty("file.separator") +
105 "kinit";
106
107 int p = execute(
108 cmd,
109 "-J-Djava.security.krb5.conf=" + OneKDC.KRB5_CONF,
110 "-c", "cache1",
111 OneKDC.USER,
112 new String(OneKDC.PASS));
113 if (p != 0) {
114 error.append("kinit password login error\n");
115 }
116 p = execute(
117 cmd,
118 "-J-Djava.security.krb5.conf=" + OneKDC.KRB5_CONF,
119 "-c", "cache2",
120 "-k", "-t", OneKDC.KTAB,
121 OneKDC.USER);
122 if (p != 0) {
123 error.append("kinit keytab login error\n");
124 }
125 } catch (ClassNotFoundException cnfe) {
126 System.out.println("No kinit, test ignored.");
127 // Ignore, not on windows
128 }
129 if (error.length() != 0) {
130 throw new Exception(error.toString());
131 }
132 }
133
134 private static int execute(String... args) throws Exception {
135 for (String arg: args) {
136 System.out.printf("%s ", arg);
137 }
138 System.out.println();
139 Process p = Runtime.getRuntime().exec(args);
140 return p.waitFor();
141 }
142 }