[jcifs] KerberosAuthExample Double Service Ticket Request

Mike Patnode mike at mpsharp.com
Wed May 9 15:32:40 MDT 2012 

So I'm trying to get the KerberosAuthExample to work with the latest jCIFS 
download: cifs-krb5-1.3.17

java -Djcifs.properties=jcifs.prp KerberosAuthExample bozo password 
smb://host.domain.name/C$/ dc1.domain.name DOMAIN.NAME

Via WireShark, the TGT and the TGS for cifs/host.domain.com are both 
successful, but after successfully creating the SmbFile object, line 50 of 
KerberosAuthExample.java does this seemingly innocent call:

       SmbFile[] files = file.listFiles();

For some reason, this triggers a second TGS request for cifs/xxx.xxx.xxx.xxx 
(IP address) which fails with unknown service on the AD side.   From debugging 
the code, it appears the code is simply trying to find the type of "C$" and 
needs a connection to do so, but the fact this generates a second TGS request 
(when it shouldn't need it) and it does so with the IP address rather than the 
host name seems to be wrong.  So a couple questions:

1. Shouldn't treeConnect just reuse the current service ticket?
2. If not, why is it trying to get one by IP address?  Is this a revDNS 
failure?

thx.  Full stack below:


$ java -Djcifs.properties=jcifs.prp KerberosAuthExample bozo password 
smb://server.domain.name/C$/ b-devdc1.domain.name DOMAIN.NAME
Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt 
false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is 
false principal is null tryFirstPass is true useFirstPass is false storePass 
is false clearPass is false
username from shared state is bozo

username from shared state is bozo

password is password
Acquire TGT using AS Exchange
principal is bozo at DOMAIN.NAME
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: A7 24 24 3D 55 7C 7A C1   
6E A7 85 92 6B 9C 07 EE  .$$=U.z.n...k...

EncryptionKey: keyType=23 keyBytes (hex dump)=0000: E0 90 27 99 87 1E BA 33   
8C 12 D2 E3 94 F9 D8 18  ..'....3........

EncryptionKey: keyType=3 keyBytes (hex dump)=0000: E9 F1 E3 FE 73 D9 8F 4A   
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: E9 F1 E3 FE 73 D9 8F 4A   
		[Krb5LoginModule] authentication succeeded
Commit Succeeded 

GSSException: No valid credentials provided (Mechanism level: Server not found 
in Kerberos database (7))
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at jcifs.smb.SpnegoContext.initSecContext(SpnegoContext.java:80)
	at jcifs.smb.Kerb5Authenticator.setup(Kerb5Authenticator.java:196)
	at jcifs.smb.Kerb5Authenticator.access$000(Kerb5Authenticator.java:30)
	at jcifs.smb.Kerb5Authenticator$1.run(Kerb5Authenticator.java:168)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Unknown Source)
	at jcifs.smb.Kerb5Authenticator.sessionSetup
(Kerb5Authenticator.java:166)
	at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:320)
	at jcifs.smb.SmbSession.send(SmbSession.java:239)
	at jcifs.smb.SmbTree.treeConnect(SmbTree.java:176)
	at jcifs.smb.SmbFile.doConnect(SmbFile.java:925)
	at jcifs.smb.SmbFile.connect(SmbFile.java:974)
	at jcifs.smb.SmbFile.connect0(SmbFile.java:890)
	at jcifs.smb.SmbFile.getType(SmbFile.java:1302)
	at jcifs.smb.SmbFile.doEnum(SmbFile.java:1753)
	at jcifs.smb.SmbFile.listFiles(SmbFile.java:1735)
	at jcifs.smb.SmbFile.listFiles(SmbFile.java:1668)
	at KerberosAuthExample.main(KerberosAuthExample.java:50)
Caused by: KrbException: Server not found in Kerberos database (7)
	at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
	at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown 
Source)
	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds
(Unknown Source)
	at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
	... 21 more
Caused by: KrbException: Identifier doesn't match expected value (906)
	at sun.security.krb5.internal.KDCRep.init(Unknown Source)
	at sun.security.krb5.internal.TGSRep.init(Unknown Source)
	at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
	... 26 more
jcifs.smb.SmbException: No valid credentials provided (Mechanism level: Server 
not found in Kerberos database (7))
	at jcifs.smb.Kerb5Authenticator.setup(Kerb5Authenticator.java:225)
	at jcifs.smb.Kerb5Authenticator.access$000(Kerb5Authenticator.java:30)
	at jcifs.smb.Kerb5Authenticator$1.run(Kerb5Authenticator.java:168)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Unknown Source)
	at jcifs.smb.Kerb5Authenticator.sessionSetup
(Kerb5Authenticator.java:166)
	at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:320)
	at jcifs.smb.SmbSession.send(SmbSession.java:239)
	at jcifs.smb.SmbTree.treeConnect(SmbTree.java:176)
	at jcifs.smb.SmbFile.doConnect(SmbFile.java:925)
	at jcifs.smb.SmbFile.connect(SmbFile.java:974)
	at jcifs.smb.SmbFile.connect0(SmbFile.java:890)
	at jcifs.smb.SmbFile.getType(SmbFile.java:1302)
	at jcifs.smb.SmbFile.doEnum(SmbFile.java:1753)
	at jcifs.smb.SmbFile.listFiles(SmbFile.java:1735)
	at jcifs.smb.SmbFile.listFiles(SmbFile.java:1668)
	at KerberosAuthExample.main(KerberosAuthExample.java:50)

More information about the jCIFS mailing list