Bug 7583 - Smbclient fails to kerberos connect to a Alfresco JLAN CIFS Server
Status: NEW
Product: Samba 3.5
Classification: Unclassified
Component: libsmbclient
Hardware: All
OS: All
Importance: P3 normal
Target Milestone: ---
Assigned To: Simo Sorce
QA Contact: Samba QA Contact
Depends on:
Reported: 2010-07-23 12:34 UTC by Jeremy Allison
Modified: 2010-12-23 11:54 UTC (History)

See Also:

Patch for 3.5.x. (12.47 KB, patch)
2010-07-23 12:59 UTC, Jeremy Allison
idra: review+
Patch for 3.4.x. (12.37 KB, patch)
2010-07-23 13:23 UTC, Jeremy Allison
jra: review? (idra)

Description Jeremy Allison 2010-07-23 12:34:59 UTC
Reported by Gary Spencer <gk.spencer@mac.com>

I'm the author of the Java-based CIFS server JLAN Server, which has been owned by the open source company Alfresco for a while now. The JLAN Server code is used within Alfresco's content management system to provide CIFS/FTP/NFS access, as well as being available for use as a component in other projects.

The JLAN Server code supports Kerberos logons from AD clients but we have a problem when trying to connect using the smbclient application when Kerberos is used.

The problem seems to be due to a mismatch in the type of checksum that the Java JDK runtime code expects for the authenticator checksum in the Kerberos ticket. In the JDK source code I have found a check which tests to see if the checksum starts with the bytes 0x10, 0x00, 0x00, 0x00, here's the output from Wireshark :-

                                            Authenticator vno: 5
                                            Client Realm: ALFRESCO.ORG
                                            Client Name (Principal): gkspencer
                                                Type: gssapi-8003 (32771)
                                                checksum: 100000000000000000000000000000000000000001000000...
                                                Length: 16
                                                Bnd: 00000000000000000000000000000000
                                                .... .... .... .... ...0 .... .... .... = DCE-style: Not using DCE-STYLE
                                                .... .... .... .... .... .... ..0. .... = Integ: Do NOT use integrity protection
                                                .... .... .... .... .... .... ...0 .... = Conf: Do NOT use Confidentiality (sealing)
                                                .... .... .... .... .... .... .... 0... = Sequence: Do NOT enable out-of-sequence detection
                                                .... .... .... .... .... .... .... .0.. = Replay: Do NOT enable replay protection
                                                .... .... .... .... .... .... .... ..0. = Mutual: Mutual authentication NOT required
                                                .... .... .... .... .... .... .... ...1 = Deleg: Delegate credantials to remote peer
                                                DlgOpt: 1
                                                DlgLen: 646
                                                CRED_BODY KRB-CRED

This check fails with the following Java error on the server side :-
    GSSException: Failure unspecified at GSS-API level (Mechanism level: Incorrect checksum)
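To make the checksum layout discussed above concrete, here is an added decoder for the 0x8003 authenticator checksum. It is example code written for this page, not code from Samba, the JDK or JLAN Server. The field layout follows RFC 1964 section 1.1.1 (Lgth, Bnd, Flags, then DlgOpt/DlgLen/KRB-CRED when the Deleg bit is set); the flag names follow the Wireshark labels shown above. The sample byte strings are constructed to mirror the values in the Wireshark dump (Bnd all zero, only Deleg set, DlgOpt 1), with a placeholder KRB-CRED body rather than the 646-byte credential from the capture. Running it shows the leading 0x10 0x00 0x00 0x00 check the JDK applies first, and what a receiver sees when the delegation payload announced by the Deleg flag is cut short.

```python
"""Decode and validate a GSS-API Kerberos authenticator checksum (cksumtype 0x8003).

Example code for this bug report, not from Samba, the JDK or JLAN Server.
Layout per RFC 1964 section 1.1.1; the DCE-style bit is the Microsoft
extension that Wireshark labels "DCE-style".
"""
import struct

BND_LENGTH = 16  # Lgth is always 16: the MD5 of the channel bindings follows

# Bits of the little-endian 32-bit Flags field.
FLAG_BITS = {
    0x0001: "Deleg",
    0x0002: "Mutual",
    0x0004: "Replay",
    0x0008: "Sequence",
    0x0010: "Conf",
    0x0020: "Integ",
    0x1000: "DCE-style",
}


class ChecksumError(ValueError):
    """The 0x8003 checksum does not have the expected shape."""


def has_expected_prefix(data: bytes) -> bool:
    """The check the JDK performs first: Lgth must be 0x10 0x00 0x00 0x00."""
    return data[:4] == b"\x10\x00\x00\x00"


def parse_gss_checksum(data: bytes) -> dict:
    """Split the checksum into Lgth, Bnd, Flags and optional delegation fields."""
    if len(data) < 24:
        raise ChecksumError(f"checksum too short: {len(data)} bytes")
    if not has_expected_prefix(data):
        lgth = struct.unpack_from("<I", data, 0)[0]
        raise ChecksumError(f"Lgth is {lgth}, expected {BND_LENGTH}")
    bnd = data[4:20]
    flags = struct.unpack_from("<I", data, 20)[0]
    result = {
        "bnd": bnd.hex(),
        "flags": flags,
        "flag_names": [name for bit, name in sorted(FLAG_BITS.items()) if flags & bit],
        "dlgopt": None,
        "dlglen": None,
        "deleg": b"",
    }
    pos = 24
    if flags & 0x0001:
        # Deleg set: DlgOpt (2 bytes LE, must be 1), DlgLen (2 bytes LE), then a KRB-CRED
        if len(data) < pos + 4:
            raise ChecksumError("Deleg flag set but DlgOpt/DlgLen are missing")
        dlgopt, dlglen = struct.unpack_from("<HH", data, pos)
        pos += 4
        if dlgopt != 1:
            raise ChecksumError(f"DlgOpt is {dlgopt}, expected 1")
        if len(data) < pos + dlglen:
            raise ChecksumError(
                f"DlgLen {dlglen} but only {len(data) - pos} bytes of KRB-CRED present")
        result.update(dlgopt=dlgopt, dlglen=dlglen, deleg=data[pos:pos + dlglen])
        pos += dlglen
    result["exts"] = data[pos:]  # RFC 4121 extensions, if any
    return result


def build_gss_checksum(flags: int, bnd: bytes = bytes(BND_LENGTH), deleg: bytes = b"") -> bytes:
    """Inverse of parse_gss_checksum, used here only to construct sample input."""
    if len(bnd) != BND_LENGTH:
        raise ValueError("Bnd must be exactly 16 bytes")
    out = struct.pack("<I", BND_LENGTH) + bnd + struct.pack("<I", flags)
    if flags & 0x0001:
        out += struct.pack("<HH", 1, len(deleg)) + deleg
    return out


# Constructed sample mirroring the Wireshark field values: Bnd all zero, only
# Deleg set, DlgOpt 1. The KRB-CRED body is a placeholder, not the real 646 bytes.
FAKE_KRB_CRED = b"\x76" + b"\x00" * 31  # 0x76 = ASN.1 [APPLICATION 22] tag of KRB-CRED
SAMPLE_DELEG = build_gss_checksum(0x0001, deleg=FAKE_KRB_CRED)

# Constructed: Deleg announced but the credential bytes are cut short.
SAMPLE_TRUNCATED = SAMPLE_DELEG[:-8]

# Constructed: Lgth is not 16, so the JDK-style prefix check fails immediately.
SAMPLE_BAD_LGTH = b"\x20\x00\x00\x00" + SAMPLE_DELEG[4:]


def classify(data: bytes) -> str:
    """Return a one-line verdict suitable for a server-side log message."""
    try:
        parsed = parse_gss_checksum(data)
    except ChecksumError as exc:
        return f"reject: {exc}"
    names = ",".join(parsed["flag_names"]) or "none"
    if parsed["dlglen"] is not None:
        return f"ok: flags={names} krb-cred={parsed['dlglen']} bytes"
    return f"ok: flags={names}"


if __name__ == "__main__":
    for label, blob in (("deleg", SAMPLE_DELEG),
                        ("truncated", SAMPLE_TRUNCATED),
                        ("bad-lgth", SAMPLE_BAD_LGTH)):
        print(f"{label:10} {classify(blob)}")
```

The decoder rejects on the same two conditions a receiver cares about here: a Lgth prefix other than 0x10 0x00 0x00 0x00, and a Deleg flag whose KRB-CRED is missing or shorter than DlgLen claims. Pointing it at the checksum bytes from a capture is a quick way to confirm which of the two a failing session setup is hitting.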
Comment 1 Jeremy Allison 2010-07-23 12:35:15 UTC
More data:


Hi Jeremy,

This is the stacktrace from the Java exception. I haven't included the whole trace as it's quite deep, and you only really need the first few levels to see which JDK classes are being used. This is running under a Java6 JVM :-

15:39:00,347 ERROR [org.alfresco.fileserver] GSSException: Failure unspecified at GSS-API level (Mechanism level: Incorrect checksum)
15:39:00,347 ERROR [org.alfresco.fileserver]    at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(InitialToken.java:201)
15:39:00,347 ERROR [org.alfresco.fileserver]    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:102)
15:39:00,347 ERROR [org.alfresco.fileserver]    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
15:39:00,347 ERROR [org.alfresco.fileserver]    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
15:39:00,347 ERROR [org.alfresco.fileserver]    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
15:39:00,347 ERROR [org.alfresco.fileserver]    at org.alfresco.jlan.server.auth.kerberos.SessionSetupPrivilegedAction.run(SessionSetupPrivilegedAction.java:102)
15:39:00,347 ERROR [org.alfresco.fileserver]    at java.security.AccessController.doPrivileged(Native Method)
15:39:00,347 ERROR [org.alfresco.fileserver]    at javax.security.auth.Subject.doAs(Subject.java:337)
15:39:00,347 ERROR [org.alfresco.fileserver]    at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.doKerberosLogon(EnterpriseCifsAuthenticator.java:1402)
15:39:00,347 ERROR [org.alfresco.fileserver]    at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.doSpnegoSessionSetup(EnterpriseCifsAuthenticator.java:1282)

The exception comes from the OverloadedChecksum inner class that is in the InitialToken.java module, which is buried down in the j2se/src/share/classes/sun/security/jgss/krb5 folder within the Java6 JDK source tree. I've attached a zip with the jgss/ and subfolder modules, which may be enough information to save downloading the whole JDK source.
Comment 2 Jeremy Allison 2010-07-23 12:36:08 UTC
Error is:

./bin/smbclient -k // -d 3
creating lame upcase table
creating lame lowcase table
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
params.c:OpenConfFile() - Unable to open configuration file "/usr/local/samba/lib/smb.conf":
        No such file or directory
Failed to load /usr/local/samba/lib/valid.dat - No such file or directory
creating default valid table
./bin/smbclient: Can't load /usr/local/samba/lib/smb.conf - run testparm to debug it
added interface eth1 ip=fe80::21b:21ff:fe2f:afa1%eth1 bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip= bcast= netmask=
Client started (version 3.5.4).
Connecting to at port 445
Doing spnego session setup (blob length=100)
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.48018.1.2.2
got principal=cifs/macpro@WIN2003.STARLASOFT.CO.UK
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration Wed, 21 Jul 2010 20:12:48 BST
ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
ads_krb5_get_fwd_ticket: krb5_fwd_tgt_creds failed (KDC can't fulfill requested option)
ads_krb5_get_fwd_ticket failed (KDC can't fulfill requested option)
cli_session_setup_blob: receive failed (NT_STATUS_ACCESS_DENIED)
SPNEGO login failed: Access denied
session setup failed: NT_STATUS_ACCESS_DENIED
Comment 3 Jeremy Allison 2010-07-23 12:59:41 UTC
Created attachment 5862 [details]
Patch for 3.5.x.

Patch for 3.5.5.

Comment 4 Simo Sorce 2010-07-23 13:03:59 UTC
Comment on attachment 5862 [details]
Patch for 3.5.x.

good to go
Comment 5 Jeremy Allison 2010-07-23 13:23:13 UTC
Created attachment 5863 [details]
Patch for 3.4.x.
Comment 6 Jeremy Allison 2010-07-24 11:37:47 UTC
Re-assigning to Karolin for inclusion.

Comment 7 Karolin Seeger 2010-07-27 01:42:54 UTC
(In reply to comment #3)
> Created an attachment (id=5862) [details]
> Patch for 3.5.x.
> Patch for 3.5.5.
> Jeremy.

Pushed to v3-5-test.
Comment 8 Karolin Seeger 2010-07-27 01:43:39 UTC
(In reply to comment #5)
> Created an attachment (id=5863) [details]
> Patch for 3.4.x.

Waiting for review flag.
Re-assigning to Simo.
Comment 9 Stefan Metzmacher 2010-12-23 11:54:51 UTC
Can you please check if the connection still works with the patch
(https://bugzilla.samba.org/attachment.cgi?id=6164) from