Reported by Gary Spencer <gk.spencer@mac.com>

I'm the author of the Java based CIFS server JLAN Server, which has been owned by the open source company Alfresco for a while now. The JLAN Server code is used within Alfresco's content management system to provide CIFS/FTP/NFS access, as well as being available for use as a component in other projects.

The JLAN Server code supports Kerberos logons from AD clients but we have a problem when trying to connect using the smbclient application when Kerberos is used. The problem seems to be due to a mismatch in the type of checksum that the Java JDK runtime code expects for the authenticator checksum in the Kerberos ticket.

In the JDK source code I have found a check which tests to see if the checksum starts with the bytes 0x10, 0x00, 0x00, 0x00, here's the output from Wireshark :-

Authenticator
    Authenticator vno: 5
    Client Realm: ALFRESCO.ORG
    Client Name (Principal): gkspencer
    Checksum Type: gssapi-8003 (32771)
    checksum: 100000000000000000000000000000000000000001000000...
        Length: 16
        Bnd: 00000000000000000000000000000000
        .... .... .... .... ...0 .... .... .... = DCE-style: Not using DCE-STYLE
        .... .... .... .... .... .... ..0. .... = Integ: Do NOT use integrity protection
        .... .... .... .... .... .... ...0 .... = Conf: Do NOT use Confidentiality (sealing)
        .... .... .... .... .... .... .... 0... = Sequence: Do NOT enable out-of-sequence detection
        .... .... .... .... .... .... .... .0.. = Replay: Do NOT enable replay protection
        .... .... .... .... .... .... .... ..0. = Mutual: Mutual authentication NOT required
        .... .... .... .... .... .... .... ...1 = Deleg: Delegate credentials to remote peer
        DlgOpt: 1
        DlgLen: 646
        CRED_BODY
            KRB-CRED

This check fails with the following Java error on the server side :-

GSSException: Failure unspecified at GSS-API level (Mechanism level: Incorrect checksum)
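The checksum structure Wireshark decodes above, as an added Python example (this is not code from JLAN, the JDK or Samba): it builds and parses the cksumtype 0x8003 authenticator checksum from RFC 4121 section 4.1.1, applies the same leading test the JDK does (the 4-byte Lgth field must read 10 00 00 00, i.e. 16 in little-endian), and then checks the DlgOpt/Dlgth/Deleg fields that must follow when the Deleg flag is set. SAMPLE_KRB_CRED is a constructed placeholder rather than a real forwarded TGT, and the function names are mine.

```python
"""Build/parse the GSS-API Kerberos authenticator checksum (cksumtype 0x8003, RFC 4121 s4.1.1)."""
import struct

# GSS flag bits carried in the checksum's little-endian Flags word.
FLAG_BITS = {
    "DELEG": 0x0001, "MUTUAL": 0x0002, "REPLAY": 0x0004, "SEQUENCE": 0x0008,
    "CONF": 0x0010, "INTEG": 0x0020, "DCE_STYLE": 0x1000,
}
GSS_C_DELEG_FLAG = FLAG_BITS["DELEG"]
BND_LENGTH = 16            # the Lgth field must always be 16 (bytes 10 00 00 00)

# Constructed placeholder for the Deleg field: an empty KRB-CRED, i.e. the DER
# tag for [APPLICATION 22] (0x76) wrapping an empty SEQUENCE. A real client puts
# a forwarded TGT here (646 bytes in the capture above). Not a real ticket.
SAMPLE_KRB_CRED = b"\x76\x02\x30\x00"


class ChecksumError(ValueError):
    """Raised for a checksum an acceptor has to reject."""


def build_gssapi_checksum(flags, deleg=None, bnd=b"\x00" * BND_LENGTH):
    """Serialise Lgth | Bnd | Flags [| DlgOpt | Dlgth | Deleg], all little-endian."""
    if len(bnd) != BND_LENGTH:
        raise ValueError("Bnd must be 16 bytes")
    out = struct.pack("<I", BND_LENGTH) + bnd + struct.pack("<I", flags)
    if deleg is not None:
        out += struct.pack("<HH", 1, len(deleg)) + deleg   # DlgOpt=1, then Dlgth
    return out


def parse_gssapi_checksum(data):
    """Parse and validate; raises ChecksumError wherever an acceptor must refuse."""
    if len(data) < 24:
        raise ChecksumError("checksum too short (%d bytes), need Lgth+Bnd+Flags" % len(data))
    lgth = struct.unpack_from("<I", data, 0)[0]
    if lgth != BND_LENGTH:
        # Same condition the JDK's InitialToken.OverloadedChecksum tests first:
        # the checksum has to open with 10 00 00 00.
        raise ChecksumError("Lgth is %d, expected 16" % lgth)
    bnd = data[4:20]
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 24
    deleg = None
    if flags & GSS_C_DELEG_FLAG:
        # Deleg set means DlgOpt, Dlgth and a KRB-CRED must be present.
        if len(data) < pos + 4:
            raise ChecksumError("DELEG flag set but DlgOpt/Dlgth absent")
        dlgopt, dlgth = struct.unpack_from("<HH", data, pos)
        pos += 4
        if dlgopt != 1:
            raise ChecksumError("DlgOpt is %d, RFC 4121 defines only 1" % dlgopt)
        deleg = data[pos:pos + dlgth]
        if len(deleg) != dlgth:
            raise ChecksumError("Dlgth says %d bytes of KRB-CRED, only %d present"
                                % (dlgth, len(deleg)))
        if deleg[:1] != b"\x76":
            raise ChecksumError("Deleg does not start with the KRB-CRED [APPLICATION 22] tag")
        pos += dlgth
    return {
        "bnd": bnd,
        "flags": flags,
        "flag_names": [name for name, bit in FLAG_BITS.items() if flags & bit],
        "deleg": deleg,
        "extensions": data[pos:],   # RFC 4121 Exts, if any follow
    }


def validate(data):
    """Return None if the checksum parses cleanly, otherwise the rejection reason."""
    try:
        parse_gssapi_checksum(data)
        return None
    except ChecksumError as exc:
        return str(exc)


if __name__ == "__main__":
    good = build_gssapi_checksum(GSS_C_DELEG_FLAG, SAMPLE_KRB_CRED)
    print(good.hex(), parse_gssapi_checksum(good)["flag_names"])
    # A client that sets Deleg but sends nothing after Flags is refused by the
    # same acceptor logic, as is one whose Lgth is not 16.
    print(validate(build_gssapi_checksum(GSS_C_DELEG_FLAG)))
    print(validate(b"\x20\x00\x00\x00" + b"\x00" * 20))
```

Running the block prints the hex of a 32-byte checksum whose first four bytes are 10 00 00 00 and whose Flags word is 01 00 00 00 (Deleg only), matching the fields in the Wireshark decode, followed by the two rejection reasons.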
More data:
-----------------------------------------------------------------

Hi Jeremy,

This is the stacktrace from the Java exception, I haven't included the whole trace as it's quite deep and you only really need the first few levels to see which JDK classes are being used, this is running under a Java6+ JVM :-

15:39:00,347 ERROR [org.alfresco.fileserver] GSSException: Failure unspecified at GSS-API level (Mechanism level: Incorrect checksum)
15:39:00,347 ERROR [org.alfresco.fileserver]    at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(InitialToken.java:201)
15:39:00,347 ERROR [org.alfresco.fileserver]    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:102)
15:39:00,347 ERROR [org.alfresco.fileserver]    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
15:39:00,347 ERROR [org.alfresco.fileserver]    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
15:39:00,347 ERROR [org.alfresco.fileserver]    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
15:39:00,347 ERROR [org.alfresco.fileserver]    at org.alfresco.jlan.server.auth.kerberos.SessionSetupPrivilegedAction.run(SessionSetupPrivilegedAction.java:102)
15:39:00,347 ERROR [org.alfresco.fileserver]    at java.security.AccessController.doPrivileged(Native Method)
15:39:00,347 ERROR [org.alfresco.fileserver]    at javax.security.auth.Subject.doAs(Subject.java:337)
15:39:00,347 ERROR [org.alfresco.fileserver]    at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.doKerberosLogon(EnterpriseCifsAuthenticator.java:1402)
15:39:00,347 ERROR [org.alfresco.fileserver]    at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.doSpnegoSessionSetup(EnterpriseCifsAuthenticator.java:1282)

The exception comes from the OverloadedChecksum inner class that is in the InitialToken.java module, that's buried down in the j2se/src/share/classes/sun/security/jgss/krb5 folder within the Java6 JDK source tree.
I've attached a zip with the jgss/ and subfolders modules which may be enough information to save downloading the whole JDK source.
Error is:

./bin/smbclient -k //192.168.1.2/alfresco -d 3
creating lame upcase table
creating lame lowcase table
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
params.c:OpenConfFile() - Unable to open configuration file "/usr/local/samba/lib/smb.conf": No such file or directory
Failed to load /usr/local/samba/lib/valid.dat - No such file or directory
creating default valid table
./bin/smbclient: Can't load /usr/local/samba/lib/smb.conf - run testparm to debug it
added interface eth1 ip=fe80::21b:21ff:fe2f:afa1%eth1 bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=192.168.1.40 bcast=192.168.1.255 netmask=255.255.255.0
Client started (version 3.5.4).
Connecting to 192.168.1.2 at port 445
Doing spnego session setup (blob length=100)
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.48018.1.2.2
got principal=cifs/macpro@WIN2003.STARLASOFT.CO.UK
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration Wed, 21 Jul 2010 20:12:48 BST
ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
ads_krb5_get_fwd_ticket: krb5_fwd_tgt_creds failed (KDC can't fulfill requested option)
ads_krb5_get_fwd_ticket failed (KDC can't fulfill requested option)
cli_session_setup_blob: receive failed (NT_STATUS_ACCESS_DENIED)
SPNEGO login failed: Access denied
session setup failed: NT_STATUS_ACCESS_DENIED
Created attachment 5862 [details]
Patch for 3.5.x.

Patch for 3.5.5.

Jeremy.
Comment on attachment 5862 [details]
Patch for 3.5.x.

good to go
Created attachment 5863 [details]
Patch for 3.4.x.
Re-assigning to Karolin for inclusion. Jeremy.
(In reply to comment #3)
> Created an attachment (id=5862) [details]
> Patch for 3.5.x.
>
> Patch for 3.5.5.
>
> Jeremy.
>

Pushed to v3-5-test.
(In reply to comment #5)
> Created an attachment (id=5863) [details]
> Patch for 3.4.x.
>

Waiting for review flag. Re-assigning to Simo.
Can you please check if the connection still works with the patch (https://bugzilla.samba.org/attachment.cgi?id=6164) from https://bugzilla.samba.org/show_bug.cgi?id=7883