jcmturner / gokrb5

Pure Go Kerberos library for clients and services
Apache License 2.0
723 stars, 245 forks

Improve the support of gssapi/sasl, fully realize wraptoken. #460

Open kirbyzhou opened 2 years ago

kirbyzhou commented 2 years ago

Now, wrapToken.go only supports Wrap Tokens v2, defined in

https://datatracker.ietf.org/doc/html/rfc4121#section-4.2.6 (The Kerberos Version 5 GSS-API Mechanism: Version 2).

For backwards compatibility considerations, it should implement Wrap Tokens v1 defined in RFC 1964. See https://datatracker.ietf.org/doc/html/rfc4121#section-6 for backwards compatibility and https://datatracker.ietf.org/doc/html/rfc1964#section-1.2.2 for the old format.

Now, if we encounter a Kerberos setup which uses RC4, errors like this happen:

2022/03/16 18:36:59 failed to init session context while performing kerberos authentication, err: wrong Token ID. Expected 0504, was 6030
2022/03/16 18:36:59 failed to authorize with kerberos, err: wrong Token ID. Expected 0504, was 6030, zookeeper server: kb01.sa:2181
2022/03/16 18:36:59 error in resending auth creds: wrong Token ID. Expected 0504, was 6030

zhuliquan commented 2 years ago

@jcmturner I think you should make unwrap more compatible, like the Java implementation does.

gokrb5 implementation: https://github.com/jcmturner/gokrb5/blob/663478bf457f1fc3275973bea5b7b787cd332015/gssapi/wrapToken.go#L132

Java implementation: https://github.com/openjdk/jdk/blob/jdk-11+0/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Context.java#L1051
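
Added example, not code from gokrb5 or from the OpenJDK source linked above: a small Go parser that does the dispatch the two comments above ask for. It looks at the leading bytes to tell an RFC 4121 wrap token (TOK_ID 05 04, no framing) from an RFC 1964 wrap token, which arrives inside the RFC 2743 section 3.1 InitialContextToken framing: a 0x60 tag, a DER length, the Kerberos mechanism OID, then the RFC 1964 header. That framing is why the log shows 6030 instead of 0504: 0x60 is the tag and 0x30 is the length of a 48-byte token. The names ParseWrapHeader, WrapHeader, SampleTokens and KindWrap* are mine, the sample tokens are constructed with filler bytes in place of the encrypted fields, and the code only parses the headers; it does not verify checksums or decrypt anything.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// OID 1.2.840.113554.1.2.2 (Kerberos V5 mechanism, RFC 1964 1.1) as DER: tag, length, body.
var krb5MechOID = []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02}

// TokenKind: 1 = RFC 1964 wrap token in RFC 2743 3.1 framing, 2 = RFC 4121 4.2.6 token (05 04).
type TokenKind int

const KindWrapV1, KindWrapV2 TokenKind = 1, 2

// WrapHeader is the parsed fixed part of either token format (names are this example's own).
type WrapHeader struct {
	Kind    TokenKind
	TokID   uint16
	SgnAlg  [2]byte // v1 only; RFC 4757 uses 11 00 (HMAC) for RC4 contexts
	SealAlg [2]byte // v1 only; RFC 4757 uses 10 00 (RC4)
	Body    []byte  // bytes after the fixed header, still sealed/signed
}

// derLength decodes a definite-form DER length: value and bytes consumed.
func derLength(b []byte) (int, int, error) {
	switch {
	case len(b) == 0:
		return 0, 0, errors.New("truncated DER length")
	case b[0] < 0x80:
		return int(b[0]), 1, nil
	}
	n := int(b[0] & 0x7f)
	if n == 0 || n > 4 || len(b) < 1+n {
		return 0, 0, errors.New("unsupported or truncated DER length")
	}
	v := 0
	for _, c := range b[1 : 1+n] {
		v = v<<8 | int(c)
	}
	return v, 1 + n, nil
}

// ParseWrapHeader dispatches on the leading bytes instead of assuming RFC 4121;
// skipping this dispatch is what yields "Expected 0504, was 6030".
func ParseWrapHeader(tok []byte) (*WrapHeader, error) {
	if len(tok) < 2 {
		return nil, errors.New("token too short")
	}
	if tok[0] == 0x05 && tok[1] == 0x04 { // v2: TOK_ID Flags Filler EC RRC SND_SEQ = 16 bytes
		if len(tok) < 16 {
			return nil, errors.New("v2 wrap token header truncated")
		}
		return &WrapHeader{Kind: KindWrapV2, TokID: 0x0504, Body: tok[16:]}, nil
	}
	if tok[0] != 0x60 { // not [APPLICATION 0] InitialContextToken framing either
		return nil, fmt.Errorf("wrong Token ID. Expected 0504 or 60xx, was %02x%02x", tok[0], tok[1])
	}
	inner, n, err := derLength(tok[1:])
	if err != nil {
		return nil, err
	}
	rest := tok[1+n:]
	if len(rest) != inner || !bytes.HasPrefix(rest, krb5MechOID) {
		return nil, errors.New("bad framing length or not a Kerberos V5 mechanism token")
	}
	// RFC 1964 1.2.2: TOK_ID 02 01, SGN_ALG, SEAL_ALG, Filler ff ff, SND_SEQ(8), SGN_CKSUM(8).
	mech := rest[len(krb5MechOID):]
	if len(mech) < 24 {
		return nil, errors.New("v1 wrap token header truncated")
	}
	if id := binary.BigEndian.Uint16(mech[0:2]); id != 0x0201 {
		return nil, fmt.Errorf("v1 token is not a wrap token: TOK_ID %04x", id)
	}
	return &WrapHeader{Kind: KindWrapV1, TokID: 0x0201, SgnAlg: [2]byte{mech[2], mech[3]},
		SealAlg: [2]byte{mech[4], mech[5]}, Body: mech[24:]}, nil
}

// SampleTokens returns constructed vectors, not captured traffic: a 48-byte v1 token with
// RC4/HMAC algorithm codes (so it starts 60 30, as in the log) and a minimal v2 token.
func SampleTokens() (v1, v2 []byte) {
	mech := []byte{0x02, 0x01, 0x11, 0x00, 0x10, 0x00, 0xff, 0xff}
	mech = append(mech, bytes.Repeat([]byte{0xaa}, 8)...)  // SND_SEQ (filler, would be encrypted)
	mech = append(mech, bytes.Repeat([]byte{0xbb}, 8)...)  // SGN_CKSUM (filler)
	mech = append(mech, bytes.Repeat([]byte{0xcc}, 13)...) // confounder + 4 data + 1 pad (filler)
	inner := append(append([]byte{}, krb5MechOID...), mech...)
	v1 = append([]byte{0x60, byte(len(inner))}, inner...)
	v2 = append([]byte{0x05, 0x04, 0x02, 0xff, 0, 0, 0, 0}, make([]byte, 8)...) // 16-byte header
	return v1, append(v2, 0xde, 0xad)
}

func main() {
	v1, v2 := SampleTokens()
	for _, t := range [][]byte{v2, v1, {0x06, 0x30}} {
		fmt.Println(ParseWrapHeader(t))
	}
}
```

Running it prints the parsed headers for the constructed v2 and v1 tokens and a "wrong Token ID" error for a byte string that starts with neither 05 04 nor 0x60. A real unwrap would then branch on Kind: for v1, SgnAlg and SealAlg select the RFC 1964 or RFC 4757 checksum and cipher (11 00 and 10 00 for arcfour-hmac contexts), and SND_SEQ and SGN_CKSUM still have to be decrypted and verified before the body is trusted.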

doddys commented 2 years ago

I am also having this issue.

kirbyzhou commented 2 years ago

Setting the following lines in /etc/krb5.conf easily reproduces the problem:

[libdefaults]
default_tkt_enctypes = arcfour-hmac
default_tgs_enctypes = arcfour-hmac

2022/07/25 17:38:37 connected to 10.120.238.27:2181
2022/07/25 17:38:37 authenticated: id=75784111401558642, timeout=10000
2022/07/25 17:38:37 failed to init session context while performing kerberos authentication, err: wrong Token ID. Expected 0504, was 6030
2022/07/25 17:38:37 failed to authorize with kerberos, err: wrong Token ID. Expected 0504, was 6030, zookeeper server: kb01.sa:2181
2022/07/25 17:38:37 error in resending auth creds: wrong Token ID. Expected 0504, was 6030

MikhailMS commented 1 year ago

I've made some progress on the issue --> https://github.com/MikhailMS/gokrb5 - if anyone wants to check it against their Kafka, it would be appreciated.

If I can keep up the pace, it will soon be offered as a PR - so it would be up to the owner to include it in the next release, whenever that happens :)

veezhang commented 8 months ago

@MikhailMS I also have similar problems. So, can this PR solve your problem? Thanks!

no available namenodes: SASL handshake: wrong Token ID. Expect 0504, was 6030.