URL: https://www.ibm.com/support/pages/apar/IJ31990

IJ31990: KERBEROS KRBTGSREQ FAILS WITH SERVER NOT FOUND IN KERBEROS DATABASE.

APAR status

  • Closed as program error.

Error description

  • Error Message: N/A
    .
    Stack Trace: Java callstack:
    [KRB_DBG_KDC] KRBError:main: error Message is Server not found in Kerberos database
    [KRB_DBG_KDC] KRBError:main: sname is cifs/your.host.name.here.com@HOME.HOME.ON.THE.RANGE.COM
    [KRB_DBG_KDC] KRBError:main: msgType is 30
    com.ibm.security.krb5.KrbException, status code: 7
    message: :cifs/your.host.name.here.com@HOME.HOME.ON.THE.RANGE.COM
    at com.ibm.security.krb5.KrbTgsRep.<init>(Unknown Source)
    at com.ibm.security.krb5.KrbTgsReq.getReply(Unknown Source)
    at com.ibm.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
    at com.ibm.security.krb5.internal.l.b(Unknown Source)
    at com.ibm.security.krb5.internal.l.a(Unknown Source)
    at com.ibm.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    at com.ibm.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    at com.ibm.security.jgss.mech.krb5.g.a(Unknown Source)
    at com.ibm.security.jgss.mech.krb5.g.initSecContext(Unknown Source)
    at com.ibm.security.jgss.mech.spnego.SPNEGOContext.a(Unknown Source)
    at com.ibm.security.jgss.mech.spnego.SPNEGOContext.initSecContext(Unknown Source)
    at com.ibm.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at com.ibm.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at com.hierynomus.smbj.auth.SpnegoAuthenticator.authenticateSession(SpnegoAuthenticator.java:88)
    at com.hierynomus.smbj.auth.SpnegoAuthenticator.access$000(SpnegoAuthenticator.java:38)
    at com.hierynomus.smbj.auth.SpnegoAuthenticator$1.run(SpnegoAuthenticator.java:64)
    at com.hierynomus.smbj.auth.SpnegoAuthenticator$1.run(SpnegoAuthenticator.java:62)
    at java.security.AccessController.doPrivileged(AccessController.java:770)
    at javax.security.auth.Subject.doAs(Subject.java:570)
    at com.hierynomus.smbj.auth.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:62)
    at com.hierynomus.smbj.connection.Connection.processAuthenticationToken(Connection.java:224)
    at com.hierynomus.smbj.connection.Connection.authenticate(Connection.java:180)
    at com.wallyworld.file.download.KerberosAuthenticationPMR.downloadFilesUsingKBRAuth(KerberosAuthenticationPMR.java:97)
    at com.wallyworld.file.download.KerberosAuthenticationPMR.main(KerberosAuthenticationPMR.java:74)
    .
    

Local fix

  • N/A
    

Problem summary

  • The Krb5Name.getHostBasedNameString() method incorrectly
    performs a DNS lookup on host-based service names when the
    "dns_lookup_realm=true" option is set. This maps the original
    Kerberos target SPN to a random non-Kerberos SPN that is not
    registered with the KDC.
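
A triage helper for this failure, as an added example that is not IBM's code: it parses KRBError debug lines in the format shown in the stack trace above and compares the sname the KDC rejected with the SPN the application asked for, which separates a name rewritten before the TGS request from an SPN that is simply not registered. The sample log, host names and function names are constructed for illustration, and the field order (msgType closing each error) is assumed from the trace.

```python
import re

# Constructed sample in the debug format shown in this APAR; host names are made up.
SAMPLE_LOG = """\
[KRB_DBG_KDC] KRBError:main: error Message is Server not found in Kerberos database
[KRB_DBG_KDC] KRBError:main: sname is cifs/nas01-mgmt.storage.example.net@EXAMPLE.COM
[KRB_DBG_KDC] KRBError:main: msgType is 30
"""

FIELD = re.compile(r"KRBError:\S+\s+(error Message|sname|msgType) is\s+(.*)")

def parse_krb_errors(log_text):
    """Group KRBError debug lines into one dict per error (msgType closes a group)."""
    # This page shows the brackets as <OSB>/<CSB> tokens; accept both spellings.
    text = log_text.replace("<OSB>", "[").replace("<CSB>", "]")
    errors, current = [], {}
    for line in text.splitlines():
        m = FIELD.search(line)
        if not m:
            continue
        current[m.group(1)] = m.group(2).strip()
        if m.group(1) == "msgType":
            errors.append(current)
            current = {}
    if current:  # trailing, incomplete group
        errors.append(current)
    return errors

def split_spn(spn):
    """Split service/host@REALM into (service, host, realm); host is lower-cased."""
    name, _, realm = spn.partition("@")
    service, _, host = name.partition("/")
    return service, host.rstrip(".").lower(), realm

def triage(requested_spn, log_text):
    """Classify 'Server not found' errors against the SPN the application asked for."""
    want = split_spn(requested_spn)[:2]
    findings = []
    for err in parse_krb_errors(log_text):
        if "not found in Kerberos database" not in err.get("error Message", ""):
            continue
        sname = err.get("sname", "")
        same = split_spn(sname)[:2] == want
        findings.append(("spn-not-registered" if same
                         else "spn-rewritten-before-tgs-req", sname))
    return findings
```

A "spn-rewritten-before-tgs-req" finding on a runtime older than the fix packs listed below points at this APAR; "spn-not-registered" points at a missing SPN registration on the KDC instead.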
    

Problem conclusion

  • Per RFC 4102, removed the host-based service DNS lookup code
    from the Krb5Name.getHostBasedNameString() method.
    The files affected by this APAR are: ibmjgssprovider.jar (Java
    7 & 7.1: build_20210405--70, Java 8: build_20210405--69).
    The associated Hursley RTC Problem Report is 145158.
    The associated Austin Git issue is Issue# 16 for IBMJGSS.
    The associated Austin APAR issue is IJ31054.
    The fix was delivered for: Java 7.0 SR10 FP90, Java 7.1 SR4
    FP90, & Java 8.0 SR6 FP35.
    .
    This APAR will be fixed in the following Java Releases:
     8 SR6 FP35 (8.0.6.35)
     7 SR10 FP90 (7.0.10.90)
     7 R1 SR4 FP90 (7.1.4.90)
    .
    Contact your IBM Product's Service Team for these Service
    Refreshes and Fix Packs.
    For those running stand-alone, information about the available
    Service Refreshes and Fix Packs can be found at:
     https://www.ibm.com/developerworks/java/jdk/
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ31990

  • Reported component name

    SECURITY

  • Reported component ID

    620700125

  • Reported release

    270

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-04-06

  • Closed date

    2021-04-09

  • Last modified date

    2021-04-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SECURITY

  • Fixed component ID

    620700125

Applicable component levels


Document Information

Modified date:
10 April 2021