[Building Sakai] A recent outage caused by Kerberos upgrade.

Lydia Li lydial at stanford.edu
Wed Apr 28 12:00:06 PDT 2010


Hi,

     This past weekend our IT upgraded campus Kerberos to Heimdal, 
which caused a flood of help tickets filed by users failing to log in to 
our Sakai production site.  IT decided to roll back their upgrade after 
a few hours.

     The culprit is a hard-coded string in Sakai's code.  Our 
UserDirectoryProvider implementation is based on Sakai's 
KerberosUserDirectoryProvider.java.  During login, Sakai tries to get 
user information from LDAP.  getUser() calls userKnownToKerberos to check 
whether a user is a valid Kerberos user.  It determines this by 
simply attempting a LoginContext.login() with the valid user id and a 
'dummy' password, then parses the resulting text error message and 
looks for a string like this:

       protected String m_knownusermsg = "Integrity check on decrypted field failed";

       The block of code in userKnownToKerberos(String user) looks like 
this:

        try
        {
                // attempt authentication with the dummy password
                lc.login();
                lc.logout();

                if (m_logger.isDebugEnabled())
                        m_logger.debug(this + ".userKnownToKerberos(" + user + "): Kerberos auth success");

                return true;
        }
        catch (LoginException le)
        {
                String msg = le.getMessage();

                // if this is the message, the user was good, the password was bad
                if (msg.startsWith(m_knownusermsg))
                {
                        if (m_logger.isDebugEnabled())
                                m_logger.debug(this + ".userKnownToKerberos(" + user + "): Kerberos user known (bad pw)");

                        return true;
                }

                // any other message is taken to mean the user is bad (unknown):
                if (m_logger.isDebugEnabled())
                        m_logger.debug(this + ".userKnownToKerberos(" + user + "): Kerberos user unknown or invalid");

                return false;
        }

      This m_knownusermsg apparently is different for Heimdal Kerberos, 
so this method returned false and caused the authenticate() method to 
return false.

      I can modify the code to check for additional text strings, or 
possibly move the strings out to a properties file.  However, I'm 
wondering if there is a better way to check whether a user is known to 
Kerberos, without having to log in with a dummy password and parse the 
returned message.  Have any other schools encountered this problem and 
attempted to fix it?  Thanks in advance for your ideas and help.


thanks,
Lydia
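As an added illustration of the "move the strings out to a properties file" option from the post above (this is not Sakai's code and not from the original message), the classifier below matches the LoginException text against configurable prefixes and logs anything it does not recognize at WARNING, so a KDC change like the Heimdal upgrade surfaces in the logs instead of only as failed logins. The property key names kerberos.knownusermsg.N and kerberos.unknownusermsg.N, and the sample message strings in main(), are assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.logging.Logger;

// Classifies the LoginException text from a dummy-password LoginContext.login()
// using prefixes read from a properties file rather than one hard-coded string.
public class KerberosMessageClassifier {
    public enum Verdict { KNOWN_USER_BAD_PASSWORD, UNKNOWN_USER, UNRECOGNIZED }
    private static final Logger LOG = Logger.getLogger(KerberosMessageClassifier.class.getName());
    private final List<String> knownPrefixes = new ArrayList<String>();
    private final List<String> unknownPrefixes = new ArrayList<String>();

    // Property names kerberos.knownusermsg.N / kerberos.unknownusermsg.N are hypothetical.
    public KerberosMessageClassifier(Properties props) {
        load(props, "kerberos.knownusermsg.", knownPrefixes);
        load(props, "kerberos.unknownusermsg.", unknownPrefixes);
    }

    private static void load(Properties props, String keyPrefix, List<String> into) {
        for (int i = 1; props.getProperty(keyPrefix + i) != null; i++) {
            into.add(props.getProperty(keyPrefix + i).trim());
        }
    }

    public Verdict classify(String msg) {
        if (msg == null) return Verdict.UNRECOGNIZED;
        for (String p : knownPrefixes) if (msg.startsWith(p)) return Verdict.KNOWN_USER_BAD_PASSWORD;
        for (String p : unknownPrefixes) if (msg.startsWith(p)) return Verdict.UNKNOWN_USER;
        // Text matching neither list is what a KDC change (such as the Heimdal upgrade)
        // produces; log it at WARNING so the cause shows up before the help tickets do.
        LOG.warning("Unrecognized Kerberos login failure text, treating user as unknown: " + msg);
        return Verdict.UNRECOGNIZED;
    }

    // Replacement for the startsWith(m_knownusermsg) test; fails closed on anything unrecognized.
    public boolean userKnownToKerberos(String loginExceptionMessage) {
        return classify(loginExceptionMessage) == Verdict.KNOWN_USER_BAD_PASSWORD;
    }
    public static void main(String[] args) {
        Properties p = new Properties();  // constructed sample values for this example
        p.setProperty("kerberos.knownusermsg.1", "Integrity check on decrypted field failed");
        p.setProperty("kerberos.knownusermsg.2", "<HEIMDAL-BAD-PASSWORD-TEXT-PLACEHOLDER>");
        p.setProperty("kerberos.unknownusermsg.1", "Client not found in Kerberos database");
        KerberosMessageClassifier c = new KerberosMessageClassifier(p);
        System.out.println(c.classify("Integrity check on decrypted field failed (31)"));
        System.out.println(c.userKnownToKerberos("unexpected text from a different KDC"));
    }
}
```

Matching still depends on message text, so the list needs an entry per KDC implementation; the warning line is what tells an operator that a new entry is required.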
