0 Replies Latest reply: Feb 24, 2010 6:42 AM by 843810

    Kerberos on Apache Dir Server

    843810
      Hi all

      I have set up the Kerberos sample program as per http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/BasicClientServer.html
      I also set up the KDC on Apache Directory Server as mentioned here: http://thejavamonkey.blogspot.com/2008/07/using-apache-directory-server-as-kdc.html

      I am getting GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))

      How can I fix this problem?
      Are there any links on how to set up Kerberos on AD?


      C:\NeoWork\Kerboros\PlainKerboros\Client>java -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=localhost -Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.krb5.debug=true -Djava.security.auth.login.config=bcsLogin.conf SampleClient webserver/inenvasudrl3c@EXAMPLE.COM localhost 6800
      Connected to server localhost/127.0.0.1
      Kerberos username [vasudr]: monkey@EXAMPLE.COM
      Kerberos password for monkey@EXAMPLE.COM: Password99krb5
      Using builtin default etypes for default_tkt_enctypes
      default etypes for default_tkt_enctypes: 3 1 23 16 17.
      Using builtin default etypes for default_tkt_enctypes
      default etypes for default_tkt_enctypes: 3 1 23 16 17.
      KrbAsReq calling createMessage
      KrbAsReq in createMessage
      KrbKdcReq send: kdc=localhost UDP:88, timeout=30000, number of retries =3, #bytes=145
      KDCCommunication: kdc=localhost UDP:88, timeout=30000,Attempt =1, #bytes=145
      KrbKdcReq send: #bytes read=135
      KrbKdcReq send: #bytes read=135
      KDCRep: init() encoding tag is 126 req type is 11
      KRBError:
      sTime is Wed Feb 24 18:04:26 IST 2010 1267014866000
      suSec is 0
      error code is 6
      error Message is Client not found in Kerberos database
      realm is EXAMPLE.COM
      sname is krbtgt/EXAMPLE.COM
      msgType is 30
      KRBError received: Client not found in Kerberos database
      GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
      at sun.security.jgss.krb5.Krb5InitCredential.getTgtFromSubject(Unknown Source)
      at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
      at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
      at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
      at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
      at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
      at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
      at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
      at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
      at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
      at SampleClient.main(SampleClient.java:144)
      Caused by: javax.security.auth.login.LoginException: Client not found in Kerberos database (6) - Client not found in Kerberos database
      at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
      at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
      at javax.security.auth.login.LoginContext.invoke(Unknown Source)
      at javax.security.auth.login.LoginContext.access$000(Unknown Source)
      at javax.security.auth.login.LoginContext$4.run(Unknown Source)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
      at javax.security.auth.login.LoginContext.login(Unknown Source)
      at sun.security.jgss.LoginUtility.login(Unknown Source)
      at sun.security.jgss.krb5.Krb5Util.getTicketFromSubject(Unknown Source)
      at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
      at java.security.AccessController.doPrivileged(Native Method)
      ... 11 more
      Caused by: KrbException: Client not found in Kerberos database (6) - Client not found in Kerberos database
      at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
      at sun.security.krb5.KrbAsReq.getReply(Unknown Source)
      at sun.security.krb5.Credentials.sendASRequest(Unknown Source)
      at sun.security.krb5.Credentials.acquireTGT(Unknown Source)
      ... 27 more
      Caused by: KrbException: Identifier doesn't match expected value (906)
      at sun.security.krb5.internal.KDCRep.init(Unknown Source)
      at sun.security.krb5.internal.ASRep.init(Unknown Source)
      at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
      ... 31 more
      Exception in thread "main" GSSException: No valid credentials provided
      at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
      at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
      at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
      at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
      at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
      at SampleClient.main(SampleClient.java:144)
      C:\NeoWork\Kerboros\PlainKerboros\Client>

      My LDIF file configuration for Apache Directory Server.
      ---------------------------------------------------------------------------------
      # Web server identity/service principal.
      # Note: the client command line requests webserver/inenvasudrl3c@EXAMPLE.COM.
      # Kerberos principal names are case-sensitive, so the host part stored here
      # must match the spelling the client asks for exactly.
      dn: uid=webserver,ou=users,dc=example,dc=com
      objectclass: top
      objectclass: person
      objectclass: inetOrgPerson
      objectclass: krb5Principal
      objectclass: krb5KDCEntry
      cn: Web Server
      sn: Web Server
      uid: webserver
      userpassword: Password99
      krb5PrincipalName: webserver/INENVASUDRL3C@EXAMPLE.COM
      # krb5KDCEntry requires a key version number in the ApacheDS krb5kdc schema.
      krb5KeyVersionNumber: 0

      # User / client principal.
      dn: uid=monkey,ou=users,dc=example,dc=com
      objectclass: top
      objectclass: person
      objectclass: inetOrgPerson
      objectclass: krb5Principal
      objectclass: krb5KDCEntry
      cn: Monkey
      sn: Monkey
      uid: monkey
      userpassword: Password99krb5
      # Was "PrincipalName", which is not a schema attribute. Without a
      # krb5PrincipalName the KDC cannot look up monkey@EXAMPLE.COM and answers
      # "Client not found in Kerberos database" (error code 6).
      krb5PrincipalName: monkey@EXAMPLE.COM
      krb5KeyVersionNumber: 0

      # Ticket Granting Service.
      dn: uid=krbtgt,ou=users,dc=example,dc=com
      objectclass: top
      objectclass: person
      objectclass: inetOrgPerson
      objectclass: krb5Principal
      objectclass: krb5KDCEntry
      cn: KDC Service
      sn: KDC Service
      # uid must match the RDN of the dn (was "krbtgtuser").
      uid: krbtgt
      # The attribute is userpassword (was "password").
      userpassword: randomKeykrb5
      # Was "PrincipalName"; see the note on the client entry above.
      krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
      krb5KeyVersionNumber: 0
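The KRBError above (error code 6, Client not found in Kerberos database, with sname krbtgt/EXAMPLE.COM) is the KDC saying it could not find an entry whose krb5PrincipalName equals the requested client name. The following Python lint is an added example, not code from the post or from ApacheDS: it parses the posted LDIF (embedded as constructed sample input, trimmed to the attributes that matter and with the original typos kept) and reports the mistakes that make a principal invisible to the KDC, then checks the three principal names the failing run actually asks for, case-sensitively. It assumes the ApacheDS krb5kdc schema rules that a krb5KDCEntry must carry krb5PrincipalName and krb5KeyVersionNumber, that the tutorial's KDC derives keys from userPassword, and that the RDN value in the dn must appear among that attribute's values; base64 (::) values and continuation lines are not handled.

```python
"""Lint an ApacheDS Kerberos LDIF for the mistakes behind KRB error 6.

Added example, not from the forum post or ApacheDS. Assumed rules: a
krb5KDCEntry needs krb5PrincipalName and krb5KeyVersionNumber (MUST in the
ApacheDS krb5kdc schema) and userPassword (the tutorial's KDC derives keys
from it); the dn's RDN value must be among the entry's values for that
attribute; principal names compare case-sensitively, as Kerberos does.
"""

REQUIRED_KDC_ATTRS = ("krb5principalname", "krb5keyversionnumber", "userpassword")

# Constructed sample input: the posted LDIF, typos included, trimmed to the
# attributes the KDC cares about (cn/sn/person classes omitted for brevity).
LDIF_SAMPLE = """\
# Web server identity/service principal.
dn: uid=webserver,ou=users,dc=example,dc=com
objectclass: krb5KDCEntry
uid: webserver
userpassword: Password99
krb5PrincipalName: webserver/INENVASUDRL3C@EXAMPLE.COM
# User / client principal.
dn: uid=monkey,ou=users,dc=example,dc=com
objectclass: krb5KDCEntry
uid: monkey
userpassword: Password99krb5
PrincipalName: monkey@EXAMPLE.COM
# Ticket Granting Service.
dn: uid=krbtgt,ou=users,dc=example,dc=com
objectclass: krb5KDCEntry
uid: krbtgtuser
password: randomKeykrb5
PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Principals the failing run asks for: the client name typed at the prompt,
# the service principal on the command line, and the KRBError's sname.
REQUESTED_PRINCIPALS = (
    "monkey@EXAMPLE.COM",
    "webserver/inenvasudrl3c@EXAMPLE.COM",
    "krbtgt/EXAMPLE.COM@EXAMPLE.COM",
)


def parse_ldif(text):
    """Return (entries, unseparated): entries is a list of
    (dn, {attr_lowercase: [values]}); unseparated lists dns that begin
    without the blank line LDIF requires between entries."""
    entries, unseparated = [], []
    attrs, after_blank = None, True
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            after_blank = True
            continue
        if line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            if attrs is not None and not after_blank:
                unseparated.append(value)
            attrs = {}
            entries.append((value, attrs))
        elif attrs is not None:
            attrs.setdefault(name, []).append(value)
        after_blank = False
    return entries, unseparated


def lint_kdc_entries(text, requested=()):
    """Return human-readable findings; an empty list means every principal
    the KDC is asked for is defined with the attributes it needs."""
    entries, unseparated = parse_ldif(text)
    findings = [f"{dn}: no blank line before this entry (LDIF needs one)"
                for dn in unseparated]
    defined = set()
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "krb5kdcentry" not in classes:
            continue  # not a Kerberos principal; the KDC never consults it
        for req in REQUIRED_KDC_ATTRS:
            if req in attrs:
                continue
            # A truncated attribute name (PrincipalName, password) is the usual
            # cause: LDAP stores it verbatim, the KDC never sees it.
            typo = [n for n in attrs if n != req and req.endswith(n)]
            hint = f" (found '{typo[0]}' instead)" if typo else ""
            findings.append(f"{dn}: missing {req}{hint}")
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        rdn_attr, rdn_val = rdn_attr.strip().lower(), rdn_val.strip()
        if rdn_attr in attrs and rdn_val not in attrs[rdn_attr]:
            findings.append(f"{dn}: RDN value '{rdn_val}' is not among "
                            f"{rdn_attr} values {attrs[rdn_attr]}")
        defined.update(attrs.get("krb5principalname", []))
    for name in requested:
        if name in defined:
            continue
        near = [d for d in defined if d.lower() == name.lower()]
        hint = (f" (only '{near[0]}' exists; principal names are "
                "case-sensitive)") if near else ""
        findings.append(f"requested principal {name} is not defined{hint}")
    return findings


if __name__ == "__main__":
    for finding in lint_kdc_entries(LDIF_SAMPLE, REQUESTED_PRINCIPALS):
        print(finding)
```

Run against the posted file it reports the missing krb5PrincipalName on the monkey and krbtgt entries (the direct cause of error 6 for monkey@EXAMPLE.COM), the password/userpassword and uid/RDN mismatches on the krbtgt entry, the missing key version numbers, and that the service principal requested as webserver/inenvasudrl3c@EXAMPLE.COM only exists with an upper-case host part, which would fail the TGS step once the AS step works.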