
Kerberos TGT From Memory

843810 Member Posts: 46,938
edited Jun 18, 2010 3:49PM in Kerberos & Java GSS (JGSS)
I am rather new to Kerberos. Our workstations when logging in already have a TGT stored in memory.

I have been trying to find a way to pull this information from the memory cache. Is this even possible? If so, where should I begin?

Thanks!

Comments

  • 843810
    The Java Krb5LoginModule allows you to use the native in-memory Kerberos ticket.

    For details refer to the Java GSS programming guide:
    http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/lab/index.html

    Seema
  • 843810
    Thanks for the quick reply.
  • 843810
    edited Apr 6, 2007 10:13AM
    I'm still doing something wrong. I have a simple login setup to authenticate. However, it is still prompting for my password.

    I got this error:

    Kerberos password for <principal>: <password>
    Authentication failed:
    Pre-authentication information was invalid (24) - PREAUTH_FAILED


    In my client config:
    Client {  // entry name assumed; the post omitted the surrounding entry
        com.sun.security.auth.module.Krb5LoginModule required
            useTicketCache=true
            principal="<principal>";
    };

    I can add doNotPrompt=true

    then I get:
    Authentication failed:
    Unable to obtain password from user

    Message was edited by:
    jjhusa01
  • 843810
    Here is my debug

    Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is isInitiator true KeyTab is null refreshKrb5Config is false principal is <principal> tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Acquire TGT from Cache
    Principal is <principal>
    null credentials from Ticket Cache
    [Krb5LoginModule] authentication failed
    Unable to obtain password from user

    Authentication failed:
    Unable to obtain password from user
  • 843810
    I got it working. Apparently, it had to do with encryption. We are using Java 1.5 and it doesn't support AES256. I adjusted it to use Triple DES and it worked fine. However, I cannot read it from the PIPE cache.
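The ticket-cache login and the enctype problem worked through in the posts above, as an added example that is not part of the original thread: a stand-alone Java program that builds the Krb5LoginModule configuration in code (so no jaas.conf file is needed), logs in with useTicketCache=true and doNotPrompt=true, and then lists the tickets it found together with their session-key enctype. The entry name TgtFromCache, the optional cache-path argument and the small enctype table are assumptions made for this illustration; the cache must be a FILE: cache (or the Windows LSA cache), which are the only native caches the module reads.

```java
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example (not from the thread): acquire a TGT from an existing native
 * credential cache with Krb5LoginModule, never prompting for a password, and
 * show what the cache held.
 *
 * Usage:  java TgtFromCache [FILE:/tmp/krb5cc_1000]
 * With no argument the module looks at $KRB5CCNAME, then /tmp/krb5cc_<uid>.
 */
public class TgtFromCache {

    /** Programmatic equivalent of the jaas.conf entry discussed in the thread. */
    static Configuration cacheOnlyConfig(final String ticketCache) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("useTicketCache", "true");  // read the native cache...
                opts.put("doNotPrompt", "true");     // ...and fail instead of prompting
                opts.put("renewTGT", "false");
                opts.put("debug", "true");           // same diagnostics as the posts above
                if (ticketCache != null) {
                    opts.put("ticketCache", ticketCache);  // assumed arg, e.g. FILE:/tmp/krb5cc_1000
                }
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
    }

    /** Enctype numbers from RFC 3961/3962/4757; a display-only subset (assumed). */
    static String etypeName(int etype) {
        switch (etype) {
            case 1:  return "des-cbc-crc";
            case 3:  return "des-cbc-md5";
            case 16: return "des3-cbc-sha1";
            case 17: return "aes128-cts-hmac-sha1-96";
            case 18: return "aes256-cts-hmac-sha1-96";
            case 23: return "rc4-hmac";
            default: return "etype " + etype;
        }
    }

    public static void main(String[] args) throws LoginException {
        String cache = args.length > 0 ? args[0] : null;   // null = module's default lookup
        LoginContext lc = new LoginContext("TgtFromCache", null, null, cacheOnlyConfig(cache));
        // With doNotPrompt=true a missing, expired or unreadable cache surfaces as
        // LoginException("Unable to obtain password from user"), not as a bad password.
        lc.login();
        Subject subject = lc.getSubject();
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.println("client      : " + t.getClient());
            System.out.println("server      : " + t.getServer());
            System.out.println("session key : " + etypeName(t.getSessionKeyType()));
            System.out.println("valid       : " + t.getStartTime() + " .. " + t.getEndTime());
            System.out.println("forwardable : " + t.isForwardable()
                             + ", renewable: " + t.isRenewable()
                             + ", current: " + t.isCurrent());
        }
        lc.logout();
    }
}
```

Two checks are worth doing before blaming the configuration. First, compare the session-key enctype printed here (or shown by `klist -e`) with what the JRE can actually use: the thread's Java 1.5 had no AES256 at all, and Java 6 and 7 needed the unlimited-strength JCE policy files for 256-bit AES (the unlimited policy only became the default in 8u161), so an AES256 cache written by a modern kinit reads back as "null credentials from Ticket Cache". Second, the module understands only FILE: caches: it takes KRB5CCNAME as a file path after stripping a FILE: prefix, so a KRB5CCNAME of PIPE:1234, as in this thread, will simply not be found. Keep doNotPrompt=true for anything headless; the alternative is a process that blocks on a password prompt nobody will answer.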
  • 843810
    edited Apr 17, 2007 9:21AM
    Sorry to bump this. But between looking for information and feeling I may have not accurately described my problem, I decided to post again. Hopefully giving a clearer picture of what I am looking at.

    First, let me try to explain what I am working with.

    OS: RedHat Enterprise & CentOS
    Location of TGT: PIPE:#### stored in memory
    Java Version: Java(TM) SE Runtime Environment (build 1.6.0_01-b06)


    At log on, the PIPE is created in memory and given a four-digit number. This is where the credential cache is stored. From what I understand, this is most likely considered an "unnamed" pipe. Therefore, only the parent/child processes can access this. I believe this is where my problem is coming from. I need a separate Java application to access this and authenticate to use other Java applications.

    I have used the examples Seema has posted. I can get it to work only with a file ccache. I generally set the file to /tmp/krb5cc_uid. I have been able to test and authenticate this way. Again, once I move it to the PIPE, I cannot read the ccache.

    Moving this to a file is out of the question. For security reasons, which are most likely the reason I am having my problems, it must stay in this form.

  • 843810
    The Java Krb5LoginModule can read Kerberos tickets from the following native ticket caches:
    - File-based ticket cache
    - Windows in-memory ticket cache using the LSA API

    Can you send me the details of your in-memory ticket cache on Linux?

    Seema
  • 843810
    edited Apr 18, 2007 9:50AM
    Seema,

    You'll have to excuse me. My Linux/Unix programming is limited to classroom experience in which we never covered anything like this.

    What information are you looking for about the ticket cache?

    From what I know, its a credential cache stored in a pipe in memory.

    At login a PIPE is initialized. kinit, which is a child of kshell, creates the pipe. The name of this pipe is stored in the KRB5CCNAME variable. When it was a file cache, it was "FILE:/tmp/krb5cc_uid". Now it is set to "PIPE:XXXX" where XXXX is an integer. Just for an example, we'll use 1234. In the Linux environment, KRB5CCNAME=PIPE:1234.

    The PIPE will store exactly the same information as the krb5cc_uid file would.

    I think the problem stems from the Java applications not being children of the shell that created the pipe.

    I can run kshell to create a new shell and kinit under that. That will set up another pipe to store my ticket.

  • 843810
    I solved my problem. I was unaware the pipe was written by an internal programmer. I have gotten in contact with him and am solving my problem.
  • 843810
    Hi,

    Though this is a very old thread, I am still writing in hope.

    I am using Kerberos for the first time. Our application is deployed in JBoss on Linux and needs to validate against AD. When I test the JBoss negotiation toolkit (jboss-negotiation-toolkit/SecurityDomainTest?securityDomain=host), I get the following error. The same error comes when I try the application as well.


    2010-04-17 10:42:31,105 INFO [STDOUT] Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/apps/obcbs/obdsmq-zd6.keytab refreshKrb5Config is false principal is HTTP/[email protected] tryFirstPass is false useFirstPass is false storePass is true clearPass is false
    2010-04-17 10:42:31,109 INFO [STDOUT] Key for the principal HTTP/[email protected] not available in /opt/apps/obcbs/obdsmq-zd6.keytab
    2010-04-17 10:42:31,109 INFO [STDOUT] [Krb5LoginModule] authentication failed
    Unable to obtain password from user
    2010-04-17 10:42:31,110 ERROR [org.jboss.security.negotiation.toolkit.SecurityDomainTestServlet] testDomain Failed
    javax.security.auth.login.LoginException: Unable to obtain password from user

    at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:789)

    I have really been struggling with these errors for the last week. I will really appreciate any of your valuable suggestions.

    I have also logged another thread. I will appreciate it if anyone helps on this. New thread - http://forums.sun.com/thread.jspa?threadID=5435969

    Many Thanks.

    Best Regards - Sidd
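The keytab failure in the last post ("Key for the principal ... not available in ..."), as an added example that is not part of the original thread: a small Java program that asks the public KeyTab API (Java 7 and later) for the keys a keytab holds for a given principal, which is exactly the lookup Krb5LoginModule performs with useKeyTab=true and storeKey=true before it gives up and reports "Unable to obtain password from user". The class name, the command-line arguments and the JBoss paths echoed in the usage comment are assumptions for this illustration.

```java
import java.io.File;

import javax.security.auth.DestroyFailedException;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;

/**
 * Added example (not from the thread): verify that a keytab really contains
 * keys for the acceptor principal before pointing Krb5LoginModule at it.
 *
 * Usage:  java KeytabCheck /opt/apps/obcbs/obdsmq-zd6.keytab HTTP/host.example.com@EXAMPLE.COM
 * (paths and principal are placeholders; use your own)
 */
public class KeytabCheck {

    /** Returns the keys stored for principalName, or an empty array if none. */
    static KerberosKey[] keysFor(File keytabFile, String principalName) {
        if (!keytabFile.isFile() || !keytabFile.canRead()) {
            // A keytab the JVM's uid cannot open produces the same module failure
            // as one with the wrong principal, so check readability first.
            throw new IllegalArgumentException("keytab not readable: " + keytabFile);
        }
        // getKeys() matches the principal exactly: primary, instance and realm
        // (including the realm's case) must all agree with the keytab entry.
        KeyTab kt = KeyTab.getInstance(keytabFile);
        return kt.getKeys(new KerberosPrincipal(principalName));
    }

    public static void main(String[] args) throws DestroyFailedException {
        if (args.length != 2) {
            System.err.println("usage: KeytabCheck <keytab> <principal>");
            System.exit(2);
        }
        File keytab = new File(args[0]);
        KerberosKey[] keys = keysFor(keytab, args[1]);
        if (keys.length == 0) {
            // This is the condition behind the module's
            // "Key for the principal <name> not available in <keytab>" message.
            System.err.println("no key for " + args[1] + " in " + keytab);
            System.exit(1);
        }
        for (KerberosKey k : keys) {
            System.out.println(k.getPrincipal()
                    + " kvno=" + k.getVersionNumber()
                    + " etype=" + k.getKeyType());   // 18 = aes256, 17 = aes128, 23 = rc4-hmac
            k.destroy();   // wipe the key material once we are done looking at it
        }
    }
}
```

If this prints nothing for the principal, compare its output against `klist -k -e <keytab>`: the usual causes are a principal string in the JAAS configuration that differs from the keytab entry (a different host name, a lower-case realm, or a missing HTTP/ instance), a keytab regenerated with a new key version number so the old copy no longer matches, or enctypes in the keytab that the JRE cannot use. Treat the keytab as a credential equivalent to the service's password: it should be readable only by the account the application server runs as.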
This discussion has been closed.