directory-dev mailing list archives

From "Stef Walter (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DIRSTUDIO-789) Kerberos integration does not recognize "dns_lookup_kdc = true"
Date Tue, 06 Mar 2012 20:33:58 GMT

    [ https://issues.apache.org/jira/browse/DIRSTUDIO-789?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13223633#comment-13223633 ]

Stef Walter commented on DIRSTUDIO-789:
---------------------------------------

Sure. Using JNDI also fails with the following (slightly different) error ... unless I add
the "kdc = xxxx" line to /etc/krb5.conf, in which case authentication works.

The authentication failed
 - GSSAPI
  javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level:
Cannot get kdc for realm AD.THEWALTER.LAN)]]
	at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:168)
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:232)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
	at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2593)
	at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2567)
	at com.sun.jndi.ldap.LdapCtx.reconnect(LdapCtx.java:2563)
	at javax.naming.ldap.InitialLdapContext.reconnect(InitialLdapContext.java:190)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$8.run(JNDIConnectionWrapper.java:1199)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:357)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doGssapiBind(JNDIConnectionWrapper.java:1193)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.access$700(JNDIConnectionWrapper.java:107)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$7.run(JNDIConnectionWrapper.java:1076)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1305)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doBind(JNDIConnectionWrapper.java:1100)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.bind(JNDIConnectionWrapper.java:253)
	at org.apache.directory.studio.connection.core.jobs.CheckBindRunnable.run(CheckBindRunnable.java:81)
	at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:123)
	at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException:
No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
	at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:123)
	... 18 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for
realm AD.THEWALTER.LAN)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
	... 19 more
Caused by: KrbException: Cannot get kdc for realm AD.THEWALTER.LAN
	at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:141)
	at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:114)
	at sun.security.krb5.KrbTgsReq.send(KrbTgsReq.java:188)
	at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:204)
	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297)
	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114)
	at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:555)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610)
	... 22 more

  GSSAPI

                
> Kerberos integration does not recognize "dns_lookup_kdc = true"
> ---------------------------------------------------------------
>
>                 Key: DIRSTUDIO-789
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-789
>             Project: Directory Studio
>          Issue Type: Bug
>          Components: studio-connection
>    Affects Versions: 2.0.0-M2
>         Environment: Linux stef-desktop.thewalter.lan 3.2.5-3.fc16.x86_64 #1 SMP Thu Feb 9 01:24:38 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>            Reporter: Stef Walter
>
> The Kerberos integration does not support an /etc/krb5.conf where the KDCs of the realms are not included. For example, an /etc/krb5.conf that looks like:
> ----------------------------------------------------
> [libdefaults]
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
> [realms]
>   AD.THEWALTER.LAN = {
>   }
> [domain_realm]
>  .ad.thewalter.lan = AD.THEWALTER.LAN
>  ad.thewalter.lan = AD.THEWALTER.LAN
> ----------------------------------------------------
> Results in the error.
> The authentication failed
>  - java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials
provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
>   org.apache.directory.shared.ldap.model.exception.LdapException: java.security.PrivilegedActionException:
org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level:
Cannot get kdc for realm AD.THEWALTER.LAN)]
> 	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1593)
> 	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1485)
> 	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:447)
> 	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1173)
> 	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:460)
> 	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:308)
> 	at org.apache.directory.studio.connection.core.jobs.CheckBindRunnable.run(CheckBindRunnable.java:81)
> 	at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:123)
> 	at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)
> Caused by: java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials
provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Subject.java:416)
> 	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1583)
> 	... 8 more
> Caused by: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level:
Cannot get kdc for realm AD.THEWALTER.LAN)]
> 	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3900)
> 	at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:177)
> 	at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1587)
> 	... 11 more
> Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException:
No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
> 	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
> 	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3810)
> 	... 13 more
> Caused by: GSSException: No valid credentials provided (Mechanism level: Cannot get kdc
for realm AD.THEWALTER.LAN)
> 	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
> 	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
> 	... 14 more
> Caused by: KrbException: Cannot get kdc for realm AD.THEWALTER.LAN
> 	at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:141)
> 	at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:114)
> 	at sun.security.krb5.KrbTgsReq.send(KrbTgsReq.java:188)
> 	at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:204)
> 	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297)
> 	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114)
> 	at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:555)
> 	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610)
> 	... 17 more
>   java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials
provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
> If I add a "kdc = dc.ad.thewalter.lan:88" to the /etc/krb5.conf in the appropriate place in the realms section, then the error goes away and we can log in. It looks like Dirstudio (or one of its libraries) does not support dns_lookup_kdc settings in /etc/krb5.conf.
> I'm using the nightly snapshot from today (later than 2.0.0 M2). And my Kerberos settings are "Use native TGT" and "Use native system configuration".

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
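
As an added example (not part of the original message or of Directory Studio's code): a Python pre-flight check that parses a krb5.conf like the one quoted in the report and shows, per realm, whether a KDC is listed statically or has to be found through the `_kerberos._udp`/`_kerberos._tcp` DNS SRV records that `dns_lookup_kdc = true` relies on. The function names are hypothetical, and the parser assumes the simple multi-line stanza layout shown in the report.

```python
import re

# Constructed sample: the krb5.conf quoted in the report above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
[realms]
  AD.THEWALTER.LAN = {
  }
[domain_realm]
 .ad.thewalter.lan = AD.THEWALTER.LAN
 ad.thewalter.lan = AD.THEWALTER.LAN
"""

def parse_krb5_conf(text):
    """Return (libdefaults dict, {realm: [kdc, ...]}) from krb5.conf text."""
    libdefaults, realms = {}, {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, realm = m.group(1), None
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=")[0].strip()
            realms[realm] = []            # realm stanza opened, no KDC yet
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif realm is not None and key == "kdc":
                realms[realm].append(value)
    return libdefaults, realms

def kdc_discovery_report(text):
    """Map each realm to (method, targets) describing how its KDC is located."""
    libdefaults, realms = parse_krb5_conf(text)
    # Common truthy spellings; an assumption, not an exhaustive list.
    dns = libdefaults.get("dns_lookup_kdc", "").lower() in ("true", "yes", "on", "1")
    report = {}
    for realm, kdcs in realms.items():
        if kdcs:
            report[realm] = ("static", kdcs)
        elif dns:                         # SRV names defined in RFC 4120
            report[realm] = ("dns-srv", [f"_kerberos._{p}.{realm}" for p in ("udp", "tcp")])
        else:
            report[realm] = ("unresolvable", [])
    return report
```

A realm reported as `dns-srv` works only if the Kerberos library in use performs the SRV lookup, and it makes KDC selection depend on the integrity of the DNS answers for those names.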

        
