directory-dev mailing list archives

From "Stef Walter (Created) (JIRA)" <j...@apache.org>
Subject [jira] [Created] (DIRSTUDIO-789) Kerberos integration does not recognize "dns_lookup_kdc = true"
Date Tue, 06 Mar 2012 18:00:58 GMT
Kerberos integration does not recognize "dns_lookup_kdc = true"
---------------------------------------------------------------

                 Key: DIRSTUDIO-789
                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-789
             Project: Directory Studio
          Issue Type: Bug
          Components: studio-connection
    Affects Versions: 2.0.0-M2
         Environment: Linux stef-desktop.thewalter.lan 3.2.5-3.fc16.x86_64 #1 SMP Thu Feb
9 01:24:38 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

            Reporter: Stef Walter


The Kerberos integration does not support an /etc/krb5.conf where the KDCs of the realms
are not included. For example, an /etc/krb5.conf that looks like:

----------------------------------------------------
[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
  AD.THEWALTER.LAN = {
  }

[domain_realm]
 .ad.thewalter.lan = AD.THEWALTER.LAN
 ad.thewalter.lan = AD.THEWALTER.LAN
----------------------------------------------------

Results in the error:

The authentication failed
 - java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials
provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
  org.apache.directory.shared.ldap.model.exception.LdapException: java.security.PrivilegedActionException:
org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level:
Cannot get kdc for realm AD.THEWALTER.LAN)]
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1593)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1485)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:447)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1173)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:460)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:308)
	at org.apache.directory.studio.connection.core.jobs.CheckBindRunnable.run(CheckBindRunnable.java:81)
	at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:123)
	at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)
Caused by: java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials
provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:416)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1583)
	... 8 more
Caused by: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level:
Cannot get kdc for realm AD.THEWALTER.LAN)]
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3900)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:177)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1587)
	... 11 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException:
No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3810)
	... 13 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for
realm AD.THEWALTER.LAN)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
	... 14 more
Caused by: KrbException: Cannot get kdc for realm AD.THEWALTER.LAN
	at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:141)
	at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:114)
	at sun.security.krb5.KrbTgsReq.send(KrbTgsReq.java:188)
	at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:204)
	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297)
	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114)
	at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:555)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610)
	... 17 more

  java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials
provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]

If I add a "kdc = dc.ad.thewalter.lan:88" to the /etc/krb5.conf in the appropriate place in
the realms section, then the error goes away and we can log in. It looks like Dirstudio (or
one of its libraries) does not support dns_lookup_kdc settings in /etc/krb5.conf.

I'm using the nightly snapshot from today (later than 2.0.0 M2). And my Kerberos settings
are "Use native TGT" and "Use native system configuration".

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
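
A check for the situation in this report, as an added example (not part of the original message or of Directory Studio's code): it parses a krb5.conf and lists the realms that have no explicit `kdc` entry and therefore depend on DNS discovery. The function names are hypothetical, and the SRV names `_kerberos._udp.<REALM>` and `_kerberos._tcp.<REALM>` (the records MIT Kerberos queries when `dns_lookup_kdc` is on) are an assumption not stated in the message; the sample is the configuration quoted above.

```python
import re

# Constructed sample: the /etc/krb5.conf quoted in the report above.
SAMPLE = """\
[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
  AD.THEWALTER.LAN = {
  }

[domain_realm]
 .ad.thewalter.lan = AD.THEWALTER.LAN
 ad.thewalter.lan = AD.THEWALTER.LAN
"""

def parse_krb5_conf(text):
    """Parse [sections], 'key = value' relations and one level of multi-line '{ }' blocks."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                    # new top-level section
            section, sub = conf.setdefault(m.group(1), {}), None
            continue
        if line == "}":                          # end of a realm block
            sub = None
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":                         # start of a realm block
            sub = section.setdefault(key, {})
        else:
            (sub if sub is not None else section).setdefault(key, []).append(value)
    return conf

def kdc_report(conf):
    """Return the dns_lookup_kdc setting and the realms that list no kdc at all."""
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc")
    report = {"dns_lookup_kdc": flag[0] if flag else None, "dns_only_realms": {}}
    for realm, body in conf.get("realms", {}).items():
        if isinstance(body, dict) and not body.get("kdc"):
            report["dns_only_realms"][realm] = [f"_kerberos._{p}.{realm}" for p in ("udp", "tcp")]
    return report
```

A realm that appears under `dns_only_realms` is one a client without DNS KDC lookup cannot reach until a `kdc =` line is added for it.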
