Date: Tue, 6 Mar 2012 18:00:58 +0000 (UTC)
From: "Stef Walter (Created) (JIRA)"
To: dev@directory.apache.org
Reply-To: "Apache Directory Developers List"
Mailing-List: contact dev-help@directory.apache.org; run by ezmlm
Message-ID: <656953058.28360.1331056858696.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Created] (DIRSTUDIO-789) Kerberos integration does not recognize "dns_lookup_kdc = true"
Content-Type: text/plain; charset=utf-8

Kerberos integration does not recognize "dns_lookup_kdc = true"
---------------------------------------------------------------

                 Key: DIRSTUDIO-789
                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-789
             Project: Directory Studio
          Issue Type: Bug
          Components: studio-connection
    Affects Versions: 2.0.0-M2
         Environment: Linux stef-desktop.thewalter.lan 3.2.5-3.fc16.x86_64 #1 SMP Thu Feb 9 01:24:38 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
            Reporter: Stef Walter


The Kerberos integration does not support an /etc/krb5.conf where the KDCs of the realms are not included. For example, an /etc/krb5.conf that looks like:

----------------------------------------------------
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
AD.THEWALTER.LAN = { }

[domain_realm]
.ad.thewalter.lan = AD.THEWALTER.LAN
ad.thewalter.lan = AD.THEWALTER.LAN
----------------------------------------------------

results in the error:

The authentication failed
 - java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]

org.apache.directory.shared.ldap.model.exception.LdapException: java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1593)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1485)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:447)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1173)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:460)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:308)
	at org.apache.directory.studio.connection.core.jobs.CheckBindRunnable.run(CheckBindRunnable.java:81)
	at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:123)
	at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)
Caused by: java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:416)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1583)
	... 8 more
Caused by: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3900)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:177)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1587)
	... 11 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3810)
	... 13 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
	... 14 more
Caused by: KrbException: Cannot get kdc for realm AD.THEWALTER.LAN
	at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:141)
	at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:114)
	at sun.security.krb5.KrbTgsReq.send(KrbTgsReq.java:188)
	at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:204)
	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297)
	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114)
	at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:555)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610)
	... 17 more

java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]

If I add a "kdc = dc.ad.thewalter.lan:88" to the /etc/krb5.conf in the appropriate place in the realms section, then the error goes away and we can log in.

It looks like Dirstudio (or one of its libraries) does not support dns_lookup_kdc settings in /etc/krb5.conf.

I'm using the nightly snapshot from today (later than 2.0.0 M2). And my Kerberos settings are "Use native TGT" and "Use native system configuration".

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
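The report pins the failure to KDC discovery: with no `kdc =` line in the realm section, a client honouring `dns_lookup_kdc = true` has to fall back on the realm's `_kerberos._udp` and `_kerberos._tcp` SRV records, and the reporter's workaround of adding an explicit `kdc =` entry short-circuits exactly that step. The script below is an added illustration of that two-stage lookup; it is not Directory Studio, Apache LDAP API or JDK code. It parses the krb5.conf from the report and resolves the realm against an injected resolver so it runs offline. The SRV table and its `dc.ad.thewalter.lan` target are constructed from the hostname in the reporter's workaround, and treating a missing `dns_lookup_kdc` as true follows MIT krb5's documented default, which is an assumption about the behaviour a "native system configuration" mode is expected to mirror.

```python
import re
from typing import Callable, Dict, List, Tuple

# One SRV answer: (priority, weight, port, target)
SrvRecord = Tuple[int, int, int, str]
Resolver = Callable[[str], List[SrvRecord]]

# The krb5.conf from the report, verbatim.
REPORTER_KRB5_CONF = """\
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
AD.THEWALTER.LAN = { }

[domain_realm]
.ad.thewalter.lan = AD.THEWALTER.LAN
ad.thewalter.lan = AD.THEWALTER.LAN
"""

# Constructed SRV table (not data from the report); the target is the host
# the reporter used in the `kdc =` workaround.
CONSTRUCTED_SRV: Dict[str, List[SrvRecord]] = {
    "_kerberos._udp.ad.thewalter.lan.": [(0, 100, 88, "dc.ad.thewalter.lan.")],
    "_kerberos._tcp.ad.thewalter.lan.": [(0, 100, 88, "dc.ad.thewalter.lan.")],
}


def fake_resolver(name: str) -> List[SrvRecord]:
    """Stand-in for a DNS SRV query, answered from the constructed table."""
    return CONSTRUCTED_SRV.get(name, [])


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Minimal krb5.conf parser: [sections], key = value, and one level of
    NAME = { ... } groups.  Repeated keys (several kdc = lines) are all kept."""
    conf: Dict[str, dict] = {}
    section = None
    group = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
            group = None
            continue
        if section is None:
            raise ValueError("key outside any section: %r" % raw)
        if line == "}":
            group = None
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        key, value = m.group(1), m.group(2).strip()
        if value.startswith("{"):
            group = section.setdefault(key, {})
            if value.endswith("}"):      # `NAME = { }` on a single line
                group = None
            continue
        target = group if group is not None else section
        target.setdefault(key, []).append(value)
    return conf


def is_true(values: List[str], default: bool) -> bool:
    """krb5.conf boolean; the last occurrence of a key wins."""
    return values[-1].lower() in ("true", "yes", "1", "on") if values else default


def kdcs_for_realm(conf: dict, realm: str, resolve_srv: Resolver) -> List[str]:
    """Return the realm's KDCs as host:port, in the order a client would try."""
    explicit = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if explicit:
        # `kdc = host` without a port means 88; DNS is not consulted at all.
        return [h if ":" in h else h + ":88" for h in explicit]
    # Assumption: MIT krb5 documents dns_lookup_kdc as defaulting to true.
    if not is_true(conf.get("libdefaults", {}).get("dns_lookup_kdc", []), True):
        raise LookupError("Cannot get kdc for realm " + realm)
    found: List[str] = []
    for proto in ("udp", "tcp"):
        # DNS names are case-insensitive, so the realm can be lowercased here.
        name = "_kerberos._%s.%s." % (proto, realm.lower())
        # Lowest priority first, heavier weight first (a deterministic stand-in
        # for RFC 2782's weighted selection within a priority).
        for _prio, _weight, port, target in sorted(
                resolve_srv(name), key=lambda r: (r[0], -r[1])):
            hostport = "%s:%d" % (target.rstrip("."), port)
            if hostport not in found:
                found.append(hostport)
    if not found:
        raise LookupError("Cannot get kdc for realm " + realm)
    return found


if __name__ == "__main__":
    conf = parse_krb5_conf(REPORTER_KRB5_CONF)
    print(kdcs_for_realm(conf, "AD.THEWALTER.LAN", fake_resolver))
```

Against the reporter's file the explicit list is empty, so only the SRV path can produce a KDC; an empty DNS answer reproduces the "Cannot get kdc for realm" condition from the trace, while adding `kdc = dc.ad.thewalter.lan:88` to the realm block returns that host before any DNS query is made. On a real machine the DNS side of this can be checked with `dig +short SRV _kerberos._tcp.ad.thewalter.lan`.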