directory-dev mailing list archives

From "Frank Ren (JIRA)" <j...@apache.org>
Subject [jira] [Created] (DIRSTUDIO-900) Server not found in Kerberos database
Date Wed, 10 Apr 2013 23:25:17 GMT
Frank Ren created DIRSTUDIO-900:
-----------------------------------

             Summary: Server not found in Kerberos database
                 Key: DIRSTUDIO-900
                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-900
             Project: Directory Studio
          Issue Type: Bug
          Components: studio-connection
    Affects Versions: 2.0.0-M6
         Environment: ubuntu 10.04 64bit (I don't think it was relevant.)
            Reporter: Frank Ren


Follow it to the last step here, 4.2 - Authenticate with Studio — Apache Directory

http://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html

Please read the (1) error message, and (2) server log at the bottom.

Everything is Okay if tested against 4.1 - Authenticate with kinit on Linux — Apache Directory

http://directory.apache.org/apacheds/kerberos-ug/4.1-authenticate-kinit.html

renfeng@dreadnought:~$ kinit --version
kinit (Heimdal 1.2.1)
Copyright 1995-2008 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@h5l.org
renfeng@dreadnought:~$ kinit test4
test4@ROMEO-FOXTROT.COM's Password: 
renfeng@dreadnought:~$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: test4@ROMEO-FOXTROT.COM
    Cache version: 4

Server: krbtgt/ROMEO-FOXTROT.COM@ROMEO-FOXTROT.COM
Client: test4@ROMEO-FOXTROT.COM
Ticket etype: aes128-cts-hmac-sha1-96
Ticket length: 253
Auth time:  Apr 11 07:10:58 2013
End time:   Apr 11 17:10:58 2013
Ticket flags: forwardable, proxiable, initial, pre-authenticated
Addresses: addressless


Nothing abnormal in server log.

[07:10:58] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
[07:10:58] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
Additional pre-authentication required (25)
[07:10:58] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication
required (25)


The problem must have been caused by reverse dns lookup. When the following line was inserted
into /etc/hosts, the problem is gone.

121.228.65.198  dreadnought.romeo-foxtrot.com


Conclusion: a reverse dns lookup when apacheds studio authenticates against kerberos server
is unexpected, and should be unnecessary.


----

(1) error message
Error while opening connection
 - java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials
provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in
Kerberos database)]
org.apache.directory.api.ldap.model.exception.LdapException: java.security.PrivilegedActionException:
org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level:
Server not found in Kerberos database (7) - Server not found in Kerberos database)]
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1469)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1361)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:446)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1174)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:459)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:307)
	at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
	at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
Caused by: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials
provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in
Kerberos database)]
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:416)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1459)
	... 8 more
Caused by: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level:
Server not found in Kerberos database (7) - Server not found in Kerberos database)]
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3825)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:176)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1463)
	... 11 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException:
No valid credentials provided (Mechanism level: Server not found in Kerberos database (7)
- Server not found in Kerberos database)]
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3735)
	... 13 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found
in Kerberos database (7) - Server not found in Kerberos database)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
	... 14 more
Caused by: KrbException: Server not found in Kerberos database (7) - Server not found in Kerberos
database
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:72)
	at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:193)
	at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:205)
	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297)
	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114)
	at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:556)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610)
	... 17 more
Caused by: KrbException: Identifier doesn't match expected value (906)
	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:144)
	at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
	at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:54)
	... 23 more

java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials
provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in
Kerberos database)]

----

(2) server log

[06:56:08] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
[06:56:08] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
Additional pre-authentication required (25)
[06:56:08] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication
required (25)
[06:56:08] WARN [org.apache.directory.server.protocol.shared.kerberos.StoreUtils] - No server
entry found for kerberos principal name ldap/121.228.65.198@ROMEO-FOXTROT.COM
[06:56:08] WARN [org.apache.directory.server.KERBEROS_LOG] - No server entry found for kerberos
principal name ldap/121.228.65.198@ROMEO-FOXTROT.COM
[06:56:08] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
Server not found in Kerberos database (7)
[06:56:08] WARN [org.apache.directory.server.KERBEROS_LOG] - Server not found in Kerberos
database (7)
[06:56:08] ERROR [org.apache.directory.server.ldap.handlers.request.UnbindRequestHandler]
- ERR_169 failed to unbind session properly
org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException: ERR_268 Cannot find
a partition for 
	at org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.getPartition(DefaultPartitionNexus.java:927)
	at org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.unbind(DefaultPartitionNexus.java:794)
	at org.apache.directory.server.core.api.interceptor.BaseInterceptor$1.unbind(BaseInterceptor.java:266)
	at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:690)
	at org.apache.directory.server.core.authn.AuthenticationInterceptor.unbind(AuthenticationInterceptor.java:1159)
	at org.apache.directory.server.core.DefaultOperationManager.unbind(DefaultOperationManager.java:1230)
	at org.apache.directory.server.core.shared.DefaultCoreSession.unbind(DefaultCoreSession.java:1073)
	at org.apache.directory.server.ldap.handlers.request.UnbindRequestHandler.handle(UnbindRequestHandler.java:50)
	at org.apache.directory.server.ldap.handlers.request.UnbindRequestHandler.handle(UnbindRequestHandler.java:38)
	at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:219)
	at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
	at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:221)
	at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:217)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:690)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
	at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74)
	at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
	at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:474)
	at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:428)
	at java.lang.Thread.run(Thread.java:679)


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
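
A log check for the symptom in this report, as an added example (not part of the original message and not ApacheDS code): it re-joins the wrapped entries of the server log and reports each "No server entry found" principal, marking those whose host part is an IP literal, as in `ldap/121.228.65.198@ROMEO-FOXTROT.COM`. The function names are hypothetical and the third sample entry is constructed for contrast.

```python
import ipaddress
import re

# The first two entries are copied from the server log in the report (wrapped
# as in the archive); the third is constructed, with a hostname, for contrast.
SAMPLE_LOG = """\
[06:56:08] WARN [org.apache.directory.server.protocol.shared.kerberos.StoreUtils] - No server
entry found for kerberos principal name ldap/121.228.65.198@ROMEO-FOXTROT.COM
[06:56:08] WARN [org.apache.directory.server.KERBEROS_LOG] - No server entry found for kerberos
principal name ldap/121.228.65.198@ROMEO-FOXTROT.COM
[06:57:00] WARN [org.apache.directory.server.protocol.shared.kerberos.StoreUtils] - No server
entry found for kerberos principal name ldap/nosuchhost.example.test@ROMEO-FOXTROT.COM
"""

ENTRY_START = re.compile(r"^\[\d{2}:\d{2}:\d{2}\] ")
MISSING = re.compile(
    r"^\[[\d:]+\] \w+ \[[^\]]+\] - No server entry found for kerberos "
    r"principal name (?P<service>[^/@\s]+)/(?P<host>[^@\s]+)@(?P<realm>\S+)")

def join_wrapped(text):
    """Re-join log entries that were wrapped across several lines."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if ENTRY_START.match(line) or not entries:
            entries.append(line)       # a timestamp starts a new entry
        else:
            entries[-1] += " " + line  # continuation or stack-trace line
    return entries

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def missing_service_principals(text):
    """Map each principal the KDC could not find to True if its host part is an IP."""
    found = {}
    for entry in join_wrapped(text):
        m = MISSING.match(entry)
        if m:
            principal = f"{m['service']}/{m['host']}@{m['realm']}"
            found.setdefault(principal, is_ip_literal(m["host"]))
    return found

if __name__ == "__main__":
    for principal, host_is_ip in missing_service_principals(SAMPLE_LOG).items():
        print(principal, "-> host part is an IP literal" if host_is_ip else "-> host part is a name")
```
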
