I'm using 2.0.0-M15. I think KdcConnection is being a little more helpful. Connecting like this:

  KdcConfig config = KdcConfig.getDefaultConfig();
  config.setUseUdp( false );
  config.setHostName("127.0.0.1");
  config.setKdcPort( kdcServer.getTcpPort() );
  config.setEncryptionTypes( kdcServer.getConfig().getEncryptionTypes() );
  config.setTimeout( Integer.MAX_VALUE );
  KdcConnection connection = new KdcConnection( config );
  ServiceTicket ticket = connection.getServiceTicket(USER_UID + "@" + REALM, USER_PASSWORD, "krbtgt/" + REALM + "@" + REALM);

is at least giving me an error:

  11:15:57,186 ERROR [KERBEROS_LOG] (AuthenticationService.java:313) No key for client uid=hnelson,ou=users,dc=example,dc=com
  11:15:57,186 WARN  [KerberosProtocolHandler] (KerberosProtocolHandler.java:241) The client or server has a null key (9)
  11:15:57,187 WARN  [KERBEROS_LOG] (KerberosProtocolHandler.java:242) The client or server has a null key (9)
  11:15:57,269 ERROR [KERBEROS_LOG] (AuthenticationService.java:313) No key for client uid=hnelson,ou=users,dc=example,dc=com
  11:15:57,269 WARN  [KerberosProtocolHandler] (KerberosProtocolHandler.java:241) The client or server has a null key (9)
  11:15:57,269 WARN  [KERBEROS_LOG] (KerberosProtocolHandler.java:242) The client or server has a null key (9)

I'm guessing I have to register/create a keytab with server for hnelson? I manually created a keytab for hnelson but I don't see a way to specify it using connection.getServiceTicket.
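One way to narrow the "No key for client" error down before calling getServiceTicket is to look the principal entry up directly and check whether it carries any derived keys at all; the following is an added diagnostic of my own, not code from ApacheDS or from this thread. It assumes the DirectoryService handle that AbstractLdapTestUnit exposes through getService(), and the krb5Key attribute type from ApacheDS's Kerberos schema.

```java
import org.apache.directory.api.ldap.model.entry.Attribute;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.server.core.api.CoreSession;
import org.apache.directory.server.core.api.DirectoryService;

/**
 * Added diagnostic (not ApacheDS code): before asking the KDC for a ticket,
 * confirm that the principal entry actually carries derived Kerberos keys.
 * "No key for client ..." in KERBEROS_LOG means this lookup would find none,
 * so the KDC has nothing to encrypt the AS-REP with.
 */
public final class PrincipalKeyCheck {

    // Constructed for this example; same DN as in the KERBEROS_LOG lines above.
    static final String HNELSON_DN = "uid=hnelson,ou=users,dc=example,dc=com";

    /** Number of krb5Key values stored on the entry, 0 if the attribute is absent. */
    public static int countKerberosKeys(CoreSession adminSession, String principalDn) throws Exception {
        // lookup() throws if the entry does not exist, which is itself a useful finding
        Entry entry = adminSession.lookup(new Dn(principalDn), "krb5Key", "krb5PrincipalName", "objectClass");
        Attribute keys = entry.get("krb5Key");
        return keys == null ? 0 : keys.size();
    }

    /** Short summary of the entry for the test log when no keys are found. */
    public static String describe(CoreSession adminSession, String principalDn) throws Exception {
        Entry entry = adminSession.lookup(new Dn(principalDn), "krb5PrincipalName", "objectClass");
        return principalDn + " krb5PrincipalName=" + entry.get("krb5PrincipalName")
            + " objectClass=" + entry.get("objectClass");
    }

    /** Call from the test body as assertPrincipalHasKeys(getService(), HNELSON_DN). */
    public static void assertPrincipalHasKeys(DirectoryService service, String principalDn) throws Exception {
        CoreSession admin = service.getAdminSession();
        if (countKerberosKeys(admin, principalDn) == 0) {
            throw new AssertionError("no krb5Key on " + describe(admin, principalDn)
                + " (is KeyDerivationInterceptor active, and was the entry added with a userPassword?)");
        }
    }
}
```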

On Thu, Apr 10, 2014 at 9:29 AM, Kiran Ayyagari <kayyagari@apache.org> wrote:

On Thu, Apr 10, 2014 at 6:37 PM, Josh Clum <joshclum@gmail.com> wrote:
Added "EXAMPLE.COM localhost" to /etc/hosts so now I can ping EXAMPLE.COM, but still no luck.

I did notice that when I call kdcServer.isStarted() in my test, it will always return false. It seems that kdcServer.start() is not correctly setting the started flag. I tried manually calling kdcServer.stop(); then kdcServer.start(); as another check.
I doubt that, which version of the server are you using? 

Is there any way to connect to the kdc other than just trying to kinit? Any other thoughts?

you can use KdcConnection present in kerberos-client module to test

On Thu, Apr 10, 2014 at 4:57 AM, Kiran Ayyagari <kayyagari@apache.org> wrote:

On Thu, Apr 10, 2014 at 1:14 AM, Josh Clum <joshclum@gmail.com> wrote:
Hi,

I'm trying to set up an IT for one of my classes that inherits from using the AbstractKerberosITest inside of apacheds-kerberos-test.

Here are the annotations on my class:

  @RunWith(FrameworkRunner.class)
  @CreateDS(name = "KerberosTcpIT-class",
    partitions = {
      @CreatePartition(name = "example", suffix = "dc=example,dc=com")},
      additionalInterceptors = { KeyDerivationInterceptor.class })
  @CreateLdapServer(transports = { @CreateTransport(protocol = "LDAP") })
  @CreateKdcServer(transports = { @CreateTransport( protocol = "TCP", port = 6089) })
  @ApplyLdifFiles("org/apache/directory/server/kerberos/kdc/KerberosIT.ldif")


AbstractKerberosITest generates a krb5.conf that looks like this:

  [libdefaults]
  default_realm = EXAMPLE.COM
  default_tkt_enctypes = des3-cbc-sha1
  default_tgs_enctypes = des3-cbc-sha1
  permitted_enctypes = des3-cbc-sha1
  default-checksum_type = hmac-sha1-des3
  udp_preference_limit = 1
  [realms]
  EXAMPLE.COM = {
    kdc = localhost:6089
  }
  [domain_realm]

To kinit, I'm using this command (hnelson is automatically added by AbstractKerberosITest):

  env KRB5_CONFIG=/path/to/krb5.conf kinit -k -t /path/to/hnelson.keytab hnelson@EXAMPLE.COM

And I get this error:

  kinit: krb5_get_init_creds: unable to reach any KDC in realm EXAMPLE.COM

The kdc seems to running just fine:

  ➜  ~  lsof -i :6089        
  COMMAND   PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
  java    98545 clumjo  201u  IPv6 0x3b381b5f4ac2a677      0t0  TCP localhost:6089 (LISTEN)
  ➜  ~  telnet localhost 6089
  Trying ::1...
  telnet: connect to address ::1: Connection refused
  Trying 127.0.0.1...
  Connected to localhost.

Do you have any thoughts as to what might be wrong?

nope, am able to get the ticket using the same config (but with a standalone server)
looks like some DNS issue, can you map EXAMPLE.COM to loopback address in your hosts file and see
Thanks,

Josh

--
Kiran Ayyagari
http://keydap.com