directory-kerby mailing list archives

From "Zheng, Kai" <>
Subject RE: Getting started with the client API
Date Sat, 14 Nov 2015 02:40:55 GMT
Your setup looks fine.

>> From inside of my IDE with the following parameters : "-conf /etc  -k -t /Users/mlb/Documents/localdev.keytab

OK. Since you're in your IDE, maybe you could set your breakpoint at kerb.requestTgtWithKeytab()
and check if the keytab file parameter is correctly passed there?

-----Original Message-----
From: Marc Boorshtein [] 
Sent: Saturday, November 14, 2015 10:25 AM
Subject: Re: Getting started with the client API

> >> The next issue I'm having is getting my keytab to work.  Here's the
> exception I get in the same code:
> It seemed the keytab isn't passed along to the place so it reported 
> some client key or credential is needed. Maybe you could have a debug 
> along the stacktrace?
> By the way, how did you generate the keytab file, and with which tool?

Keytab was generated by FreeIPA:

ipa-getkeytab -s freeipa.rhelent.lan -p HTTP/s4u.rhelent.lan@RHELENT.LAN -k ./localdev.keytab

Using MIT kerberos on OSX I'm able to initialize the keytab without issue:

Marcs-MBP:Downloads mlb$ kinit -k -t /Users/mlb/Documents/localdev.keytab -V HTTP/s4u.rhelent.lan@RHELENT.LAN
Placing tickets for 'HTTP/s4u.rhelent.lan@RHELENT.LAN' in cache 'API:9C74982C-C9F1-43F1-912F-209C03BBEEE6'
Marcs-MBP:Downloads mlb$ klist
Credentials cache: API:9C74982C-C9F1-43F1-912F-209C03BBEEE6
        Principal: HTTP/s4u.rhelent.lan@RHELENT.LAN

  Issued                Expires               Principal
Nov 13 21:19:22 2015  Nov 14 21:19:22 2015  krbtgt/RHELENT.LAN@RHELENT.LAN
Marcs-MBP:Downloads mlb$

Here's my code:

KrbClient kerb = new KrbClient(new File("/etc"));

TgtTicket tgt = kerb.requestTgtWithKeytab("HTTP/s4u.rhelent.lan@RHELENT.LAN",
        new File("/Users/mlb/Documents/localdev.keytab"));

> >> Now, I tried to load the keytab using the kinit that comes with 
> >> kerby
> and I get a different error:
> Let's get this issue solved second. Looking at the NPE place as I did 
> last time, it looks like your keytab file isn't correctly passed 
> along. How did you invoke the Kerby kinit tool?

From inside of my IDE with the following parameters : "-conf /etc  -k -t /Users/mlb/Documents/localdev.keytab

> Regarding the krb5.conf file, we prefer the format used by MIT 
> Kerberos, though currently the full support isn't done yet. The format 
> used by the files you found should work with Kerby fine.

Let me try a krb5.conf file that doesn't share with multiple realms.
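
Added example (not part of the original thread and not Kerby project code): a plain-JDK check that lists the principals, key version numbers and encryption types in a keytab without printing key bytes, so the file handed to requestTgtWithKeytab() can be confirmed to hold an entry for the expected principal. It assumes the MIT keytab file format version 0x0502; the class name KeytabCheck is hypothetical, and the built-in sample keytab is constructed with an all-zero dummy key.

```java
import java.io.*;
import java.util.*;
public class KeytabCheck {
    // Returns "principal kvno=N etype=M" for each live entry of a version 0x0502 keytab.
    static List<String> entries(InputStream raw) throws IOException {
        DataInputStream in = new DataInputStream(raw);
        if (in.readUnsignedShort() != 0x0502) throw new IOException("not a version 0x0502 keytab");
        List<String> out = new ArrayList<>();
        while (true) {
            int size = 0;
            try { size = in.readInt(); } catch (EOFException eof) { /* no more records */ }
            if (size == 0) return out; // end of file or zero-length terminator
            if (Math.abs((long) size) > 65536) throw new IOException("implausible record size " + size);
            byte[] rec = new byte[Math.abs(size)];
            in.readFully(rec);
            if (size < 0) continue; // a negative size marks a deleted entry (hole)
            DataInputStream e = new DataInputStream(new ByteArrayInputStream(rec));
            int components = e.readUnsignedShort();
            String realm = str(e);
            StringJoiner name = new StringJoiner("/");
            for (int i = 0; i < components; i++) name.add(str(e));
            e.skipBytes(8); // name type (4 bytes) + timestamp (4 bytes)
            int kvno = e.readUnsignedByte(), etype = e.readUnsignedShort();
            e.skipBytes(e.readUnsignedShort()); // skip the key bytes: never decoded, never printed
            if (e.available() >= 4) { int v = e.readInt(); if (v != 0) kvno = v; } // optional 32-bit kvno
            out.add(name + "@" + realm + " kvno=" + kvno + " etype=" + etype);
        }
    }
    static String str(DataInputStream e) throws IOException { // 16-bit length, then that many bytes
        byte[] b = new byte[e.readUnsignedShort()];
        e.readFully(b);
        return new String(b, "UTF-8");
    }
    static byte[] sample() throws IOException { // constructed sample: one entry, all-zero dummy key
        ByteArrayOutputStream rec = new ByteArrayOutputStream(), file = new ByteArrayOutputStream();
        DataOutputStream d = new DataOutputStream(rec), f = new DataOutputStream(file);
        d.writeShort(2); // two name components follow the realm
        for (String s : new String[] {"RHELENT.LAN", "HTTP", "s4u.rhelent.lan"}) { d.writeShort(s.length()); d.writeBytes(s); }
        d.writeInt(1); d.writeInt(0); d.writeByte(1); d.writeShort(18); d.writeShort(32); d.write(new byte[32]);
        f.writeShort(0x0502); f.writeInt(rec.size()); f.write(rec.toByteArray());
        return file.toByteArray();
    }
    public static void main(String[] args) throws IOException {
        String want = "HTTP/s4u.rhelent.lan@RHELENT.LAN "; // principal used in the thread
        try (InputStream in = args.length > 0 ? new FileInputStream(args[0]) : new ByteArrayInputStream(sample())) {
            List<String> found = entries(in);
            System.out.println(found + (found.stream().anyMatch(s -> s.startsWith(want)) ? " principal present" : " principal MISSING"));
        }
    }
}
```

Pass a keytab path as the first argument to inspect a real file; with no argument it parses the constructed sample.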
