directory-kerby mailing list archives

From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: Getting started with the client API
Date Sat, 14 Nov 2015 03:27:16 GMT
Great that you made the issue clear. It seems that the keytab file option in KinitTool isn't
converted or passed to the KrbClient API call. We'll need a fix in the Kerby code. Maybe you could
have a simple fixup in your workspace to proceed?

For the krb5.conf, it looks like the items in the [REALM] section aren't able to be loaded (a
gap here). I just realized that most of the krb5.conf files used in the Kerby code are for Oracle
Java Kerberos support.
Please add the following item to the [libdefaults] section.

kdc_host = your-kdc-host

-----Original Message-----
From: Marc Boorshtein [mailto:mboorshtein@gmail.com] 
Sent: Saturday, November 14, 2015 11:06 AM
To: kerby@directory.apache.org
Subject: Re: Getting started with the client API

For kinit, it's not a permissions issue; everything is owned by the same user. The issue appears
to be on line 45 of AsRequestWithKeytab.java. It's looking for

KrbOption.KEYTAB_FILE

but koptions has "{USE_KEYTAB=USE_KEYTAB, NONE=NONE, CLIENT_PRINCIPAL=CLIENT_PRINCIPAL}"

Here's my krb5.conf file:

[libdefaults]
  kdc_udp_port = 88
  default_realm = RHELENT.LAN
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0

[realms]
  RHELENT.LAN = {
    kdc = freeipa.rhelent.lan:88
    master_kdc = freeipa.rhelent.lan:88
    admin_server = freeipa.rhelent.lan:749
    default_domain = rhelent.lan
    #pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .rhelent.lan = RHELENT.LAN
  rhelent.lan = RHELENT.LAN

Also, with the above krb5.conf file I have a new issue with the code, I get the following
exception:

Exception in thread "main" org.apache.kerby.kerberos.kerb.KrbException: Receiving response message failed
    at org.apache.kerby.kerberos.kerb.client.impl.DefaultKrbHandler.handleRequest(DefaultKrbHandler.java:45)
    at org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient.doRequestTgtTicket(DefaultInternalKrbClient.java:74)
    at org.apache.kerby.kerberos.kerb.client.impl.AbstractInternalKrbClient.requestTgtTicket(AbstractInternalKrbClient.java:105)
    at org.apache.kerby.kerberos.kerb.client.KrbClient.requestTgtWithOptions(KrbClient.java:252)
    at org.apache.kerby.kerberos.kerb.client.KrbClient.requestTgtWithKeytab(KrbClient.java:194)
    at TestKerb.main(TestKerb.java:12)
Caused by: java.net.PortUnreachableException
    at sun.nio.ch.DatagramChannelImpl.receive0(Native Method)
    at sun.nio.ch.DatagramChannelImpl.receiveIntoNativeBuffer(DatagramChannelImpl.java:414)
    at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:400)
    at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:345)
    at org.apache.kerby.kerberos.kerb.transport.KrbUdpTransport.receiveMessage(KrbUdpTransport.java:60)
    at org.apache.kerby.kerberos.kerb.client.impl.DefaultKrbHandler.handleRequest(DefaultKrbHandler.java:43)
    ... 5 more

Debugging the code made it look like Kerby is trying to hit 127.0.0.1 (which doesn't have
the Kerberos server running).

On Fri, Nov 13, 2015 at 9:45 PM, Zheng, Kai <kai.zheng@intel.com> wrote:

> Another thing to check is the keytab file permission. It may fail to be
> accessed from your IDE. To keep it simple, please make a copy in /tmp/ and
> chmod a+r it.
>
> -----Original Message-----
> From: Zheng, Kai [mailto:kai.zheng@intel.com]
> Sent: Saturday, November 14, 2015 10:41 AM
> To: kerby@directory.apache.org
> Subject: RE: Getting started with the client API
>
> Your setup looks fine.
>
> >> From inside of my IDE with the following parameters : "-conf /etc -k
> >> -t /Users/mlb/Documents/localdev.keytab HTTP/s4u.rhelent.lan@RHELENT.LAN"
>
> OK. Since you're in your IDE, maybe you could set your breakpoint at
> kerb.requestTgtWithKeytab() and check if the keytab file parameter is 
> correctly passed there?
>
> -----Original Message-----
> From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
> Sent: Saturday, November 14, 2015 10:25 AM
> To: kerby@directory.apache.org
> Subject: Re: Getting started with the client API
>
> > >> The next issue I'm having is getting my keytab to work.  Here's the
> > >> exception I get in the same code:
> > It seemed the keytab isn't passed along to that place, so it reported that
> > some client key or credential is needed. Maybe you could debug along the
> > stacktrace?
> >
> > By the way, how did you generate the keytab file, with which tool?
> >
>
> Keytab was generated by FreeIPA:
>
> ipa-getkeytab -s freeipa.rhelent.lan -p HTTP/s4u.rhelent.lan@RHELENT.LAN -k ./localdev.keytab
>
> Using MIT Kerberos on OS X I'm able to initialize the keytab without issue:
>
> Marcs-MBP:Downloads mlb$ kinit -k -t /Users/mlb/Documents/localdev.keytab -V HTTP/s4u.rhelent.lan@RHELENT.LAN
> Placing tickets for 'HTTP/s4u.rhelent.lan@RHELENT.LAN' in cache 'API:9C74982C-C9F1-43F1-912F-209C03BBEEE6'
>
> Marcs-MBP:Downloads mlb$ klist
> Credentials cache: API:9C74982C-C9F1-43F1-912F-209C03BBEEE6
>         Principal: HTTP/s4u.rhelent.lan@RHELENT.LAN
>
>   Issued                Expires               Principal
> Nov 13 21:19:22 2015  Nov 14 21:19:22 2015  krbtgt/RHELENT.LAN@RHELENT.LAN
>
> Marcs-MBP:Downloads mlb$
> Here's my code:
>
> // Load krb5.conf from /etc and initialise the client
> KrbClient kerb = new KrbClient(new File("/etc"));
> kerb.init();
>
> // Request a TGT for the service principal using the FreeIPA-generated keytab
> TgtTicket tgt = kerb.requestTgtWithKeytab("HTTP/s4u.rhelent.lan@RHELENT.LAN",
>         new File("/Users/mlb/Documents/localdev.keytab"));
>
>
>
> > >> Now, I tried to load the keytab using the kinit that comes with Kerby
> > >> and I get a different error:
> > Let's get this issue solved second. Looking at the NPE place as I
> > did last time, it looks like your keytab file isn't correctly passed
> > along. How did you invoke the Kerby kinit tool?
> >
> From inside of my IDE with the following parameters : "-conf /etc  -k 
> -t /Users/mlb/Documents/localdev.keytab HTTP/s4u.rhelent.lan@RHELENT.LAN"
>
>
> > Regarding the krb5.conf file, we prefer the format used by MIT 
> > Kerberos, though currently the full support isn't done yet. The 
> > format used by the files you found should work with Kerby fine.
> >
> >
> Let me try a krb5.conf file that doesn't share with multiple realms.
>
>  Thanks
> Marc
>
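The KDC lookup this thread ends on (Kerby not loading [realms] and ending up at 127.0.0.1, with kdc_host in [libdefaults] as the workaround), as an added example that is neither Kerby's own code nor any poster's: a small parser for the krb5.conf profile format and a resolver that fails loudly when no KDC is configured instead of silently defaulting to localhost. The realms_loaded flag, the KrbConfigError class and the reading of kdc_host as host or host:port are assumptions of this example, and the sample config is a constructed, trimmed copy of the one posted above.

```python
import re

# Constructed sample: the krb5.conf posted in the thread, trimmed to the keys
# this example uses; [libdefaults] has no kdc_host, as in the original file.
KRB5_CONF = """[libdefaults]
  kdc_udp_port = 88
  default_realm = RHELENT.LAN
[realms]
RHELENT.LAN = {
  kdc = freeipa.rhelent.lan:88
  #pkinit_anchors = FILE:/etc/ipa/ca.crt
}
"""
# The same file with Kai's workaround applied (kdc_host under [libdefaults]).
KRB5_CONF_FIXED = KRB5_CONF.replace(
    "[libdefaults]", "[libdefaults]\n  kdc_host = freeipa.rhelent.lan")

class KrbConfigError(Exception):
    """Raised instead of silently defaulting the KDC to localhost (assumed name)."""

def parse_krb5_conf(text):
    """Parse [section] headers, key = value lines, one level of REALM = { } blocks, '#' comments."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return conf

def resolve_kdc(conf, realm=None, realms_loaded=True):
    """Return (host, port) for the realm's KDC. realms_loaded=False models the Kerby
    gap in the thread: [realms] is ignored, so only kdc_host (host or host:port) applies."""
    libdefaults = conf.get("libdefaults", {})
    realm = realm or libdefaults.get("default_realm")
    kdc = conf.get("realms", {}).get(realm, {}).get("kdc") if realms_loaded else None
    kdc = kdc or libdefaults.get("kdc_host")
    if kdc is None:
        raise KrbConfigError(f"no KDC for {realm}; not falling back to 127.0.0.1")
    host, _, port = kdc.partition(":")
    return host, int(port or libdefaults.get("kdc_udp_port", 88))
```

With the original file and realms_loaded=False the resolver raises rather than contacting localhost, which is the symptom the PortUnreachableException above corresponds to; with kdc_host added it resolves the FreeIPA host either way.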