From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: Getting started with the client API
Date Sat, 14 Nov 2015 03:50:11 GMT
KrbClientSettingTest will also need to be improved to consider a configuration file.

To bypass the issue if you would, please use the API to set the kdc host.

-----Original Message-----
From: Zheng, Kai [mailto:kai.zheng@intel.com] 
Sent: Saturday, November 14, 2015 11:47 AM
To: kerby@directory.apache.org
Subject: RE: Getting started with the client API

Thanks for trying. Then I believe it's also an issue we need to fix. If you would dig
before a possible fix next week, please look at the KrbSetting/KrbConfig/KrbConfigKey classes.
There is a unit test, TestKrbConfigLoad, but it misses checking the kdc host item, and we can add
it.

Regards,
Kai

-----Original Message-----
From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
Sent: Saturday, November 14, 2015 11:32 AM
To: kerby@directory.apache.org
Subject: Re: Getting started with the client API

Same issue, here's the krb5.conf:

[libdefaults]
  kdc_udp_port = 88
  kdc_host = freeipa.rhelent.lan
  default_realm = RHELENT.LAN
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0

[realms]
RHELENT.LAN = {
  kdc = freeipa.rhelent.lan:88
  master_kdc = freeipa.rhelent.lan:88
  admin_server = freeipa.rhelent.lan:749
  default_domain = rhelent.lan
  #pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
 .rhelent.lan = RHELENT.LAN
 rhelent.lan = RHELENT.LAN

On Fri, Nov 13, 2015 at 10:27 PM, Zheng, Kai <kai.zheng@intel.com> wrote:

> Great you made clear about the issue. It seems that the keytab file 
> option in KinitTool isn't converted or passed to KrbClient API call.
> We'll need a fix in Kerby codes. Maybe you could have a simple fixup 
> in your workspace to proceed?
>
> For the krb5.conf, it looks like the items in the [REALM] section aren't
> able to be loaded (a gap here). I just realized that most of the krb5.conf
> files used in Kerby codes are for Oracle Java Kerberos support.
> Please add the following item in [libdefaults] section.
>
> kdc_host = your-kdc-host
>
> -----Original Message-----
> From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
> Sent: Saturday, November 14, 2015 11:06 AM
> To: kerby@directory.apache.org
> Subject: Re: Getting started with the client API
>
> For kinit, it's not a permissions issue, everything is owned by the
> same user.  The issue appears to be in line 45 of
> AsRequestWithKeytab.java.  It's looking for
>
> KrbOption.KEYTAB_FILE
>
> but koptions has "{USE_KEYTAB=USE_KEYTAB, NONE=NONE, 
> CLIENT_PRINCIPAL=CLIENT_PRINCIPAL}"
>
> Here's my krb5.conf file:
>
> [libdefaults]
>   kdc_udp_port = 88
>   default_realm = RHELENT.LAN
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>  rdns = false
>  ticket_lifetime = 24h
>  forwardable = yes
>  udp_preference_limit = 0
>
> [realms]
> RHELENT.LAN = {
>   kdc = freeipa.rhelent.lan:88
>   master_kdc = freeipa.rhelent.lan:88
>   admin_server = freeipa.rhelent.lan:749
>   default_domain = rhelent.lan
>   #pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
>  .rhelent.lan = RHELENT.LAN
>  rhelent.lan = RHELENT.LAN
>
> Also, with the above krb5.conf file I have a new issue with the code, 
> I get the following exception:
>
> Exception in thread "main" org.apache.kerby.kerberos.kerb.KrbException: Receiving response message failed
>     at org.apache.kerby.kerberos.kerb.client.impl.DefaultKrbHandler.handleRequest(DefaultKrbHandler.java:45)
>     at org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient.doRequestTgtTicket(DefaultInternalKrbClient.java:74)
>     at org.apache.kerby.kerberos.kerb.client.impl.AbstractInternalKrbClient.requestTgtTicket(AbstractInternalKrbClient.java:105)
>     at org.apache.kerby.kerberos.kerb.client.KrbClient.requestTgtWithOptions(KrbClient.java:252)
>     at org.apache.kerby.kerberos.kerb.client.KrbClient.requestTgtWithKeytab(KrbClient.java:194)
>     at TestKerb.main(TestKerb.java:12)
> Caused by: java.net.PortUnreachableException
>     at sun.nio.ch.DatagramChannelImpl.receive0(Native Method)
>     at sun.nio.ch.DatagramChannelImpl.receiveIntoNativeBuffer(DatagramChannelImpl.java:414)
>     at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:400)
>     at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:345)
>     at org.apache.kerby.kerberos.kerb.transport.KrbUdpTransport.receiveMessage(KrbUdpTransport.java:60)
>     at org.apache.kerby.kerberos.kerb.client.impl.DefaultKrbHandler.handleRequest(DefaultKrbHandler.java:43)
>     ... 5 more
>
> Debugging the code made it look like kerby is trying to hit 127.0.0.1 
> (which doesn't have the kerberos server running)
>
> On Fri, Nov 13, 2015 at 9:45 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
>
> > Another thing to check is the keytab file permission. It may fail
> > to be accessed from your IDE. For simplicity, please make a copy to
> > /tmp/ and chmod a+r it.
> >
> > -----Original Message-----
> > From: Zheng, Kai [mailto:kai.zheng@intel.com]
> > Sent: Saturday, November 14, 2015 10:41 AM
> > To: kerby@directory.apache.org
> > Subject: RE: Getting started with the client API
> >
> > Your setup looks fine.
> >
> > >> From inside of my IDE with the following parameters : "-conf /etc -k
> > >> -t /Users/mlb/Documents/localdev.keytab HTTP/s4u.rhelent.lan@RHELENT.LAN"
> >
> > OK. Since you're in your IDE, maybe you could set your breakpoint at
> > kerb.requestTgtWithKeytab() and check if the keytab file parameter 
> > is correctly passed there?
> >
> > -----Original Message-----
> > From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
> > Sent: Saturday, November 14, 2015 10:25 AM
> > To: kerby@directory.apache.org
> > Subject: Re: Getting started with the client API
> >
> > > >> The next issue I'm having is getting my keytab to work.  Here's the
> > > >> exception I get in the same code:
> > > It seemed the keytab isn't passed along to the place so it
> > > reported some client key or credential is needed. Maybe you could
> > > have a debug along the stacktrace?
> > >
> > > By the way, how did you generate the keytab file by which tool?
> > >
> >
> > Keytab was generated by free ipa:
> >
> > ipa-getkeytab -s freeipa.rhelent.lan -p 
> > HTTP/s4u.rhelent.lan@RHELENT.LAN -k ./localdev.keytab
> >
> > Using MIT kerberos on OSX I'm able to initialize the keytab without issue:
> >
> > Marcs-MBP:Downloads mlb$ kinit -k -t /Users/mlb/Documents/localdev.keytab -V HTTP/s4u.rhelent.lan@RHELENT.LAN
> >
> > Placing tickets for 'HTTP/s4u.rhelent.lan@RHELENT.LAN' in cache 
> > 'API:9C74982C-C9F1-43F1-912F-209C03BBEEE6'
> >
> > Marcs-MBP:Downloads mlb$ klist
> >
> > Credentials cache: API:9C74982C-C9F1-43F1-912F-209C03BBEEE6
> >
> >         Principal: HTTP/s4u.rhelent.lan@RHELENT.LAN
> >
> >
> >   Issued                Expires               Principal
> >
> > Nov 13 21:19:22 2015  Nov 14 21:19:22 2015 
> > krbtgt/RHELENT.LAN@RHELENT.LAN
> >
> > Marcs-MBP:Downloads mlb$
> > Here's my code:
> >
> > KrbClient kerb = new KrbClient(new File("/etc"));
> > kerb.init();
> > TgtTicket tgt = kerb.requestTgtWithKeytab("HTTP/s4u.rhelent.lan@RHELENT.LAN",
> >         new File("/Users/mlb/Documents/localdev.keytab"));
> >
> >
> > >
> > > >> Now, I tried to load the keytab using the kinit that comes with kerby
> > > >> and I get a different error:
> > > Let's get this issue solved second. Looking at the NPE place as I
> > > did last time, it looks like your keytab file isn't correctly
> > > passed along. How did you invoke the Kerby kinit tool?
> > >
> > >
> > From inside of my IDE with the following parameters : "-conf /etc -k
> > -t /Users/mlb/Documents/localdev.keytab HTTP/s4u.rhelent.lan@RHELENT.LAN"
> >
> >
> > > Regarding the krb5.conf file, we prefer the format used by MIT 
> > > Kerberos, though currently the full support isn't done yet. The 
> > > format used by the files you found should work with Kerby fine.
> > >
> > >
> > Let me try a krb5.conf file that doesn't share with multiple realms.
> >
> >  Thanks
> > Marc
> >
>
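Kai's note in the thread is that the Kerby loader skipped the [realms] block, which is why the client ended up talking to 127.0.0.1 and why putting kdc_host in [libdefaults] works around it. The following is an added example, not Kerby's code: a small Python reader for the krb5.conf format posted above that takes the KDC from [realms] first, then from the kdc_host workaround, and fails loudly instead of silently defaulting to localhost when neither is present.

```python
from typing import Dict, Optional, Tuple

# Constructed sample: the krb5.conf from the thread, trimmed to the parts that matter.
KRB5_CONF = """\
[libdefaults]
  kdc_udp_port = 88
  default_realm = RHELENT.LAN

[realms]
RHELENT.LAN = {
  kdc = freeipa.rhelent.lan:88
  admin_server = freeipa.rhelent.lan:749
  #pkinit_anchors = FILE:/etc/ipa/ca.crt
}
"""


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Minimal MIT-style parser: [section] headers, key = value lines, one level of 'name = { ... }' blocks."""
    sections: Dict[str, dict] = {}
    current: Optional[dict] = None
    block: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current, block = sections.setdefault(line[1:-1], {}), None
            continue
        if current is None:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":                          # close the realm block
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":                         # open a realm block
            block = current[key] = {}
        else:
            (current if block is None else block)[key] = value
    return sections


def resolve_kdc(conf: Dict[str, dict], realm: str) -> Tuple[str, int]:
    """KDC (host, port) for realm: [realms] first, then the libdefaults kdc_host workaround; never localhost."""
    block = conf.get("realms", {}).get(realm)
    kdc = block.get("kdc") if isinstance(block, dict) else None
    kdc = kdc or conf.get("libdefaults", {}).get("kdc_host")
    if not kdc:
        raise LookupError(f"no KDC configured for realm {realm}")
    host, sep, port = str(kdc).partition(":")
    return host, int(port) if sep else 88
```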