directory-kerby mailing list archives

From Marc Boorshtein <mboorsht...@gmail.com>
Subject Re: Getting started with the client API
Date Sat, 14 Nov 2015 15:49:49 GMT
Thanks Kai!  We're making progress.  Here's the current stack trace:

Exception in thread "main" java.lang.NullPointerException
    at org.apache.kerby.kerberos.kerb.client.request.AsRequest.getTicket(AsRequest.java:135)
    at org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient.doRequestTgtTicket(DefaultInternalKrbClient.java:76)
    at org.apache.kerby.kerberos.kerb.client.impl.AbstractInternalKrbClient.requestTgtTicket(AbstractInternalKrbClient.java:105)
    at org.apache.kerby.kerberos.kerb.client.KrbClient.requestTgtWithOptions(KrbClient.java:252)
    at org.apache.kerby.kerberos.kerb.client.KrbClient.requestTgtWithKeytab(KrbClient.java:194)
    at TestKerb.main(TestKerb.java:12)

Looking at the Kerberos messages over the wire, it looks like it's setting
the realm to EXAMPLE.COM even though the krb5.conf file has "default_realm
= RHELENT.LAN", which is causing the KDC to fail.  Trying to see if I can
make that setting in the code instead of the krb5.conf file.

Thanks

Marc

On Sat, Nov 14, 2015 at 8:47 AM, Zheng, Kai <kai.zheng@intel.com> wrote:

> The keytab issue was just resolved. Please check it.
>
> commit 955a84585c937561750a761134711b0ad4fdfeff
> Author: Kai Zheng <kai.zheng@intel.com>
> Date:   Sat Nov 14 21:44:41 2015 +0800
>
>     DIRKRB-456 KinitTool doesn't work to use keytab file
>
> -----Original Message-----
> From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
> Sent: Saturday, November 14, 2015 10:25 AM
> To: kerby@directory.apache.org
> Subject: Re: Getting started with the client API
>
> >
> >
> >
> > >> The next issue I'm having is getting my keytab to work.  Here's the
> > exception I get in the same code:
> > It seemed the keytab isn't passed along to the place so it reported
> > some client key or credential is needed. Maybe you could have a debug
> > along the stacktrace?
> >
> > By the way, how did you generate the keytab file by which tool?
> >
>
> Keytab was generated by FreeIPA:
>
> ipa-getkeytab -s freeipa.rhelent.lan -p HTTP/s4u.rhelent.lan@RHELENT.LAN -k ./localdev.keytab
>
> Using MIT kerberos on OSX I'm able to initialize the keytab without issue:
>
> Marcs-MBP:Downloads mlb$ kinit -k -t /Users/mlb/Documents/localdev.keytab -V HTTP/s4u.rhelent.lan@RHELENT.LAN
> Placing tickets for 'HTTP/s4u.rhelent.lan@RHELENT.LAN' in cache 'API:9C74982C-C9F1-43F1-912F-209C03BBEEE6'
> Marcs-MBP:Downloads mlb$ klist
> Credentials cache: API:9C74982C-C9F1-43F1-912F-209C03BBEEE6
>         Principal: HTTP/s4u.rhelent.lan@RHELENT.LAN
>
>   Issued                Expires               Principal
> Nov 13 21:19:22 2015  Nov 14 21:19:22 2015  krbtgt/RHELENT.LAN@RHELENT.LAN
> Marcs-MBP:Downloads mlb$
>
> Here's my code:
>
> KrbClient kerb = new KrbClient(new File("/etc"));
> kerb.init();
> TgtTicket tgt = kerb.requestTgtWithKeytab("HTTP/s4u.rhelent.lan@RHELENT.LAN",
>         new File("/Users/mlb/Documents/localdev.keytab"));
>
>
> >
> > >> Now, I tried to load the keytab using the kinit that comes with
> > >> kerby
> > and I get a different error:
> > Let's get this issue solved second. Looking at the NPE place as I did
> > last time, it looks like your keytab file isn't correctly passed
> > along. How did you invoke the Kerby kinit tool?
> >
> >
> From inside of my IDE with the following parameters: "-conf /etc  -k -t
> /Users/mlb/Documents/localdev.keytab HTTP/s4u.rhelent.lan@RHELENT.LAN"
>
>
> > Regarding the krb5.conf file, we prefer the format used by MIT
> > Kerberos, though currently the full support isn't done yet. The format
> > used by the files you found should work with Kerby fine.
> >
> >
> Let me try a krb5.conf file that doesn't share with multiple realms.
>
>  Thanks
> Marc
>
