directory-kerby mailing list archives

From Marc Boorshtein <mboorsht...@gmail.com>
Subject Re: Getting started with the client API
Date Sat, 14 Nov 2015 03:31:50 GMT
Same issue, here's the krb5.conf:

[libdefaults]
  kdc_udp_port = 88
  kdc_host = freeipa.rhelent.lan
  default_realm = RHELENT.LAN
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0

[realms]
RHELENT.LAN = {
  kdc = freeipa.rhelent.lan:88
  master_kdc = freeipa.rhelent.lan:88
  admin_server = freeipa.rhelent.lan:749
  default_domain = rhelent.lan
  #pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
 .rhelent.lan = RHELENT.LAN
 rhelent.lan = RHELENT.LAN

On Fri, Nov 13, 2015 at 10:27 PM, Zheng, Kai <kai.zheng@intel.com> wrote:

> Great, you've made the issue clear. It seems that the keytab file option
> in KinitTool isn't converted or passed to the KrbClient API call. We'll need a
> fix in the Kerby code. Maybe you could have a simple fixup in your workspace
> to proceed?
>
> For the krb5.conf, it looks like the items in the [REALM] section aren't
> able to be loaded (a gap here). I just realized that most of the krb5.conf
> files used in the Kerby code are for Oracle Java Kerberos support.
> Please add the following item in the [libdefaults] section.
>
> kdc_host = your-kdc-host
>
> -----Original Message-----
> From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
> Sent: Saturday, November 14, 2015 11:06 AM
> To: kerby@directory.apache.org
> Subject: Re: Getting started with the client API
>
> For kinit, it's not a permissions issue, everything is owned by the same
> user.  The issue appears to be in line 45 of AsRequestWithKeytab.java.  It's
> looking for
>
> KrbOption.KEYTAB_FILE
>
> but koptions has "{USE_KEYTAB=USE_KEYTAB, NONE=NONE,
> CLIENT_PRINCIPAL=CLIENT_PRINCIPAL}"
>
> Here's my krb5.conf file:
>
> [libdefaults]
>   kdc_udp_port = 88
>   default_realm = RHELENT.LAN
>   dns_lookup_realm = false
>   dns_lookup_kdc = true
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>   udp_preference_limit = 0
>
> [realms]
> RHELENT.LAN = {
>   kdc = freeipa.rhelent.lan:88
>   master_kdc = freeipa.rhelent.lan:88
>   admin_server = freeipa.rhelent.lan:749
>   default_domain = rhelent.lan
>   #pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
>   .rhelent.lan = RHELENT.LAN
>   rhelent.lan = RHELENT.LAN
>
> Also, with the above krb5.conf file I have a new issue with the code, I
> get the following exception:
>
> Exception in thread "main" org.apache.kerby.kerberos.kerb.KrbException: Receiving response message failed
>   at org.apache.kerby.kerberos.kerb.client.impl.DefaultKrbHandler.handleRequest(DefaultKrbHandler.java:45)
>   at org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient.doRequestTgtTicket(DefaultInternalKrbClient.java:74)
>   at org.apache.kerby.kerberos.kerb.client.impl.AbstractInternalKrbClient.requestTgtTicket(AbstractInternalKrbClient.java:105)
>   at org.apache.kerby.kerberos.kerb.client.KrbClient.requestTgtWithOptions(KrbClient.java:252)
>   at org.apache.kerby.kerberos.kerb.client.KrbClient.requestTgtWithKeytab(KrbClient.java:194)
>   at TestKerb.main(TestKerb.java:12)
> Caused by: java.net.PortUnreachableException
>   at sun.nio.ch.DatagramChannelImpl.receive0(Native Method)
>   at sun.nio.ch.DatagramChannelImpl.receiveIntoNativeBuffer(DatagramChannelImpl.java:414)
>   at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:400)
>   at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:345)
>   at org.apache.kerby.kerberos.kerb.transport.KrbUdpTransport.receiveMessage(KrbUdpTransport.java:60)
>   at org.apache.kerby.kerberos.kerb.client.impl.DefaultKrbHandler.handleRequest(DefaultKrbHandler.java:43)
>   ... 5 more
>
> Debugging the code made it look like kerby is trying to hit 127.0.0.1
> (which doesn't have the kerberos server running)
>
> On Fri, Nov 13, 2015 at 9:45 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
>
> > Another thing to check is the keytab file permission. It may fail to be
> > accessed from your IDE. For simplicity, please make a copy in /tmp/ and
> > chmod a+r it.
> >
> > -----Original Message-----
> > From: Zheng, Kai [mailto:kai.zheng@intel.com]
> > Sent: Saturday, November 14, 2015 10:41 AM
> > To: kerby@directory.apache.org
> > Subject: RE: Getting started with the client API
> >
> > Your setup looks fine.
> >
> > >> From inside of my IDE with the following parameters : "-conf /etc -k -t /Users/mlb/Documents/localdev.keytab HTTP/s4u.rhelent.lan@RHELENT.LAN"
> >
> > OK. Since you're in your IDE, maybe you could set your breakpoint at
> > kerb.requestTgtWithKeytab() and check if the keytab file parameter is
> > correctly passed there?
> >
> > -----Original Message-----
> > From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
> > Sent: Saturday, November 14, 2015 10:25 AM
> > To: kerby@directory.apache.org
> > Subject: Re: Getting started with the client API
> >
> > > >> The next issue I'm having is getting my keytab to work.  Here's the
> > > >> exception I get in the same code:
> > > It seems the keytab isn't passed along to that place, so it reported that
> > > some client key or credential is needed. Maybe you could debug along the
> > > stack trace?
> > >
> > > By the way, how did you generate the keytab file, and with which tool?
> > >
> >
> > Keytab was generated by FreeIPA:
> >
> > ipa-getkeytab -s freeipa.rhelent.lan -p HTTP/s4u.rhelent.lan@RHELENT.LAN -k ./localdev.keytab
> >
> > Using MIT Kerberos on OSX I'm able to initialize the keytab without issue:
> >
> > Marcs-MBP:Downloads mlb$ kinit -k -t /Users/mlb/Documents/localdev.keytab -V HTTP/s4u.rhelent.lan@RHELENT.LAN
> > Placing tickets for 'HTTP/s4u.rhelent.lan@RHELENT.LAN' in cache 'API:9C74982C-C9F1-43F1-912F-209C03BBEEE6'
> >
> > Marcs-MBP:Downloads mlb$ klist
> > Credentials cache: API:9C74982C-C9F1-43F1-912F-209C03BBEEE6
> >         Principal: HTTP/s4u.rhelent.lan@RHELENT.LAN
> >
> >   Issued                Expires               Principal
> > Nov 13 21:19:22 2015  Nov 14 21:19:22 2015  krbtgt/RHELENT.LAN@RHELENT.LAN
> >
> > Marcs-MBP:Downloads mlb$
> >
> > Here's my code:
> >
> > KrbClient kerb = new KrbClient(new File("/etc"));
> > kerb.init();
> > TgtTicket tgt = kerb.requestTgtWithKeytab("HTTP/s4u.rhelent.lan@RHELENT.LAN",
> >     new File("/Users/mlb/Documents/localdev.keytab"));
> >
> >
> >
> > > >> Now, I tried to load the keytab using the kinit that comes with
> > > >> kerby and I get a different error:
> > > Let's get this issue solved second. Looking at the NPE place as I
> > > did last time, it looks like your keytab file isn't correctly passed
> > > along. How did you invoke the Kerby kinit tool?
> > >
> > From inside of my IDE with the following parameters : "-conf /etc -k -t /Users/mlb/Documents/localdev.keytab HTTP/s4u.rhelent.lan@RHELENT.LAN"
> >
> > > Regarding the krb5.conf file, we prefer the format used by MIT
> > > Kerberos, though currently the full support isn't done yet. The
> > > format used by the files you found should work with Kerby fine.
> > >
> > >
> > Let me try a krb5.conf file that isn't shared across multiple realms.
> >
> >  Thanks
> > Marc
> >
>
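
Kai's point that this Kerby build did not load the [realms] section, so a KDC named only there is invisible and the client needs kdc_host under [libdefaults], can be checked offline against a krb5.conf. The parser below is an added example, not Kerby's code and not from anyone in this thread; it embeds the thread's krb5.conf as sample input and contrasts MIT-style resolution ([realms] first) with a libdefaults-only lookup when kdc_host is missing.

```python
import re

# The thread's krb5.conf, embedded as sample input; kdc_host is the [libdefaults]
# item Kai asked Marc to add.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  kdc_udp_port = 88
  kdc_host = freeipa.rhelent.lan
  default_realm = RHELENT.LAN
[realms]
RHELENT.LAN = {
  kdc = freeipa.rhelent.lan:88
  admin_server = freeipa.rhelent.lan:749
  #pkinit_anchors = FILE:/etc/ipa/ca.crt
}
"""

def parse_krb5_conf(text):
    """Parse MIT-style krb5.conf into {section: {key: value | {subkey: value}}}."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop '#' comments and blanks
        if not line:
            continue
        if re.fullmatch(r"\[\w+\]", line):        # [section] header
            section, sub = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":                          # end of a brace-delimited block
            sub = None
        elif section is not None:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                       # start of a realm block
                sub = key
                conf[section][sub] = {}
            else:
                (conf[section][sub] if sub else conf[section])[key] = value
    return conf

def resolve_kdc(conf, realm=None, read_realms=True):
    """Return (host, port) the client would contact, or None if no KDC is named.
    read_realms=True follows MIT precedence ([realms] kdc, then libdefaults);
    read_realms=False models this thread's Kerby build, which only read
    [libdefaults] and so had no KDC address at all without kdc_host."""
    libdefaults = conf.get("libdefaults", {})
    realm = realm or libdefaults.get("default_realm")
    entry = conf.get("realms", {}).get(realm, {}) if read_realms else {}
    port = int(libdefaults.get("kdc_udp_port", 88))
    if "kdc" in entry:
        host, _, realm_port = entry["kdc"].partition(":")
        return host, int(realm_port or port)
    return (libdefaults["kdc_host"], port) if "kdc_host" in libdefaults else None
```

With kdc_host removed from the sample, the MIT-style lookup still finds the KDC via [realms] while the libdefaults-only lookup returns None, which is the situation Marc hit before adding the line.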
