directory-kerby mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Boorshtein <>
Subject Re: Getting started with the client API
Date Sat, 14 Nov 2015 02:25:24 GMT
> >> The next issue I'm having is getting my keytab to work.  Here's the
> exception I get in the same code:
> It seemed the keytab isn't passed along to the place so it reported some
> client key or credential is needed. Maybe you could have a debug along the
> stacktrace?
> By the way, how did you generate the keytab file by which tool?

Keytab was generated by free ipa:

ipa-getkeytab -s freeipa.rhelent.lan -p HTTP/s4u.rhelent.lan@RHELENT.LAN -k

Using MIT kerberos on OSX I'm able to initialize the keytab without issue:

Marcs-MBP:Downloads mlb$ kinit -k -t /Users/mlb/Documents/localdev.keytab
-V HTTP/s4u.rhelent.lan@RHELENT.LAN

Placing tickets for 'HTTP/s4u.rhelent.lan@RHELENT.LAN' in cache

Marcs-MBP:Downloads mlb$ klist

Credentials cache: API:9C74982C-C9F1-43F1-912F-209C03BBEEE6

        Principal: HTTP/s4u.rhelent.lan@RHELENT.LAN

  Issued                Expires               Principal

Nov 13 21:19:22 2015  Nov 14 21:19:22 2015  krbtgt/RHELENT.LAN@RHELENT.LAN

Marcs-MBP:Downloads mlb$
Here's my code:

KrbClient kerb = new KrbClient(new File("/etc"));


TgtTicket tgt = kerb.requestTgtWithKeytab("HTTP/s4u.rhelent.lan@RHELENT.LAN",
new File("/Users/mlb/Documents/localdev.keytab"));

> >> Now, I tried to load the keytab using the kinit that comes with kerby
> and I get a different error:
> Let's get this issue solved second. Looking at the NPE place as I did last
> time, it looks like your keytab file isn't correctly passed along. How did
> you invoke the Kerby kinit tool?
>From inside of my IDE with the following parameters : "-conf /etc  -k -t
/Users/mlb/Documents/localdev.keytab HTTP/s4u.rhelent.lan@RHELENT.LAN"

> Regarding the krb5.conf file, we prefer the format used by MIT Kerberos,
> though currently the full support isn't done yet. The format used by the
> files you found should work with Kerby fine.
Let me try a krb5.conf file that doesn't share with multiple realms.


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message