directory-users mailing list archives

From Leonardo Graf <leolege...@hotmail.com>
Subject RE: [ApacheDS] Slash domain name inserted when searching for service principal in 1.5.5?
Date Wed, 23 Dec 2009 21:28:22 GMT

Hello

Yes it does. I put in another IP (or remove the entry altogether), then ApacheDS seems to
search for leosservice/127.0.0.1/example.com@EXAMPLE.COM - the IP seems to be ignored. Also,
if I use a hostname other than localhost the same happens, it always adds /example.com to
the search (e.g. leosservice/myhostname/example.com@EXAMPLE.COM). When I change the krb5PrincipalName
to whatever it searches for, it works fine again. By the way, I'm running on Windows standalone,
no DNS setup.

Regards, Leo

> Date: Wed, 23 Dec 2009 00:23:11 +0100
> From: elecharny@gmail.com
> To: users@directory.apache.org
> Subject: Re: [ApacheDS] Slash domain name inserted when searching for service principal in 1.5.5?
> 
> Leonardo Graf wrote:
> > Hello
> > 
> 
> Hi,
> 
> can you check that the localhost entry in /etc/hosts does not refer to 
> the loopback address (127.0.0.1) ? If so, can you add your server IP 
> instead ?
> 
> >
> > I'm getting a service ticket from the directory server with this code:
> >
> > GSSManager manager = GSSManager.getInstance();
> > final Oid kerberos = new Oid("1.2.840.113554.1.2.2");
> > GSSName serverName = manager.createName("leosservice/localhost@EXAMPLE.COM",
> > GSSName.NT_HOSTBASED_SERVICE);
> > final GSSContext context = manager.createContext( serverName,
> > kerberos, null,
> > GSSContext.DEFAULT_LIFETIME);
> >
> > Subject.doAs(loginContext.getSubject(), new PrivilegedExceptionAction<byte[]>() {
> >
> > // return type must match the PrivilegedExceptionAction<byte[]> declared above
> > public byte[] run() throws Exception {
> > byte[] token = new byte[0];
> > // This is a one pass context initialisation.
> > context.requestMutualAuth( false);
> > context.requestCredDeleg( false);
> > byte[] serviceTicket = context.initSecContext( token, 0, token.length);
> >
> > ...
> >
> > This works nicely, but only if I set the krb5PrincipalName attribute to: leosservice/localhost/example.com@EXAMPLE.COM
> >
> > If I set it to (without the domain name in between): leosservice/localhost@EXAMPLE.COM
> > as I would expect to be correct, the server complains with the following error:
> >
> > [22:46:36] WARN [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - No server entry found for kerberos principal name leosservice/localhost/example.com@EXAMPLE.COM
> > [22:46:36] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Server not found in Kerberos database (7)
> > org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Server not found in Kerberos database
> > at org.apache.directory.server.kerberos.shared.KerberosUtils.getEntry(KerberosUtils.java:315)
> > at org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService.getRequestPrincipalEntry(TicketGrantingService.java:310)
> > at org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService.execute(TicketGrantingService.java:103)
> > at org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:158)
> > at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:721)
> > at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:433)
> > at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
> > at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:801)
> > at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:375)
> > at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:229)
> > at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:433)
> > at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
> > at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:801)
> > at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
> > at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:433)
> > at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:425)
> > at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.readHandle(AbstractPollingConnectionlessIoAcceptor.java:436)
> > at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.processReadySessions(AbstractPollingConnectionlessIoAcceptor.java:407)
> > at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.access$600(AbstractPollingConnectionlessIoAcceptor.java:56)
> > at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor$Acceptor.run(AbstractPollingConnectionlessIoAcceptor.java:360)
> > at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
> > at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
> > at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> > at java.lang.Thread.run(Unknown Source)
> > Caused by: java.lang.NullPointerException
> > at org.apache.directory.server.kerberos.shared.store.operations.GetPrincipal.getEntry(GetPrincipal.java:97)
> > at org.apache.directory.server.kerberos.shared.store.operations.GetPrincipal.execute(GetPrincipal.java:81)
> > at org.apache.directory.server.kerberos.shared.store.SingleBaseSearch.getPrincipal(SingleBaseSearch.java:63)
> > at org.apache.directory.server.kerberos.shared.store.DirectoryPrincipalStore.getPrincipal(DirectoryPrincipalStore.java:71)
> > at org.apache.directory.server.kerberos.shared.KerberosUtils.getEntry(KerberosUtils.java:311)
> > ... 23 more
> >
> > Is this expected behaviour or am I doing something wrong?
> >
> > Regards, Leo
> > 
> 
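The thread's createName call uses GSSName.NT_HOSTBASED_SERVICE, whose string form under RFC 2743 is "service@hostname", and the server then searches for a principal that is not the one written in the code. A useful check before touching the KDC at all is to ask the GSS-API provider what principal it actually built from the string. The following is an added example, not code from the thread or from the ApacheDS project: it resolves a name under both the host-based name type and the Kerberos principal name type (OID 1.2.840.113554.1.2.2.1 from RFC 1964, which the JDK's Kerberos provider accepts), prints the resulting principal, and keeps the one-pass context initialisation from the thread in a helper to be run inside Subject.doAs. The class and method names are mine; the example assumes a reachable krb5.conf with a default realm, because the provider needs it to complete the principal.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Added example (not from the thread): show which Kerberos principal the
 * GSS-API provider derives from a name string before any TGS-REQ is sent.
 */
public class PrincipalNameCheck {

    // Kerberos V5 mechanism OID, the same value the thread uses.
    static final Oid KRB5_MECH = oid("1.2.840.113554.1.2.2");

    // Kerberos principal name type (RFC 1964): the string is taken literally
    // as primary/instance@REALM, with no host canonicalisation.
    static final Oid KRB5_NT_PRINCIPAL_NAME = oid("1.2.840.113554.1.2.2.1");

    // Oid's constructor throws a checked GSSException, so wrap it for static fields.
    private static Oid oid(String dotted) {
        try {
            return new Oid(dotted);
        } catch (GSSException e) {
            throw new IllegalStateException("bad OID " + dotted, e);
        }
    }

    /**
     * Resolve a name string under the given name type and return the
     * mechanism-specific principal string. Passing the mechanism OID makes
     * the Kerberos provider build the principal immediately, so toString()
     * reflects what the client will request from the KDC.
     */
    static String resolve(String name, Oid nameType) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSName gssName = manager.createName(name, nameType, KRB5_MECH);
        return gssName.toString();
    }

    /**
     * One-pass context initialisation as in the thread. Call this from inside
     * Subject.doAs(...) with a subject that already holds a TGT.
     */
    static byte[] requestServiceTicket(GSSName serverName) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSContext context = manager.createContext(
                serverName, KRB5_MECH, null, GSSContext.DEFAULT_LIFETIME);
        context.requestMutualAuth(false);
        context.requestCredDeleg(false);
        byte[] token = new byte[0];
        return context.initSecContext(token, 0, token.length);
    }

    public static void main(String[] args) throws GSSException {
        // Host-based form per RFC 2743: "service@host". The provider
        // canonicalises the host part using the local resolver.
        System.out.println("host-based: "
                + resolve("leosservice@localhost", GSSName.NT_HOSTBASED_SERVICE));

        // Kerberos principal form: used exactly as written.
        System.out.println("literal   : "
                + resolve("leosservice/localhost@EXAMPLE.COM", KRB5_NT_PRINCIPAL_NAME));
    }
}
```

Run the main method on the same machine and JVM that will talk to the KDC: the host-based result depends on that machine's resolver (hosts file or DNS), which is why it is worth printing rather than assuming, while the literal form is the string you would compare against the krb5PrincipalName attribute stored in the directory. Once the printed principal matches the directory entry, pass the same GSSName to requestServiceTicket inside Subject.doAs.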