directory-users mailing list archives

From Leonardo Graf <leolege...@hotmail.com>
Subject RE: [ApacheDS] Slash domain name inserted when searching for service principal in 1.5.5?
Date Thu, 07 Jan 2010 21:13:20 GMT

In case anyone is interested, it seems that this is not a problem with ApacheDS but a misunderstanding from my side about how to use GSSName. If I code: GSSName serverName = manager.createName("leosservice/localhost@EXAMPLE.COM", GSSName.NT_USER_NAME); everything works as expected.


Regards, Leo
> From: leolegenie@hotmail.com
> To: users@directory.apache.org
> Subject: RE: [ApacheDS] Slash domain name inserted when searching for service principal in 1.5.5?
> Date: Wed, 23 Dec 2009 22:28:22 +0100
> 
> 
> Hello
> 
> 
> 
> Yes it does. I put in another IP (or remove the entry altogether), then ApacheDS seems to search for leosservice/127.0.0.1/example.com@EXAMPLE.COM - the IP seems to be ignored.
> Also, if I use another hostname than localhost the same happens, it always adds /example.com to the search (e. g. leosservice/myhostname/example.com@EXAMPLE.COM). When I change the krb5PrincipalName to whatever it searches it works fine again. By the way, I'm running on Windows standalone, no DNS setup.
> 
> 
> 
> Regards, Leo
> 
> > Date: Wed, 23 Dec 2009 00:23:11 +0100
> > From: elecharny@gmail.com
> > To: users@directory.apache.org
> > Subject: Re: [ApacheDS] Slash domain name inserted when searching for service principal in 1.5.5?
> > 
> > Leonardo Graf wrote:
> > > Hello
> > > 
> > 
> > Hi,
> > 
> > can you check that the localhost entry in /etc/hosts does not refer to 
> > the loopback address (127.0.0.1) ? If so, can you add your server IP 
> > instead ?
> > 
> > > 
> > >
> > > I'm getting a service ticket from the directory server with this code:
> > >
> > > 
> > >
> > > GSSManager manager = GSSManager.getInstance();
> > > final Oid kerberos = new Oid("1.2.840.113554.1.2.2");
> > > GSSName serverName = manager.createName("leosservice/localhost@EXAMPLE.COM",
> > >         GSSName.NT_HOSTBASED_SERVICE);
> > > final GSSContext context = manager.createContext(serverName,
> > >         kerberos, null,
> > >         GSSContext.DEFAULT_LIFETIME);
> > >
> > > Subject.doAs(loginContext.getSubject(), new PrivilegedExceptionAction<byte[]>() {
> > >
> > >     // run() must return byte[] to match PrivilegedExceptionAction<byte[]>
> > >     public byte[] run() throws Exception {
> > >         byte[] token = new byte[0];
> > >         // This is a one pass context initialisation.
> > >         context.requestMutualAuth(false);
> > >         context.requestCredDeleg(false);
> > >         byte[] serviceTicket = context.initSecContext(token, 0, token.length);
> > >
> > >         ...
> > >
> > >         return serviceTicket;
> > >     }
> > > });
> > >
> > > 
> > >
> > > This works nicely, but only if I set the krb5PrincipalName attribute to: leosservice/localhost/example.com@EXAMPLE.COM
> > >
> > > 
> > >
> > > If I set it to (without the domain name in between): leosservice/localhost@EXAMPLE.COM as I would expect to be correct, the server complains with the following error:
> > >
> > > 
> > >
> > > [22:46:36] WARN [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - No server entry found for kerberos principal name leosservice/localhost/example.com@EXAMPLE.COM
> > > [22:46:36] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Server not found in Kerberos database (7)
> > > org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Server not found in Kerberos database
> > > at org.apache.directory.server.kerberos.shared.KerberosUtils.getEntry(KerberosUtils.java:315)
> > > at org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService.getRequestPrincipalEntry(TicketGrantingService.java:310)
> > > at org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService.execute(TicketGrantingService.java:103)
> > > at org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:158)
> > > at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:721)
> > > at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:433)
> > > at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
> > > at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:801)
> > > at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:375)
> > > at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:229)
> > > at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:433)
> > > at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
> > > at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:801)
> > > at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
> > > at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:433)
> > > at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:425)
> > > at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.readHandle(AbstractPollingConnectionlessIoAcceptor.java:436)
> > > at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.processReadySessions(AbstractPollingConnectionlessIoAcceptor.java:407)
> > > at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.access$600(AbstractPollingConnectionlessIoAcceptor.java:56)
> > > at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor$Acceptor.run(AbstractPollingConnectionlessIoAcceptor.java:360)
> > > at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
> > > at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
> > > at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> > > at java.lang.Thread.run(Unknown Source)
> > > Caused by: java.lang.NullPointerException
> > > at org.apache.directory.server.kerberos.shared.store.operations.GetPrincipal.getEntry(GetPrincipal.java:97)
> > > at org.apache.directory.server.kerberos.shared.store.operations.GetPrincipal.execute(GetPrincipal.java:81)
> > > at org.apache.directory.server.kerberos.shared.store.SingleBaseSearch.getPrincipal(SingleBaseSearch.java:63)
> > > at org.apache.directory.server.kerberos.shared.store.DirectoryPrincipalStore.getPrincipal(DirectoryPrincipalStore.java:71)
> > > at org.apache.directory.server.kerberos.shared.KerberosUtils.getEntry(KerberosUtils.java:311)
> > > ... 23 more
> > >
> > >
> > > 
> > >
> > > Is this expected behaviour or am I doing something wrong?
> > >
> > > 
> > >
> > > Regards, Leo
> > > 
> > > 
> > 
> 
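As an added illustration (not code from this thread, from ApacheDS or from the JDK), the following Python models why the two GSSName types Leo tried produce different principals. It assumes that host-based handling treats everything before the first '@' as the service and everything after it as the host, appending the host as one more slash-separated component; hostname canonicalization is simplified to lower-casing (a box with no DNS, as in the thread), and EXAMPLE.COM stands in for the default realm from krb5.conf.

```python
# Constructed model of how a GSS-API name becomes the Kerberos principal
# that the KDC is asked for.  Illustration of the behaviour seen in the
# thread, not the JDK's own implementation.
from typing import Set

NT_USER_NAME = "NT_USER_NAME"
NT_HOSTBASED_SERVICE = "NT_HOSTBASED_SERVICE"
DEFAULT_REALM = "EXAMPLE.COM"  # stands in for default_realm in krb5.conf


def canonicalize_host(host: str) -> str:
    """Simplified stand-in for hostname canonicalization.

    A real implementation also consults DNS or the hosts file; here we
    assume a box with no DNS and only lower-case the name."""
    return host.lower()


def to_principal(name: str, name_type: str, realm: str = DEFAULT_REALM) -> str:
    """Return the principal string a client would request a ticket for."""
    if name_type == NT_USER_NAME:
        # Taken literally as a Kerberos principal; '@' separates the realm.
        return name if "@" in name else f"{name}@{realm}"
    if name_type == NT_HOSTBASED_SERVICE:
        # Expected form is "service@host".  Everything before the first '@'
        # is the service, everything after it the host, which is appended as
        # an extra component.  "leosservice/localhost@EXAMPLE.COM" therefore
        # yields the three-component principal seen in the KDC log.
        service, sep, host = name.partition("@")
        if sep:
            service = f"{service}/{canonicalize_host(host)}"
        return f"{service}@{realm}"
    raise ValueError(f"unsupported name type: {name_type}")


def server_entry_found(principal: str, directory: Set[str]) -> bool:
    """Mirror the KDC lookup: the requested principal must match a
    krb5PrincipalName exactly, otherwise the KDC reports
    'Server not found in Kerberos database'."""
    return principal in directory


if __name__ == "__main__":
    # Constructed directory containing the entry Leo expected to be correct.
    store = {"leosservice/localhost@EXAMPLE.COM"}
    for nt in (NT_HOSTBASED_SERVICE, NT_USER_NAME):
        p = to_principal("leosservice/localhost@EXAMPLE.COM", nt)
        print(f"{nt:22} -> {p}  found={server_entry_found(p, store)}")
```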