From: Leonardo Graf
To: users@directory.apache.org
Subject: RE: [ApacheDS] Slash domain name inserted when searching for service principal in 1.5.5?
Date: Thu, 7 Jan 2010 22:13:20 +0100
Mailing-List: users@directory.apache.org

In case anyone is interested, it seems that this is not a problem with ApacheDS but a misunderstanding from my side about how to use GSSName. If I code:

    GSSName serverName = manager.createName("leosservice/localhost@EXAMPLE.COM", GSSName.NT_USER_NAME);

everything works as expected.

Regards, Leo

> From: leolegenie@hotmail.com
> To: users@directory.apache.org
> Subject: RE: [ApacheDS] Slash domain name inserted when searching for service principal in 1.5.5?
> Date: Wed, 23 Dec 2009 22:28:22 +0100
>
> Hello
>
> Yes it does. I put in another IP (or remove the entry altogether), then ApacheDS seems to search for leosservice/127.0.0.1/example.com@EXAMPLE.COM - the IP seems to be ignored. Also, if I use another hostname than localhost the same happens, it always adds /example.com to the search (e.g. leosservice/myhostname/example.com@EXAMPLE.COM). When I change the krb5PrincipalName to whatever it searches, it works fine again. By the way, I'm running on Windows standalone, no DNS setup.
>
> Regards, Leo
>
> > Date: Wed, 23 Dec 2009 00:23:11 +0100
> > From: elecharny@gmail.com
> > To: users@directory.apache.org
> > Subject: Re: [ApacheDS] Slash domain name inserted when searching for service principal in 1.5.5?
> >
> > Leonardo Graf wrote:
> > > Hello
> > >
> >
> > Hi,
> >
> > can you check that the localhost entry in /etc/hosts does not refer to the loopback address (127.0.0.1)? If so, can you add your server IP instead?
> >
> > >
> > > I'm getting a service ticket from the directory server with this code:
> > >
> > >     GSSManager manager = GSSManager.getInstance();
> > >     final Oid kerberos = new Oid("1.2.840.113554.1.2.2");
> > >     GSSName serverName = manager.createName("leosservice/localhost@EXAMPLE.COM",
> > >             GSSName.NT_HOSTBASED_SERVICE);
> > >     final GSSContext context = manager.createContext(serverName,
> > >             kerberos, null,
> > >             GSSContext.DEFAULT_LIFETIME);
> > >
> > >     Subject.doAs(loginContext.getSubject(), new PrivilegedExceptionAction() {
> > >
> > >         public GSSContext run() throws Exception {
> > >             byte[] token = new byte[0];
> > >             // This is a one pass context initialisation.
> > >             context.requestMutualAuth(false);
> > >             context.requestCredDeleg(false);
> > >             byte[] serviceTicket = context.initSecContext(token, 0, token.length);
> > >
> > >             ...
> > >
> > > This works nicely, but only if I set the krb5PrincipalName attribute to: leosservice/localhost/example.com@EXAMPLE.COM
> > >
> > > If I set it to (without the domain name in between): leosservice/localhost@EXAMPLE.COM, as I would expect to be correct, the server complains with the following error:
> > >
> > >     [22:46:36] WARN [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - No server entry found for kerberos principal name leosservice/localhost/example.com@EXAMPLE.COM
> > >     [22:46:36] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Server not found in Kerberos database (7)
> > >     org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Server not found in Kerberos database
> > >         at org.apache.directory.server.kerberos.shared.KerberosUtils.getEntry(KerberosUtils.java:315)
> > >         at org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService.getRequestPrincipalEntry(TicketGrantingService.java:310)
> > >         at org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService.execute(TicketGrantingService.java:103)
> > >         at org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:158)
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:721)
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:433)
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:801)
> > >         at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:375)
> > >         at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:229)
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:433)
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:801)
> > >         at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:433)
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:425)
> > >         at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.readHandle(AbstractPollingConnectionlessIoAcceptor.java:436)
> > >         at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.processReadySessions(AbstractPollingConnectionlessIoAcceptor.java:407)
> > >         at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.access$600(AbstractPollingConnectionlessIoAcceptor.java:56)
> > >         at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor$Acceptor.run(AbstractPollingConnectionlessIoAcceptor.java:360)
> > >         at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
> > >         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
> > >         at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> > >         at java.lang.Thread.run(Unknown Source)
> > >     Caused by: java.lang.NullPointerException
> > >         at org.apache.directory.server.kerberos.shared.store.operations.GetPrincipal.getEntry(GetPrincipal.java:97)
> > >         at org.apache.directory.server.kerberos.shared.store.operations.GetPrincipal.execute(GetPrincipal.java:81)
> > >         at org.apache.directory.server.kerberos.shared.store.SingleBaseSearch.getPrincipal(SingleBaseSearch.java:63)
> > >         at org.apache.directory.server.kerberos.shared.store.DirectoryPrincipalStore.getPrincipal(DirectoryPrincipalStore.java:71)
> > >         at org.apache.directory.server.kerberos.shared.KerberosUtils.getEntry(KerberosUtils.java:311)
> > >         ... 23 more
> > >
> > > Is this expected behaviour or am I doing something wrong?
> > >
> > > Regards, Leo
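The two name types in this thread interpret the same string differently, which is why the KDC was asked for leosservice/localhost/example.com@EXAMPLE.COM. With GSSName.NT_HOSTBASED_SERVICE the JDK's Kerberos mechanism parses the string as "service@host": everything before the '@' is the service part, "EXAMPLE.COM" is taken as the host name, lower-cased and appended as a further component, and the default realm from krb5.conf is added. With GSSName.NT_USER_NAME the string is handed over as a complete principal name, so the realm after '@' stays the realm. The following added example (my own code, not from the thread or from ApacheDS) makes that visible on the client by canonicalizing the name for the Kerberos mechanism before any context is created, so a mismatch against the krb5PrincipalName stored in the directory can be spotted without reading KDC logs. It assumes a krb5.conf whose default realm is EXAMPLE.COM; canonicalize() needs the realm but does not contact the KDC. Depending on the JDK version, the host part of a host-based name may additionally be canonicalized through DNS (which is what the /etc/hosts question in the thread is about), so on a box without DNS the host string is used as typed.

```java
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Added example: shows which Kerberos principal the GSS layer will request
 * for a given name string and name type. Assumes krb5.conf is configured
 * with EXAMPLE.COM as the default realm (assumption, not from the thread).
 */
public class ServicePrincipalNameCheck {

    /** Kerberos V5 mechanism OID, the same value used in the thread's code. */
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    /**
     * Returns the principal name the Kerberos mechanism derives from the
     * given string, i.e. the name that would go into the TGS request.
     */
    public static String resolvedPrincipal(String name, Oid nameType) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSName gssName = manager.createName(name, nameType);
        // canonicalize() applies the mechanism's parsing rules; for Krb5 a
        // host-based "service@host" name becomes service/host@DEFAULT_REALM.
        return gssName.canonicalize(new Oid(KRB5_MECH_OID)).toString();
    }

    /**
     * Compares the client-side resolved principal with the krb5PrincipalName
     * the server entry is expected to carry; false means the KDC will answer
     * "Server not found in Kerberos database" for this name/type combination.
     */
    public static boolean matchesServerEntry(String name, Oid nameType, String krb5PrincipalName)
            throws GSSException {
        return resolvedPrincipal(name, nameType).equals(krb5PrincipalName);
    }

    public static void main(String[] args) throws GSSException {
        // Principal as it is stored in the directory in the thread's working setup.
        String storedPrincipal = "leosservice/localhost@EXAMPLE.COM";
        String spn = "leosservice/localhost@EXAMPLE.COM";

        // NT_HOSTBASED_SERVICE: "EXAMPLE.COM" is treated as the host, lower-cased
        // and appended, then the default realm is added. Expected result with the
        // assumed krb5.conf: leosservice/localhost/example.com@EXAMPLE.COM
        System.out.println("NT_HOSTBASED_SERVICE -> "
                + resolvedPrincipal(spn, GSSName.NT_HOSTBASED_SERVICE)
                + " matches stored entry: "
                + matchesServerEntry(spn, GSSName.NT_HOSTBASED_SERVICE, storedPrincipal));

        // NT_USER_NAME (the fix from the thread): the string is a full principal,
        // so the realm after '@' is kept and the name matches the stored entry.
        System.out.println("NT_USER_NAME         -> "
                + resolvedPrincipal(spn, GSSName.NT_USER_NAME)
                + " matches stored entry: "
                + matchesServerEntry(spn, GSSName.NT_USER_NAME, storedPrincipal));

        // The form NT_HOSTBASED_SERVICE is designed for: "service@host". With
        // EXAMPLE.COM as default realm this yields the same principal as above.
        String hostBased = "leosservice@localhost";
        System.out.println("service@host         -> "
                + resolvedPrincipal(hostBased, GSSName.NT_HOSTBASED_SERVICE)
                + " matches stored entry: "
                + matchesServerEntry(hostBased, GSSName.NT_HOSTBASED_SERVICE, storedPrincipal));
    }
}
```

Running matchesServerEntry() before initSecContext() is a cheap pre-flight check for this class of misconfiguration: a false result means the directory entry's krb5PrincipalName and the name the client will ask for have drifted apart, and the fix is either to use NT_USER_NAME with the exact principal or to switch to the "service@host" spelling that NT_HOSTBASED_SERVICE expects.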