directory-users mailing list archives

From Stefan Seelmann <seelm...@apache.org>
Subject Re: Kerberos Can't Find Users
Date Wed, 21 Apr 2010 21:32:16 GMT
Andrew Wiley wrote:
> I'm setting up an embedded ADS server, and I'm trying to get a KDC running
> as well, but for some reason the KDC can't find any users. I'm creating a
> partition in dc=wileynet,dc=org and
> adding uid=administrator,ou=Administrators,dc=wileynet,dc=org with the
> objectClasses account, posixAccount, and krb5Principal. The entry winds up
> looking like this:
> ServerEntry
>     dn[n]: uid=administrator,ou=Administrators,dc=wileynet,dc=org
>     objectClass: krb5Principal
>     objectClass: posixAccount
>     objectClass: account
>     objectClass: top
>     uid: administrator
>     krb5PrincipalName: administrator@WILEYNET.ORG
>     userPassword: (null)
>     uidNumber: 1000
>     cn: administrator
>     gidNumber: 1000
>     homeDirectory:
> 
> I have also created a KdcServer with this code, where defaultSuffix is
> wileynet.org and getDN simply converts wileynet.org to dc=wileynet,dc=org
> KdcServer kdcServer = new KdcServer();
> kdcServer.setDirectoryService(service);
> String temp = "krbtgt/" + defaultSuffix.toUpperCase() + "@"
> + defaultSuffix.toUpperCase();
> System.out.println(temp);
> kdcServer.setKdcPrincipal(temp);
> temp = defaultSuffix.toUpperCase();
> System.out.println(temp);
> kdcServer.setPrimaryRealm(temp);
> temp = getDN(defaultSuffix);
> System.out.println(temp);
> kdcServer.setSearchBaseDn(getDN(defaultSuffix));
> kdcServer.setMaximumTicketLifetime(1000);
> kdcServer.setMaximumRenewableLifetime(2000);
> Transport kt = new UdpTransport(1088);
> kdcServer.addTransports(kt);
> kdcServer.setEncryptionTypes(EncryptionType.values());
> try {
>     kdcServer.start();
> } catch (Exception e) {
>     log.error("Failed to start Kerberos Server", e);
> }
> I've got all the printlns in there to prove that these values are being fed
> in:
> KdcPrincipal: krbtgt/WILEYNET.ORG@WILEYNET.ORG
> PrimaryRealm: WILEYNET.ORG
> SearchBaseDN: dc=wileynet,dc=org
> I then go to a console (I'm running Ubuntu), and try to run kinit
> administrator@WILEYNET.ORG and see this on the command line:
> kinit: Client not found in Kerberos database while getting initial
> credentials
> and this in the ADS log:
> 160564 [NioDatagramAcceptor-3] WARN
> org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler  -
> Client not found in Kerberos database (6)
> 
> Am I missing something here?

Please check the Kerberos configuration example [1]. You need to make
the same settings when you configure the KDC programmatically (I myself
never tried this but want to do so at the weekend).

Did you add the KeyDerivationInterceptor to the interceptor chain before
adding your entry?

Also try to enable debug log level for the kerberos server which is also
described on [1]. Hopefully there will be more information what's going on.

The last idea (since you embed the server) is to debug into the ApacheDS
code using your IDE to see what's going on.


Kind Regards,
Stefan


[1] http://directory.apache.org/apacheds/1.5/543-kerberos-in-apacheds-155.html

PS: Unfortunately the code samples are broken, but they are visible in
the HTML source ;-)
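As an added illustration of the interceptor point raised in the reply above (this is example code, not part of the thread and not ApacheDS project code), the sketch below wires a KeyDerivationInterceptor into an embedded ApacheDS 1.5 DirectoryService before the principal entry is added, then configures the KdcServer with the same values Andrew used. The interceptor only derives krb5Key attributes from a cleartext userPassword present at add time, so an entry stored with `userPassword: (null)` has nothing for it to work from. Package names are assumed for ApacheDS 1.5.5, the partition and working-directory setup is left out as hypothetical, and the password and home directory are constructed sample values.

```java
import java.util.List;

// Package names assumed for ApacheDS 1.5.5
import org.apache.directory.server.core.DefaultDirectoryService;
import org.apache.directory.server.core.entry.ServerEntry;
import org.apache.directory.server.core.interceptor.Interceptor;
import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor;
import org.apache.directory.server.kerberos.kdc.KdcServer;
import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
import org.apache.directory.server.protocol.shared.transport.UdpTransport;
import org.apache.directory.shared.ldap.name.LdapDN;

public class EmbeddedKdcExample {

    public static void main(String[] args) throws Exception {
        String realm = "WILEYNET.ORG";        // realm from the thread
        String baseDn = "dc=wileynet,dc=org"; // search base from the thread

        DefaultDirectoryService service = new DefaultDirectoryService();
        // Hypothetical: working directory and the dc=wileynet,dc=org partition
        // are configured here as in any embedded ApacheDS setup.

        // 1. Register the KeyDerivationInterceptor BEFORE the service starts and
        //    before any krb5Principal entry is added. On add/modify of an entry
        //    carrying objectClass krb5Principal and a cleartext userPassword it
        //    derives the krb5Key attributes the KDC later reads.
        List<Interceptor> interceptors = service.getInterceptors();
        interceptors.add(new KeyDerivationInterceptor());
        service.setInterceptors(interceptors);

        service.startup();

        // 2. Add the principal with a real password. krb5Key is defined on the
        //    krb5KDCEntry auxiliary objectClass, so it is listed alongside
        //    krb5Principal here (the reference configuration in [1] does the same).
        ServerEntry entry = service.newEntry(
            new LdapDN("uid=administrator,ou=Administrators," + baseDn));
        entry.add("objectClass", "top", "account", "posixAccount",
                  "krb5Principal", "krb5KDCEntry");
        entry.add("uid", "administrator");
        entry.add("cn", "administrator");
        entry.add("uidNumber", "1000");
        entry.add("gidNumber", "1000");
        entry.add("homeDirectory", "/home/administrator");   // constructed value
        entry.add("krb5PrincipalName", "administrator@" + realm);
        entry.add("userPassword", "changeit");               // constructed sample
        service.getAdminSession().add(entry);

        // The KDC also needs its own ticket-granting principal
        // (krbtgt/WILEYNET.ORG@WILEYNET.ORG) stored the same way; it is
        // created with the same pattern and omitted here for brevity.

        // 3. Configure and start the KDC with the values from the thread.
        KdcServer kdcServer = new KdcServer();
        kdcServer.setDirectoryService(service);
        kdcServer.setKdcPrincipal("krbtgt/" + realm + "@" + realm);
        kdcServer.setPrimaryRealm(realm);
        kdcServer.setSearchBaseDn(baseDn);
        kdcServer.setMaximumTicketLifetime(1000);
        kdcServer.setMaximumRenewableLifetime(2000);
        kdcServer.addTransports(new UdpTransport(1088));
        kdcServer.setEncryptionTypes(EncryptionType.values());
        kdcServer.start();
    }
}
```

The ordering is the whole point: an entry added before the interceptor is in the chain is stored without derived keys, and re-adding the interceptor afterwards does not retroactively fix it; the entry has to be re-added or its userPassword modified so the interceptor runs.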
