directory-users mailing list archives

From "Robert Krummenacker" <b...@datadg.com>
Subject Apache Directory Studio - Problem using Kerberos
Date Fri, 24 Sep 2010 15:25:27 GMT
I am attempting to make use of Kerberos authentication within Apache
Directory Studio (into Apache DS on the same machine).
I have followed the instructions given at
http://directory.apache.org/apacheds/1.5/543-kerberos-in-apacheds-155.html

Major issue (see log) - *** No server entry found for kerberos principal name ldap/127.0.0.1@EXAMPLE.COM ***

Using - 
Apache Directory Studio Version 1.5.3.v20100330
Apache DS : 1.5.7 
Operating System : Windows Server 2008 - 64bit


Below is the output from the ApacheDS log
---------------------------------------
[08:11:23] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51686 CREATED:  datagram
[08:11:23] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51686 OPENED
[08:11:23] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51686 RCVD: org.apache.directory.server.kerberos.shared.messages.KdcRequest@a1d7b
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Received Authentication Service (AS) request:
	messageType:           AS_REQ
	protocolVersionNumber: 5
	clientAddress:         127.0.0.1
	nonce:                 1285341083
	kdcOptions:            
	clientPrincipal:       hnelson@EXAMPLE.COM
	serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
	encryptionType:        aes128-cts-hmac-sha1-96 (17), rc4-hmac (23), des-cbc-crc (1), des3-cbc-sha1-kd (16), des-cbc-md5 (3)
	realm:                 EXAMPLE.COM
	from time:             null
	till time:             19700101000000Z
	renew-till time:       null
	hostAddresses:         null
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Session will use encryption type des-cbc-md5 (3).
[08:11:23] DEBUG [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - Found entry ServerEntry
    dn[n]: uid=hnelson,ou=users,dc=example,dc=com
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: krb5Principal
    objectClass: krb5KDCEntry
    objectClass: top
    uid: hnelson
    sn: Nelson
    krb5PrincipalName: hnelson@EXAMPLE.COM
    krb5Key: ...
    krb5Key: ...
    krb5Key: ...
    krb5Key: ...
    krb5KeyVersionNumber: 2
    cn: Horatio Nelson
    userPassword: ...
 for kerberos principal name hnelson@EXAMPLE.COM
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using SAM subsystem.
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using encrypted timestamp.
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Entry for client principal hnelson@EXAMPLE.COM has no SAM type. Proceeding with standard pre-authentication.
[08:11:23] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Additional pre-authentication required
	at org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.verifyEncryptedTimestamp(AuthenticationService.java:269)
	at org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.execute(AuthenticationService.java:107)
	at org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:145)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:713)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:793)
	at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:375)
	at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:229)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:793)
	at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426)
	at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.readHandle(AbstractPollingConnectionlessIoAcceptor.java:436)
	at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.processReadySessions(AbstractPollingConnectionlessIoAcceptor.java:407)
	at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.access$600(AbstractPollingConnectionlessIoAcceptor.java:56)
	at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor$Acceptor.run(AbstractPollingConnectionlessIoAcceptor.java:360)
	at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
[08:11:23] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Responding to request with error:
	explanatory text:      Additional pre-authentication required
	error code:            25
	clientPrincipal:       null
	client time:           null
	serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
	server time:           20100924151123Z
[08:11:23] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51686 SENT: org.apache.directory.server.kerberos.shared.messages.ErrorMessage@a030d6
[08:11:23] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51687 CREATED:  datagram
[08:11:23] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51687 OPENED
[08:11:23] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51687 RCVD: org.apache.directory.server.kerberos.shared.messages.KdcRequest@1e4eb5b
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Received Authentication Service (AS) request:
	messageType:           AS_REQ
	protocolVersionNumber: 5
	clientAddress:         127.0.0.1
	nonce:                 1285341084
	kdcOptions:            
	clientPrincipal:       hnelson@EXAMPLE.COM
	serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
	encryptionType:        des-cbc-md5 (3)
	realm:                 EXAMPLE.COM
	from time:             null
	till time:             19700101000000Z
	renew-till time:       null
	hostAddresses:         null
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Session will use encryption type des-cbc-md5 (3).
[08:11:23] DEBUG [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - Found entry ServerEntry
    dn[n]: uid=hnelson,ou=users,dc=example,dc=com
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: krb5Principal
    objectClass: krb5KDCEntry
    objectClass: top
    uid: hnelson
    sn: Nelson
    krb5PrincipalName: hnelson@EXAMPLE.COM
    krb5Key: ...
    krb5Key: ...
    krb5Key: ...
    krb5Key: ...
    krb5KeyVersionNumber: 2
    cn: Horatio Nelson
    userPassword: ...
 for kerberos principal name hnelson@EXAMPLE.COM
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using SAM subsystem.
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using encrypted timestamp.
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Entry for client principal hnelson@EXAMPLE.COM has no SAM type. Proceeding with standard pre-authentication.
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Pre-authentication by encrypted timestamp successful for hnelson@EXAMPLE.COM.
[08:11:23] DEBUG [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - Found entry ServerEntry
    dn[n]: uid=krbtgt,ou=users,dc=example,dc=com
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: krb5Principal
    objectClass: krb5KDCEntry
    objectClass: top
    uid: krbtgt
    sn: Service
    krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    krb5Key: ...
    krb5Key: ...
    krb5Key: ...
    krb5Key: ...
    krb5KeyVersionNumber: 2
    cn: KDC Service
    userPassword: ...
 for kerberos principal name krbtgt/EXAMPLE.COM@EXAMPLE.COM
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Monitoring Authentication Service (AS) context:
	clockSkew              300000
	clientAddress          /127.0.0.1
	principal              hnelson@EXAMPLE.COM
	cn                     null
	realm                  null
	principal              hnelson@EXAMPLE.COM
	SAM type               null
	principal              krbtgt/EXAMPLE.COM@EXAMPLE.COM
	cn                     null
	realm                  null
	principal              krbtgt/EXAMPLE.COM@EXAMPLE.COM
	SAM type               null
	Request key type       des-cbc-md5 (3)
	Client key version     0
	Server key version     0
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Responding with Authentication Service (AS) reply:
	messageType:           AS_REP
	protocolVersionNumber: 5
	nonce:                 1285341084
	clientPrincipal:       hnelson@EXAMPLE.COM
	client realm:          EXAMPLE.COM
	serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
	server realm:          EXAMPLE.COM
	auth time:             20100924151123Z
	start time:            null
	end time:              20100925151123Z
	renew-till time:       null
	hostAddresses:         null
[08:11:23] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51687 SENT: org.apache.directory.server.kerberos.shared.messages.AuthenticationReply@13dd208
[08:11:24] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51688 CREATED:  datagram
[08:11:24] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51688 OPENED
[08:11:24] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51688 RCVD: org.apache.directory.server.kerberos.shared.messages.KdcRequest@1a8402c
[08:11:24] DEBUG [org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService] - Received Ticket-Granting Service (TGS) request:
	messageType:           TGS_REQ
	protocolVersionNumber: 5
	clientAddress:         127.0.0.1
	nonce:                 1285341085
	kdcOptions:            
	clientPrincipal:       null
	serverPrincipal:       ldap/127.0.0.1@EXAMPLE.COM
	encryptionType:        aes128-cts-hmac-sha1-96 (17), rc4-hmac (23), des-cbc-crc (1), des3-cbc-sha1-kd (16), des-cbc-md5 (3)
	realm:                 EXAMPLE.COM
	from time:             null
	till time:             19700101000000Z
	renew-till time:       null
	hostAddresses:         null
[08:11:24] DEBUG [org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService] - Session will use encryption type des-cbc-md5 (3).
[08:11:24] DEBUG [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - Found entry ServerEntry
    dn[n]: uid=krbtgt,ou=users,dc=example,dc=com
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: krb5Principal
    objectClass: krb5KDCEntry
    objectClass: top
    uid: krbtgt
    sn: Service
    krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    krb5Key: ...
    krb5Key: ...
    krb5Key: ...
    krb5Key: ...
    krb5KeyVersionNumber: 2
    cn: KDC Service
    userPassword: ...
 for kerberos principal name krbtgt/EXAMPLE.COM@EXAMPLE.COM
[08:11:24] DEBUG [org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService] - Verifying body checksum type 'RSA_MD5'.
[08:11:24] WARN [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - No server entry found for kerberos principal name ldap/127.0.0.1@EXAMPLE.COM
[08:11:24] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Server not found in Kerberos database (7)
org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Server not found in Kerberos database
	at org.apache.directory.server.kerberos.shared.KerberosUtils.getEntry(KerberosUtils.java:316)
	at org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService.getRequestPrincipalEntry(TicketGrantingService.java:311)
	at org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService.execute(TicketGrantingService.java:104)
	at org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:158)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:713)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:793)
	at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:375)
	at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:229)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:793)
	at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426)
	at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.readHandle(AbstractPollingConnectionlessIoAcceptor.java:436)
	at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.processReadySessions(AbstractPollingConnectionlessIoAcceptor.java:407)
	at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.access$600(AbstractPollingConnectionlessIoAcceptor.java:56)
	at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor$Acceptor.run(AbstractPollingConnectionlessIoAcceptor.java:360)
	at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NullPointerException
	at org.apache.directory.server.kerberos.shared.store.operations.GetPrincipal.getEntry(GetPrincipal.java:98)
	at org.apache.directory.server.kerberos.shared.store.operations.GetPrincipal.execute(GetPrincipal.java:82)
	at org.apache.directory.server.kerberos.shared.store.SingleBaseSearch.getPrincipal(SingleBaseSearch.java:64)
	at org.apache.directory.server.kerberos.shared.store.DirectoryPrincipalStore.getPrincipal(DirectoryPrincipalStore.java:71)
	at org.apache.directory.server.kerberos.shared.KerberosUtils.getEntry(KerberosUtils.java:312)
	... 23 more
[08:11:24] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Responding to request with error:
	explanatory text:      Server not found in Kerberos database
	error code:            7
	clientPrincipal:       null
	client time:           null
	serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
	server time:           20100924151124Z
[08:11:24] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51688 SENT: org.apache.directory.server.kerberos.shared.messages.ErrorMessage@1899213



Robert Krummenacker
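The log above shows three exchanges: an AS_REQ answered with error 25 (the normal first round trip, after which the client retries with an encrypted timestamp), an AS_REQ answered with an AS_REP (the user entry and the krbtgt entry were both found), and a TGS_REQ for ldap/127.0.0.1@EXAMPLE.COM answered with error 7 because no entry in the directory carries that krb5PrincipalName. The following Python script is an added example written for this thread; it is not code from the original post, from Apache Directory Studio or from ApacheDS. It parses KDC debug output of the shape quoted above (the sample lines are constructed to mirror it), pairs each request with its reply or RFC 4120 error code, flags sessions negotiated with single-DES encryption types (every session in the post uses des-cbc-md5 although the client offered AES), and emits an LDIF skeleton for the missing service principal modelled on the krbtgt entry the KDC printed. The DN layout under ou=users, the choice of uid=ldap, the cn/sn values and the placeholder password are this example's assumptions, as is the expectation that the server's key derivation interceptor will derive the krb5Key values from userPassword; check that against the server configuration before relying on the entry.

```python
"""Summarise ApacheDS KDC debug output: one line per AS/TGS exchange with the
Kerberos error that ended it, plus LDIF for a service principal the KDC
reported as missing.  Added example for this thread, not ApacheDS code."""
import re
from dataclasses import dataclass
from typing import Optional

# Kerberos error codes (RFC 4120, section 7.5.9) seen on "error code:" lines.
KRB_ERRORS = {7: ("KDC_ERR_S_PRINCIPAL_UNKNOWN", "no directory entry carries this krb5PrincipalName"),
              25: ("KDC_ERR_PREAUTH_REQUIRED", "normal first AS round trip; client retries with a timestamp")}
WEAK_ETYPES = ("des-cbc-crc (1)", "des-cbc-md5 (3)")   # single DES, deprecated by RFC 6649

# Constructed sample shaped like the log quoted in the post (logger names
# shortened; stack frames and entry dumps left out).
SAMPLE_LOG = """\
[08:11:23] DEBUG [AuthenticationService] - Received Authentication Service (AS) request:
\tmessageType:           AS_REQ
\tclientPrincipal:       hnelson@EXAMPLE.COM
\tserverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
[08:11:23] DEBUG [AuthenticationService] - Session will use encryption type des-cbc-md5 (3).
\terror code:            25
\tclientPrincipal:       null
[08:11:23] DEBUG [AuthenticationService] - Received Authentication Service (AS) request:
\tmessageType:           AS_REQ
\tclientPrincipal:       hnelson@EXAMPLE.COM
\tserverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tmessageType:           AS_REP
[08:11:24] DEBUG [TicketGrantingService] - Received Ticket-Granting Service (TGS) request:
\tmessageType:           TGS_REQ
\tclientPrincipal:       null
\tserverPrincipal:       ldap/127.0.0.1@EXAMPLE.COM
[08:11:24] DEBUG [TicketGrantingService] - Session will use encryption type des-cbc-md5 (3).
[08:11:24] WARN [StoreUtils] - No server entry found for kerberos principal name ldap/127.0.0.1@EXAMPLE.COM
\terror code:            7
"""

FIELD = re.compile(r"^\t([\w -]+?):\s+(.*)$")          # tab-indented "key: value" lines
ETYPE = re.compile(r"Session will use encryption type (.+)\.$")
MISSING = re.compile(r"No server entry found for kerberos principal name (\S+)")


@dataclass
class Exchange:
    request: str                       # AS_REQ or TGS_REQ
    client: str = ""
    server: str = ""
    session_etype: Optional[str] = None
    error_code: Optional[int] = None
    replied: bool = False

    def outcome(self) -> str:
        if self.replied:
            return "OK"
        if self.error_code in KRB_ERRORS:
            name, why = KRB_ERRORS[self.error_code]
            return f"{name} ({self.error_code}): {why}"
        return "no reply seen" if self.error_code is None else f"error {self.error_code}"


def parse_exchanges(log: str) -> list[Exchange]:
    """A messageType *_REQ opens an exchange; the next *_REP or error code closes it."""
    exchanges: list[Exchange] = []
    cur: Optional[Exchange] = None
    for line in log.splitlines():
        m = FIELD.match(line)
        if m is None:
            e = ETYPE.search(line)
            if e and cur is not None:
                cur.session_etype = e.group(1)
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "messageType" and value.endswith("_REQ"):
            cur = Exchange(request=value)
            exchanges.append(cur)
        elif cur is None:
            continue
        elif key == "messageType" and value.endswith("_REP"):
            cur.replied = True
        elif key == "clientPrincipal" and not cur.client:   # first occurrence is the request's
            cur.client = value
        elif key == "serverPrincipal" and not cur.server:
            cur.server = value
        elif key == "error code" and cur.error_code is None:
            cur.error_code = int(value)
    return exchanges


def weak_sessions(exchanges: list[Exchange]) -> list[Exchange]:
    return [e for e in exchanges if e.session_etype in WEAK_ETYPES]


def missing_service_principals(log: str) -> list[str]:
    return MISSING.findall(log)


def service_principal_ldif(principal: str, users_dn: str = "ou=users,dc=example,dc=com") -> str:
    """LDIF skeleton modelled on the krbtgt entry the KDC printed.  Assumptions of
    this example: uid is the service part of the principal, cn/sn are free text,
    and the server's key-derivation interceptor fills krb5Key from userPassword."""
    uid = principal.partition("@")[0].partition("/")[0]        # "ldap" from "ldap/127.0.0.1"
    lines = [f"dn: uid={uid},{users_dn}"]
    lines += [f"objectClass: {oc}" for oc in ("top", "person", "organizationalPerson",
                                              "inetOrgPerson", "krb5Principal", "krb5KDCEntry")]
    lines += [f"uid: {uid}", f"cn: {uid} service", "sn: Service",
              f"krb5PrincipalName: {principal}", "krb5KeyVersionNumber: 0",
              "userPassword: CHANGE-ME-placeholder"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ex = parse_exchanges(SAMPLE_LOG)
    for e in ex:
        print(f"{e.request:8} {e.server:32} {e.outcome()}")
    for e in weak_sessions(ex):
        print(f"WEAK session key {e.session_etype} negotiated for {e.request}")
    for p in missing_service_principals(SAMPLE_LOG):
        print(service_principal_ldif(p))
```

The principal name on the TGS_REQ is built by the client from the host it connects to, so the entry has to carry exactly the name the KDC prints (ldap/127.0.0.1@EXAMPLE.COM here); an entry for ldap/localhost would not match a connection opened to 127.0.0.1. The single-DES flag is worth acting on separately from the missing entry: a KDC that picks des-cbc-md5 when the client offered aes128-cts-hmac-sha1-96 should have its enabled encryption types reviewed.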

