From Rob Hebron <>
Subject Re: GSSAPI authentication using Java client
Date Fri, 11 Mar 2011 14:31:57 GMT
Having authenticated and got the ticket I'm now attempting an LDAP 
search against the ADS that issued it:

ldapsearch -H ldap://<ADS address>:10389 -b "ou=users,dc=example,dc=com" "(uid=hnelson)" -Y GSSAPI -O "maxssf=0"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Decoding error (-4)

However, after running the command I check my ticket cache and see that 
I have a ticket for the ldap service:

klist -5fea
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hnelson@EXAMPLE.COM

Valid starting     Expires            Service principal
03/11/11 13:37:24  03/12/11 13:37:24  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
	Addresses: (none)
03/11/11 13:37:32  03/12/11 13:37:24  ldap/<ADS address>@EXAMPLE.COM
	Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
	Addresses: (none)

The <ADS address> in the ticket is the same as the address of the LDAP 
server in the original query, and also matches the saslHost in 
server.xml. The saslPrincipal matches the 
ldap/<ADS address>@EXAMPLE.COM value in the ticket, which is also 
present in the krb5PrincipalName attribute in 
uid=ldap,ou=Users,dc=example,dc=com.

The server log shows the ticket being issued, but then throws an error:

[14:16:48] WARN [] - 
Unexpected exception forcing session to close: sending disconnect notice 
to client. Failure to initialize security 
context [Caused by GSSException: No valid credentials provided 
(Mechanism level: Failed to find any Kerberos Key)]

Any ideas of anything else I should check?



On 11/03/11 12:04, Rob Hebron wrote:
> Solved it by removing:
> 	forwardable = true
> 	proxiable = true
> from the krb5.conf file used.
> Rob
> On 11/03/11 10:44, Rob Hebron wrote:
>> Hi,
>> I'm experimenting with GSSAPI authentication against ApacheDS 1.5.7.
>> Following various guides I have it working such that I am successfully
>> issued a TGT using kinit (on Debian) - changes mainly involved enabling
>> crypto protocols in server.xml. However, when I try to authenticate with
>> a Java client I always get this error:
>> Kerberos username [rob]: hnelson@EXAMPLE.COM
>> Kerberos password for hnelson@EXAMPLE.COM:
>> default etypes for default_tkt_enctypes: 16.
>> default etypes for default_tkt_enctypes: 16.
>>    >>>   KrbAsReq calling createMessage
>>    >>>   KrbAsReq in createMessage
>>    >>>   KrbKdcReq send: kdc=<kdc address>   UDP:60088, timeout=30000,
>> of retries =3, #bytes=134
>>    >>>   KDCCommunication: kdc=<kdc address>   UDP:60088,
>> timeout=30000,Attempt =1, #bytes=134
>>    >>>   KrbKdcReq send: #bytes read=536
>>    >>>   KrbKdcReq send: #bytes read=536
>>    >>>   KdcAccessibility: remove<kdc address>:60088
>>    >>>   EType:
>> Authentication failed:
>>      Checksum failed
>> .. with no error logged on the server. I'm guessing that a checksum
>> verification has failed. This error is also logged when I try to
>> authenticate to ApacheDS server in Apache Directory Studio. I'm able to
>> log on to a production MIT KDC using the same java code with no problem.
>> A search hasn't turned up much - any ideas of what I could try?
>> Thanks,
>> Rob
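
The following is an added diagnostic, not code from this thread or from ApacheDS. It reads a pasted `klist -5fea` listing and checks the two things the server-side error points at: that the cache actually holds a ticket for the `ldap/<host>` principal implied by the LDAP URI, and that the enctype the service ticket is encrypted with is one the server holds a key for (the KDC encrypts the service ticket with one of the service principal's keys, so a server with no key of that enctype cannot decrypt it). The sample listing is constructed in the layout shown above, with `ads.example.com` standing in for `<ADS address>`; the set of enctypes the server has keys for is an assumed parameter that you would fill in from your own server configuration and service entry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlsplit

# Constructed sample of `klist -5fea` output, in the layout the message shows.
# ads.example.com stands in for the <ADS address> placeholder in the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hnelson@EXAMPLE.COM

Valid starting     Expires            Service principal
03/11/11 13:37:24  03/12/11 13:37:24  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
\tAddresses: (none)
03/11/11 13:37:32  03/12/11 13:37:24  ldap/ads.example.com@EXAMPLE.COM
\tEtype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
\tAddresses: (none)
"""

# Assumed set of enctypes the server holds a key for. Fill this in from your
# own server configuration and the service principal's entry; it is not read
# from the cache.
ASSUMED_SERVER_KEY_ETYPES: Set[str] = {"Triple DES cbc mode with HMAC/sha1"}

TICKET_RE = re.compile(
    r"^(?P<start>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<expires>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<service>\S+)$"
)
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(?P<skey>.+?),\s*(?P<tkt>.+?)\s*$")


@dataclass
class Ticket:
    start: str
    expires: str
    service: str
    skey_etype: Optional[str] = None  # session key enctype
    tkt_etype: Optional[str] = None   # enctype the ticket itself is encrypted with


def parse_klist(text: str) -> List[Ticket]:
    """Parse the ticket lines of `klist -e` output; each Etype line is attached to the ticket above it."""
    tickets: List[Ticket] = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(m["start"], m["expires"], m["service"]))
            continue
        m = ETYPE_RE.match(line)
        if m and tickets:
            tickets[-1].skey_etype = m["skey"]
            tickets[-1].tkt_etype = m["tkt"]
    return tickets


def expected_service_principal(ldap_uri: str, realm: str) -> str:
    """Service principal a GSSAPI LDAP client asks for: ldap/<host in the URI>@REALM.
    Real clients may canonicalise the host through DNS first; this mirrors the URI literally."""
    host = urlsplit(ldap_uri).hostname
    if not host:
        raise ValueError(f"no host in {ldap_uri!r}")
    return f"ldap/{host}@{realm}"


def service_key_check(tickets: List[Ticket], service_principal: str,
                      server_key_etypes: Set[str]) -> List[str]:
    """Explain, from the cache contents alone, why a GSSAPI bind to service_principal could fail."""
    findings: List[str] = []
    if not any(t.service.startswith("krbtgt/") for t in tickets):
        findings.append("no TGT in the cache: run kinit first")
    svc = [t for t in tickets if t.service == service_principal]
    if not svc:
        findings.append(
            f"no service ticket for {service_principal}: the client requested a different "
            f"name (check the host in the URI, reverse DNS, and saslHost/saslPrincipal)")
        return findings
    ticket = svc[-1]
    if ticket.tkt_etype not in server_key_etypes:
        findings.append(
            f"ticket for {service_principal} is encrypted with '{ticket.tkt_etype}' but the "
            f"server holds keys only for {sorted(server_key_etypes)}; the server cannot decrypt "
            f"it and reports 'Failed to find any Kerberos Key'")
    return findings


if __name__ == "__main__":
    cache = parse_klist(SAMPLE_KLIST)
    target = expected_service_principal("ldap://ads.example.com:10389", "EXAMPLE.COM")
    for line in service_key_check(cache, target, ASSUMED_SERVER_KEY_ETYPES) or ["cache looks consistent"]:
        print(line)
```

Run it with your own `klist -5fea` output pasted into SAMPLE_KLIST and the server's real key enctypes in ASSUMED_SERVER_KEY_ETYPES. An empty result means the cache side is consistent and the problem is on the server (wrong key, wrong kvno, or the key for that enctype never generated for the service entry); a non-empty result names the mismatch so you know which side to fix.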

