Having authenticated and got the ticket I'm now attempting an LDAP search against the ADS that issued it:

ldapsearch -H ldap://:10389 -b "ou=users,dc=example,dc=com" "(uid=hnelson)" -Y GSSAPI -O "maxssf=0"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Decoding error (-4)

However, after running the command I check my ticket cache and see that I have a ticket for the ldap service:

klist -5fea
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hnelson@EXAMPLE.COM

Valid starting     Expires            Service principal
03/11/11 13:37:24  03/12/11 13:37:24  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
	Addresses: (none)
03/11/11 13:37:32  03/12/11 13:37:24  ldap/@EXAMPLE.COM
	Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
	Addresses: (none)

The in the ticket is the same as the address of the LDAP server in the original query, and also matches the saslHost in server.xml. The saslPrincipal matches the ldap/@EXAMPLE.COM value in the ticket, which is also present in the krb5PrincipalName attribute in uid=ldap,ou=Users,dc=example,dc=com.

The server log shows the ticket being issued, but then throws an error:

[14:16:48] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.
java.security.PrivilegedActionException: javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)]

Any ideas of anything else I should check?

Thanks,

Rob

On 11/03/11 12:04, Rob Hebron wrote:
> Solved it by removing:
>
> forwardable = true
> proxiable = true
>
> from the krb5.conf file used.
>
> Rob
>
> On 11/03/11 10:44, Rob Hebron wrote:
>> Hi,
>>
>> I'm experimenting with GSSAPI authentication against ApacheDS 1.5.7.
>> Following various guides I have it working such that I am successfully
>> issued a TGT using kinit (on Debian) - changes mainly involved enabling
>> crypto protocols in server.xml. However, when I try to authenticate with
>> a java client I always get this error:
>>
>> Kerberos username [rob]: hnelson@EXAMPLE.COM
>> Kerberos password for hnelson@EXAMPLE.COM:
>> default etypes for default_tkt_enctypes: 16.
>> default etypes for default_tkt_enctypes: 16.
>> >>> KrbAsReq calling createMessage
>> >>> KrbAsReq in createMessage
>> >>> KrbKdcReq send: kdc= UDP:60088, timeout=30000, number of retries =3, #bytes=134
>> >>> KDCCommunication: kdc= UDP:60088, timeout=30000,Attempt =1, #bytes=134
>> >>> KrbKdcReq send: #bytes read=536
>> >>> KrbKdcReq send: #bytes read=536
>> >>> KdcAccessibility: remove:60088
>> >>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
>> Authentication failed:
>> Checksum failed
>>
>> .. with no error logged on the server. I'm guessing that a checksum
>> verification has failed. This error is also logged when I try to
>> authenticate to ApacheDS server in Apache Directory Studio. I'm able to
>> log on to a production MIT KDC using the same java code with no problem.
>>
>> A search hasn't turned up much - any ideas of what I could try?
>>
>> Thanks,
>>
>> Rob
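The client-side check Rob performs by eye above (does the cache hold a live ticket for the ldap service principal, and with which enctype?) can be scripted. This is an added example, not code from the thread or from ApacheDS; the host "ldap.example.com" and the sample klist text are constructed stand-ins for the elided server name, and the parser only confirms the client cache, not the server-side key lookup that the ApacheDS log reports as failing.

```python
import re
from datetime import datetime

# Constructed sample modelled on the klist -5fea output in the thread;
# the host "ldap.example.com" is a placeholder, not the poster's server.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hnelson@EXAMPLE.COM

Valid starting     Expires            Service principal
03/11/11 13:37:24  03/12/11 13:37:24  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
\tAddresses: (none)
03/11/11 13:37:32  03/12/11 13:37:24  ldap/ldap.example.com@EXAMPLE.COM
\tEtype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
\tAddresses: (none)
"""

# A ticket header line: valid-from, expiry, service principal.
_TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")
# The indented "Etype (skey, tkt): <session key etype>, <ticket etype>" detail line.
_ETYPE_RE = re.compile(r"^\s+Etype \(skey, tkt\):\s*(.+?),\s*(.+)$")
_TS = "%m/%d/%y %H:%M:%S"  # klist's default timestamp layout in this output


def parse_klist(text):
    """Return one dict per cached ticket: principal, validity window, etypes."""
    tickets = []
    for line in text.splitlines():
        m = _TICKET_RE.match(line)
        if m:
            tickets.append({"principal": m.group(3),
                            "start": datetime.strptime(m.group(1), _TS),
                            "expires": datetime.strptime(m.group(2), _TS),
                            "skey_etype": None, "tkt_etype": None})
            continue
        m = _ETYPE_RE.match(line)
        if m and tickets:  # detail line belongs to the most recent ticket header
            tickets[-1]["skey_etype"], tickets[-1]["tkt_etype"] = m.group(1), m.group(2)
    return tickets


def check_service_ticket(text, service, host, realm, now_str):
    """Report whether the cache holds a ticket for service/host@REALM and if it is still valid at now_str."""
    want = "%s/%s@%s" % (service, host, realm)
    now = datetime.strptime(now_str, _TS)
    for t in parse_klist(text):
        if t["principal"] == want:
            return {"found": True, "expired": now >= t["expires"], "tkt_etype": t["tkt_etype"]}
    return {"found": False, "expired": None, "tkt_etype": None}
```

A "found" result with a mismatched host or realm string is the usual sign that the client requested a ticket for a principal other than the one the server's saslPrincipal and krb5PrincipalName name, which is worth ruling out before looking at the server's key material.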