directory-users mailing list archives

From "バーチャル クリストファー" <birch...@infoscience.co.jp>
Subject ApacheDS + GSSAPI/Kerberos problem "Failed to find any Kerberos Key"
Date Thu, 02 Jun 2011 04:56:56 GMT
Hello,

I'm trying to set up ApacheDS 1.5.7 on Linux with Kerberos authentication.

I basically followed this tutorial to the letter:

http://directory.apache.org/apacheds/1.5/543-kerberos-in-apacheds-155.html

However, I am using a custom realm and hostname, instead of the
localhost and EXAMPLE.COM used in the tutorial.
(Incidentally, I had to add "primaryRealm" and "kdcPrincipal" attributes
to the kdcServer attribute in server.xml to get my custom realm to work
correctly.)

I have 3 users: kerbuser, krbtgt and ldap. See attached LDIF file for
details.
All users have their krb5Key automatically generated by the
KeyDerivationInterceptor.

Authenticating with kinit works fine for all 3 users:

kinit kerbuser
kinit krbtgt/INFOSCIENCE.CO.JP
kinit ldap/logst20.dev.infoscience.co.jp

all work as expected, run either locally or remotely.

However, when I try to log in to ApacheDS using Directory Studio, I get
"javax.naming.CommunicationException: Request: 1 cancelled".
Looking at the Kerberos log server-side (see attached file), I find the
message "Failed to find any Kerberos Key". It looks like it cannot find
the Kerberos key for the "ldap" user. This is strange, because this user
has its krb5Key attribute set correctly, just like the other users. Do I
need to copy this key to somewhere else, e.g. a keytab file?

I've spent days battling with this problem and I'm out of ideas. Can
anybody shed some light on this?

Thanks,

Chris Birchall.

