directory-users mailing list archives

From Amila Jayasekara <ami...@wso2.com>
Subject Re: ApacheDS + GSSAPI/Kerberos problem "Failed to find any Kerberos Key"
Date Fri, 10 Jun 2011 09:33:31 GMT
Hi Chris,

According to your LDIF file, you are using hashed passwords.
From my experience, the ApacheDS Kerberos implementation only works with plain
text passwords. But I am not aware of the latest improvements, so I may be
wrong.

Thanks
AmilaJ

2011/6/2 バーチャル クリストファー <birchall@infoscience.co.jp>

> Hello,
>
> I'm trying to set up ApacheDS 1.5.7 on Linux with Kerberos authentication.
>
> I basically followed this tutorial to the letter:
>
> http://directory.apache.org/apacheds/1.5/543-kerberos-in-apacheds-155.html
>
> However, I am using a custom realm and hostname, instead of the
> localhost and EXAMPLE.COM used in the tutorial.
> (Incidentally, I had to add "primaryRealm" and "kdcPrincipal" attributes
> to the kdcServer attribute in server.xml to get my custom realm to work
> correctly.)
>
> I have 3 users: kerbuser, krbtgt and ldap. See attached LDIF file for
> details.
> All users have their krb5Key automatically generated by the
> KeyDerivationInterceptor.
>
> Authenticating with kinit works fine for all 3 users:
>
> kinit kerbuser
> kinit krbtgt/INFOSCIENCE.CO.JP
> kinit ldap/logst20.dev.infoscience.co.jp
>
> all work as expected, run either locally or remotely.
>
> However, when I try to log in to ApacheDS using Directory Studio, I get
> "javax.naming.CommunicationException: Request: 1 cancelled".
> Looking at the Kerberos log server-side (see attached file), I find the
> message "Failed to find any Kerberos Key". It looks like it cannot find
> the Kerberos key for the "ldap" user. This is strange, because this user
> has its krb5Key attribute set correctly, just like the other users. Do I
> need to copy this key to somewhere else, e.g. a keytab file?
>
> I've spent days battling with this problem and I'm out of ideas. Can
> anybody shed some light on this?
>
> Thanks,
>
> Chris Birchall.
>
>
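Added example, not code from this thread or from ApacheDS: a pre-load check over an LDIF that flags Kerberos principals whose userPassword is stored with a {SCHEME} hash prefix (or is missing), since the KeyDerivationInterceptor needs the plain text to derive krb5Key. The LDIF below is constructed, and the attribute names krb5PrincipalName and userPassword are assumed from the ApacheDS Kerberos schema.

```python
import base64
import re

# Constructed sample LDIF; it stands in for the attachment and is not Chris's file.
SAMPLE_LDIF = """\
dn: uid=kerbuser,ou=users,dc=example,dc=com
objectClass: krb5Principal
objectClass: krb5KDCEntry
krb5PrincipalName: kerbuser@EXAMPLE.COM
userPassword: secret

dn: uid=ldap,ou=users,dc=example,dc=com
objectClass: krb5Principal
objectClass: krb5KDCEntry
krb5PrincipalName: ldap/host.example.com@EXAMPLE.COM
# stored hashed: no krb5Key can be derived from this value
userPassword: {SSHA}placeholder-not-a-real-hash==

dn: uid=krbtgt,ou=users,dc=example,dc=com
objectClass: krb5Principal
krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
userPassword:: c2VjcmV0
"""

HASH_SCHEME = re.compile(r"^\{([A-Za-z0-9-]+)\}")  # e.g. {SSHA}, {SHA}, {MD5}


def parse_ldif(text):
    """Split LDIF into entries; unfold continuation lines, decode '::' base64."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" "):                  # folded continuation line
            lines[-1] += raw[1:]
        elif raw == "":                          # blank line ends an entry
            entry = {}
            for line in lines:
                if line.startswith("#"):
                    continue
                name, _, value = line.partition(":")
                if value.startswith(":"):        # 'attr:: <base64>'
                    value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
                entry.setdefault(name.lower(), []).append(value.strip())
            if entry:
                entries.append(entry)
            lines = []
        else:
            lines.append(raw)
    return entries


def check_kerberos_principals(entries):
    """Return (dn, reason) for principals whose userPassword cannot yield a krb5Key."""
    problems = []
    for entry in entries:
        if "krb5principalname" not in entry:
            continue
        dn = entry["dn"][0]
        passwords = entry.get("userpassword", [])
        if not passwords:
            problems.append((dn, "no userPassword to derive krb5Key from"))
        for pw in passwords:
            m = HASH_SCHEME.match(pw)
            if m:
                problems.append((dn, f"userPassword is hashed ({m.group(1)})"))
    return problems


if __name__ == "__main__":
    for dn, reason in check_kerberos_principals(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {reason}")
```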
