From: バーチャル クリストファー <birchall@infoscience.co.jp>
To: users@directory.apache.org
Date: 14 Jun 2011 17:16:58 +0900
Subject: Re: ApacheDS + GSSAPI/Kerberos problem "Failed to find any Kerberos Key"
Message-ID: <4DF718FA.1040506@infoscience.co.jp>
References: <4DE71818.50008@infoscience.co.jp>

Amila,

Thanks for the help. However, my passwords are actually stored in plain text, so I don't think this is the problem. I used Apache Directory Studio to create the ldif file, and it appears to automatically hash the passwords when you export as LDIF.

Thanks,
Chris.

On 2011/06/10 18:33, Amila Jayasekara wrote:
> Hi Chris,
>
> According to your ldif file you are using hashed passwords.
> From my experience ApacheDS Kerberos implementation only works with plain
> text passwords. But I am not aware of the latest improvements. So I may be
> wrong.
>
> Thanks
> AmilaJ
>
> 2011/6/2 バーチャル クリストファー
>
>> Hello,
>>
>> I'm trying to set up ApacheDS 1.5.7 on Linux with Kerberos authentication.
>>
>> I basically followed this tutorial to the letter:
>>
>> http://directory.apache.org/apacheds/1.5/543-kerberos-in-apacheds-155.html
>>
>> However, I am using a custom realm and hostname, instead of the
>> localhost and EXAMPLE.COM used in the tutorial.
>> (Incidentally, I had to add "primaryRealm" and "kdcPrincipal" attributes
>> to the kdcServer attribute in server.xml to get my custom realm to work
>> correctly.)
>>
>> I have 3 users: kerbuser, krbtgt and ldap. See attached LDIF file for
>> details.
>> All users have their krb5Key automatically generated by the
>> KeyDerivationInterceptor.
>>
>> Authenticating with kinit works fine for all 3 users:
>>
>> kinit kerbuser
>> kinit krbtgt/INFOSCIENCE.CO.JP
>> kinit ldap/logst20.dev.infoscience.co.jp
>>
>> all work as expected, run either locally or remotely.
>>
>> However, when I try to login to ApacheDS using Directory Studio, I get
>> "javax.naming.CommunicationException: Request: 1 cancelled".
>> Looking at the Kerberos log server-side (see attached file), I find the
>> message "Failed to find any Kerberos Key". It looks like it cannot find
>> the Kerberos key for the "ldap" user. This is strange, because this user
>> has its krb5Key attribute set correctly, just like the other users. Do I
>> need to copy this key to somewhere else, e.g. a keytab file?
>>
>> I've spent days battling with this problem and I'm out of ideas. Can
>> anybody shed some light on this?
>>
>> Thanks,
>>
>> Chris Birchall.
>>
>>
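A small diagnostic for the hashed-password hypothesis raised in this thread, added here as an example and not code from the thread or from ApacheDS: it reads an exported LDIF the way Directory Studio writes it (folded lines, base64 `::` values) and reports, per KDC entry, whether userPassword is still plaintext and whether a krb5Key has been derived. The sample LDIF, hash and key bytes are constructed; the attribute names are the standard krb5-kdc schema names (krb5KDCEntry, krb5PrincipalName, krb5Key) plus userPassword.

```python
import base64
import re
# Common LDAP password-scheme prefixes: such a value was stored hashed, so there is no plaintext to derive krb5Key from.
HASH_PREFIXES = (b"{SHA}", b"{SSHA}", b"{MD5}", b"{SMD5}", b"{CRYPT}")
# Constructed sample in the shape of a Directory Studio export (EXAMPLE.COM realm, placeholder
# hash and key bytes): a hashed entry that has a key, and a plaintext entry that has none.
SAMPLE_LDIF = """\
dn: uid=kerbuser,ou=users,dc=example,dc=com
objectClass: krb5KDCEntry
krb5PrincipalName: kerbuser@EXAMPLE.COM
userPassword: {SSHA}Y29uc3RydWN0ZWQtc2FsdGVkLWhhc2g=
krb5Key:: MAA=

dn: uid=ldap,ou=users,dc=example,dc=com
objectClass: krb5KDCEntry
krb5PrincipalName: ldap/ldap.exa
 mple.com@EXAMPLE.COM
userPassword:: c2VjcmV0
"""

def parse_ldif(text):
    """Minimal LDIF reader: entries are separated by blank lines, a line starting with
    one space continues the previous line, and '::' marks a base64-encoded value.
    Returns a list of {attr_lower: [bytes, ...]} dicts (no comment/URL handling)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in re.sub(r"\n ", "", block).splitlines():   # unfold wrapped lines
            name, _, rest = line.partition(":")
            if rest.startswith(":"):                           # attr:: <base64 value>
                value = base64.b64decode(rest[1:].strip())
            else:                                              # attr: <plain value>
                value = rest.strip().encode()
            entry.setdefault(name.lower(), []).append(value)
        entries.append(entry)
    return entries

def kerberos_readiness(entries):
    """For each krb5KDCEntry return {principal: (password_is_plaintext, has_krb5key)}.
    (False, _) is the hashed-password case; (True, False) means no key was derived."""
    report = {}
    for e in entries:
        if b"krb5kdcentry" not in [c.lower() for c in e.get("objectclass", [])]:
            continue
        principal = e.get("krb5principalname", [b"?"])[0].decode()
        pw = e.get("userpassword", [b""])[0]
        plain = bool(pw) and not pw.upper().startswith(HASH_PREFIXES)
        report[principal] = (plain, bool(e.get("krb5key")))
    return report
```

Run it against the real export and look for principals reported `(False, _)`; those are the ones whose plaintext the KeyDerivationInterceptor never saw.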