directory-users mailing list archives

From Stephen Stroiazzo <sstroia...@aimrecyclinggroup.com>
Subject Kerberos in ApacheDS2.0.0-M9
Date Fri, 18 Jan 2013 22:01:19 GMT
Would it be possible to throw together a quick page on properly configuring
Kerberos in the 2.0.0-M9 version of ApacheDS? Currently the default
settings for the LDAP and Kerberos servers are properly laid out in the
configuration pages, however the specific user accounts that they relate to
'krbtgt/EXAMPLE.COM@EXAMPLE.COM' and 'ldap/ldap.example.com@EXAMPLE.COM' no
longer appear.

If an updated .ldif could be attached somewhere in the new documentation
and include the default accounts and settings necessary to allow Kerberos
authentication through Apache Directory Studio - that would make things
much easier for new users such as myself.

I have not been having success while trying to alter the older 1.5 versions
of user accounts included in kdc-data.ldif and typically end up at a
"server not found in kerberos database (7)" error. This has come up on both
Windows servers as well as Ubuntu servers with modified hosts and krb5.conf
files. Additionally, I have also been making sure to enable the
'keyDerivationInterceptor' as well as the Kerberos server itself and
deleting/reimporting the user .ldif file to recreate the krb5 keys when
necessary, although these steps are no longer included with the new 2.0.0
documentation.

Below is the .ldif for dc=example,dc=com that I have been basing most of my
testing on. I've tried many small variations of the ldap and krbtgt
principal names but have been unable to find one that works properly.
In addition, I have included a larger dump of the error message (as seen
from my Windows server, although the Ubuntu one appears identical) below
that, just in case.

Thanks,
Stephen

dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
objectClass: top
dc: example
o: example.com

dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users

dn: uid=hnelson,ou=users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: Horatio Nelson
sn: Nelson
uid: hnelson
userPassword: secret
krb5PrincipalName: hnelson@EXAMPLE.COM
krb5KeyVersionNumber: 0

dn: uid=krbtgt,ou=users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: KDC Service
sn: Service
uid: krbtgt
userPassword: secret
krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
krb5KeyVersionNumber: 0

dn: uid=ldap,ou=users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: LDAP
sn: Service
uid: ldap
userPassword: secret
krb5PrincipalName: ldap/localhost@EXAMPLE.COM
krb5KeyVersionNumber: 0

==========================================================

Error while opening connection
 - java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
org.apache.directory.api.ldap.model.exception.LdapException: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1469)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1361)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:446)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1174)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:459)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:307)
    at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
    at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
    at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
Caused by: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Unknown Source)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1459)
    ... 8 more
Caused by: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3783)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:176)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1463)
    ... 11 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3693)
    ... 13 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    ... 15 more
Caused by: KrbException: Server not found in Kerberos database (7) - Server not found in Kerberos database
    at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    ... 18 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
    ... 24 more

java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]

Stephen Stroiazzo | Special Project Assistant | Information Technology | AIM Holding LP
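An added diagnostic example, not part of the message above and not ApacheDS code: it parses an LDIF like the one posted, collects the krb5PrincipalName values of the KDC entries, and reports which service principals a GSSAPI bind from Directory Studio would need but cannot find. It assumes the client asks the KDC for ldap/<hostname-as-configured-in-the-connection>@REALM, so a principal of ldap/localhost@EXAMPLE.COM only serves a connection made to "localhost"; the sample LDIF is a constructed reduction of the posted one.

```python
import re

# Constructed sample: the two service entries from the posted LDIF, reduced.
SAMPLE_LDIF = """\
dn: uid=krbtgt,ou=users,dc=example,dc=com
objectClass: krb5principal
objectClass: krb5kdcentry
krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM

dn: uid=ldap,ou=users,dc=example,dc=com
objectClass: krb5principal
objectClass: krb5kdcentry
krb5PrincipalName: ldap/localhost@EXAMPLE.COM
"""


def parse_ldif(text):
    """Return one {attr: [values]} dict per LDIF entry (attrs lower-cased).

    Handles folded lines (a continuation line starts with one space),
    comments and multi-valued attributes; base64 ("attr::") values are skipped.
    """
    entries, current = [], {}
    unfolded = re.sub(r"\n ", "", text)          # join folded lines
    for line in unfolded.splitlines() + [""]:    # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith(":"):     # malformed or base64 value
            continue
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def kdc_principals(entries):
    """All krb5PrincipalName values held by entries of objectClass krb5KDCEntry."""
    return {p for e in entries
            if "krb5kdcentry" in {c.lower() for c in e.get("objectclass", [])}
            for p in e.get("krb5principalname", [])}


def missing_principals(ldif_text, ldap_host, realm):
    """Principals a GSSAPI bind to ldap_host needs that the LDIF does not define.

    A TGS request for a service principal the KDC cannot find is what produces
    'Server not found in Kerberos database (7)' on the client side.
    """
    required = {f"krbtgt/{realm}@{realm}", f"ldap/{ldap_host}@{realm}"}
    return sorted(required - kdc_principals(parse_ldif(ldif_text)))
```

Running missing_principals(SAMPLE_LDIF, "ldap.example.com", "EXAMPLE.COM") names the absent ldap/ldap.example.com@EXAMPLE.COM entry, while a connection configured to "localhost" finds everything it needs.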