directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: [ApacheDS] Generating keytab file for Websphere Kerberos configuration, now with KRB-ERROR in logs
Date Fri, 25 Jul 2014 16:38:11 GMT
On Fri, Jul 25, 2014 at 8:49 PM, Brian Laskey <brian.laskey@gmail.com>
wrote:

> Actually, I solved the "Additional pre-authentication required" error by
> opening Configuration on my ApacheDS server with Directory Studio, on the
> Kerberos Server tab, and unchecking the "Require Pre-Authentication By
> Encrypted TimeStamp" check box under Ticket Settings.
>
>
> Now I receive a different error with kinit using the same keytab and conf
> file:
> kinit: Server not found in Kerberos database while getting initial
> credentials
>
> In the apacheds.log I now see a different KrbError:
>
> [10:29:48] DEBUG [org.apache.directory.shared.kerberos.messages.KrbError] -
> KrbError encoding : 0x7E 0x81 0x84 0x30 0x81 0x81 0xA0 0x03 0x02 0x01 0x05
> 0xA1 0x03 0x02 0x01 0x1E 0xA4 0x11 0x18 0x0F 0x32 0x30 0x31 0x34 0x30 0x37
> 0x32 0x35 0x31 0x34 0x32 0x39 0x34 0x38 0x5A 0xA5 0x03 0x02 0x01 0x00 0xA6
> 0x03 0x02 0x01 0x07 0xA9 0x0D 0x1B 0x0B 0x45 0x58 0x41 0x4D 0x50 0x4C 0x45
> 0x2E 0x43 0x4F 0x4D 0xAA 0x20 0x30 0x1E 0xA0 0x03 0x02 0x01 0x02 0xA1 0x17
> 0x30 0x15 0x1B 0x06 0x6B 0x72 0x62 0x74 0x67 0x74 0x1B 0x0B 0x45 0x58 0x41
> 0x4D 0x50 0x4C 0x45 0x2E 0x43 0x4F 0x4D 0xAB 0x27 0x1B 0x25 0x53 0x65 0x72
> 0x76 0x65 0x72 0x20 0x6E 0x6F 0x74 0x20 0x66 0x6F 0x75 0x6E 0x64 0x20 0x69
> 0x6E 0x20 0x4B 0x65 0x72 0x62 0x65 0x72 0x6F 0x73 0x20 0x64 0x61 0x74 0x61
> 0x62 0x61 0x73 0x65
> [10:29:48] DEBUG [org.apache.directory.shared.kerberos.messages.KrbError] -
> KrbError initial value :
> KRB-ERROR : {
>     pvno: 5
>     msgType: KRB_ERROR
>     sTime: 20140725142948Z
>     susec: 0
>     errorCode: Server not found in Kerberos database
>     realm: EXAMPLE.COM
>     sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', '
> EXAMPLE.COM'>realm: EXAMPLE.COM }
>     eText: Server not found in Kerberos database
> }
>
>
>
> Should I create a principal krbtgt manually? Do I need to put something for
>
yes, you need to create this entry manually

> krbtgt@EXAMPLE.COM in the keytab file as well?
>
>
> Thank you,
> Brian
>
>
> On Fri, Jul 25, 2014 at 9:39 AM, Brian Laskey <brian.laskey@gmail.com>
> wrote:
>
> > Thanks all, I was able to generate a keytab file using the JUnit test as
> > an example.
> >
> > When I try to use kinit with the generated keytab I am getting an error:
> > kinit: Generic preauthentication failure while getting initial credentials
> >
> > I turned on DEBUG logging in ApacheDS, I see this:
> > [09:35:50] DEBUG [org.apache.directory.shared.kerberos.messages.KrbError]
> > - KrbError initial value :
> > KRB-ERROR : {
> >     pvno: 5
> >     msgType: KRB_ERROR
> >     sTime: 20140725133550Z
> >     susec: 0
> >     errorCode: Additional pre-authentication required
> >     realm: EXAMPLE.COM
> >     sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', '
> > EXAMPLE.COM'>realm: EXAMPLE.COM }
> >     eText: Additional pre-authentication required
> >     eData: 0x30 0x2D 0x30 0x09 0xA1 0x03 0x02 0x01 0x02 0xA2 0x02 0x04
> > 0x00 0x30 0x20 0xA1 0x03 0x02 0x01 0x13 0xA2 0x19 0x04 0x17 0x30 0x15 0x30
> > 0x05 0xA0 0x03 0x02 0x01 0x11 0x30 0x05 0xA0 0x03 0x02 0x01 0x10 0x30 0x05
> > 0xA0 0x03 0x02 0x01 0x03
> > }
> >
> > Is there something I should look at for this?
> >
> >
> > On Thu, Jul 24, 2014 at 2:32 PM, Kiran Ayyagari <kayyagari@apache.org>
> > wrote:
> >
> >> On Thu, Jul 24, 2014 at 9:06 PM, Brian Laskey <brian.laskey@gmail.com>
> >> wrote:
> >>
> >> > Thank you,
> >> >
> >> > I am trying out ApacheDS 2.0.0-M17 as you suggest. Configuration seems
> >> > easier there...
> >> >
> >> > Regarding the unit test. For my own wrapper I will need to write, in what
> >> > environment would I execute the class to get the keytab for a user? Do I
> >> > just run a main class in my own JVM? Does it need access to something on
> >> > the file system, or is there some way that I can deploy and invoke the
> >> > code from the ApacheDS server program?
> >> >
> >> it doesn't need to read anything from the file system, but you may want to
> >> contact the server to get access to the kerberos keys of the user account
> >> for which this keytab is generated
> >>
> >> > Thanks
> >> >
> >> > On 23/07/2014 23:17, Brian Laskey wrote:
> >> > > I would like to try to use an existing Apache DS 1.5.7 server that my
> >> > > team had, and add in the built in Kerberos server support (KDC). After
> >> > > following a number of tutorials, I think I am somewhat there. I have
> >> > > principals in Apache DS under an example.com domain.
> >> >
> >> > I would seriously suggest you switch to a more recent version. 1.5.7 is
> >> > more than 4 years old, and a hell of a lot of work has been injected in
> >> > the server, including a complete rewrite of most of the kerberos code...
> >> > >
> >> > > My goal is to integrate with WebSphere Security Kerberos configuration
> >> > > (WAS 8.5.0.1). As part of the information required by WebSphere you
> >> > > must provide:
> >> > > - The Kerberos keytab file contains one or more Kerberos service
> >> > > principal names and keys. This same file is used for both Kerberos
> >> > > authentication and SPNEGO web authentication
> >> > >
> >> > > There seems to be a command line utility with the MIT krb5 server that
> >> > > would do this (ktadd ...). Is there an equivalent approach with Apache
> >> > > DS? I was unable to find documentation around this.
> >> >
> >> > We have a class that does update a Keytab file, it's not documented.
> >> > There is a unit test that shows how to use it from a piece of Java code :
> >> >
> >> > http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-codec/src/test/java/org/apache/directory/server/kerberos/shared/keytab/KeytabTest.java?revision=1589929&view=markup
> >> >
> >> > It probably deserves some wrapper around it.
> >> >
> >>
> >>
> >>
> >> --
> >> Kiran Ayyagari
> >> http://keydap.com
> >>
> >
> >
>



-- 
Kiran Ayyagari
http://keydap.com
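The "KrbError encoding" line that ApacheDS logs is plain DER, so the message can be decoded offline to confirm exactly what the KDC is reporting before touching the configuration. The following Python is an added example, not code from ApacheDS or from anyone in this thread; it walks the DER structure of RFC 4120's KRB-ERROR and METHOD-DATA, using the two hex dumps quoted in this thread as input (the full KRB-ERROR from the "Server not found" reply, and the eData from the earlier "Additional pre-authentication required" reply). The error-code, PA-DATA type and enctype tables are the RFC 4120 / RFC 3961 assignments.

```python
"""Decode the DER-encoded KRB-ERROR (RFC 4120 section 5.9.1) that ApacheDS
logs at DEBUG level, including the METHOD-DATA carried in e-data.
Added example code; the two hex dumps are copied from the log excerpts above."""

KRB_ERROR_HEX = """
0x7E 0x81 0x84 0x30 0x81 0x81 0xA0 0x03 0x02 0x01 0x05 0xA1 0x03 0x02 0x01 0x1E
0xA4 0x11 0x18 0x0F 0x32 0x30 0x31 0x34 0x30 0x37 0x32 0x35 0x31 0x34 0x32 0x39
0x34 0x38 0x5A 0xA5 0x03 0x02 0x01 0x00 0xA6 0x03 0x02 0x01 0x07 0xA9 0x0D 0x1B
0x0B 0x45 0x58 0x41 0x4D 0x50 0x4C 0x45 0x2E 0x43 0x4F 0x4D 0xAA 0x20 0x30 0x1E
0xA0 0x03 0x02 0x01 0x02 0xA1 0x17 0x30 0x15 0x1B 0x06 0x6B 0x72 0x62 0x74 0x67
0x74 0x1B 0x0B 0x45 0x58 0x41 0x4D 0x50 0x4C 0x45 0x2E 0x43 0x4F 0x4D 0xAB 0x27
0x1B 0x25 0x53 0x65 0x72 0x76 0x65 0x72 0x20 0x6E 0x6F 0x74 0x20 0x66 0x6F 0x75
0x6E 0x64 0x20 0x69 0x6E 0x20 0x4B 0x65 0x72 0x62 0x65 0x72 0x6F 0x73 0x20 0x64
0x61 0x74 0x61 0x62 0x61 0x73 0x65"""

EDATA_HEX = """
0x30 0x2D 0x30 0x09 0xA1 0x03 0x02 0x01 0x02 0xA2 0x02 0x04 0x00 0x30 0x20 0xA1
0x03 0x02 0x01 0x13 0xA2 0x19 0x04 0x17 0x30 0x15 0x30 0x05 0xA0 0x03 0x02 0x01
0x11 0x30 0x05 0xA0 0x03 0x02 0x01 0x10 0x30 0x05 0xA0 0x03 0x02 0x01 0x03"""

ERROR_CODES = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
               24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED",
               37: "KRB_AP_ERR_SKEW"}
PA_TYPES = {2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 19: "PA-ETYPE-INFO2"}
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def hexdump_to_bytes(dump):
    """Turn the '0x7E 0x81 ...' text ApacheDS logs into raw bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def der_tlv(buf, pos=0):
    """Read one DER TLV at pos; returns (tag, value, next_pos). Single-byte
    tags are all Kerberos uses; long-form lengths are handled."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed value into (tag, value) children."""
    children, pos = [], 0
    while pos < len(value):
        tag, child, pos = der_tlv(value, pos)
        children.append((tag, child))
    return children


def der_int(value):
    return int.from_bytes(value, "big", signed=True)


def unwrap(ctx_value):
    """Kerberos context tags [n] are EXPLICIT: the value is one more TLV."""
    return der_tlv(ctx_value)[1]


def decode_principal_name(seq_value):
    """PrincipalName ::= SEQUENCE { [0] name-type, [1] name-string SEQUENCE OF GeneralString }"""
    name = {"name_type": None, "name_string": []}
    for ctx_tag, ctx_value in der_children(seq_value):
        inner = unwrap(ctx_value)
        if ctx_tag & 0x1F == 0:
            name["name_type"] = der_int(inner)
        else:
            name["name_string"] = [s.decode("ascii") for _, s in der_children(inner)]
    return name


def decode_method_data(method_data):
    """METHOD-DATA ::= SEQUENCE OF PA-DATA; expands PA-ETYPE-INFO2 into etype names."""
    _, seq, _ = der_tlv(method_data)
    entries = []
    for _, pa_data in der_children(seq):
        entry = {}
        for ctx_tag, ctx_value in der_children(pa_data):
            inner = unwrap(ctx_value)
            if ctx_tag & 0x1F == 1:                        # [1] padata-type
                entry["type"] = der_int(inner)
                entry["name"] = PA_TYPES.get(entry["type"], "unknown")
            else:                                          # [2] padata-value OCTET STRING
                entry["value"] = inner
        if entry.get("type") == 19 and entry.get("value"):
            _, info_seq, _ = der_tlv(entry["value"])       # SEQUENCE OF ETYPE-INFO2-ENTRY
            etypes = [der_int(unwrap(v)) for _, e in der_children(info_seq)
                      for t, v in der_children(e) if t & 0x1F == 0]   # [0] etype
            entry["etypes"] = [(e, ETYPES.get(e, "unknown")) for e in etypes]
        entries.append(entry)
    return entries


def decode_krb_error(raw):
    """KRB-ERROR ::= [APPLICATION 30] SEQUENCE { ... }; returns the fields as a dict."""
    tag, body, _ = der_tlv(raw)
    if tag != 0x7E:                                        # 0x60 (APPLICATION, constructed) | 30
        raise ValueError("not a KRB-ERROR: tag 0x%02X" % tag)
    _, seq, _ = der_tlv(body)
    fields = {}
    for ctx_tag, ctx_value in der_children(seq):
        n, inner = ctx_tag & 0x1F, unwrap(ctx_value)
        if n == 0:
            fields["pvno"] = der_int(inner)
        elif n == 1:
            fields["msg_type"] = der_int(inner)
        elif n == 4:
            fields["stime"] = inner.decode("ascii")
        elif n == 5:
            fields["susec"] = der_int(inner)
        elif n == 6:
            fields["error_code"] = der_int(inner)
            fields["error_name"] = ERROR_CODES.get(fields["error_code"], "unknown")
        elif n == 9:
            fields["realm"] = inner.decode("ascii")
        elif n == 10:
            fields["sname"] = decode_principal_name(inner)
        elif n == 11:
            fields["etext"] = inner.decode("ascii")
        elif n == 12:
            fields["edata"] = decode_method_data(inner)
    return fields


if __name__ == "__main__":
    print(decode_krb_error(hexdump_to_bytes(KRB_ERROR_HEX)))
    print(decode_method_data(hexdump_to_bytes(EDATA_HEX)))
```

Run against the dumps above, the second error decodes to error-code 7 (KDC_ERR_S_PRINCIPAL_UNKNOWN) for sname krbtgt/EXAMPLE.COM, which is the "krbtgt entry must exist" problem answered in this thread. The first error's eData is a PA-ENC-TIMESTAMP request plus a PA-ETYPE-INFO2 listing etypes 17, 16 and 3 (aes128-cts-hmac-sha1-96, des3-cbc-sha1, des-cbc-md5), i.e. the enctypes for which the KDC holds keys on that principal; a keytab that kinit uses to answer the pre-authentication challenge has to carry a key in one of those enctypes with the current kvno. Turning the pre-authentication requirement off makes that error disappear, but it also removes the KDC's proof-of-possession check from the AS exchange, so a key mismatch in the keytab is the thing to fix.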

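Kiran's pointer to KeytabTest covers ApacheDS's own Keytab class. As a complementary added example (not ApacheDS code, and not the class that test exercises), the Python below writes and reads the MIT keytab version 2 file layout directly, so the bytes that end up in the file WebSphere consumes are visible: a 0x0502 header, then per entry an int32 size, the component count, the realm and components as length-prefixed strings, name type, timestamp, an 8-bit kvno, the keyblock (enctype plus key) and a trailing 32-bit kvno. The principal HTTP/was.example.com@EXAMPLE.COM, the key bytes, the kvno and the timestamp are constructed values; a real entry carries the principal's actual key in one of the enctypes the KDC uses, which is why Kiran notes that a keytab generator has to obtain the account's Kerberos keys from the server.

```python
"""Write and parse an MIT-format (0x0502) keytab in pure Python.
Added example; it writes the file format directly instead of using
ApacheDS's Keytab class. All principal/key values are constructed."""
import struct

KEYTAB_MAGIC = b"\x05\x02"
KRB_NT_PRINCIPAL = 1
ETYPE_AES128_CTS_HMAC_SHA1_96 = 17


def _counted(data):
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(buf, p):
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n


def encode_entry(principal, kvno, etype, key, timestamp):
    """Serialise one keytab entry (without the leading int32 size field)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components))          # v2: count excludes the realm
    body += _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">II", KRB_NT_PRINCIPAL, timestamp)
    body += struct.pack(">B", kvno & 0xFF)             # 8-bit vno
    body += struct.pack(">H", etype) + _counted(key)   # keyblock
    body += struct.pack(">I", kvno)                    # 32-bit vno extension
    return body


def write_keytab(entries):
    """entries: list of dicts with principal, kvno, etype, key, timestamp."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        enc = encode_entry(**e)
        out += struct.pack(">i", len(enc)) + enc
    return bytes(out)


def decode_entry(entry):
    (ncomp,) = struct.unpack_from(">H", entry, 0)
    realm, p = _read_counted(entry, 2)
    comps = []
    for _ in range(ncomp):
        c, p = _read_counted(entry, p)
        comps.append(c.decode())
    name_type, timestamp, vno8, etype = struct.unpack_from(">IIBH", entry, p)
    p += 11
    key, p = _read_counted(entry, p)
    # The 32-bit vno is optional; fall back to the 8-bit field when absent.
    kvno = struct.unpack_from(">I", entry, p)[0] if len(entry) - p >= 4 else vno8
    return {"principal": "/".join(comps) + "@" + realm.decode(), "name_type": name_type,
            "timestamp": timestamp, "kvno": kvno, "etype": etype, "key": key}


def read_keytab(blob):
    """Parse a v2 keytab; a negative size marks a deleted slot that is skipped."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        entries.append(decode_entry(blob[pos:pos + size]))
        pos += size
    return entries


# Constructed sample: a SPNEGO service principal with a dummy 16-byte AES key.
SAMPLE_ENTRY = {"principal": "HTTP/was.example.com@EXAMPLE.COM", "kvno": 3,
                "etype": ETYPE_AES128_CTS_HMAC_SHA1_96, "key": bytes(range(16)),
                "timestamp": 1406300000}

if __name__ == "__main__":
    blob = write_keytab([SAMPLE_ENTRY])
    with open("sample.keytab", "wb") as f:   # readable with `klist -k sample.keytab`
        f.write(blob)
    print(read_keytab(blob))
```

The writer emits the 32-bit kvno extension that current MIT and Heimdal readers honour, and the reader tolerates files without it and skips deleted slots, which is how ktutil-style tools mark removed entries in place. With a real key (the string-to-key result for the principal's password in the chosen enctype) the output file is what WebSphere's Kerberos and SPNEGO configuration expects on the server side.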