directory-users mailing list archives

From Brian Laskey <brian.las...@gmail.com>
Subject Re: [ApacheDS] Generating keytab file for Websphere Kerberos configuration, now with KRB-ERROR in logs
Date Fri, 25 Jul 2014 20:40:30 GMT
Thanks all for the help. I am able to successfully use kinit on the Linux
server to authenticate using my generated keytab file. It seemed that the
passwords were not working, but after editing all the passwords of my
principals and trying again, everything started to work?

bash-4.1$ env
KRB5_CONFIG=/opt/IBM/WebSphere/V8.5/AppServer/etc/krb5/apacheds-krb.conf
kinit -V -k -t /opt/IBM/WebSphere/V8.5/AppServer/etc/krb5/apacheds.keytab
was/op-dev-kvm26.swg.usma.ibm.com@EXAMPLE.COM
Using default cache: /tmp/krb5cc_13553
Using principal: was/op-dev-kvm26.swg.usma.ibm.com@EXAMPLE.COM
Using keytab: /opt/IBM/WebSphere/V8.5/AppServer/etc/krb5/apacheds.keytab
Authenticated to Kerberos v5


Unfortunately, I am now stuck with WebSphere errors on log in:
com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper.login ProbeId:554
Reporter:com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper@84ff01dd
javax.security.auth.login.FailedLoginException: Login error:
com.ibm.security.krb5.KrbException, status code: 29
    message: A service is not available
    at com.ibm.security.jgss.i18n.I18NException.throwFailedLoginException(I18NException.java:30)
    at com.ibm.security.auth.module.Krb5LoginModule.a(Krb5LoginModule.java:719)
    at com.ibm.security.auth.module.Krb5LoginModule.b(Krb5LoginModule.java:742)
    at com.ibm.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:25)


In ApacheDS debug logs, I see this exception corresponding to the login
attempt in WebSphere:

[16:16:55] ERROR [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - ERR_152 Unexpected exception: 1
java.lang.ArrayIndexOutOfBoundsException: 1
    at sun.security.krb5.PrincipalName.<init>(Unknown Source)
    at javax.security.auth.kerberos.KerberosPrincipal.<init>(Unknown Source)
    at org.apache.directory.shared.kerberos.KerberosUtils.getKerberosPrincipal(KerberosUtils.java:312)
    at org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.getClientEntry(AuthenticationService.java:169)
    at org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.execute(AuthenticationService.java:122)
    at org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:206)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:690)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
    at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:407)
    at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:236)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
    at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:109)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:410)
    at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.readHandle(AbstractPollingConnectionlessIoAcceptor.java:701)
    at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.processReadySessions(AbstractPollingConnectionlessIoAcceptor.java:670)
    at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.access$800(AbstractPollingConnectionlessIoAcceptor.java:61)
    at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor$Acceptor.run(AbstractPollingConnectionlessIoAcceptor.java:607)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

Although later I do see SUCCESS messages in the logs for that same user
request.

[16:16:55] DEBUG [org.apache.directory.server.ldap.handlers.request.BindRequestHandler] - Returned SUCCESS message: MessageType : BIND_RESPONSE
...
[16:16:55] DEBUG [org.apache.directory.server.OPERATION_LOG] - << UnbindOperation successful
...




On Fri, Jul 25, 2014 at 3:14 PM, Brian Laskey <brian.laskey@gmail.com>
wrote:

> > the default enctypes are
> > aes128-cts-hmac-sha1-96
> > des3-cbc-sha1-kd
> > des-cbc-md5
> > what error are you getting? the preauth error?
> If I set my conf file to only:
>
>      default_tkt_enctypes = aes128-cts-hmac-sha1-96
>      default_tgs_enctypes = aes128-cts-hmac-sha1-96
>
> And only check that off in the Kerberos setting page of ApacheDS
>
> I get this in kinit (on Linux) for any user I've tried, with either
> manually typing the password or using the keytab file
>
> kinit: Password incorrect while getting initial credentials
>
> I think I was seeing encryption type not supported by server error if I
> checked the RC4-HMAC box in ApacheDS and put that in my conf.
>
>
> > I would suggest to first test with kinit (to rule out any non-Studio
> > related issues), and once this succeeds we can try with Studio
>
> I agree. But I can't seem to figure out why the password incorrect error
> is coming up?
>
>
> On Fri, Jul 25, 2014 at 2:44 PM, Kiran Ayyagari <kayyagari@apache.org>
> wrote:
>
>> On Sat, Jul 26, 2014 at 12:00 AM, Brian Laskey <brian.laskey@gmail.com>
>> wrote:
>>
>> > What are the supported encryption types for ApacheDS?
>> >
>> > the default enctypes are
>> aes128-cts-hmac-sha1-96
>> des3-cbc-sha1-kd
>> des-cbc-md5
>>
>>
>> > I've had some issues on the Linux side with kinit, I had configured my
>> > krb.conf file with:
>> >     default_tkt_enctypes = aes128-cts-hmac-sha1-96
>> >     default_tgs_enctypes = aes128-cts-hmac-sha1-96
>> >
>> > And tried checking that off only in the Kerberos settings of Studio. Didn't
>> > seem to solve the password error with kinit. If I tried other enctypes I
>> >
>> what error are you getting? the preauth error?
>>
>> > got other errors like encryption type not supported. E.g. had problems with
>> > below, not sure if it's the cause of my issues.
>> >     #default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 aes128-cts
>> > des3-cbc-sha1-kd aes128-cts-hmac-sha1-96
>> >     #default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 aes128-cts
>> > des3-cbc-sha1-kd aes128-cts-hmac-sha1-96
>> >
>> > I can try to install Studio on my Red Hat Linux server, but that only has
>> > IBM JDK 6 on it if that matters.
>> >
>> I would suggest to first test with kinit (to rule out any non-Studio
>> related issues), and once this succeeds we can try with Studio
>>
>> > Thanks
>> > Brian
>> >
>> >
>> > On Fri, Jul 25, 2014 at 2:23 PM, Kiran Ayyagari <kayyagari@apache.org>
>> > wrote:
>> >
>> > > On Fri, Jul 25, 2014 at 11:50 PM, Brian Laskey <
>> brian.laskey@gmail.com>
>> > > wrote:
>> > >
>> > > > Apologies for the multiple emails, but if I change Directory Studio vm to
>> > > >
>> > > np, feel free to post
>> > >
>> > > > Sun/Oracle jdk1.6.0_31\jre\bin I get a different exception in logging in
>> > > > with Kerberos or using the 'Check Authentication' button.
>> > > >
>> > > can you try with Studio on Linux/Unix? I suspect that RC4 is being used
>> > > on Windows box (RC4 encryption type is not yet supported in ApacheDS)
>> > >
>> > > > I don't seem to see any errors in apacheds.log
>> > > >
>> > > >
>> > > > Error while opening connection
>> > > >  - *javax.security.auth.login.LoginException: Checksum failed*
>> > > > org.apache.directory.api.ldap.model.exception.LdapException:
>> > > > javax.security.auth.login.LoginException: Checksum failed
>> > > >     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1535)
>> > > >     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1421)
>> > > >     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:447)
>> > > >     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1175)
>> > > >     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:460)
>> > > >     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:306)
>> > > >     at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
>> > > >     at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
>> > > >     at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
>> > > > Caused by: javax.security.auth.login.LoginException: Checksum failed
>> > > >     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
>> > > >     at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
>> > > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> > > >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>> > > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>> > > >     at java.lang.reflect.Method.invoke(Method.java:597)
>> > > >     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
>> > > >     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
>> > > >     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
>> > > >     at java.security.AccessController.doPrivileged(Native Method)
>> > > >     at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
>> > > >     at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
>> > > >     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1522)
>> > > >     ... 8 more
>> > > > Caused by: KrbException: Checksum failed
>> > > >     at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:85)
>> > > >     at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:77)
>> > > >     at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
>> > > >     at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:87)
>> > > >     at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
>> > > >     at sun.security.krb5.Credentials.sendASRequest(Credentials.java:401)
>> > > >     at sun.security.krb5.Credentials.acquireTGT(Credentials.java:350)
>> > > >     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
>> > > >     ... 20 more
>> > > > Caused by: java.security.GeneralSecurityException: Checksum failed
>> > > >     at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:431)
>> > > >     at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:254)
>> > > >     at sun.security.krb5.internal.crypto.Aes128.decrypt(Aes128.java:59)
>> > > >     at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:83)
>> > > >     ... 27 more
>> > > >
>> > > > javax.security.auth.login.LoginException: Checksum failed
>> > > >
>> > > >
>> > > > On Fri, Jul 25, 2014 at 2:06 PM, Brian Laskey <
>> brian.laskey@gmail.com>
>> > > > wrote:
>> > > >
>> > > > >
>> > > > > I appreciate the help with this. I am new to ApacheDS and Kerberos.
>> > > > >
>> > > > > I have now tried that tutorial (of course I hadn't got that far, I was
>> > > > > trying the tutorial before it, 4.1 - Authenticate with kinit on Linux!)
>> > > > >
>> > > > > Adding krbtgt/EXAMPLE.COM@EXAMPLE.COM SOLVES the "Server not found in the
>> > > > > Kerberos database while getting initial credentials" error with kinit. So
>> > > > > that's good.
>> > > > >
>> > > > > However, now in kinit I get a new error for any principal I try (either
>> > > > > using my generated keytab or by typing in the password).
>> > > > > Verbose output of kinit -V monkey@EXAMPLE.COM
>> > > > > Using default cache: /tmp/krb5cc_13553
>> > > > > Using principal: monkey@EXAMPLE.COM
>> > > > > Password for monkey@EXAMPLE.COM:
>> > > > > kinit: Password incorrect while getting initial credentials
>> > > > >
>> > > > > I am trying kinit on a Linux machine.
>> > > > >
>> > > > > On a separate Windows 7 machine, I have Apache Directory Studio. Following
>> > > > > the tutorial as best I can (Kerberos settings tab seems subtly different
>> > > > > than the screens I see on Apache Directory Studio 2.0.0.v20130628 / Win7 /
>> > > > > IBM Java 1.7 JRE)
>> > > > >
>> > > > > After I set up krbtgt and ldap principals, when I try to connect as one of
>> > > > > my principals using Apache Directory Studio I get this exception:
>> > > > >
>> > > > > Error while opening connection
>> > > > >  - java.lang.IllegalArgumentException
>> > > > > org.apache.directory.api.ldap.model.exception.LdapException:
>> > > > > java.lang.IllegalArgumentException
>> > > > >     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1535)
>> > > > >     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1421)
>> > > > >     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:447)
>> > > > >     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1175)
>> > > > >     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:460)
>> > > > >     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:306)
>> > > > >     at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
>> > > > >     at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
>> > > > >     at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
>> > > > > Caused by: java.lang.IllegalArgumentException
>> > > > >     at javax.security.auth.login.AppConfigurationEntry.<init>(AppConfigurationEntry.java:84)
>> > > > >     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$InnerConfiguration.getAppConfigurationEntry(DirectoryApiConnectionWrapper.java:1222)
>> > > > >     at javax.security.auth.login.LoginContext.init(LoginContext.java:269)
>> > > > >     at javax.security.auth.login.LoginContext.<init>(LoginContext.java:427)
>> > > > >     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1520)
>> > > > >     ... 8 more
>> > > > >
>> > > > > java.lang.IllegalArgumentException
>> > > > >
>> > > > >
>> > > > > Seems like no matter which way I go I am finding all the hurdles.
>> > > > >
>> > > > > Thank you,
>> > > > > Brian
>> > > > >
>> > > > > On Fri, Jul 25, 2014 at 12:12 PM, Emmanuel Lécharny <
>> > > elecharny@gmail.com
>> > > > >
>> > > > > wrote:
>> > > > >
>> > > > >> On 25/07/2014 17:19, Brian Laskey wrote:
>> > > > >> > Actually, I solved the "Additional pre-authentication required" error by
>> > > > >> > Opening Configuration on my ApacheDS server with Directory Studio, on the
>> > > > >> > Kerberos Server tab, uncheck Require Pre-Authentication By Encrypted
>> > > > >> > TimeStamp check box under Ticket Settings.
>> > > > >> >
>> > > > >> >
>> > > > >> > Now I receive a different error with kinit using the same keytab and conf
>> > > > >> > file:
>> > > > >> > kinit: Server not found in Kerberos database while getting initial
>> > > > >> > credentials
>> > > > >> >
>> > > > >> >
>> > > > >> > Should I create a principal krbtgt manually?
>> > > > >>
>> > > > >> I think so.
>> > > > >>
>> > > > >> Have you followed the tutorial on
>> > > > >> http://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html
>> > > > >> ?
>> > > > >>
>> > > > >>
>> > > > >
>> > > >
>> > >
>> > >
>> > >
>> > > --
>> > > Kiran Ayyagari
>> > > http://keydap.com
>> > >
>> >
>>
>>
>>
>> --
>> Kiran Ayyagari
>> http://keydap.com
>>
>
>
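The enctype problems running through this thread (AES128 versus RC4, "encryption type not supported", and "Password incorrect" or "Checksum failed" when the key the client derives does not match the one the KDC holds) can be checked against the keytab itself before touching WebSphere or Studio. The following is an added example, not code from the thread, from ApacheDS or from WebSphere: it parses an MIT version-2 keytab and flags entries whose enctype the KDC will not accept, assuming the KDC's accepted set is the ApacheDS default list Kiran gave; the sample keytab is constructed inline from the thread's WebSphere SPN with dummy key bytes.

```python
import struct

# Kerberos enctype numbers (RFC 3961/3962, MIT) for the types named in the thread.
ENCTYPE_NAMES = {3: "des-cbc-md5", 16: "des3-cbc-sha1-kd", 23: "rc4-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
# The default enctypes Kiran lists for the ApacheDS KDC; RC4 is not among them.
APACHEDS_DEFAULT_ENCTYPES = {17, 16, 3}

def build_keytab_entry(principal, realm, kvno, enctype, key):
    """Serialise one MIT keytab v2 entry (used only to construct the sample below)."""
    comps = principal.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)     # name_type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
    body += struct.pack(">I", kvno)                       # 32-bit vno (modern MIT/Heimdal)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] from an MIT keytab (version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        # The 32-bit vno is optional; fall back to the 8-bit field when absent.
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return entries

def unsupported_entries(entries, kdc_enctypes=APACHEDS_DEFAULT_ENCTYPES):
    """Keys the KDC cannot use; a login that offers only these can never succeed."""
    return [(p, k, ENCTYPE_NAMES.get(e, str(e)))
            for p, k, e in entries if e not in kdc_enctypes]

# Constructed sample: the thread's WebSphere SPN with an AES128 key and an RC4 key
# (dummy key bytes; a real keytab holds secret key material and must be protected).
SPN = "was/op-dev-kvm26.swg.usma.ibm.com"
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_keytab_entry(SPN, "EXAMPLE.COM", 2, 17, b"\x11" * 16)
                 + build_keytab_entry(SPN, "EXAMPLE.COM", 2, 23, b"\x22" * 16))
```

Run `parse_keytab` on the bytes of a real keytab (opened in binary mode) and compare the kvno and enctype of each entry with what the KDC holds for that principal; an entry the KDC cannot use, or a stale kvno after the principal's password was changed, shows up here before it shows up as a checksum or password error.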
