directory-users mailing list archives

From Brian Laskey <brian.las...@gmail.com>
Subject Re: [ApacheDS] Generating keytab file for Websphere Kerberos configuration, now with KRB-ERROR in logs
Date Fri, 25 Jul 2014 15:19:19 GMT
Actually, I solved the "Additional pre-authentication required" error by
opening Configuration on my ApacheDS server with Directory Studio and, on the
Kerberos Server tab, unchecking the Require Pre-Authentication By Encrypted
TimeStamp check box under Ticket Settings.


Now I receive a different error with kinit using the same keytab and conf
file:
kinit: Server not found in Kerberos database while getting initial
credentials

In the apacheds.log I now see a different KrbError:

[10:29:48] DEBUG [org.apache.directory.shared.kerberos.messages.KrbError] -
KrbError encoding : 0x7E 0x81 0x84 0x30 0x81 0x81 0xA0 0x03 0x02 0x01 0x05
0xA1 0x03 0x02 0x01 0x1E 0xA4 0x11 0x18 0x0F 0x32 0x30 0x31 0x34 0x30 0x37
0x32 0x35 0x31 0x34 0x32 0x39 0x34 0x38 0x5A 0xA5 0x03 0x02 0x01 0x00 0xA6
0x03 0x02 0x01 0x07 0xA9 0x0D 0x1B 0x0B 0x45 0x58 0x41 0x4D 0x50 0x4C 0x45
0x2E 0x43 0x4F 0x4D 0xAA 0x20 0x30 0x1E 0xA0 0x03 0x02 0x01 0x02 0xA1 0x17
0x30 0x15 0x1B 0x06 0x6B 0x72 0x62 0x74 0x67 0x74 0x1B 0x0B 0x45 0x58 0x41
0x4D 0x50 0x4C 0x45 0x2E 0x43 0x4F 0x4D 0xAB 0x27 0x1B 0x25 0x53 0x65 0x72
0x76 0x65 0x72 0x20 0x6E 0x6F 0x74 0x20 0x66 0x6F 0x75 0x6E 0x64 0x20 0x69
0x6E 0x20 0x4B 0x65 0x72 0x62 0x65 0x72 0x6F 0x73 0x20 0x64 0x61 0x74 0x61
0x62 0x61 0x73 0x65
[10:29:48] DEBUG [org.apache.directory.shared.kerberos.messages.KrbError] -
KrbError initial value :
KRB-ERROR : {
    pvno: 5
    msgType: KRB_ERROR
    sTime: 20140725142948Z
    susec: 0
    errorCode: Server not found in Kerberos database
    realm: EXAMPLE.COM
    sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>realm: EXAMPLE.COM }
    eText: Server not found in Kerberos database
}



Should I create a principal krbtgt manually? Do I need to put something for
krbtgt@EXAMPLE.COM in the keytab file as well?


Thank you,
Brian


On Fri, Jul 25, 2014 at 9:39 AM, Brian Laskey <brian.laskey@gmail.com>
wrote:

> Thanks all, I was able to generate a keytab file using the JUnit test as
> an example.
>
> When I try to use kinit with the generated keytab I am getting an error:
> kinit: Generic preauthentication failure while getting initial credentials
>
> I turned on DEBUG logging in ApacheDS, and I see this:
> [09:35:50] DEBUG [org.apache.directory.shared.kerberos.messages.KrbError]
> - KrbError initial value :
> KRB-ERROR : {
>     pvno: 5
>     msgType: KRB_ERROR
>     sTime: 20140725133550Z
>     susec: 0
>     errorCode: Additional pre-authentication required
>     realm: EXAMPLE.COM
>     sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>realm: EXAMPLE.COM }
>     eText: Additional pre-authentication required
>     eData: 0x30 0x2D 0x30 0x09 0xA1 0x03 0x02 0x01 0x02 0xA2 0x02 0x04
> 0x00 0x30 0x20 0xA1 0x03 0x02 0x01 0x13 0xA2 0x19 0x04 0x17 0x30 0x15 0x30
> 0x05 0xA0 0x03 0x02 0x01 0x11 0x30 0x05 0xA0 0x03 0x02 0x01 0x10 0x30 0x05
> 0xA0 0x03 0x02 0x01 0x03
> }
>
> Is there something I should look at for this?
>
>
> On Thu, Jul 24, 2014 at 2:32 PM, Kiran Ayyagari <kayyagari@apache.org>
> wrote:
>
>> On Thu, Jul 24, 2014 at 9:06 PM, Brian Laskey <brian.laskey@gmail.com>
>> wrote:
>>
>> > Thank you,
>> >
>> > I am trying out ApacheDS 2.0.0-M17 as you suggest. Configuration seems
>> > easier there...
>> >
>> > Regarding the unit test: for my own wrapper, which I will need to write, in
>> > what environment would I execute the class to get the keytab for a user? Do
>> > I just run a main class in my own JVM? Does it need access to something on
>> > the file system, or is there some way that I can deploy and invoke the code
>> > from the ApacheDS server program?
>> >
>> It doesn't need to read anything from the file system, but you may want to
>> contact the server to get access to the Kerberos keys of the user account for
>> which this keytab is generated.
>>
>> > Thanks
>> >
>> > On 23/07/2014 23:17, Brian Laskey wrote:
>> > > I would like to try to use an existing Apache DS 1.5.7 server that my
>> > > team had, and add in the built-in Kerberos server support (KDC). After
>> > > following a number of tutorials, I think I am somewhat there. I have
>> > > principals in Apache DS under an example.com domain.
>> >
>> > I would seriously suggest you switch to a more recent version. 1.5.7 is
>> > more than 4 years old, and a hell of a lot of work has been injected into
>> > the server, including a complete rewrite of most of the Kerberos code...
>> > >
>> > > My goal is to integrate with WebSphere Security Kerberos configuration
>> > > (WAS 8.5.0.1). As part of the information required by WebSphere you must
>> > > provide:
>> > > - The Kerberos keytab file contains one or more Kerberos service
>> > > principal names and keys. This same file is used for both Kerberos
>> > > authentication and SPNEGO web authentication.
>> > >
>> > > There seems to be a command line utility with the MIT krb5 server that
>> > > would do this (ktadd ...). Is there an equivalent approach with Apache DS?
>> > > I was unable to find documentation around this.
>> >
>> > We have a class that does update a Keytab file; it's not documented.
>> > There is a unit test that shows how to use it from a piece of Java code:
>> >
>> >
>> http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-codec/src/test/java/org/apache/directory/server/kerberos/shared/keytab/KeytabTest.java?revision=1589929&view=markup
>> >
>> > It probably deserves some wrapper around it.
>> >
>>
>>
>>
>> --
>> Kiran Ayyagari
>> http://keydap.com
>>
>
>

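Both KRB-ERROR blobs in this thread can be decoded by hand. What follows is an added example, not ApacheDS code: a minimal DER walker that parses the "KrbError encoding" hex above into the same fields ApacheDS prints, and additionally expands the eData from the first message into the pre-authentication types and encryption types the KDC asked for (the error-code, PA-DATA and etype names are taken from RFC 4120 and RFC 3961/3962; both byte strings are copied from the messages above).

```python
KRB_ERROR_HEX = (  # "KrbError encoding" from the second message, 0x prefixes dropped (copied from the thread)
    "7E 81 84 30 81 81 A0 03 02 01 05 A1 03 02 01 1E A4 11 18 0F 32 30 31 34 30 37 32 35 31 34 32 39 34 38 "
    "5A A5 03 02 01 00 A6 03 02 01 07 A9 0D 1B 0B 45 58 41 4D 50 4C 45 2E 43 4F 4D AA 20 30 1E A0 03 02 01 "
    "02 A1 17 30 15 1B 06 6B 72 62 74 67 74 1B 0B 45 58 41 4D 50 4C 45 2E 43 4F 4D AB 27 1B 25 53 65 72 76 "
    "65 72 20 6E 6F 74 20 66 6F 75 6E 64 20 69 6E 20 4B 65 72 62 65 72 6F 73 20 64 61 74 61 62 61 73 65")
EDATA_HEX = (  # eData of the first message's "Additional pre-authentication required" (copied from the thread)
    "30 2D 30 09 A1 03 02 01 02 A2 02 04 00 30 20 A1 03 02 01 13 A2 19 04 17 30 15 30 "
    "05 A0 03 02 01 11 30 05 A0 03 02 01 10 30 05 A0 03 02 01 03")
ERROR_CODES = {7: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 25: "KDC_ERR_PREAUTH_REQUIRED"}  # RFC 4120 7.5.9
PA_TYPES = {2: "PA-ENC-TIMESTAMP", 19: "PA-ETYPE-INFO2"}                            # RFC 4120 7.5.2
ETYPES = {3: "des-cbc-md5", 16: "des3-cbc-sha1-kd", 17: "aes128-cts-hmac-sha1-96"}  # RFC 3961/3962

def tlv(buf, pos=0):  # split the DER element at pos into (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits say how many bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def seq(buf):  # yield (tag, value) for each element packed inside a constructed value
    pos = 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        yield tag, val
def ctx(v): return tlv(v)[1]  # strip an EXPLICIT [n] context wrapper
def to_int(v): return int.from_bytes(v, "big", signed=True)
def fields(content): return {t & 0x1F: ctx(v) for t, v in seq(content)}  # {[n] tag number: value}

def decode_method_data(raw):  # METHOD-DATA ::= SEQUENCE OF PA-DATA { padata-type [1], padata-value [2] }
    out = []
    for _, pa in seq(tlv(raw)[1]):
        f = fields(pa)
        entry = {"type": to_int(f[1]), "name": PA_TYPES.get(to_int(f[1]), "?")}
        if entry["type"] == 19:  # ETYPE-INFO2 value: SEQUENCE OF { etype [0] Int32, salt [1], ... }
            entry["etypes"] = [ETYPES.get(to_int(fields(e)[0]), "?") for _, e in seq(tlv(f[2])[1])]
        out.append(entry)
    return out

def decode_krb_error(raw):  # KRB-ERROR ::= [APPLICATION 30] SEQUENCE of EXPLICIT context-tagged fields
    tag, body, _ = tlv(raw)
    if tag != 0x7E: raise ValueError("not a KRB-ERROR (expected APPLICATION 30)")
    f = fields(tlv(body)[1])
    out = {"pvno": to_int(f[0]), "stime": f[4].decode(), "susec": to_int(f[5]),
           "error_code": to_int(f[6]), "realm": f[9].decode()}
    out["error_name"] = ERROR_CODES.get(out["error_code"], "?")
    p = fields(f[10])  # PrincipalName: name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString
    out["sname"] = (to_int(p[0]), "/".join(s.decode() for _, s in seq(p[1])))
    if 11 in f: out["e_text"] = f[11].decode()
    if 12 in f: out["e_data"] = decode_method_data(f[12])  # OCTET STRING carrying METHOD-DATA
    return out
```

decode_krb_error on the second blob yields error code 7 (KDC_ERR_S_PRINCIPAL_UNKNOWN) for krbtgt/EXAMPLE.COM, while decode_method_data on the first message's eData shows the KDC asking for PA-ENC-TIMESTAMP and listing, via ETYPE-INFO2, aes128-cts-hmac-sha1-96, des3-cbc-sha1-kd and des-cbc-md5 as the encryption types it holds keys for; a keytab used with kinit has to contain a key of one of those types for that pre-authentication to succeed.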