directory-users mailing list archives

From Brian Laskey <brian.las...@gmail.com>
Subject Re: [ApacheDS] Generating keytab file for Websphere Kerberos configuration, now with KRB-ERROR in logs
Date Fri, 25 Jul 2014 13:39:28 GMT
Thanks all, I was able to generate a keytab file using the JUnit test as an
example.

When I try to use kinit with the generated keytab I am getting an error:
kinit: Generic preauthentication failure while getting initial credentials

I turned on DEBUG logging in ApacheDS, I see this:
[09:35:50] DEBUG [org.apache.directory.shared.kerberos.messages.KrbError] -
KrbError initial value :
KRB-ERROR : {
    pvno: 5
    msgType: KRB_ERROR
    sTime: 20140725133550Z
    susec: 0
    errorCode: Additional pre-authentication required
    realm: EXAMPLE.COM
    sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>realm: EXAMPLE.COM }
    eText: Additional pre-authentication required
    eData: 0x30 0x2D 0x30 0x09 0xA1 0x03 0x02 0x01 0x02 0xA2 0x02 0x04 0x00
0x30 0x20 0xA1 0x03 0x02 0x01 0x13 0xA2 0x19 0x04 0x17 0x30 0x15 0x30 0x05
0xA0 0x03 0x02 0x01 0x11 0x30 0x05 0xA0 0x03 0x02 0x01 0x10 0x30 0x05 0xA0
0x03 0x02 0x01 0x03
}

Is there something I should look at for this?


On Thu, Jul 24, 2014 at 2:32 PM, Kiran Ayyagari <kayyagari@apache.org>
wrote:

> On Thu, Jul 24, 2014 at 9:06 PM, Brian Laskey <brian.laskey@gmail.com>
> wrote:
>
> > Thank you,
> >
> > I am trying out ApacheDS 2.0.0-M17 as you suggest. Configuration seems
> > easier there...
> >
> > Regarding the unit test. For my own wrapper I will need to write, in what
> > environment would I execute the class to get the keytab for a user? Do I
> > just run a main class in my own JVM? Does it need access to something on
> > the file system, or is there some way that I can deploy and invoke the
> code
> > from the ApacheDS server program?
> >
> it doesn't need to read anything from the file system, but you may want to
> contact the server to get access to the kerberos keys of the user account
> for which this keytab is generated
>
> > Thanks
> >
> > On 23/07/2014 23:17, Brian Laskey wrote:
> > > I would like to try to use an existing Apache DS 1.5.7 server that my
> > team
> > > had, and add in the built in Kerberos server support (KDC). After
> > following
> > > a number of tutorials, I think I am somewhat there. I have principals
> in
> > > Apache DS under an example.com domain.
> >
> > I would seriously suggest you switch to a more recent version. 1.5.7 is
> > more than 4 years old, and a hell of a lot of work has been injected in the
> > server, including a complete rewrite of most of the kerberos code...
> > >
> > > My goal is to integrate with WebSphere Security Kerberos configuration
> > (WAS
> > > 8.5.0.1). As part of the information required by WebSphere you must
> > provide:
> > > - The Kerberos keytab file contains one or more Kerberos service
> > principal
> > > names and keys. This same file is used for both Kerberos authentication
> > and
> > > SPNEGO web authentication
> > >
> > > There seems to be a command line utility with the MIT krb5 server that
> > would
> > > do this (ktadd ...). Is there an equivalent approach with Apache DS? I
> > was
> > > unable to find documentation around this.
> >
> > We have a class that does update a Keytab file, it's not documented.
> > There is a unit test that shows how to use it from a piece of Java code :
> >
> >
> http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-codec/src/test/java/org/apache/directory/server/kerberos/shared/keytab/KeytabTest.java?revision=1589929&view=markup
> >
> > It probably deserves some wrapper around it.
> >
>
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>
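Added example, not code from this thread or from ApacheDS: the keytab that the ApacheDS Keytab class writes, that ktadd produces and that WebSphere and kinit -kt read is the MIT 0x0502 binary layout, and it is small enough to build and parse by hand, which also gives you a way to inspect what the Java wrapper produced. The function names (build_keytab, parse_keytab), the sample principal HTTP/was.example.com and the placeholder key bytes are this example's own assumptions; the keys in a real keytab must be the ones the KDC holds for the principal, which is why the reply above says to contact the server for them.

```python
"""Build and parse a keytab in the MIT 0x0502 format that ktadd, kinit -kt,
WebSphere and ApacheDS's Keytab class all read. All integers are big-endian.

  file   : u16 version 0x0502, then entries back to back
  entry  : i32 size, then size bytes:
           u16 n_components, counted realm, counted component * n,
           u32 name_type, u32 timestamp, u8 vno8, u16 etype, counted key,
           [u32 vno32 - present when the entry has 4 bytes to spare]
  counted: u16 length, then that many bytes
"""
import struct
import sys

KEYTAB_VERSION = b"\x05\x02"
NT_PRINCIPAL = 1          # user principals, e.g. brian
NT_SRV_INST = 2           # service principals, e.g. HTTP/was.example.com
ETYPE_AES128 = 17         # aes128-cts-hmac-sha1-96
ETYPE_AES256 = 18         # aes256-cts-hmac-sha1-96

# Constructed sample (hypothetical principal). The key bytes are placeholders:
# a usable keytab needs the key the KDC holds for the principal (ApacheDS keeps
# it in the krb5Key attribute), with the same kvno and enctype, otherwise the
# KDC cannot decrypt the client's pre-authentication timestamp.
SAMPLE_ENTRIES = [
    {"principal": "HTTP/was.example.com", "realm": "EXAMPLE.COM", "etype": ETYPE_AES128,
     "key": bytes(range(16)), "kvno": 3, "timestamp": 1406295350, "name_type": NT_SRV_INST},
    {"principal": "HTTP/was.example.com", "realm": "EXAMPLE.COM", "etype": ETYPE_AES256,
     "key": bytes(range(32)), "kvno": 3, "timestamp": 1406295350, "name_type": NT_SRV_INST},
]


def _counted(b):
    """counted_octet_string: u16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def encode_entry(principal, realm, etype, key, kvno, timestamp, name_type=NT_PRINCIPAL):
    """One entry; principal is 'comp1/comp2' without the @REALM suffix."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # vno8 truncates
    body += struct.pack(">H", etype) + _counted(key)
    body += struct.pack(">I", kvno)                                 # full 32-bit kvno
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return KEYTAB_VERSION + b"".join(encode_entry(**e) for e in entries)


def parse_keytab(data):
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("not a 0x0502 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(n):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (etype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:                # prefer the 32-bit kvno when present
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        out.append({"principal": "/".join(comps) + "@" + realm.decode(),
                    "name_type": name_type, "timestamp": ts, "kvno": kvno,
                    "etype": etype, "key": key})
        pos = end
    return out


if __name__ == "__main__":
    blob = build_keytab(SAMPLE_ENTRIES)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "wb") as f:   # then cross-check with: klist -kt <file>
            f.write(blob)
    for e in parse_keytab(blob):
        print(e["principal"], "kvno", e["kvno"], "etype", e["etype"])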

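Added example, not code from this thread or from ApacheDS: the eData in the KRB-ERROR above is the METHOD-DATA of RFC 4120 section 5.9.1, and decoding it says exactly what the KDC is asking for. The Python below walks the DER with no third-party library; run on the bytes from the log it reports PA-ENC-TIMESTAMP (padata-type 2) as the required pre-authentication and a PA-ETYPE-INFO2 (type 19) advertising enctypes 17 (aes128-cts-hmac-sha1-96), 16 (des3-cbc-sha1) and 3 (des-cbc-md5), none with a salt. When kinit reads the key from a keytab no string-to-key happens, so what matters is that the keytab holds an entry for the principal with one of those enctypes and the KDC's current kvno. The function names and the two name tables are this example's own.

```python
"""Decode the eData of a KRB-ERROR whose errorCode is KDC_ERR_PREAUTH_REQUIRED.
Per RFC 4120 s5.9.1 it is METHOD-DATA:

  METHOD-DATA ::= SEQUENCE OF PA-DATA
  PA-DATA     ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }
  ETYPE-INFO2 ::= SEQUENCE OF SEQUENCE { etype [0] Int32,
                    salt [1] KerberosString OPTIONAL, s2kparams [2] OCTET STRING OPTIONAL }
"""

PADATA_TYPES = {2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 19: "PA-ETYPE-INFO2"}
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# The eData bytes exactly as printed in the ApacheDS DEBUG log above.
EDATA = bytes.fromhex(
    "30 2D 30 09 A1 03 02 01 02 A2 02 04 00 "
    "30 20 A1 03 02 01 13 A2 19 04 17 30 15 30 05 A0 03 02 01 11 "
    "30 05 A0 03 02 01 10 30 05 A0 03 02 01 03"
)


def _tlv(buf, pos):
    """Read one DER TLV at pos -> (tag, contents, next_pos). Low tag numbers only."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers not supported")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def _children(contents):
    """Split the contents of a constructed TLV into its child TLVs."""
    pos, out = 0, []
    while pos < len(contents):
        tag, val, pos = _tlv(contents, pos)
        out.append((tag, val))
    return out


def _explicit_fields(seq_contents):
    """Map context tag number [n] -> inner (tag, contents) for EXPLICIT-tagged fields."""
    fields = {}
    for tag, val in _children(seq_contents):
        if tag & 0xC0 != 0x80:
            raise ValueError("expected a context-specific tag")
        fields[tag & 0x1F] = _tlv(val, 0)[:2]
    return fields


def _int(tlv):
    tag, contents = tlv
    if tag != 0x02:
        raise ValueError("expected INTEGER")
    return int.from_bytes(contents, "big", signed=True)


def decode_etype_info2(contents):
    tag, seq, _ = _tlv(contents, 0)
    if tag != 0x30:
        raise ValueError("ETYPE-INFO2 must be a SEQUENCE")
    entries = []
    for tag, entry in _children(seq):
        if tag != 0x30:
            raise ValueError("ETYPE-INFO2-ENTRY must be a SEQUENCE")
        f = _explicit_fields(entry)
        etype = _int(f[0])
        entries.append({"etype": etype,
                        "name": ETYPE_NAMES.get(etype, "etype %d" % etype),
                        "salt": f[1][1].decode("utf-8") if 1 in f else None,
                        "s2kparams": f[2][1] if 2 in f else None})
    return entries


def decode_method_data(edata):
    tag, seq, _ = _tlv(edata, 0)
    if tag != 0x30:
        raise ValueError("METHOD-DATA must be a SEQUENCE")
    out = []
    for tag, padata in _children(seq):
        if tag != 0x30:
            raise ValueError("PA-DATA must be a SEQUENCE")
        f = _explicit_fields(padata)
        ptype = _int(f[1])
        item = {"type": ptype, "name": PADATA_TYPES.get(ptype, "padata-type %d" % ptype)}
        value = f[2][1]
        if ptype == 19 and value:           # only ETYPE-INFO2 is unpacked further here
            item["etypes"] = decode_etype_info2(value)
        out.append(item)
    return out


if __name__ == "__main__":
    for pa in decode_method_data(EDATA):
        print(pa["name"], [(e["etype"], e["name"], e["salt"]) for e in pa.get("etypes", [])])
```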