From: Ed Brown
To: users@directory.apache.org
Subject: Help Configuring LDAP/KERBEROS Needed
Date: Tue, 9 Jun 2015 03:35:46 +0000

Hi,

I'm following the example on Kerberos integration located here:
https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html

The error I get, which is at the bottom, indicates the default realm cannot be found. Any pointers/help would be appreciated. TIA.

According to DS Studio, I have a realm EXAMPLE.COM.

The krbtgt user is:
    Krb5KeyVersionNumber=0
    Krb5PrincipalName=ldap/example.net@EXAMPLE.COM
    Ou=TGT
    Uid=ldap

The ldap user is:
    Krb5KeyVersionNumber=0
    Krb5PrincipalName=krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Ou=LDAP
    Uid=krbtgt

Kerberos server:
    Port: 60088

Kerberos change password server:
    Port: 60464

Primary KDC Realm: EXAMPLE.COM
Search Base DN: dc=security,dc=example,dc=com

LDAP/LDAPS Servers:
    SASL Host: example.net
    SASL Principal: ldap/example.net@EXAMPLE.COM
    Search Base DN: dc=security,dc=example,dc=com

Authentication:
    User: dnelson

Kerberos settings:
    Obtain TGT from KDC
    Kerberos realm: EXAMPLE.COM
    KDC Host: example.net
    KDC port: 60888

Local hosts file:
    127.0.0.1 localhost example.com example.net
    ::1       localhost example.com example.net

When I authenticate, the following error appears in the log file (after turning on debug logging), specifying it can't find the default realm:

[22:59:27] DEBUG [org.apache.directory.shared.kerberos.messages.Ticket] - Ticket encoding : 0x6D 0x82 0x02 ...
[22:59:27] DEBUG [org.apache.directory.shared.kerberos.messages.Ticket] - Ticket initial value :
Ticket :
    tkt-vno : 5
    realm : EXAMPLE.COM
    sname : { name-type: KRB_NT_UNKNOWN, name-string : <'ldap', 'example.net'> }
    enc-part : EncryptedData : {
        etype: aes128-cts-hmac-sha1-96 (17)
        cipher: 0x77 0xFF 0x5F ...
    }
...
[22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
[22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : aes128-cts-hmac-sha1-96 (17)
[22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
[22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : rc4-hmac (23)
[22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
[22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : aes256-cts-hmac-sha1-96 (18)
[22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
[22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : des-cbc-md5 (3)
[22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
[22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : des3-cbc-sha1-kd (16)
[22:59:28] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.
java.security.PrivilegedActionException: javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)]

Ed Brown
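The Studio settings quoted in the post (realm EXAMPLE.COM, KDC host example.net, KDC port) are exactly what a Kerberos client's krb5.conf has to declare for a default realm to be resolvable at all. The following is an added example, not code from this thread or from ApacheDS: it renders such a krb5.conf from a constructed copy of the post's values, reads it back, and checks the client-side KDC port against the port the post lists for the Kerberos server.

```python
# Constructed sample: the client-side values listed in the mail.
STUDIO_SETTINGS = {"realm": "EXAMPLE.COM", "kdc_host": "example.net", "kdc_port": 60888}
KDC_LISTEN_PORT = 60088  # "Kerberos server: Port" from the mail's server-side settings


def render_krb5_conf(s):
    """Emit the sections a client needs to find its default realm and that realm's KDC."""
    return (
        "[libdefaults]\n"
        f"    default_realm = {s['realm']}\n\n"
        "[realms]\n"
        f"    {s['realm']} = {{\n"
        f"        kdc = {s['kdc_host']}:{s['kdc_port']}\n"
        "    }\n\n"
        "[domain_realm]\n"
        f"    {s['kdc_host']} = {s['realm']}\n"
    )


def parse_krb5_conf(text):
    """Minimal reader for the krb5.conf subset above: (default_realm, {realm: [kdc, ...]})."""
    default_realm, kdcs, section, realm = None, {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif section == "libdefaults" and line.startswith("default_realm"):
            default_realm = line.split("=", 1)[1].strip()
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=", 1)[0].strip()  # opening of a "REALM = { ... }" block
            kdcs.setdefault(realm, [])
        elif section == "realms" and realm and line.split("=", 1)[0].strip() == "kdc":
            kdcs[realm].append(line.split("=", 1)[1].strip())
        elif line == "}":
            realm = None
    return default_realm, kdcs


def check_krb5_conf(text, kdc_listen_port):
    """List what would stop a client from locating and reaching its default realm."""
    default_realm, kdcs = parse_krb5_conf(text)
    if default_realm is None:
        return ["no default_realm in [libdefaults]"]
    if not kdcs.get(default_realm):
        return [f"no kdc entry for realm {default_realm} in [realms]"]
    findings = []
    for kdc in kdcs[default_realm]:
        host, _, port = kdc.partition(":")
        if port and int(port) != kdc_listen_port:
            findings.append(f"kdc {host}:{port} does not match the server's listen port {kdc_listen_port}")
    return findings
```

A JVM is pointed at such a file with the java.security.krb5.conf system property, or given the realm and KDC directly through java.security.krb5.realm and java.security.krb5.kdc.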