Posted to dev@directory.apache.org by Josh Clum <jo...@gmail.com> on 2014/04/09 21:44:09 UTC

Using AbstractKerberosITest

Hi,

I'm trying to set up an IT for one of my classes that inherits from using
the AbstractKerberosITest inside of apacheds-kerberos-test.

Here are the annotations on my class:

  @RunWith(FrameworkRunner.class)
  @CreateDS(name = "KerberosTcpIT-class",
    partitions = {
      @CreatePartition(name = "example", suffix = "dc=example,dc=com")},
      additionalInterceptors = { KeyDerivationInterceptor.class })
  @CreateLdapServer(transports = { @CreateTransport(protocol = "LDAP") })
  @CreateKdcServer(transports = { @CreateTransport( protocol = "TCP", port = 6089) })
  @ApplyLdifFiles("org/apache/directory/server/kerberos/kdc/KerberosIT.ldif")


AbstractKerberosITest generates a krb5.conf that looks like this:

  [libdefaults]
  default_realm = EXAMPLE.COM
  default_tkt_enctypes = des3-cbc-sha1
  default_tgs_enctypes = des3-cbc-sha1
  permitted_enctypes = des3-cbc-sha1
  default-checksum_type = hmac-sha1-des3
  udp_preference_limit = 1
  [realms]
  EXAMPLE.COM = {
  kdc = localhost:6089
  }
  [domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM

To kinit, I'm using this command (hnelson is automatically added by
AbstractKerberosITest):

  env KRB5_CONFIG=/path/to/krb5.conf kinit -k -t /path/to/hnelson.keytab hnelson@EXAMPLE.COM

And I get this error:

  kinit: krb5_get_init_creds: unable to reach any KDC in realm EXAMPLE.COM

The kdc seems to be running just fine:

  ➜  ~  lsof -i :6089
  COMMAND   PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
  java    98545 clumjo  201u  IPv6 0x3b381b5f4ac2a677      0t0  TCP localhost:6089 (LISTEN)
  ➜  ~  telnet localhost 6089
  Trying ::1...
  telnet: connect to address ::1: Connection refused
  Trying 127.0.0.1...
  Connected to localhost.

Do you have any thoughts as to what might be wrong?

Thanks,

Josh
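
Added example (not part of the original post and not ApacheDS code): the telnet transcript above shows localhost resolving to ::1 first (refused) and then to 127.0.0.1 (connected). The Python script below reads the kdc entries for a realm from a krb5.conf and probes every resolved address on its own, so a listener that answers on only one address family is visible. The function names are illustrative and the embedded krb5.conf is a constructed sample modelled on the one quoted above.

```python
import socket

# Constructed sample, modelled on the krb5.conf quoted in the post above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM
udp_preference_limit = 1
[realms]
EXAMPLE.COM = {
kdc = localhost:6089
}
"""


def kdc_endpoints(conf_text, realm):
    """Return [(host, port)] for each 'kdc =' line of `realm` under [realms]."""
    endpoints, section, current = [], None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1].strip(), None
        elif section != "realms":
            continue
        elif line.endswith("{"):
            current = line.split("=", 1)[0].strip()
        elif line.startswith("}"):
            current = None
        elif current == realm and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "kdc":
                # Bracketed IPv6 literals are not handled in this example.
                host, sep, port = value.rpartition(":")
                # No ":port" suffix means the Kerberos default port, 88.
                endpoints.append((host, int(port)) if sep else (value, 88))
    return endpoints


def probe(host, port, timeout=2.0):
    """TCP-connect to every address `host` resolves to, in resolver order.

    Returns [(family, address, connected, detail)].
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [("none", host, False, "resolution failed: %s" % exc)]
    results = []
    for family, socktype, proto, _, sockaddr in infos:
        name = "IPv6" if family == socket.AF_INET6 else "IPv4"
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
            results.append((name, sockaddr[0], True, "connected"))
        except OSError as exc:
            results.append((name, sockaddr[0], False, exc.strerror or str(exc)))
    return results


def mixed_reachability(results):
    """True when one resolved address accepts and another does not, as in
    the telnet transcript (::1 refused, 127.0.0.1 connected)."""
    return {connected for _, _, connected, _ in results} == {True, False}


if __name__ == "__main__":
    for host, port in kdc_endpoints(SAMPLE_KRB5_CONF, "EXAMPLE.COM"):
        results = probe(host, port)
        for family, addr, ok, detail in results:
            print("%s:%d %s %s -> %s" % (host, port, family, addr, detail))
        if mixed_reachability(results):
            print("listener answers on only some of the addresses for", host)
```

A mixed result only shows that the listener is bound to a subset of the addresses the name resolves to; whether a given Kerberos client falls back to the next address is client-specific.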

Re: Using AbstractKerberosITest

Posted by Kiran Ayyagari <ka...@apache.org>.
On Thu, Apr 10, 2014 at 8:52 PM, Josh Clum <jo...@gmail.com> wrote:

> I'm using 2.0.0-M15. I think KdcConnection is being a little more helpful.
> Connecting like this:
>
>   KdcConfig config = KdcConfig.getDefaultConfig();
>   config.setUseUdp( false );
>   config.setHostName("127.0.0.1");
>   config.setKdcPort( kdcServer.getTcpPort() );
>   config.setEncryptionTypes( kdcServer.getConfig().getEncryptionTypes() );
>   config.setTimeout( Integer.MAX_VALUE );
>   KdcConnection connection = new KdcConnection( config );
>   ServiceTicket ticket = connection.getServiceTicket(USER_UID + "@" + REALM, USER_PASSWORD, "krbtgt/" + REALM + "@" + REALM);
>
> is at least giving me an error:
>
>   11:15:57,186 ERROR [KERBEROS_LOG] (AuthenticationService.java:313) No key for client uid=hnelson,ou=users,dc=example,dc=com
>   11:15:57,186 WARN  [KerberosProtocolHandler] (KerberosProtocolHandler.java:241) The client or server has a null key (9)
>   11:15:57,187 WARN  [KERBEROS_LOG] (KerberosProtocolHandler.java:242) The client or server has a null key (9)
>   11:15:57,269 ERROR [KERBEROS_LOG] (AuthenticationService.java:313) No key for client uid=hnelson,ou=users,dc=example,dc=com
>   11:15:57,269 WARN  [KerberosProtocolHandler] (KerberosProtocolHandler.java:241) The client or server has a null key (9)
>   11:15:57,269 WARN  [KERBEROS_LOG] (KerberosProtocolHandler.java:242) The client or server has a null key (9)
>
> I'm guessing I have to register/create a keytab with server for hnelson? I
> manually created a keytab for hnelson but I don't see a way to specify it
> using connection.getServiceTicket.
>
ok, looks like the user entry doesn't contain the kerberos keys
take a look at the KdcConnectionTest[1] and see what is going on with your
test case based on that.

[1]
http://svn.apache.org/repos/asf/directory/apacheds/trunk/kerberos-client/src/test/java/org/apache/directory/kerberos/client/KdcConnectionTest.java


-- 
Kiran Ayyagari
http://keydap.com

Re: Using AbstractKerberosITest

Posted by Josh Clum <jo...@gmail.com>.
I'm using 2.0.0-M15. I think KdcConnection is being a little more helpful.
Connecting like this:

  KdcConfig config = KdcConfig.getDefaultConfig();
  config.setUseUdp( false );
  config.setHostName("127.0.0.1");
  config.setKdcPort( kdcServer.getTcpPort() );
  config.setEncryptionTypes( kdcServer.getConfig().getEncryptionTypes() );
  config.setTimeout( Integer.MAX_VALUE );
  KdcConnection connection = new KdcConnection( config );
  ServiceTicket ticket = connection.getServiceTicket(USER_UID + "@" + REALM, USER_PASSWORD, "krbtgt/" + REALM + "@" + REALM);

is at least giving me an error:

  11:15:57,186 ERROR [KERBEROS_LOG] (AuthenticationService.java:313) No key for client uid=hnelson,ou=users,dc=example,dc=com
  11:15:57,186 WARN  [KerberosProtocolHandler] (KerberosProtocolHandler.java:241) The client or server has a null key (9)
  11:15:57,187 WARN  [KERBEROS_LOG] (KerberosProtocolHandler.java:242) The client or server has a null key (9)
  11:15:57,269 ERROR [KERBEROS_LOG] (AuthenticationService.java:313) No key for client uid=hnelson,ou=users,dc=example,dc=com
  11:15:57,269 WARN  [KerberosProtocolHandler] (KerberosProtocolHandler.java:241) The client or server has a null key (9)
  11:15:57,269 WARN  [KERBEROS_LOG] (KerberosProtocolHandler.java:242) The client or server has a null key (9)

I'm guessing I have to register/create a keytab with server for hnelson? I
manually created a keytab for hnelson but I don't see a way to specify it
using connection.getServiceTicket.






Re: Using AbstractKerberosITest

Posted by Kiran Ayyagari <ka...@apache.org>.
On Thu, Apr 10, 2014 at 6:37 PM, Josh Clum <jo...@gmail.com> wrote:

> Added "EXAMPLE.COM localhost" to /etc/hosts so now I can ping EXAMPLE.COM,
> but still no luck.
>
> I did notice that when I call kdcServer.isStarted() in my test, that it
> will always return false. It seems that the method that kdcServer.start();
> is not correctly setting the started flag. I tried manually kdcServer.stop();
> then kdcServer.start(); as another check.
>
I doubt that, which version of the server are you using?

>
> Is there any way to connect to the kdc other than just trying to kinit?
> Any other thoughts?
>
you can use KdcConnection present in kerberos-client module to test


-- 
Kiran Ayyagari
http://keydap.com

Re: Using AbstractKerberosITest

Posted by Josh Clum <jo...@gmail.com>.
Added "EXAMPLE.COM localhost" to /etc/hosts so now I can ping EXAMPLE.COM,
but still no luck.

I did notice that when I call kdcServer.isStarted() in my test, that it
will always return false. It seems that the method that kdcServer.start();
is not correctly setting the started flag. I tried manually kdcServer.stop();
then kdcServer.start(); as another check.

Is there any way to connect to the kdc other than just trying to kinit? Any
other thoughts?



Re: Using AbstractKerberosITest

Posted by Kiran Ayyagari <ka...@apache.org>.
On Thu, Apr 10, 2014 at 1:14 AM, Josh Clum <jo...@gmail.com> wrote:

> Do you have any thoughts as to what might be wrong?
>
nope, am able to get the ticket using the same config (but with a
standalone server)
looks like some DNS issue, can you map EXAMPLE.COM to loopback address
in your hosts file and see

> Thanks,
>
> Josh
>
>


-- 
Kiran Ayyagari
http://keydap.com