Posted to users@directory.apache.org by "Ali, Saqib" <do...@gmail.com> on 2016/09/29 22:38:58 UTC

[Studio] Apache Directory Studio not able to authenticate using GSSAPI (Kerberos)

I have an Ubuntu machine that is configured with SSSD for Authentication to
Active Directory Kerberos Domain.

The Kerberos setup works well on this machine. No issues accessing AD
protected File Shares.

However when I try to configure Apache Directory Studio to use GSSAPI
(Kerberos) to connect to the Active Directory LDAP port (636), I get
the following exception:

The authentication failed
 - javax.security.auth.login.LoginException: Unable to obtain
Principal Name for authentication
  org.apache.directory.api.ldap.model.exception.LdapException:
javax.security.auth.login.LoginException: Unable to obtain Principal
Name for authentication
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1657)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1543)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:444)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1171)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:457)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:303)
    at org.apache.directory.studio.connection.core.jobs.CheckBindRunnable.run(CheckBindRunnable.java:79)
    at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:127)
    at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:122)
Caused by: javax.security.auth.login.LoginException: Unable to obtain
Principal Name for authentication
    at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:841)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:704)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1644)
    ... 8 more

  javax.security.auth.login.LoginException: Unable to obtain Principal
Name for auth

Re: [Studio] Apache Directory Studio not able to authenticate using GSSAPI (Kerberos)

Posted by Stefan Seelmann <ma...@stefan-seelmann.de>.
On 10/15/2016 03:29 PM, Stefan Seelmann wrote:
> On 10/15/2016 11:14 AM, Ali, Saqib wrote:
>> Hello everyone,
>>
>> Any help with this?
> 
> Not yet.
> 
> I started to build a test environment (I plan Docker containers with a
> KDC) but didn't finish yet. But I'm not able to test against an Active
> Directory because I don't have one available.

I'm done with the tests and I'm happy that it works. I run an ApacheDS
as KDC, do a kinit to get the TGT which is then stored in credentials
cache in /tmp/krb5cc_1000. Then in Studio Kerberos connection properties
I configured "Use native TGT" and "Use native system configuration" and
finally the authentication worked.

While writing the tests I also got your error message "Unable to obtain
Principal Name for authentication". This means that Studio/Java cannot
read the credential cache. Please make sure that you run kinit and your
/tmp/krb5cc_uid exists and is readable. Another issue when I got this
error message within the Docker container was that there was no entry in
/etc/passwd for my user and then Java could not resolve user.name to the
uid.

I hope this helps you a bit to get a step further.

Kind Regards,
Stefan
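
The two causes named in the reply above (a credential cache Java cannot read, and a user name that does not resolve to a uid) can be checked before starting Studio. The script below is an added example, not part of the original message or of Apache Directory Studio; the function name `check_krb5_cache`, its return codes and the header check on the cache file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Usage: check_krb5_cache "$(id -un)"
# check_krb5_cache USER [PASSWD_FILE] [CACHE_DIR]
# Returns 0 and prints the cache path when all checks pass, otherwise:
#   1 no passwd entry, 2 cache missing, 3 cache unreadable, 4 not a cache file
check_krb5_cache() {
    user=$1
    passwd_file=${2:-}      # optional passwd-format file; default: NSS via getent
    cache_dir=${3:-/tmp}    # directory named in the reply

    # 1. The user name must resolve to a uid. Assumption: getent sees the
    #    same account database the JVM's native lookup uses.
    if [ -n "$passwd_file" ]; then
        uid=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$passwd_file")
    else
        uid=$(getent passwd "$user" | cut -d: -f3)
    fi
    if [ -z "$uid" ]; then
        echo "no passwd entry for '$user': uid cannot be resolved" >&2
        return 1
    fi

    # 2. The cache file krb5cc_<uid> must exist and be readable.
    cache="$cache_dir/krb5cc_$uid"
    if [ ! -f "$cache" ]; then
        echo "$cache does not exist: run kinit first" >&2
        return 2
    fi
    if [ ! -r "$cache" ]; then
        echo "$cache is not readable by $(id -un)" >&2
        return 3
    fi

    # 3. A file-based credential cache begins with version bytes 0x05 0x01..0x04.
    magic=$(od -An -tx1 -N2 "$cache" | tr -d ' \n')
    case $magic in
        0501|0502|0503|0504) ;;
        *) echo "$cache is not a credential cache (header: ${magic:-empty})" >&2
           return 4 ;;
    esac
    echo "$cache"
}
```
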


Re: [Studio] Apache Directory Studio not able to authenticate using GSSAPI (Kerberos)

Posted by Stefan Seelmann <ma...@stefan-seelmann.de>.
On 10/15/2016 11:14 AM, Ali, Saqib wrote:
> Hello everyone,
> 
> Any help with this?

Not yet.

I started to build a test environment (I plan Docker containers with a
KDC) but didn't finish yet. But I'm not able to test against an Active
Directory because I don't have one available.

There are also some Jiras regarding Kerberos/GSSAPI authentication [1],
[2], so I assume it's not working properly.

Kind Regards,
Stefan

[1] https://issues.apache.org/jira/browse/DIRSTUDIO-1066
[2] https://issues.apache.org/jira/browse/DIRSTUDIO-1103




Re: [Studio] Apache Directory Studio not able to authenticate using GSSAPI (Kerberos)

Posted by "Ali, Saqib" <do...@gmail.com>.
Hello everyone,

Any help with this?

Thanks

On Sep 30, 2016 12:32 PM, "Ali, Saqib" <do...@gmail.com> wrote:

> Emmanuel,
>
> Here is the Java version:
>
> $ java -version
> java version "1.8.0_101"
> Java(TM) SE Runtime Environment (build 1.8.0_101-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 25.101-b13, mixed mode)
>
>
>
> ----
>
>
>
>
> On Thu, Sep 29, 2016 at 10:41 PM, Emmanuel Lécharny <el...@gmail.com>
> wrote:
> > On 30/09/16 at 00:38, Ali, Saqib wrote:
> >> I have an Ubuntu machine that is configured with SSSD for Authentication to
> >> Active Directory Kerberos Domain.
> >>
> >> The Kerberos setup works well on this machine. No issues accessing AD
> >> protected File Shares.
> >>
> >> However when I try to configure Apache Directory Studio to use GSSAPI
> >> (Kerberos) to connect to the Active Directory LDAP port (636), I get
> >> the following exception:
> >
> > What JVM are you using (and which version)?
> >
>

Re: [Studio] Apache Directory Studio not able to authenticate using GSSAPI (Kerberos)

Posted by "Ali, Saqib" <do...@gmail.com>.
Emmanuel,

Here is the Java version:

$ java -version
java version "1.8.0_101"
Java(TM) SE Runtime Environment (build 1.8.0_101-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.101-b13, mixed mode)



----




On Thu, Sep 29, 2016 at 10:41 PM, Emmanuel Lécharny <el...@gmail.com> wrote:
> On 30/09/16 at 00:38, Ali, Saqib wrote:
>> I have an Ubuntu machine that is configured with SSSD for Authentication to
>> Active Directory Kerberos Domain.
>>
>> The Kerberos setup works well on this machine. No issues accessing AD
>> protected File Shares.
>>
>> However when I try to configure Apache Directory Studio to use GSSAPI
>> (Kerberos) to connect to the Active Directory LDAP port (636), I get
>> the following exception:
>
> What JVM are you using (and which version)?
>

Re: [Studio] Apache Directory Studio not able to authenticate using GSSAPI (Kerberos)

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 30/09/16 at 00:38, Ali, Saqib wrote:
> I have an Ubuntu machine that is configured with SSSD for Authentication to
> Active Directory Kerberos Domain.
>
> The Kerberos setup works well on this machine. No issues accessing AD
> protected File Shares.
>
> However when I try to configure Apache Directory Studio to use GSSAPI
> (Kerberos) to connect to the Active Directory LDAP port (636), I get
> the following exception:

What JVM are you using (and which version)?