Posted to dev@qpid.apache.org by eugene <eu...@gmail.com> on 2012/07/26 14:48:55 UTC

qpidd 0.14 + Kerberos + Active Directory on Windows 2003 Server

Well the setup is pretty much in the subject of the message.

Here is what I did more:

0. Specify the needed params in krb5.conf (mainly the kdc and realms are
important); important here is that kinit user@OURDOMAIN.COM works fine! I do get a Ticket Granting Ticket
(which I can see with klist).

1. On the AD side I mapped the user to the SPN. (setspn -A
qpidd/vmvmrg@OURDOMAIN.COM user)
2. Generated the keytab with ktpass on the AD box:

ktpass -out c:\temp\qpidd.keytab
-princ qpidd/vmvmrg@OURDOMAIN.COM
-mapUser user
-mapOp set 
-pass ******
-crypto DES-CBC-MD5 
-pType KRB5_NT_PRINCIPAL
+DesOnly

3. Put the keytab file in /etc

4. Invoke a sample connection. String URL for connection is:

"amqp://ananymous:guest@clientid/testpath?brokerlist='tcp://10.1.10.89:5672?sasl_mechs='GSSAPI'&sasl_protocol='qpidd'&sasl_server='vmvmrg''";

As a result I get:
AMQConnectionFailureException: Cannot connect to broker : connection-refused
: Authentication Failed (error code 320 : connection forced).

Seems (and maybe I am wrong) like the params that I send in the connection
url are wrong.

Anyone with an opinion?

Thank You,
Eugene. 



--
View this message in context: http://apache-qpid-developers.2158895.n2.nabble.com/qpidd-0-14-Kerberos-Active-Directory-on-Windows-2003-Server-tp7581381.html
Sent from the Apache Qpid developers mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
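Steps 1 to 3 above produce the keytab that qpidd will read, and it is worth inspecting it before starting the broker. The following is an added Python example, not code from the thread or from Qpid: it parses the MIT keytab format (version 0x0502, the format ktpass -out writes) and reports the checks this thread turns on: whether the SPN is present with its realm, whether the enctype is DES, and whether the kvno matches what the KDC currently issues (the number the kvno command prints). The sample keytab, its placeholder key bytes and the KDC kvno value are constructed.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Registered Kerberos enctype numbers with the names klist -k -e prints.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
DES_ENCTYPES = {1, 3}
KRB5_NT_PRINCIPAL = 1  # the -pType used in the thread

def _counted(data: bytes) -> bytes:
    """Keytab counted octet string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data

def _read_counted(buf: bytes, p: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def build_keytab(entries: List[Dict]) -> bytes:
    """Serialise entries as a version 0x0502 keytab (used only to construct sample input)."""
    out = b"\x05\x02"
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e["timestamp"], e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])  # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data: bytes) -> List[Dict]:
    """Parse a version 0x0502 keytab into entries; key bytes are skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:  # a negative size marks a deleted slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, p = _read_counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_counted(entry, p)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", entry, p)
        p += 9
        enctype, klen = struct.unpack_from(">HH", entry, p)
        p += 4 + klen
        kvno = struct.unpack_from(">I", entry, p)[0] if p + 4 <= len(entry) else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp,
                        "enctype": enctype, "key_len": klen, "kvno": kvno})
    return entries

def check_keytab(entries: List[Dict], spn: str,
                 kdc_kvno: Optional[int] = None) -> List[Tuple[str, str]]:
    """Findings as (code, detail): missing SPN, empty realm, DES enctype, stale kvno."""
    matches = [e for e in entries if e["principal"] == spn]
    if not matches:
        have = sorted({e["principal"] for e in entries})
        return [("missing-spn", f"{spn} not in keytab; present: {have}")]
    findings = []
    for e in matches:
        if not e["principal"].rsplit("@", 1)[1]:
            findings.append(("empty-realm", e["principal"]))
        if e["enctype"] in DES_ENCTYPES:
            # DES (the -crypto DES-CBC-MD5 / +DesOnly choice above) is weak and is
            # disabled by default on current KDCs and Kerberos libraries.
            findings.append(("weak-enctype", ENCTYPE_NAMES[e["enctype"]]))
        if kdc_kvno is not None and e["kvno"] != kdc_kvno:
            # ktpass -mapOp set resets the account password and bumps the kvno in AD;
            # a keytab from an earlier run then fails GSSAPI until it is regenerated.
            findings.append(("kvno-mismatch", f"keytab kvno {e['kvno']}, KDC kvno {kdc_kvno}"))
    return findings

# Constructed sample keytab: the SPN from the thread, DES-CBC-MD5, placeholder key bytes.
SAMPLE_KEYTAB = build_keytab([{"principal": "qpidd/vmvmrg@OURDOMAIN.COM", "enctype": 3,
                               "kvno": 5, "timestamp": 1343372000, "key": b"\x00" * 8}])

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    # kdc_kvno=6 is an assumed value; on the broker host it comes from 'kvno <spn>'
    print(found, check_keytab(found, "qpidd/vmvmrg@OURDOMAIN.COM", kdc_kvno=6))
```

Running it against a real file means `parse_keytab(open(path, "rb").read())` with the path qpidd uses (KRB5_KTNAME or /etc/krb5.keytab), as the same user qpidd runs under.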


Re: qpidd 0.14 + Kerberos + Active Directory on Windows 2003 Server

Posted by Gordon Sim <gs...@redhat.com>.
On 07/31/2012 12:39 PM, eugene wrote:
> And finally working :)

Fantastic!




Re: qpidd 0.14 + Kerberos + Active Directory on Windows 2003 Server

Posted by eugene <eu...@gmail.com>.
This is amazing!

And finally working :)

I re-created the keytab file once again and tried qpid-perftest; it's
working. Then I tried the java client and that works also. :)


It seems that all these steps together made it happen.

Thank You for your precious time Gordon Sim!

Thank You,
Eugene. 





Re: qpidd 0.14 + Kerberos + Active Directory on Windows 2003 Server

Posted by Gordon Sim <gs...@redhat.com>.
On 07/31/2012 10:15 AM, eugene wrote:
> It throws Authentication Failed, then I check the logs:
>
> info SASL: Starting authentication with mechanism: GSSAPI
> 2012-07-31 05:06:09 warning Failed to retrieve sasl username
> 2012-07-31 05:06:09 info SASL: Authentication failed (no username available
> yet):SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (No such file or directory)
>
> So I should specify the SASL username?

No, it will use the ticket cache. The statement about username in the 
error above is simply stating that no username was available to log.

The 'No such file or directory' error is interesting though... I would 
have guessed that was somehow a problem with accessing the keytab, but I 
know you already checked permissions... are you running qpidd as root or 
under the qpidd user? is SELinux running? I wonder if that is preventing 
qpidd accessing the file?




Re: qpidd 0.14 + Kerberos + Active Directory on Windows 2003 Server

Posted by eugene <eu...@gmail.com>.
Hello Gordon,

There are more details from me if helpful. Seems like a bug in your
libraries (or a setting is missing), but I'm not sure..

So after I do kinit vmvmrg, and then klist, I get this:


Ticket cache: FILE:/tmp/krb5cc_0
Default principal: vmvmrg@OURDOMAIN.COM

Valid starting     Expires            Service principal
07/31/12 04:58:46  07/31/12 14:58:41  krbtgt/OURDOMAIN.COM@OURDOMAIN.COM
        renew until 08/01/12 04:58:46


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached


Then I issue : kvno qpidd/vmvmrg@OURDOMAIN.COM and then klist shows this:


Ticket cache: FILE:/tmp/krb5cc_0
Default principal: vmvmrg@OURDOMAIN.COM

Valid starting     Expires            Service principal
07/31/12 04:58:46  07/31/12 14:58:41  krbtgt/OURDOMAIN.COM@OURDOMAIN.COM
        renew until 08/01/12 04:58:46
07/31/12 05:01:19  07/31/12 14:58:41  qpidd/vmvmrg@OURDOMAIN.COM
        renew until 08/01/12 04:58:46


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached


Yup, I have the second ticket now, so it should work.

Start the broker:

qpidd --auth yes --realm OURDOMAIN.COM --log-enable debug+ 

And issue the qpid-perftest:

qpid-perftest --mechanism GSSAPI --broker vmvmrg --count 1 --trace

It throws Authentication Failed, then I check the logs:

info SASL: Starting authentication with mechanism: GSSAPI
2012-07-31 05:06:09 warning Failed to retrieve sasl username
2012-07-31 05:06:09 info SASL: Authentication failed (no username available
yet):SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No such file or directory)

So I should specify the SASL username? I should send a ticket; that's the
whole point of Kerberos, not a username..

Thank You,
Eugene.





Re: qpidd 0.14 + Kerberos + Active Directory on Windows 2003 Server

Posted by eugene <eu...@gmail.com>.
fun :)

Googling does not help so far either..







Re: qpidd 0.14 + Kerberos + Active Directory on Windows 2003 Server

Posted by Gordon Sim <gs...@redhat.com>.
On 07/30/2012 02:34 PM, eugene wrote:
> I don't think this is true,

Very possible, I'm certainly no expert...

> see this:
>
> http://www.opensubscriber.com/message/kerberos@mit.edu/14923168.html
>
> This seems normal, except that the second entry is not created of course..

...so if there is no mapping in the domain_realms section, it will try 
the default realm (which I assume is correctly specified). The question 
would be then why it was unable to obtain a ticket for that domain, 
which as I understand that post would be listed also by klist if obtained.

I don't know where the logs for the KDC on Active Directory are, but 
they may shed some light.





Re: qpidd 0.14 + Kerberos + Active Directory on Windows 2003 Server

Posted by eugene <eu...@gmail.com>.
I don't think this is true, see this:

http://www.opensubscriber.com/message/kerberos@mit.edu/14923168.html

This seems normal, except that the second entry is not created of course..





Re: qpidd 0.14 + Kerberos + Active Directory on Windows 2003 Server

Posted by Gordon Sim <gs...@redhat.com>.
On 07/30/2012 01:51 PM, eugene wrote:
> There is one more interesting thing that confuses me now.
>
> After I run qpid-perftest.... and then issue a klist again, I get this:
>
>
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: vmvmrg@OURDOMAIN.COM
>
> Valid starting     Expires            Service principal
> 07/30/12 08:46:42  07/30/12 18:46:38  krbtgt/OURDOMAIN.COM@OURDOMAIN.COM
>          renew until 07/31/12 08:46:42
> 07/30/12 08:47:05  07/30/12 18:46:38  qpidd/vmvmrg@
>          renew until 07/31/12 08:46:42
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> Now I am pretty lost :) Where did the second entry come from? I have not
> issued any tickets...

That looks like the ticket to use qpidd, but it appears to be missing 
the realm... I think you can fix that by adding a mapping to the 
[domain_realm] section of your /etc/krb5.conf for the vmvmrg host.


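Gordon's diagnosis above (a service ticket cached as qpidd/vmvmrg@ with an empty realm) and his remark elsewhere in the thread that an unmapped host falls back to the default realm can be checked mechanically. The following is an added Python example, not code from the thread or from Qpid: it parses the klist output pasted above, flags service tickets without a realm, and reports which realm the [domain_realm] section of /etc/krb5.conf would give the broker host. The krb5.conf fragments and the KDC name are constructed placeholders; DNS realm lookup and KDC referrals are not modelled.

```python
import re
from typing import Dict, List, Tuple

# klist output copied from the message above (constructed verbatim as test input).
KLIST_SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: vmvmrg@OURDOMAIN.COM

Valid starting     Expires            Service principal
07/30/12 08:46:42  07/30/12 18:46:38  krbtgt/OURDOMAIN.COM@OURDOMAIN.COM
        renew until 07/31/12 08:46:42
07/30/12 08:47:05  07/30/12 18:46:38  qpidd/vmvmrg@
        renew until 07/31/12 08:46:42
"""

# Two constructed krb5.conf variants: without and with the [domain_realm]
# mapping for the broker host. The kdc value is a placeholder, not a real host.
KRB5_CONF_NO_MAPPING = """\
[libdefaults]
    default_realm = OURDOMAIN.COM

[realms]
    OURDOMAIN.COM = {
        kdc = KDC-HOSTNAME-PLACEHOLDER
    }
"""
KRB5_CONF_MAPPED = KRB5_CONF_NO_MAPPING + """
[domain_realm]
    vmvmrg = OURDOMAIN.COM
    .ourdomain.com = OURDOMAIN.COM
"""

TICKET_LINE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$")

def parse_klist(text: str) -> List[str]:
    """Service principals from MIT klist output, in cache order."""
    found = []
    for line in text.splitlines():
        m = TICKET_LINE.match(line)
        if m:
            found.append(m.group(3))
    return found

def realmless_service_tickets(principals: List[str]) -> List[str]:
    """Tickets whose service principal carries no realm, like 'qpidd/vmvmrg@' above."""
    return [p for p in principals if "@" not in p or p.endswith("@")]

def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal krb5.conf reader: top-level 'key = value' per [section]; brace blocks skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current, depth = None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections

def expected_realm_for_host(conf: Dict[str, Dict[str, str]], host: str) -> Tuple[str, str]:
    """Realm chosen for a service host: exact [domain_realm] entry, then parent
    domains with a leading dot, then default_realm (the fallback Gordon describes)."""
    mapping = conf.get("domain_realm", {})
    h = host.lower()
    if h in mapping:
        return mapping[h], "domain_realm exact match"
    labels = h.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent], "domain_realm parent-domain match"
    return conf.get("libdefaults", {}).get("default_realm", ""), "default_realm"

def diagnose(klist_text: str, krb5_conf_text: str) -> List[Tuple[str, str, str]]:
    """For each realmless service ticket: (principal, realm expected, how it was chosen)."""
    conf = parse_krb5_conf(krb5_conf_text)
    report = []
    for p in realmless_service_tickets(parse_klist(klist_text)):
        name = p.rsplit("@", 1)[0]
        host = name.split("/", 1)[1] if "/" in name else name
        realm, source = expected_realm_for_host(conf, host)
        report.append((p, realm, source))
    return report
```

`diagnose(KLIST_SAMPLE, KRB5_CONF_NO_MAPPING)` returns `[('qpidd/vmvmrg@', 'OURDOMAIN.COM', 'default_realm')]`; with `KRB5_CONF_MAPPED` the source becomes the explicit [domain_realm] entry.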


Re: qpidd 0.14 + Kerberos + Active Directory on Windows 2003 Server

Posted by eugene <eu...@gmail.com>.
There is one more interesting thing that confuses me now.

After I run qpid-perftest.... and then issue a klist again, I get this:


klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: vmvmrg@OURDOMAIN.COM

Valid starting     Expires            Service principal
07/30/12 08:46:42  07/30/12 18:46:38  krbtgt/OURDOMAIN.COM@OURDOMAIN.COM
        renew until 07/31/12 08:46:42
07/30/12 08:47:05  07/30/12 18:46:38  qpidd/vmvmrg@
        renew until 07/31/12 08:46:42


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Now I am pretty lost :) Where did the second entry come from? I have not
issued any tickets...





Re: qpidd 0.14 + Kerberos + Active Directory on Windows 2003 Server

Posted by eugene <eu...@gmail.com>.
Hello Gordon,

Ok, so each a time.

I would be glad to provide any details from the KDC (the Windows 2003 Server
box), but I have no idea which or where they are... :( I have enough rights
to get them, btw.

Here is the command that I run:

vmvmrg is a user in AD, and (the same string "vmvmrg") is also the box that
hosts MRG.

kinit vmvmrg
Password for vmvmrg@OURDOMAIN.COM:
[root@vmvmrg ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: vmvmrg@OURDOMAIN.COM

Valid starting     Expires            Service principal
07/30/12 08:08:13  07/30/12 18:08:10  krbtgt/OURDOMAIN.COM@OURDOMAIN.COM
        renew until 07/31/12 08:08:13


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@vmvmrg ~]# /usr/bin/qpid-perftest --mechanism GSSAPI --broker vmvmrg
--count 1

connection-forced: Authentication failed
2012-07-30 08:08:45 warning Broker closed connection: 320,
connection-forced: Authentication failed
[root@vmvmrg ~]#


Thank You,
Eugene.







Re: qpidd 0.14 + Kerberos + Active Directory on Windows 2003 Server

Posted by Gordon Sim <gs...@redhat.com>.
On 07/27/2012 08:39 AM, eugene wrote:
> Well yes, I'm sorry, I should have been a bit more verbose. Here are the
> details:
>
> 1. The command that I'm running:
>
> java -Djavax.security.auth.useSubjectCredsOnly=false
> -Djava.security.auth.login.config=myjass.conf -Dsun.security.krb5.debug=true
> -jar Kerberos.jar
>
>    1.1 I am running it with OpenJDK 1.6_22
>    1.2 The myjass.conf looks like this:
>
>           com.sun.security.jgss.initiate {
>                     com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
>           };
>
> 2. The keytab file is called krb5.keytab (so I do not need to set the
> KRB5_KTNAME variable).
>
> 3. Yes the keytab can be read by qpidd (as a matter of fact to make it sure
> I just "777"-ed the file anyway)
>
> 4. qpid.conf :
>
> auth=yes
> realm=OURDOMAIN.COM

Are there any logs available at your KDC that might shed some light?

Do you have the c++ client installed on the machine qpidd is running on? 
If so, it might be worth an experiment to connect with that: kinit for 
your test user then use e.g. qpid-perftest with --mechanism GSSAPI and 
--broker vmvmrg (and --count 1, just for a simple test). If that works, 
it would indicate some configuration issue for JMS, if it doesn't 
(assuming the kinit passes), then it would indicate some problem with 
qpidd authenticating itself.




Re: qpidd 0.14 + Kerberos + Active Directory on Windows 2003 Server

Posted by eugene <eu...@gmail.com>.
Well yes, I'm sorry, I should have been a bit more verbose. Here are the
details:

1. The command that I'm running:

java -Djavax.security.auth.useSubjectCredsOnly=false
-Djava.security.auth.login.config=myjass.conf -Dsun.security.krb5.debug=true
-jar Kerberos.jar

  1.1 I am running it with OpenJDK 1.6_22
  1.2 The myjass.conf looks like this:

         com.sun.security.jgss.initiate {
                   com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
         };

2. The keytab file is called krb5.keytab (so I do not need to set the
KRB5_KTNAME variable).

3. Yes the keytab can be read by qpidd (as a matter of fact to make it sure
I just "777"-ed the file anyway)

4. qpid.conf :

auth=yes
realm=OURDOMAIN.COM

Here is the stack trace that I get:


    Config name: /etc/krb5.conf
    >>>KinitOptions cache name is /tmp/krb5cc_0
    >>>DEBUG <CCacheInputStream>  client principal is user@OURDOMAIN.COM
    >>>DEBUG <CCacheInputStream> server principal is krbtgt/OURDOMAIN.COM@OURDOMAIN.COM
    >>>DEBUG <CCacheInputStream> key type: 23
    >>>DEBUG <CCacheInputStream> auth time: Fri Jul 27 03:28:43 EDT 2012
    >>>DEBUG <CCacheInputStream> start time: Fri Jul 27 03:28:17 EDT 2012
    >>>DEBUG <CCacheInputStream> end time: Fri Jul 27 13:28:43 EDT 2012
    >>>DEBUG <CCacheInputStream> renew_till time: Sat Jul 28 03:28:17 EDT 2012
    >>> CCacheInputStream: readFlags()  FORWARDABLE; RENEWABLE; INITIAL; PRE_AUTH;
    >>>DEBUG <CCacheInputStream>
    Found ticket for user@OURDOMAIN.COM to go to krbtgt/OURDOMAIN.COM@OURDOMAIN.COM expiring on Fri Jul 27 13:28:43 EDT 2012
    Entered Krb5Context.initSecContext with state=STATE_NEW
    Service ticket not found in the subject
    >>> Credentials acquireServiceCreds: same realm
    Using builtin default etypes for default_tgs_enctypes
    default etypes for default_tgs_enctypes: 3 1 23 16 17 18.
    >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    >>> KrbKdcReq send: kdc=VSH002.VIVATCONSULTING.COM UDP:88, timeout=30000, number of retries =3, #bytes=1245
    >>> KDCCommunication: kdc=VSH002.VIVATCONSULTING.COM UDP:88, timeout=30000,Attempt =1, #bytes=1245
    >>> KrbKdcReq send: #bytes read=1161
    >>> KrbKdcReq send: #bytes read=1161
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    >>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
    >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    Krb5Context setting mySeqNumber to: 226562779
    Krb5Context setting peerSeqNumber to: 0
    Created InitSecContextToken:

    Exception occurred: javax.jms.JMSException: Error creating connection: connection-forced: Authentication failed
    javax.jms.JMSException: Error creating connection: connection-forced: Authentication failed
            at org.apache.qpid.client.AMQConnectionFactory.createConnection(AMQConnectionFactory.java:102)
            at com.vivat.kerberos.KerberosConnection.main(KerberosConnection.java:49)
    Caused by: org.apache.qpid.AMQConnectionFailureException: connection-forced: Authentication failed [error code 320: connection forced]
            at org.apache.qpid.client.AMQConnection.<init>(AMQConnection.java:432)
            at org.apache.qpid.client.AMQConnectionFactory.createConnection(AMQConnectionFactory.java:98)
            ... 1 more
    Caused by: org.apache.qpid.AMQException: Cannot connect to broker: connection-forced: Authentication failed [error code 320: connection forced]
            at org.apache.qpid.client.AMQConnectionDelegate_0_10.makeBrokerConnection(AMQConnectionDelegate_0_10.java:212)
            at org.apache.qpid.client.AMQConnection.makeBrokerConnection(AMQConnection.java:569)
            at org.apache.qpid.client.AMQConnection.<init>(AMQConnection.java:355)
            ... 2 more
    Caused by: org.apache.qpid.transport.ConnectionException: connection-forced: Authentication failed
            at org.apache.qpid.transport.ConnectionException.rethrow(ConnectionException.java:67)
            at org.apache.qpid.transport.Connection.connect(Connection.java:283)
            at org.apache.qpid.client.AMQConnectionDelegate_0_10.makeBrokerConnection(AMQConnectionDelegate_0_10.java:193)
            ... 4 more
    Caused by: org.apache.qpid.transport.ConnectionException: connection-forced: Authentication failed
            at org.apache.qpid.transport.Connection.closeCode(Connection.java:532)
            at org.apache.qpid.transport.ConnectionDelegate.connectionClose(ConnectionDelegate.java:76)
            at org.apache.qpid.transport.ConnectionDelegate.connectionClose(ConnectionDelegate.java:40)
            at org.apache.qpid.transport.ConnectionClose.dispatch(ConnectionClose.java:100)
            at org.apache.qpid.transport.ConnectionDelegate.control(ConnectionDelegate.java:49)
            at org.apache.qpid.transport.ConnectionDelegate.control(ConnectionDelegate.java:40)
            at org.apache.qpid.transport.Method.delegate(Method.java:163)
            at org.apache.qpid.transport.Connection.received(Connection.java:387)
            at org.apache.qpid.transport.Connection.received(Connection.java:66)
            at org.apache.qpid.transport.network.Assembler.emit(Assembler.java:95)
            at org.apache.qpid.transport.network.Assembler.assemble(Assembler.java:181)
            at org.apache.qpid.transport.network.Assembler.frame(Assembler.java:129)
            at org.apache.qpid.transport.network.Frame.delegate(Frame.java:133)
            at org.apache.qpid.transport.network.Assembler.received(Assembler.java:100)
            at org.apache.qpid.transport.network.Assembler.received(Assembler.java:42)
            at org.apache.qpid.transport.network.InputHandler.next(InputHandler.java:187)
            at org.apache.qpid.transport.network.InputHandler.received(InputHandler.java:103)
            at org.apache.qpid.transport.network.InputHandler.received(InputHandler.java:42)
            at org.apache.qpid.transport.network.io.IoReceiver.run(IoReceiver.java:153)
            at java.lang.Thread.run(Thread.java:679)


Why do I get Authentication Failed if kinit works just fine? I got a Ticket
Granting Ticket so why is there an error message about Authentication? This
smells a lot like something to do with keytab...

If there are other files you want to see, please do let me know.

Thank You,
Eugene. 








Re: qpidd 0.14 + Kerberos + Active Directory on Windows 2003 Server

Posted by Rajith Attapattu <ra...@gmail.com>.
As Gordon pointed out you need to specify a JAAS config file as follows:
-Djava.security.auth.login.config=myjass.conf

The contents of the file should be (the lines inside the "===" markers):
===================================
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};
===================================

Also pass in the following JVM argument to see what's going on.
-Dsun.security.krb5.debug=true

Regards,

Rajith

On Thu, Jul 26, 2012 at 10:09 AM, Gordon Sim <gs...@redhat.com> wrote:
> On 07/26/2012 01:48 PM, eugene wrote:
>>
>> Well the setup is pretty much in the subject of the message.
>>
>> Here is what I did more:
>>
>> 0. Specify the needed params in krb5.conf (mainly the kdc and realms are
>> important); important here is that kinit user@OURDOMAIN.COM works fine! I do get a Ticket Granting Ticket
>> (which I can see with klist).
>>
>> 1. On the AD side I mapped the user to the SPN. (setspn -A
>> qpidd/vmvmrg@OURDOMAIN.COM user)
>> 2. Generated the keytab with ktpass on the AD box:
>>
>> ktpass -out c:\temp\qpidd.keytab
>> -princ qpidd/vmvmrg@OURDOMAIN.COM
>> -mapUser user
>> -mapOp set
>> -pass ******
>> -crypto DES-CBC-MD5
>> -pType KRB5_NT_PRINCIPAL
>> +DesOnly
>>
>> 3. Put the keytab file in /etc
>>
>> 4. Invoke a sample connection. String URL for connection is:
>>
>>
>> "amqp://ananymous:guest@clientid/testpath?brokerlist='tcp://10.1.10.89:5672?sasl_mechs='GSSAPI'&sasl_protocol='qpidd'&sasl_server='vmvmrg''";
>>
>> As a result I get:
>> AMQConnectionFailureException: Cannot connect to broker :
>> connection-refused
>> : Authentication Failed (error code 320 : connection forced).
>>
>> Seems (and maybe I am wrong) like the params that I send in the
>> connection
>> url are wrong.
>>
>> Anyone with an opinion?
>
>
> I don't know too much about the JMS client side. Are you specifying
> -Djavax.security.auth.useSubjectCredsOnly=false? What about
> -Djava.security.auth.login.config, any value for that?
>
> On the broker side, have you set KRB5_KTNAME to point at the correct keytab
> file for qpidd? Can qpidd read that file? Have you set the realm in
> /etc/qpidd.conf?
>


Re: qpidd 0.14 + Kerberos + Active Directory on Windows 2003 Server

Posted by Gordon Sim <gs...@redhat.com>.
On 07/26/2012 01:48 PM, eugene wrote:
> Well the setup is pretty much in the subject of the message.
>
> Here is what I did more:
>
> 0. Specify the needed params in krb5.conf (mainly the kdc and realms are
> important); important here is that kinit user@OURDOMAIN.COM works fine! I do get a Ticket Granting Ticket
> (which I can see with klist).
>
> 1. On the AD side I mapped the user to the SPN. (setspn -A
> qpidd/vmvmrg@OURDOMAIN.COM user)
> 2. Generated the keytab with ktpass on the AD box:
>
> ktpass -out c:\temp\qpidd.keytab
> -princ qpidd/vmvmrg@OURDOMAIN.COM
> -mapUser user
> -mapOp set
> -pass ******
> -crypto DES-CBC-MD5
> -pType KRB5_NT_PRINCIPAL
> +DesOnly
>
> 3. Put the keytab file in /etc
>
> 4. Invoke a sample connection. String URL for connection is:
>
> "amqp://ananymous:guest@clientid/testpath?brokerlist='tcp://10.1.10.89:5672?sasl_mechs='GSSAPI'&sasl_protocol='qpidd'&sasl_server='vmvmrg''";
>
> As a result I get:
> AMQConnectionFailureException: Cannot connect to broker : connection-refused
> : Authentication Failed (error code 320 : connection forced).
>
> Seems (and maybe I am wrong) like the params that I send in the connection
> url are wrong.
>
> Anyone with an opinion?

I don't know too much about the JMS client side. Are you specifying 
-Djavax.security.auth.useSubjectCredsOnly=false? What about 
-Djava.security.auth.login.config, any value for that?

On the broker side, have you set KRB5_KTNAME to point at the correct 
keytab file for qpidd? Can qpidd read that file? Have you set the realm 
in /etc/qpidd.conf?

