Posted to users@directory.apache.org by Stephen Stroiazzo <ss...@aimrecyclinggroup.com> on 2013/01/18 23:01:19 UTC

Kerberos in ApacheDS 2.0.0-M9

Would it be possible to throw together a quick page on properly configuring
Kerberos in the 2.0.0-M9 version of ApacheDS? Currently the default
settings for the LDAP and Kerberos servers are properly laid out in the
configuration pages; however, the specific user accounts they relate to,
'krbtgt/EXAMPLE.COM@EXAMPLE.COM' and 'ldap/ldap.example.com@EXAMPLE.COM', no
longer appear.

If an updated .ldif could be attached somewhere in the new documentation
and include the default accounts and settings necessary to allow Kerberos
authentication through Apache Directory Studio - that would make things
much easier for new users such as myself.

I have not been having success while trying to alter the older 1.5 versions
of the user accounts included in kdc-data.ldif and typically end up at a
"server not found in kerberos database (7)" error. This has come up on both
Windows servers and Ubuntu servers with modified hosts and krb5.conf
files. Additionally, I have also been making sure to enable the
'keyDerivationInterceptor' as well as the Kerberos server itself, and
deleting/reimporting the user .ldif file to recreate the krb5 keys when
necessary, although these steps are no longer included with the new 2.0.0
documentation.

Below is the .ldif for dc=example,dc=com that I have been basing most of my
testing on. I've tried many small variations with the ldap and krbtgt
principal names but have been unable to find one which works properly.
In addition, I have included a larger dump of the error message (as seen
from my Windows server, although the Ubuntu one appears identical) below
that, just in case.

Thanks,
Stephen

dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
objectClass: top
dc: example
o: example.com

dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users

dn: uid=hnelson,ou=users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: Horatio Nelson
sn: Nelson
uid: hnelson
userPassword: secret
krb5PrincipalName: hnelson@EXAMPLE.COM
krb5KeyVersionNumber: 0

dn: uid=krbtgt,ou=users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: KDC Service
sn: Service
uid: krbtgt
userPassword: secret
krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
krb5KeyVersionNumber: 0

dn: uid=ldap,ou=users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: LDAP
sn: Service
uid: ldap
userPassword: secret
krb5PrincipalName: ldap/localhost@EXAMPLE.COM
krb5KeyVersionNumber: 0

==========================================================

Error while opening connection
 - java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
org.apache.directory.api.ldap.model.exception.LdapException: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1469)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1361)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:446)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1174)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:459)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:307)
    at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
    at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
    at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
Caused by: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Unknown Source)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1459)
    ... 8 more
Caused by: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3783)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:176)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1463)
    ... 11 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3693)
    ... 13 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    ... 15 more
Caused by: KrbException: Server not found in Kerberos database (7) - Server not found in Kerberos database
    at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    ... 18 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
    ... 24 more

java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]




Stephen Stroiazzo | Special Project Assistant | Information Technology | AIM Holding LP

Re: Kerberos in ApacheDS 2.0.0-M9

Posted by Kiran Ayyagari <ka...@apache.org>.
You need to change two things in the config entry
ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config:

 1. change the value of ads-searchbasedn to ou=users,dc=example,dc=com in
the entry
 2. change the value of ads-saslprincipal to ldap/localhost@EXAMPLE.COM

Additionally, check the values of ads-krbencryptiontypes in the config entry
ads-serverId=kerberosServer,ou=servers,ads-directoryServiceId=default,ou=config

Restart the server and try again.
HTH
On Sat, Jan 19, 2013 at 3:31 AM, Stephen Stroiazzo <sstroiazzo@aimrecyclinggroup.com> wrote:

> [...]



-- 
Kiran Ayyagari
http://keydap.com
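The two configuration changes in the reply, and the "Server not found in Kerberos database (7)" error in the original post, as a worked consistency check. The script below is an added example; it is not code from this thread or from ApacheDS. It parses an LDIF like the one posted, then checks it against the ldapServer values the reply names (ads-searchbasedn, ads-saslprincipal) and against ads-krbencryptiontypes and the host name the client connects to. The "before" value of ads-saslprincipal is the one the original post says the default configuration refers to; the search base, the enctype lists, the connect host and the trimmed sample LDIF are constructed assumptions, and the check models only the conditions a GSSAPI bind needs, not ApacheDS's own lookup code.

```python
"""Consistency check for an ApacheDS Kerberos/GSSAPI setup.
Added example, not code from the thread or from ApacheDS. Sample data and
configuration values below are constructed for illustration."""

# Constructed sample: the three krb5KDCEntry principals from the posted LDIF,
# trimmed to the attributes this check reads.
KDC_DATA_LDIF = """\
dn: uid=hnelson,ou=users,dc=example,dc=com
objectClass: krb5principal
objectClass: krb5kdcentry
krb5PrincipalName: hnelson@EXAMPLE.COM

dn: uid=krbtgt,ou=users,dc=example,dc=com
objectClass: krb5principal
objectClass: krb5kdcentry
krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM

dn: uid=ldap,ou=users,dc=example,dc=com
objectClass: krb5principal
objectClass: krb5kdcentry
krb5PrincipalName: ldap/localhost@EXAMPLE.COM
"""


def parse_ldif(text):
    """Minimal LDIF reader: one {attr_lowercase: [values]} dict per entry.
    Handles '#' comments and leading-space continuations; no base64 values."""
    entries, current, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last:          # continuation line
            current[last][-1] += line[1:]
        elif not line.strip():                     # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
        else:
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            current.setdefault(last, []).append(value.strip())
    return entries


def principals_under(entries, base_dn):
    """krb5PrincipalName -> dn for krb5KDCEntry objects at or below base_dn,
    i.e. the subtree that ads-searchbasedn makes visible to the server."""
    base = base_dn.lower().replace(", ", ",")
    found = {}
    for e in entries:
        dn = e.get("dn", [""])[0].lower().replace(", ", ",")
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "krb5kdcentry" in classes and (dn == base or dn.endswith("," + base)):
            for p in e.get("krb5principalname", []):
                found[p] = dn
    return found


def check_config(ldif_text, realm, connect_host, search_base_dn,
                 sasl_principal, kdc_enctypes, client_enctypes):
    """Return a list of findings; an empty list means the prerequisites for
    a GSSAPI bind against the LDAP server are consistent."""
    principals = principals_under(parse_ldif(ldif_text), search_base_dn)
    findings = []
    # 1. Without the TGS key no service ticket can be issued at all.
    tgt = "krbtgt/%s@%s" % (realm, realm)
    if tgt not in principals:
        findings.append("missing %s under %s" % (tgt, search_base_dn))
    # 2. The client asks the TGS for ldap/<host it connected to>@REALM. If
    #    that exact name is unknown the KDC answers with error code 7
    #    (KDC_ERR_S_PRINCIPAL_UNKNOWN), the error shown in the trace above.
    wanted = "ldap/%s@%s" % (connect_host, realm)
    if wanted not in principals:
        findings.append("client will request %s, which does not exist under %s"
                        % (wanted, search_base_dn))
    # 3. ads-saslprincipal names the key the LDAP server uses to accept the
    #    service ticket, so it must exist and match what the client asks for.
    if sasl_principal not in principals:
        findings.append("ads-saslprincipal %s has no entry under %s"
                        % (sasl_principal, search_base_dn))
    elif sasl_principal != wanted:
        findings.append("ads-saslprincipal %s != service ticket %s"
                        % (sasl_principal, wanted))
    # 4. ads-krbencryptiontypes: client and KDC need at least one common enctype.
    if not {t.lower() for t in kdc_enctypes} & {t.lower() for t in client_enctypes}:
        findings.append("no enctype shared by KDC %s and client %s"
                        % (sorted(kdc_enctypes), sorted(client_enctypes)))
    return findings


if __name__ == "__main__":
    ENCTYPES = ["aes128-cts-hmac-sha1-96"]   # assumed, both in krb5.conf and the KDC
    BASE = "ou=users,dc=example,dc=com"
    # "Before": ads-saslprincipal still names ldap/ldap.example.com, the value
    # the original post says the default configuration refers to.
    print(check_config(KDC_DATA_LDIF, "EXAMPLE.COM", "localhost", BASE,
                       "ldap/ldap.example.com@EXAMPLE.COM", ENCTYPES, ENCTYPES))
    # "After": the two changes from the reply applied; prints [].
    print(check_config(KDC_DATA_LDIF, "EXAMPLE.COM", "localhost", BASE,
                       "ldap/localhost@EXAMPLE.COM", ENCTYPES, ENCTYPES))
```

Run it against the LDIF you actually import and the host name Studio connects to (not the name in the LDIF); the second check is the one that produces error 7 when the client's host name does not match any ldap/... principal the KDC can see under its search base.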