Posted to dev@directory.apache.org by "Pierre-Arnaud Marcelot (Commented) (JIRA)" <ji...@apache.org> on 2012/03/06 19:34:59 UTC

[jira] [Commented] (DIRSTUDIO-789) Kerberos integration does not recognize "dns_lookup_kdc = true"

    [ https://issues.apache.org/jira/browse/DIRSTUDIO-789?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13223518#comment-13223518 ] 

Pierre-Arnaud Marcelot commented on DIRSTUDIO-789:
--------------------------------------------------

Hi Stef,

Could you test using JNDI as Network Provider (instead of the Apache Directory LDAP API) to see if the behavior is identical?

Thanks!
                
> Kerberos integration does not recognize "dns_lookup_kdc = true"
> ---------------------------------------------------------------
>
>                 Key: DIRSTUDIO-789
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-789
>             Project: Directory Studio
>          Issue Type: Bug
>          Components: studio-connection
>    Affects Versions: 2.0.0-M2
>         Environment: Linux stef-desktop.thewalter.lan 3.2.5-3.fc16.x86_64 #1 SMP Thu Feb 9 01:24:38 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>            Reporter: Stef Walter
>
> The Kerberos integration does not support an /etc/krb5.conf where the KDCs of the realms are not included. For example, an /etc/krb5.conf that looks like:
> ----------------------------------------------------
> [libdefaults]
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
> [realms]
>   AD.THEWALTER.LAN = {
>   }
> [domain_realm]
>  .ad.thewalter.lan = AD.THEWALTER.LAN
>  ad.thewalter.lan = AD.THEWALTER.LAN
> ----------------------------------------------------
> Results in the error.
> The authentication failed
>  - java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
>   org.apache.directory.shared.ldap.model.exception.LdapException: java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
> 	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1593)
> 	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1485)
> 	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:447)
> 	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1173)
> 	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:460)
> 	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:308)
> 	at org.apache.directory.studio.connection.core.jobs.CheckBindRunnable.run(CheckBindRunnable.java:81)
> 	at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:123)
> 	at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)
> Caused by: java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Subject.java:416)
> 	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1583)
> 	... 8 more
> Caused by: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
> 	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3900)
> 	at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:177)
> 	at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1587)
> 	... 11 more
> Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
> 	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
> 	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3810)
> 	... 13 more
> Caused by: GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)
> 	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
> 	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
> 	... 14 more
> Caused by: KrbException: Cannot get kdc for realm AD.THEWALTER.LAN
> 	at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:141)
> 	at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:114)
> 	at sun.security.krb5.KrbTgsReq.send(KrbTgsReq.java:188)
> 	at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:204)
> 	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297)
> 	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114)
> 	at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:555)
> 	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610)
> 	... 17 more
>   java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
> If I add a "kdc = dc.ad.thewalter.lan:88" to the /etc/krb5.conf in the appropriate place in the realms section, then the error goes away and we can log in. It looks like Dirstudio (or one of its libraries) does not support dns_lookup_kdc settings in /etc/krb5.conf.
> I'm using the nightly snapshot from today (later than 2.0.0 M2). And my Kerberos settings are "Use native TGT" and "Use native system configuration".
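
Added example, not part of the JIRA thread or of Directory Studio's code: a small check that reads a krb5.conf and lists the realms that have no explicit `kdc` entry, together with the standard Kerberos DNS SRV names (`_kerberos._udp.<realm>`, `_kerberos._tcp.<realm>`) a client honoring `dns_lookup_kdc` would query for them. The function names are hypothetical and the parser assumes only the simple file layout quoted in the report.

```python
import re

# Helper names are illustrative; the parser covers only the simple subset shown.
# krb5.conf exactly as quoted in the report: the realm block has no kdc entry.
REPORTED = """\
[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
[realms]
  AD.THEWALTER.LAN = {
  }
[domain_realm]
 .ad.thewalter.lan = AD.THEWALTER.LAN
 ad.thewalter.lan = AD.THEWALTER.LAN
"""
# The same file with the reporter's workaround line added to the realm block.
WORKAROUND = REPORTED.replace("= {\n", "= {\n    kdc = dc.ad.thewalter.lan:88\n")


def parse_krb5(text):
    """Return (libdefaults, {realm: [kdc, ...]}) for a simple krb5.conf."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
        elif line == "}":
            realm = None                      # end of a realm block
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and value == "{":
                realm = key
                realms[realm] = []
            elif section == "realms" and realm and key == "kdc":
                realms[realm].append(value)
    return libdefaults, realms


def dns_dependent_realms(text):
    """Map each realm lacking an explicit kdc to the SRV names DNS lookup uses."""
    _, realms = parse_krb5(text)
    return {
        name: [f"_kerberos._{proto}.{name.lower()}" for proto in ("udp", "tcp")]
        for name, kdcs in realms.items() if not kdcs
    }
```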
