Posted to users@directory.apache.org by Ed Brown <Ed...@sas.com> on 2015/06/09 05:35:46 UTC
Help Configuring LDAP/KERBEROS Needed
Hi,
I'm following the example on Kerberos integration located here: https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html. The error I get, which is at the bottom, indicates the default realm cannot be found. Any pointers/help would be appreciated.
TIA.
According to DS Studio, I have a realm EXAMPLE.COM.
The krbtgt user is:
Krb5KeyVersionNumber=0
Krb5PrincipalName=ldap/example.net@EXAMPLE.COM
Ou=TGT
Uid=ldap
The ldap user is:
Krb5KeyVersionNumber=0
Krb5PrincipalName=krbtgt/EXAMPLE.COM@EXAMPLE.COM
Ou=LDAP
Uid=krbtgt
Kerberos server:
Port: 60088
Kerberos change password server:
Port: 60464
Primary KDC Realm: EXAMPLE.COM
Search Base DN: dc=security,dc=example,dc=com
LDAP/LDAPS Servers:
SASL Host: example.net
SASL Principal: ldap/example.net@EXAMPLE.COM
Search Base DN: dc=security,dc=example,dc=com
Authentication:
User: dnelson
Kerberos settings: Obtain TGT from KDC
Kerberos realm: EXAMPLE.COM
KDC Host: example.net
KDC port: 60888
Local hosts file:
127.0.0.1 localhost example.com example.net
::1 localhost example.com example.net
When I authenticate, the following error appears in the log file (after turning on debug logging), specifying it can't find the default realm:
[22:59:27] DEBUG [org.apache.directory.shared.kerberos.messages.Ticket] - Ticket encoding : 0x6D 0x82 0x02 ...
[22:59:27] DEBUG [org.apache.directory.shared.kerberos.messages.Ticket] - Ticket initial value : Ticket :
tkt-vno : 5
realm : EXAMPLE.COM
sname : { name-type: KRB_NT_UNKNOWN, name-string : <'ldap', 'example.net'> }
enc-part : EncryptedData : {
etype: aes128-cts-hmac-sha1-96 (17)
cipher: 0x77 0xFF 0x5F ...
}
...
[22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
[22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : aes128-cts-hmac-sha1-96 (17)
[22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
[22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : rc4-hmac (23)
[22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
[22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : aes256-cts-hmac-sha1-96 (18)
[22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
[22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : des-cbc-md5 (3)
[22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
[22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : des3-cbc-sha1-kd (16)
[22:59:28] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.
java.security.PrivilegedActionException: javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)]
Ed Brown
RE: Help Configuring LDAP/KERBEROS Needed
Posted by Ed Brown <Ed...@sas.com>.
Issue created: https://issues.apache.org/jira/browse/DIRSERVER-2072
Ed Brown
-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com]
Sent: Tuesday, June 09, 2015 10:45 AM
To: users@directory.apache.org
Subject: Re: Help Configuring LDAP/KERBEROS Needed
On 09/06/15 16:10, Ed Brown wrote:
> I solved the problem.
> I put a krb5.conf file in JAVA_HOME/jre/lib/security with the following:
>
> [libdefaults]
> default_realm = EXAMPLE.COM
>
> [realms]
> EXAMPLE.COM = {
> kdc = localhost:6088
> }
>
> [domain_realm]
> .example.com = EXAMPLE.COM
> example.com = EXAMPLE.COM
>
> [login]
> krb4_convert = true
> krb4_get_tickets = false
>
> =========
>
> I didn't see this in the documentation and found it using Google. I ignored it days ago because I thought it wasn't needed in this case.
Definitively needed in the doco. Can you create a JIRA for that?
Thanks!
Re: Help Configuring LDAP/KERBEROS Needed
Posted by Emmanuel Lécharny <el...@gmail.com>.
On 09/06/15 16:10, Ed Brown wrote:
> I solved the problem.
> I put a krb5.conf file in JAVA_HOME/jre/lib/security with the following:
>
> [libdefaults]
> default_realm = EXAMPLE.COM
>
> [realms]
> EXAMPLE.COM = {
> kdc = localhost:6088
> }
>
> [domain_realm]
> .example.com = EXAMPLE.COM
> example.com = EXAMPLE.COM
>
> [login]
> krb4_convert = true
> krb4_get_tickets = false
>
> =========
>
> I didn't see this in the documentation and found it using Google. I ignored it days ago because I thought it wasn't needed in this case.
Definitively needed in the doco. Can you create a JIRA for that?
Thanks!
RE: Help Configuring LDAP/KERBEROS Needed
Posted by Ed Brown <Ed...@sas.com>.
I solved the problem.
I put a krb5.conf file in JAVA_HOME/jre/lib/security with the following:
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = localhost:6088
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[login]
krb4_convert = true
krb4_get_tickets = false
=========
I didn't see this in the documentation and found it using Google. I ignored it days ago because I thought it wasn't needed in this case.
Ed Brown
-----Original Message-----
From: Kiran Ayyagari [mailto:kayyagari@apache.org]
Sent: Tuesday, June 09, 2015 4:17 AM
To: users@directory.apache.org
Subject: Re: Help Configuring LDAP/KERBEROS Needed
On Tue, Jun 9, 2015 at 11:35 AM, Ed Brown <Ed...@sas.com> wrote:
> Hi,
> I'm following the example on Kerberos integration located here:
> https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html.
> The error I get, which is at the bottom, indicates the default realm
> cannot be found. Any pointers/help would be appreciated.
>
> TIA.
>
> According to DS Studio, I have a realm EXAMPLE.COM.
> The krbtgt user is:
>
> Krb5KeyVersionNumber=0
> Krb5PrincipalName=ldap/example.net@EXAMPLE.COM
> Ou=TGT
> Uid=ldap
>
> The ldap user is:
> Krb5KeyVersionNumber=0
> Krb5PrincipalName=krbtgt/EXAMPLE.COM@EXAMPLE.COM
> Ou=LDAP
> Uid=krbtgt
>
> Kerberos server:
> Port: 60088
> Kerberos change password server:
> Port: 60464
> Primary KDC Realm: EXAMPLE.COM
> Search Base DN: dc=security,dc=example,dc=com
>
> LDAP/LDAPS Servers:
> SASL Host: example.net
> SASL Principal: ldap/example.net@EXAMPLE.COM
> Search Base DN: dc=security,dc=example,dc=com
>
> Authentication:
> User: dnelson
> Kerberos settings: Obtain TGT from KDC
> Kerberos realm: EXAMPLE.COM
> KDC Host: example.net
> KDC port: 60888
>
> Local hosts file:
> 127.0.0.1 localhost example.com example.net
> ::1 localhost example.com example.net
>
> config is looking good, can you restart the server and try?
>
> When I authenticate, the following error appears in the log file (after
> turning on debug logging), specifying it can't find the default realm:
>
> [22:59:27] DEBUG [org.apache.directory.shared.kerberos.messages.Ticket] - Ticket encoding : 0x6D 0x82 0x02 ...
> [22:59:27] DEBUG [org.apache.directory.shared.kerberos.messages.Ticket] - Ticket initial value : Ticket :
> tkt-vno : 5
> realm : EXAMPLE.COM
> sname : { name-type: KRB_NT_UNKNOWN, name-string : <'ldap', 'example.net'> }
> enc-part : EncryptedData : {
> etype: aes128-cts-hmac-sha1-96 (17)
> cipher: 0x77 0xFF 0x5F ...
> }
>
> ...
>
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : aes128-cts-hmac-sha1-96 (17)
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : rc4-hmac (23)
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : aes256-cts-hmac-sha1-96 (18)
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : des-cbc-md5 (3)
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : des3-cbc-sha1-kd (16)
> [22:59:28] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.
> java.security.PrivilegedActionException: javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)]
>
>
>
> Ed Brown
>
>
>
--
Kiran Ayyagari
http://keydap.com
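A consistency checker for the krb5.conf in Ed's fix above, added here as an example (it is not code from the thread or from ApacheDS). The sample file is the one quoted in the thread; the optional expected_kdc cross-check against the KDC port that DS Studio reports (60088 in the first message) is this example's own addition, not anything the ApacheDS documentation prescribes.

```python
# Constructed sample: the krb5.conf posted in this thread, as Ed quoted it.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = localhost:6088
    }
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""

def parse_krb5_conf(text: str) -> dict:
    """Parse krb5.conf into {section: {key: [values] or {nested block}}}."""
    sections: dict = {}
    stack: list = []                            # innermost open block is stack[-1]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
            continue
        if not stack or (line == "}" and len(stack) == 1):
            raise ValueError(f"misplaced line: {line!r}")
        if line == "}":                         # close a realm sub-block
            stack.pop()
            continue
        key, eq, value = line.partition("=")
        if not eq:
            raise ValueError(f"expected 'key = value': {line!r}")
        key, value = key.strip(), value.strip()
        if value == "{":                        # open a sub-block, e.g. EXAMPLE.COM = {
            stack.append(stack[-1].setdefault(key, {}))
        else:                                   # repeated keys (several kdc lines) accumulate
            stack[-1].setdefault(key, []).append(value)
    return sections

def check_krb5_conf(text: str, expected_kdc: str = "") -> list:
    """Return findings (empty = consistent); expected_kdc is the host:port the KDC listens on."""
    conf = parse_krb5_conf(text)
    default = conf.get("libdefaults", {}).get("default_realm")
    if not default:  # the state Java GSS reports as "Cannot locate default realm"
        return ["[libdefaults] has no default_realm"]
    realm, realms, findings = default[0], conf.get("realms", {}), []
    block = realms.get(realm)
    if not isinstance(block, dict):
        findings.append(f"default_realm {realm} has no [realms] entry")
    elif expected_kdc and expected_kdc not in block.get("kdc", []):
        findings.append(f"kdc {block.get('kdc')} differs from KDC listener {expected_kdc}")
    for domain, targets in conf.get("domain_realm", {}).items():
        findings += [f"[domain_realm] {domain} maps to undefined realm {t}"
                     for t in targets if t not in realms]
    return findings
```

On Oracle JDK 8 the runtime reads this file from the path in the java.security.krb5.conf system property or, failing that, from <java.home>/lib/security/krb5.conf, which is why placing it under JAVA_HOME/jre/lib/security took effect.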
RE: Help Configuring LDAP/KERBEROS Needed
Posted by Ed Brown <Ed...@sas.com>.
Hi,
Yes I restarted and I got the same error.
I forgot to include my environment:
Windows 7, SP1, 64 Bit
Oracle JDK 1.8.0_45
Apache DS 2.0 M19 (Not the latest because of a bug with DS Studio)
DS Studio 2.0.0
Ed Brown
Streaming Analytics Lead
office: 410.418.9910
mobile: 410.303.5336
Ed.Brown@sas.com
www.sas.com
SAS® … THE POWER TO KNOW®
-----Original Message-----
From: Kiran Ayyagari [mailto:kayyagari@apache.org]
Sent: Tuesday, June 09, 2015 4:17 AM
To: users@directory.apache.org
Subject: Re: Help Configuring LDAP/KERBEROS Needed
On Tue, Jun 9, 2015 at 11:35 AM, Ed Brown <Ed...@sas.com> wrote:
> Hi,
> I'm following the example on Kerberos integration located here:
> https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html.
> The error I get, which is at the bottom, indicates the default realm
> cannot be found. Any pointers/help would be appreciated.
>
> TIA.
>
> According to DS Studio, I have a realm EXAMPLE.COM.
> The krbtgt user is:
>
> Krb5KeyVersionNumber=0
> Krb5PrincipalName=ldap/example.net@EXAMPLE.COM
> Ou=TGT
> Uid=ldap
>
> The ldap user is:
> Krb5KeyVersionNumber=0
> Krb5PrincipalName=krbtgt/EXAMPLE.COM@EXAMPLE.COM
> Ou=LDAP
> Uid=krbtgt
>
> Kerberos server:
> Port: 60088
> Kerberos change password server:
> Port: 60464
> Primary KDC Realm: EXAMPLE.COM
> Search Base DN: dc=security,dc=example,dc=com
>
> LDAP/LDAPS Servers:
> SASL Host: example.net
> SASL Principal: ldap/example.net@EXAMPLE.COM
> Search Base DN: dc=security,dc=example,dc=com
>
> Authentication:
> User: dnelson
> Kerberos settings: Obtain TGT from KDC
> Kerberos realm: EXAMPLE.COM
> KDC Host: example.net
> KDC port: 60888
>
> Local hosts file:
> 127.0.0.1 localhost example.com example.net
> ::1 localhost example.com example.net
>
> config is looking good, can you restart the server and try?
>
> When I authenticate, the following error appears in the log file (after
> turning on debug logging), specifying it can't find the default realm:
>
> [22:59:27] DEBUG [org.apache.directory.shared.kerberos.messages.Ticket] - Ticket encoding : 0x6D 0x82 0x02 ...
> [22:59:27] DEBUG [org.apache.directory.shared.kerberos.messages.Ticket] - Ticket initial value : Ticket :
> tkt-vno : 5
> realm : EXAMPLE.COM
> sname : { name-type: KRB_NT_UNKNOWN, name-string : <'ldap', 'example.net'> }
> enc-part : EncryptedData : {
> etype: aes128-cts-hmac-sha1-96 (17)
> cipher: 0x77 0xFF 0x5F ...
> }
>
> ...
>
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : aes128-cts-hmac-sha1-96 (17)
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : rc4-hmac (23)
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : aes256-cts-hmac-sha1-96 (18)
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : des-cbc-md5 (3)
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : des3-cbc-sha1-kd (16)
> [22:59:28] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.
> java.security.PrivilegedActionException: javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)]
>
>
>
> Ed Brown
>
>
>
--
Kiran Ayyagari
http://keydap.com
Re: Help Configuring LDAP/KERBEROS Needed
Posted by Kiran Ayyagari <ka...@apache.org>.
On Tue, Jun 9, 2015 at 11:35 AM, Ed Brown <Ed...@sas.com> wrote:
> Hi,
> I'm following the example on Kerberos integration located here:
> https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html.
> The error I get, which is at the bottom, indicates the default realm cannot
> be found. Any pointers/help would be appreciated.
>
> TIA.
>
> According to DS Studio, I have a realm EXAMPLE.COM.
> The krbtgt user is:
>
> Krb5KeyVersionNumber=0
> Krb5PrincipalName=ldap/example.net@EXAMPLE.COM
> Ou=TGT
> Uid=ldap
>
> The ldap user is:
> Krb5KeyVersionNumber=0
> Krb5PrincipalName=krbtgt/EXAMPLE.COM@EXAMPLE.COM
> Ou=LDAP
> Uid=krbtgt
>
> Kerberos server:
> Port: 60088
> Kerberos change password server:
> Port: 60464
> Primary KDC Realm: EXAMPLE.COM
> Search Base DN: dc=security,dc=example,dc=com
>
> LDAP/LDAPS Servers:
> SASL Host: example.net
> SASL Principal: ldap/example.net@EXAMPLE.COM
> Search Base DN: dc=security,dc=example,dc=com
>
> Authentication:
> User: dnelson
> Kerberos settings: Obtain TGT from KDC
> Kerberos realm: EXAMPLE.COM
> KDC Host: example.net
> KDC port: 60888
>
> Local hosts file:
> 127.0.0.1 localhost example.com example.net
> ::1 localhost example.com example.net
>
config is looking good, can you restart the server and try?
>
> When I authenticate, the following error appears in the log file (after
> turning on debug logging), specifying it can't find the default realm:
>
> [22:59:27] DEBUG [org.apache.directory.shared.kerberos.messages.Ticket] - Ticket encoding : 0x6D 0x82 0x02 ...
> [22:59:27] DEBUG [org.apache.directory.shared.kerberos.messages.Ticket] - Ticket initial value : Ticket :
> tkt-vno : 5
> realm : EXAMPLE.COM
> sname : { name-type: KRB_NT_UNKNOWN, name-string : <'ldap', 'example.net'> }
> enc-part : EncryptedData : {
> etype: aes128-cts-hmac-sha1-96 (17)
> cipher: 0x77 0xFF 0x5F ...
> }
>
> ...
>
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : aes128-cts-hmac-sha1-96 (17)
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : rc4-hmac (23)
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : aes256-cts-hmac-sha1-96 (18)
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : des-cbc-md5 (3)
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : des3-cbc-sha1-kd (16)
> [22:59:28] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.
> java.security.PrivilegedActionException: javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)]
>
>
>
> Ed Brown
>
>
>
--
Kiran Ayyagari
http://keydap.com