Kerberos integration does not recognize "dns_lookup_kdc = true"
---------------------------------------------------------------
Key: DIRSTUDIO-789
URL: https://issues.apache.org/jira/browse/DIRSTUDIO-789
Project: Directory Studio
Issue Type: Bug
Components: studio-connection
Affects Versions: 2.0.0-M2
Environment: Linux stef-desktop.thewalter.lan 3.2.5-3.fc16.x86_64 #1
SMP Thu Feb 9 01:24:38 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Reporter: Stef Walter

The Kerberos integration does not support an /etc/krb5.conf where the KDCs of
the realms are not included. For example, an /etc/krb5.conf that looks like:
----------------------------------------------------
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
AD.THEWALTER.LAN = {
}
[domain_realm]
.ad.thewalter.lan = AD.THEWALTER.LAN
ad.thewalter.lan = AD.THEWALTER.LAN
----------------------------------------------------
results in the error:
The authentication failed
 - java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
org.apache.directory.shared.ldap.model.exception.LdapException: java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1593)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1485)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:447)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1173)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:460)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:308)
    at org.apache.directory.studio.connection.core.jobs.CheckBindRunnable.run(CheckBindRunnable.java:81)
    at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:123)
    at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)
Caused by: java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:416)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1583)
    ... 8 more
Caused by: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3900)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:177)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1587)
    ... 11 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3810)
    ... 13 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
    ... 14 more
Caused by: KrbException: Cannot get kdc for realm AD.THEWALTER.LAN
    at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:141)
    at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:114)
    at sun.security.krb5.KrbTgsReq.send(KrbTgsReq.java:188)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:204)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114)
    at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:555)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610)
    ... 17 more
java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]

If I add a "kdc = dc.ad.thewalter.lan:88" to the /etc/krb5.conf in the
appropriate place in the realms section, then the error goes away and we can
log in. It looks like Dirstudio (or one of its libraries) does not support
dns_lookup_kdc settings in /etc/krb5.conf.

I'm using the nightly snapshot from today (later than 2.0.0 M2), and my
Kerberos settings are "Use native TGT" and "Use native system configuration".