[ https://issues.apache.org/jira/browse/DIRSTUDIO-789?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13223633#comment-13223633 ]
Stef Walter commented on DIRSTUDIO-789:
---------------------------------------
Sure. Using JNDI also fails with the following (slightly different) error ...
unless I add the "kdc = xxxx" line to /etc/krb5.conf, in which case
authentication works.
The authentication failed
- GSSAPI
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]]
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:168)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:232)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
    at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2593)
    at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2567)
    at com.sun.jndi.ldap.LdapCtx.reconnect(LdapCtx.java:2563)
    at javax.naming.ldap.InitialLdapContext.reconnect(InitialLdapContext.java:190)
    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$8.run(JNDIConnectionWrapper.java:1199)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:357)
    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doGssapiBind(JNDIConnectionWrapper.java:1193)
    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.access$700(JNDIConnectionWrapper.java:107)
    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$7.run(JNDIConnectionWrapper.java:1076)
    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1305)
    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doBind(JNDIConnectionWrapper.java:1100)
    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.bind(JNDIConnectionWrapper.java:253)
    at org.apache.directory.studio.connection.core.jobs.CheckBindRunnable.run(CheckBindRunnable.java:81)
    at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:123)
    at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:123)
    ... 18 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
    ... 19 more
Caused by: KrbException: Cannot get kdc for realm AD.THEWALTER.LAN
    at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:141)
    at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:114)
    at sun.security.krb5.KrbTgsReq.send(KrbTgsReq.java:188)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:204)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114)
    at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:555)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610)
    ... 22 more
GSSAPI
> Kerberos integration does not recognize "dns_lookup_kdc = true"
> ---------------------------------------------------------------
>
> Key: DIRSTUDIO-789
> URL: https://issues.apache.org/jira/browse/DIRSTUDIO-789
> Project: Directory Studio
> Issue Type: Bug
> Components: studio-connection
> Affects Versions: 2.0.0-M2
> Environment: Linux stef-desktop.thewalter.lan 3.2.5-3.fc16.x86_64 #1
> SMP Thu Feb 9 01:24:38 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
> Reporter: Stef Walter
>
> The Kerberos integration does not support an /etc/krb5.conf where the KDCs
> of the realms are not included. For example, an /etc/krb5.conf that looks
> like:
> ----------------------------------------------------
> [libdefaults]
> dns_lookup_realm = true
> dns_lookup_kdc = true
> [realms]
> AD.THEWALTER.LAN = {
> }
> [domain_realm]
> .ad.thewalter.lan = AD.THEWALTER.LAN
> ad.thewalter.lan = AD.THEWALTER.LAN
> ----------------------------------------------------
> Results in the error.
> The authentication failed
> - java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
> org.apache.directory.shared.ldap.model.exception.LdapException: java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1593)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1485)
>     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:447)
>     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1173)
>     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:460)
>     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:308)
>     at org.apache.directory.studio.connection.core.jobs.CheckBindRunnable.run(CheckBindRunnable.java:81)
>     at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:123)
>     at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)
> Caused by: java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.java:416)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1583)
>     ... 8 more
> Caused by: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3900)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:177)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1587)
>     ... 11 more
> Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
>     at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3810)
>     ... 13 more
> Caused by: GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)
>     at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679)
>     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
>     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
>     at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
>     ... 14 more
> Caused by: KrbException: Cannot get kdc for realm AD.THEWALTER.LAN
>     at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:141)
>     at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:114)
>     at sun.security.krb5.KrbTgsReq.send(KrbTgsReq.java:188)
>     at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:204)
>     at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297)
>     at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114)
>     at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:555)
>     at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610)
>     ... 17 more
> java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
> If I add a "kdc = dc.ad.thewalter.lan:88" to the /etc/krb5.conf in the
> appropriate place in the realms section, then the error goes away and we can
> log in. It looks like Dirstudio (or one of its libraries) does not support
> dns_lookup_kdc settings in /etc/krb5.conf.
> I'm using the nightly snapshot from today (later than 2.0.0 M2). And my
> Kerberos settings are "Use native TGT" and "Use native system configuration".