Frank Ren created DIRSTUDIO-900:
-----------------------------------

             Summary: Server not found in Kerberos database
                 Key: DIRSTUDIO-900
                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-900
             Project: Directory Studio
          Issue Type: Bug
          Components: studio-connection
    Affects Versions: 2.0.0-M6
         Environment: ubuntu 10.04 64bit (I don't think it was relevant.)
            Reporter: Frank Ren


Follow it to the last step here, 4.2 - Authenticate with Studio — Apache 
Directory

http://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html

Please read the (1) error message, and (2) server log at the bottom.

Everything is Okay if tested against 4.1 - Authenticate with kinit on Linux — 
Apache Directory

http://directory.apache.org/apacheds/kerberos-ug/4.1-authenticate-kinit.html

renfeng@dreadnought:~$ kinit --version
kinit (Heimdal 1.2.1)
Copyright 1995-2008 Kungliga Tekniska Högskolan
Send bug-reports to [email protected]
renfeng@dreadnought:~$ kinit test4
[email protected]'s Password: 
renfeng@dreadnought:~$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: [email protected]
    Cache version: 4

Server: krbtgt/[email protected]
Client: [email protected]
Ticket etype: aes128-cts-hmac-sha1-96
Ticket length: 253
Auth time:  Apr 11 07:10:58 2013
End time:   Apr 11 17:10:58 2013
Ticket flags: forwardable, proxiable, initial, pre-authenticated
Addresses: addressless


Nothing abnormal in server log.

[07:10:58] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
[07:10:58] WARN 
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - 
Additional pre-authentication required (25)
[07:10:58] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional 
pre-authentication required (25)


The problem must have been caused by reverse DNS lookup. When the following 
line was inserted into /etc/hosts, the problem was gone.

121.228.65.198  dreadnought.romeo-foxtrot.com


Conclusion: a reverse DNS lookup when apacheds studio authenticates against 
the Kerberos server is unexpected, and should be unnecessary.


----

(1) error message
Error while opening connection
 - java.security.PrivilegedActionException: 
org.apache.directory.api.ldap.model.exception.LdapException: 
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: 
No valid credentials provided (Mechanism level: Server not found in Kerberos 
database (7) - Server not found in Kerberos database)]
org.apache.directory.api.ldap.model.exception.LdapException: 
java.security.PrivilegedActionException: 
org.apache.directory.api.ldap.model.exception.LdapException: 
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: 
No valid credentials provided (Mechanism level: Server not found in Kerberos 
database (7) - Server not found in Kerberos database)]
        at 
org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1469)
        at 
org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1361)
        at 
org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:446)
        at 
org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1174)
        at 
org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:459)
        at 
org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:307)
        at 
org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
        at 
org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
        at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
Caused by: java.security.PrivilegedActionException: 
org.apache.directory.api.ldap.model.exception.LdapException: 
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: 
No valid credentials provided (Mechanism level: Server not found in Kerberos 
database (7) - Server not found in Kerberos database)]
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:416)
        at 
org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1459)
        ... 8 more
Caused by: org.apache.directory.api.ldap.model.exception.LdapException: 
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: 
No valid credentials provided (Mechanism level: Server not found in Kerberos 
database (7) - Server not found in Kerberos database)]
        at 
org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3825)
        at 
org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:176)
        at 
org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1463)
        ... 11 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by 
GSSException: No valid credentials provided (Mechanism level: Server not found 
in Kerberos database (7) - Server not found in Kerberos database)]
        at 
com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
        at 
org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3735)
        ... 13 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server 
not found in Kerberos database (7) - Server not found in Kerberos database)
        at 
sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679)
        at 
sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
        at 
sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
        at 
com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
        ... 14 more
Caused by: KrbException: Server not found in Kerberos database (7) - Server not 
found in Kerberos database
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:72)
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:193)
        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:205)
        at 
sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297)
        at 
sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114)
        at 
sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:556)
        at 
sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610)
        ... 17 more
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:144)
        at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
        at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:54)
        ... 23 more

java.security.PrivilegedActionException: 
org.apache.directory.api.ldap.model.exception.LdapException: 
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: 
No valid credentials provided (Mechanism level: Server not found in Kerberos 
database (7) - Server not found in Kerberos database)]

----

(2) server log

[06:56:08] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
[06:56:08] WARN 
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - 
Additional pre-authentication required (25)
[06:56:08] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional 
pre-authentication required (25)
[06:56:08] WARN 
[org.apache.directory.server.protocol.shared.kerberos.StoreUtils] - No server 
entry found for kerberos principal name ldap/[email protected]
[06:56:08] WARN [org.apache.directory.server.KERBEROS_LOG] - No server entry 
found for kerberos principal name ldap/[email protected]
[06:56:08] WARN 
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - 
Server not found in Kerberos database (7)
[06:56:08] WARN [org.apache.directory.server.KERBEROS_LOG] - Server not found 
in Kerberos database (7)
[06:56:08] ERROR 
[org.apache.directory.server.ldap.handlers.request.UnbindRequestHandler] - 
ERR_169 failed to unbind session properly
org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException: 
ERR_268 Cannot find a partition for 
        at 
org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.getPartition(DefaultPartitionNexus.java:927)
        at 
org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.unbind(DefaultPartitionNexus.java:794)
        at 
org.apache.directory.server.core.api.interceptor.BaseInterceptor$1.unbind(BaseInterceptor.java:266)
        at 
org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:690)
        at 
org.apache.directory.server.core.authn.AuthenticationInterceptor.unbind(AuthenticationInterceptor.java:1159)
        at 
org.apache.directory.server.core.DefaultOperationManager.unbind(DefaultOperationManager.java:1230)
        at 
org.apache.directory.server.core.shared.DefaultCoreSession.unbind(DefaultCoreSession.java:1073)
        at 
org.apache.directory.server.ldap.handlers.request.UnbindRequestHandler.handle(UnbindRequestHandler.java:50)
        at 
org.apache.directory.server.ldap.handlers.request.UnbindRequestHandler.handle(UnbindRequestHandler.java:38)
        at 
org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:219)
        at 
org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
        at 
org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:221)
        at 
org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:217)
        at 
org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:690)
        at 
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
        at 
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
        at 
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
        at 
org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74)
        at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
        at 
org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:474)
        at 
org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:428)
        at java.lang.Thread.run(Thread.java:679)


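Added example, not part of the original report and not ApacheDS or Studio code: a diagnostic that pulls the rejected service principal out of a KDC log in the format shown above and compares it with the principal built from the host name as typed versus the name returned by reverse DNS. It assumes the client canonicalizes the host with a forward then reverse lookup; the host names, realm and log sample are constructed placeholders, and `missing_principals`, `canonical_host` and `diagnose` are hypothetical helper names.

```python
import re
import socket

# Constructed sample in the layout of the server log above (placeholder names).
SAMPLE_LOG = """\
[06:56:08] WARN
[org.apache.directory.server.protocol.shared.kerberos.StoreUtils] - No server
entry found for kerberos principal name ldap/ptr-name.isp.example@EXAMPLE.COM
[06:56:08] WARN [org.apache.directory.server.KERBEROS_LOG] - No server entry
found for kerberos principal name ldap/ptr-name.isp.example@EXAMPLE.COM
[06:56:08] WARN [org.apache.directory.server.KERBEROS_LOG] - Server not found
in Kerberos database (7)
"""

MISSING = re.compile(r"No server entry found for kerberos principal name (\S+)")


def missing_principals(log_text):
    """Return the principals the KDC could not find, in order, without repeats."""
    # Mail and ticket systems wrap long log lines; rejoin before matching.
    flat = re.sub(r"\s*\n\s*", " ", log_text)
    found = []
    for spn in MISSING.findall(flat):
        if spn not in found:
            found.append(spn)
    return found


def canonical_host(host, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Forward-resolve host, then reverse-resolve the address (assumed client behaviour)."""
    addr = forward(host)
    try:
        return reverse(addr)[0].lower()
    except OSError:
        return host.lower()  # no PTR record: the typed name is used unchanged


def diagnose(log_text, service, host, realm, **resolvers):
    """Compare the SPN for the typed host with the SPN after reverse DNS."""
    typed = f"{service}/{host.lower()}@{realm}"
    canon = f"{service}/{canonical_host(host, **resolvers)}@{realm}"
    return {
        "typed_spn": typed,
        "canonical_spn": canon,
        "dns_mismatch": typed != canon,
        "kdc_rejected_canonical": canon in missing_principals(log_text),
    }
```

When `dns_mismatch` and `kdc_rejected_canonical` are both true, the KDC was asked for a principal named after the PTR record, which matches the /etc/hosts workaround described in the report.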