I'm using 2.0.0-M15. I think KdcConnection is being a little more helpful.
Connecting like this:
KdcConfig config = KdcConfig.getDefaultConfig();
config.setUseUdp( false );
config.setHostName("127.0.0.1");
config.setKdcPort( kdcServer.getTcpPort() );
config.setEncryptionTypes( kdcServer.getConfig().getEncryptionTypes() );
config.setTimeout( Integer.MAX_VALUE );
KdcConnection connection = new KdcConnection( config );
ServiceTicket ticket = connection.getServiceTicket(USER_UID + "@" + REALM, USER_PASSWORD, "krbtgt/" + REALM + "@" + REALM);
is at least giving me an error:
11:15:57,186 ERROR [KERBEROS_LOG] (AuthenticationService.java:313) No key for client uid=hnelson,ou=users,dc=example,dc=com
11:15:57,186 WARN [KerberosProtocolHandler] (KerberosProtocolHandler.java:241) The client or server has a null key (9)
11:15:57,187 WARN [KERBEROS_LOG] (KerberosProtocolHandler.java:242) The client or server has a null key (9)
11:15:57,269 ERROR [KERBEROS_LOG] (AuthenticationService.java:313) No key for client uid=hnelson,ou=users,dc=example,dc=com
11:15:57,269 WARN [KerberosProtocolHandler] (KerberosProtocolHandler.java:241) The client or server has a null key (9)
11:15:57,269 WARN [KERBEROS_LOG] (KerberosProtocolHandler.java:242) The client or server has a null key (9)
I'm guessing I have to register/create a keytab with the server for hnelson? I
manually created a keytab for hnelson, but I don't see a way to specify it
using connection.getServiceTicket.
On Thu, Apr 10, 2014 at 9:29 AM, Kiran Ayyagari <[email protected]> wrote:
>
>
>
> On Thu, Apr 10, 2014 at 6:37 PM, Josh Clum <[email protected]> wrote:
>
>> Added "EXAMPLE.COM localhost" to /etc/hosts so now I can ping EXAMPLE.COM,
>> but still no luck.
>>
>> I did notice that when I call kdcServer.isStarted() in my test, it
>> always returns false. It seems that kdcServer.start() is not correctly
>> setting the started flag. I tried manually calling kdcServer.stop() and
>> then kdcServer.start() as another check.
>>
> I doubt that, which version of the server are you using?
>
>>
>> Is there any way to connect to the kdc other than just trying to kinit?
>> Any other thoughts?
>>
> you can use KdcConnection present in kerberos-client module to test
>
>>
>> On Thu, Apr 10, 2014 at 4:57 AM, Kiran Ayyagari <[email protected]> wrote:
>>
>>>
>>>
>>>
>>> On Thu, Apr 10, 2014 at 1:14 AM, Josh Clum <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm trying to set up an IT for one of my classes that inherits from
>>>> AbstractKerberosITest inside of apacheds-kerberos-test.
>>>>
>>>> Here are the annotations on my class:
>>>>
>>>> @RunWith(FrameworkRunner.class)
>>>> @CreateDS(name = "KerberosTcpIT-class",
>>>> partitions = {
>>>> @CreatePartition(name = "example", suffix = "dc=example,dc=com")},
>>>> additionalInterceptors = { KeyDerivationInterceptor.class })
>>>> @CreateLdapServer(transports = { @CreateTransport(protocol = "LDAP")
>>>> })
>>>> @CreateKdcServer(transports = { @CreateTransport( protocol = "TCP",
>>>> port = 6089) })
>>>>
>>>> @ApplyLdifFiles("org/apache/directory/server/kerberos/kdc/KerberosIT.ldif")
>>>>
>>>>
>>>> AbstractKerberosITest generates a krb5.conf that looks like this:
>>>>
>>>> [libdefaults]
>>>> default_realm = EXAMPLE.COM
>>>> default_tkt_enctypes = des3-cbc-sha1
>>>> default_tgs_enctypes = des3-cbc-sha1
>>>> permitted_enctypes = des3-cbc-sha1
>>>> default-checksum_type = hmac-sha1-des3
>>>> udp_preference_limit = 1
>>>> [realms]
>>>> EXAMPLE.COM = {
>>>> kdc = localhost:6089
>>>> }
>>>> [domain_realm]
>>>> .example.com = EXAMPLE.COM
>>>> example.com = EXAMPLE.COM
>>>>
>>>> To kinit, I'm using this command (hnelson is automatically added by
>>>> AbstractKerberosITest):
>>>>
>>>> env KRB5_CONFIG=/path/to/krb5.conf kinit -k -t
>>>> /path/to/hnelson.keytab [email protected]
>>>>
>>>> And I get this error:
>>>>
>>>> kinit: krb5_get_init_creds: unable to reach any KDC in realm
>>>> EXAMPLE.COM
>>>>
>>>> The kdc seems to be running just fine:
>>>>
>>>> ➜ ~ lsof -i :6089
>>>> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
>>>> java 98545 clumjo 201u IPv6 0x3b381b5f4ac2a677 0t0 TCP localhost:6089 (LISTEN)
>>>> ➜ ~ telnet localhost 6089
>>>> Trying ::1...
>>>> telnet: connect to address ::1: Connection refused
>>>> Trying 127.0.0.1...
>>>> Connected to localhost.
>>>>
>>>> Do you have any thoughts as to what might be wrong?
>>>>
>>> nope, am able to get the ticket using the same config (but with a
>>> standalone server)
>>> looks like some DNS issue, can you map EXAMPLE.COM to loopback address
>>> in your hosts file and see
>>>
>>>> Thanks,
>>>>
>>>> Josh
>>>>
>>>>
>>>
>>>
>>> --
>>> Kiran Ayyagari
>>> http://keydap.com
>>>
>>
>>
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>
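A check for the "unable to reach any KDC" symptom in the quoted thread, added here as an example and not code from the thread or from ApacheDS: it pulls the default realm's kdc entries out of a krb5.conf shaped like the one AbstractKerberosITest generates (the config text in the block is a constructed sample modelled on it) and, like the telnet step, resolves the KDC name and tries a TCP connect to every address it yields, so a name that does not resolve (the hosts-file issue) is reported separately from a port that refuses.

```python
import re
import socket

# Constructed sample modelled on the krb5.conf quoted in the thread (not the generated file).
SAMPLE_KRB5_CONF = """[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = localhost:6089
}
"""

def parse_krb5_conf(text):
    # Returns (default_realm, {realm: [(host, port), ...]}); IPv6 literals are not handled.
    section = realm = default_realm = None
    realms = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if m := re.fullmatch(r'\[(\w+)\]', line):
            section, realm = m.group(1), None
        elif section == 'libdefaults' and line.startswith('default_realm'):
            default_realm = line.split('=', 1)[1].strip()
        elif section == 'realms' and (m := re.fullmatch(r'(\S+)\s*=\s*\{', line)):
            realm = m.group(1)
            realms.setdefault(realm, [])
        elif section == 'realms' and line == '}':
            realm = None
        elif realm and line.startswith('kdc'):
            host, _, port = line.split('=', 1)[1].strip().rpartition(':')
            if not host:  # no explicit port: Kerberos default is 88
                host, port = port, '88'
            realms[realm].append((host, int(port)))
    return default_realm, realms

def check_kdc(host, port, timeout=2.0):
    # Resolve the name, then try a TCP connect to every address it yields (as telnet does).
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as e:
        return 'unresolved', str(e)
    last_error = None
    for family, stype, proto, _, sockaddr in addrs:
        with socket.socket(family, stype, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(sockaddr)
                return 'reachable', sockaddr
            except OSError as e:
                last_error = (sockaddr, e.strerror or str(e))
    return 'unreachable', last_error
```

Run `check_kdc(*parse_krb5_conf(open(path).read())[1]['EXAMPLE.COM'][0])` against the generated file; an 'unresolved' verdict points at name resolution, an 'unreachable' one at the listener or the address family it is bound to.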