On Thu, Apr 10, 2014 at 8:52 PM, Josh Clum <[email protected]> wrote:
> I'm using 2.0.0-M15. I think KdcConnection is being a little more helpful.
> Connecting like this:
>
> KdcConfig config = KdcConfig.getDefaultConfig();
> config.setUseUdp( false );
> config.setHostName("127.0.0.1");
> config.setKdcPort( kdcServer.getTcpPort() );
> config.setEncryptionTypes( kdcServer.getConfig().getEncryptionTypes() );
> config.setTimeout( Integer.MAX_VALUE );
> KdcConnection connection = new KdcConnection( config );
> ServiceTicket ticket = connection.getServiceTicket(USER_UID + "@" +
> REALM, USER_PASSWORD, "krbtgt/" + REALM + "@" + REALM);
>
> is at least giving me an error:
>
> 11:15:57,186 ERROR [KERBEROS_LOG] (AuthenticationService.java:313) No
> key for client uid=hnelson,ou=users,dc=example,dc=com
> 11:15:57,186 WARN [KerberosProtocolHandler]
> (KerberosProtocolHandler.java:241) The client or server has a null key (9)
> 11:15:57,187 WARN [KERBEROS_LOG] (KerberosProtocolHandler.java:242) The
> client or server has a null key (9)
> 11:15:57,269 ERROR [KERBEROS_LOG] (AuthenticationService.java:313) No
> key for client uid=hnelson,ou=users,dc=example,dc=com
> 11:15:57,269 WARN [KerberosProtocolHandler]
> (KerberosProtocolHandler.java:241) The client or server has a null key (9)
> 11:15:57,269 WARN [KERBEROS_LOG] (KerberosProtocolHandler.java:242) The
> client or server has a null key (9)
>
> I'm guessing I have to register/create a keytab with server for hnelson? I
> manually created a keytab for hnelson but I don't see a way to specify it
> using connection.getServiceTicket.
>
OK, looks like the user entry doesn't contain the Kerberos keys.
Take a look at the KdcConnectionTest[1] and see what is going on with your
test case based on that.
[1]
http://svn.apache.org/repos/asf/directory/apacheds/trunk/kerberos-client/src/test/java/org/apache/directory/kerberos/client/KdcConnectionTest.java
>
> On Thu, Apr 10, 2014 at 9:29 AM, Kiran Ayyagari <[email protected]> wrote:
>
>>
>> On Thu, Apr 10, 2014 at 6:37 PM, Josh Clum <[email protected]> wrote:
>>
>>> Added "EXAMPLE.COM localhost" to /etc/hosts so now I can ping
>>> EXAMPLE.COM, but still no luck.
>>>
>>> I did notice that when I call kdcServer.isStarted() in my test, it
>>> will always return false. It seems that kdcServer.start() is not
>>> correctly setting the started flag. I tried manually calling
>>> kdcServer.stop(); then kdcServer.start(); as another check.
>>>
>> I doubt that, which version of the server are you using?
>>
>>>
>>> Is there any way to connect to the kdc other than just trying to kinit?
>>> Any other thoughts?
>>>
>> You can use the KdcConnection present in the kerberos-client module to test.
>>
>>>
>>> On Thu, Apr 10, 2014 at 4:57 AM, Kiran Ayyagari <[email protected]> wrote:
>>>
>>>>
>>>> On Thu, Apr 10, 2014 at 1:14 AM, Josh Clum <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I'm trying to set up an IT for one of my classes that inherits from
>>>>> AbstractKerberosITest inside of apacheds-kerberos-test.
>>>>>
>>>>> Here are the annotations on my class:
>>>>>
>>>>> @RunWith(FrameworkRunner.class)
>>>>> @CreateDS(name = "KerberosTcpIT-class",
>>>>>     partitions = {
>>>>>         @CreatePartition(name = "example", suffix = "dc=example,dc=com")},
>>>>>     additionalInterceptors = { KeyDerivationInterceptor.class })
>>>>> @CreateLdapServer(transports = { @CreateTransport(protocol = "LDAP") })
>>>>> @CreateKdcServer(transports = { @CreateTransport( protocol = "TCP", port = 6089) })
>>>>> @ApplyLdifFiles("org/apache/directory/server/kerberos/kdc/KerberosIT.ldif")
>>>>>
>>>>> AbstractKerberosITest generates a krb5.conf that looks like this:
>>>>>
>>>>> [libdefaults]
>>>>> default_realm = EXAMPLE.COM
>>>>> default_tkt_enctypes = des3-cbc-sha1
>>>>> default_tgs_enctypes = des3-cbc-sha1
>>>>> permitted_enctypes = des3-cbc-sha1
>>>>> default-checksum_type = hmac-sha1-des3
>>>>> udp_preference_limit = 1
>>>>> [realms]
>>>>> EXAMPLE.COM = {
>>>>> kdc = localhost:6089
>>>>> }
>>>>> [domain_realm]
>>>>> .example.com = EXAMPLE.COM
>>>>> example.com = EXAMPLE.COM
>>>>>
>>>>> To kinit, I'm using this command (hnelson is automatically added by
>>>>> AbstractKerberosITest):
>>>>>
>>>>> env KRB5_CONFIG=/path/to/krb5.conf kinit -k -t
>>>>> /path/to/hnelson.keytab [email protected]
>>>>>
>>>>> And I get this error:
>>>>>
>>>>> kinit: krb5_get_init_creds: unable to reach any KDC in realm
>>>>> EXAMPLE.COM
>>>>>
>>>>> The kdc seems to running just fine:
>>>>>
>>>>> ➜ ~ lsof -i :6089
>>>>> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE
>>>>> NAME
>>>>> java 98545 clumjo 201u IPv6 0x3b381b5f4ac2a677 0t0 TCP
>>>>> localhost:6089 (LISTEN)
>>>>> ➜ ~ telnet localhost 6089
>>>>> Trying ::1...
>>>>> telnet: connect to address ::1: Connection refused
>>>>> Trying 127.0.0.1...
>>>>> Connected to localhost.
>>>>>
>>>>> Do you have any thoughts as to what might be wrong?
>>>>>
>>>> Nope, I am able to get the ticket using the same config (but with a
>>>> standalone server).
>>>> Looks like some DNS issue; can you map EXAMPLE.COM to the loopback address
>>>> in your hosts file and see?
>>>>
>>>>> Thanks,
>>>>>
>>>>> Josh
>>>>>
>>>>
>>>> --
>>>> Kiran Ayyagari
>>>> http://keydap.com
>>>>
>>>
>>
>> --
>> Kiran Ayyagari
>> http://keydap.com
>>
>
--
Kiran Ayyagari
http://keydap.com
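As an added illustration, not part of this thread and not taken from the ApacheDS sources: the shape of a principal entry from which ApacheDS's KeyDerivationInterceptor derives the krb5Key values the KDC is complaining about above. The objectClass and attribute names are the ones the ApacheDS Kerberos schema uses; the DN reuses the uid/realm shown in the thread, while the cn, sn and the password value `secret` are constructed for this example.

```ldif
# Constructed example entry (not from the thread or the project's test LDIF).
# With KeyDerivationInterceptor active (as in the @CreateDS annotation above),
# ApacheDS derives krb5Key values for the configured encryption types from
# userPassword when an entry of objectClass krb5kdcentry carrying both
# userPassword and krb5PrincipalName is added. No server-side keytab is
# involved; KdcConnection.getServiceTicket() authenticates with the same
# password that was stored here.
dn: uid=hnelson,ou=users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: Horatio Nelson
sn: Nelson
uid: hnelson
userPassword: secret
krb5PrincipalName: hnelson@EXAMPLE.COM
krb5KeyVersionNumber: 0
```

When an entry like this is loaded through @ApplyLdifFiles, the two things to check are that it carries the krb5kdcentry objectClass together with krb5PrincipalName, and that KeyDerivationInterceptor is listed in additionalInterceptors; if either is missing, the entry is stored without krb5Key and the KDC logs "No key for client" exactly as in the output quoted above. Reading the entry back over LDAP and confirming that krb5Key is present is a quick way to tell the two cases apart.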