PS:
But when I use the simple LDAP protocol, the result is OK.
So I suspect that there is some incorrect configuration in AD.
I want to know what the requirements of Kerberos authentication are,
especially the configuration of AD and DNS.
Thank you very much!
The following section of code is a part of the entire project:
    LdapContext ctx = null;
    // Simple bind on the non-TLS port: the admin password travels in clear text unless StartTLS is used
    String ldapURL = "ldap://" + adIp + ":" + DEFAULT_NON_SEC_PORT;
    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, ldapURL);
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, adminAccount);
    env.put(Context.SECURITY_CREDENTIALS, adminPassword);
    // Return objectSid as raw bytes rather than a decoded String
    env.put("java.naming.ldap.attributes.binary", "objectSid");
    ctx = new InitialLdapContext(env, null);
    SearchControls constraints = new SearchControls();
    constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
    // machineName is concatenated unescaped; it must be RFC 4515-escaped if it can come from user input
    String searchFilter = "(CN=" + machineName + ")";
    NamingEnumeration<SearchResult> results =
        ctx.search(changeDomainInfo(domain), searchFilter, constraints);
    while (results.hasMoreElements())
    {
        SearchResult searchResult = (SearchResult) results.next();
        Attributes attrs = searchResult.getAttributes();
        if (attrs != null)
        {
            Object attValue = attrs.get("objectSid").get();
            return getSIDasStringOfBytes((byte[]) attValue);
        }
    }
From: Zhutiemin
Sent: June 21, 2013 9:19
To: 'Darek'
Cc: [email protected]
Subject: RE: Could you help me to resolve the Kerberos error?
Darek:
Thank you for your reply.
I will check the and conduct an experiment to test it.
I use the Krb5LoginModule class to authenticate users using the Kerberos protocol.
It is defined in the configuration:
    AdServiceImplForKerberos {
        com.sun.security.auth.module.Krb5LoginModule required client=TRUE
        useTicketCache=FALSE refreshKrb5Config=TRUE;
    };
And I implement the authentication with the LoginContext class.
The following section of code is a part of the entire project:
    LdapContext ctx = null;
    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    // ldapURL is built as in the simple-bind version; the host part becomes the service principal ldap/<host>
    env.put(Context.PROVIDER_URL, ldapURL);
    env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
    // With GSSAPI the Kerberos credentials come from the JAAS Subject; these two entries are
    // only the SASL authorization id and are not used as a password
    env.put(Context.SECURITY_PRINCIPAL, adminAccount);
    env.put(Context.SECURITY_CREDENTIALS, adminPassword);
    env.put("java.naming.ldap.attributes.binary", "objectSid");
    // The SASL bind happens here; this call was missing from the pasted excerpt and ctx was never assigned
    ctx = new InitialLdapContext(env, null);
    SearchControls constraints = new SearchControls();
    constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
    String searchFilter = "(CN=" + machineName + ")";
    NamingEnumeration<SearchResult> results =
        ctx.search(changeDomainInfo(domain), searchFilter, constraints);
    while (results.hasMoreElements())
    {
        SearchResult searchResult = (SearchResult) results.next();
        Attributes attrs = searchResult.getAttributes();
        if (attrs != null)
        {
            Object attValue = attrs.get("objectSid").get();
            return getSIDasStringOfBytes((byte[]) attValue);
        }
    }
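The GSSAPI bind the message describes, written out end to end as an added example; it is not code from the thread or from the poster's project. It assumes the JAAS entry name AdServiceImplForKerberos shown above, that the domain controller is addressed by its FQDN rather than an IP address, and the hypothetical helper names expectedSpn and bind. The service principal the client asks the KDC for is derived from the host part of PROVIDER_URL, which is the part of the configuration the Kerberos error message is about.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;

/** Added example: Kerberos (GSSAPI) LDAP bind using the JAAS entry
 *  "AdServiceImplForKerberos" from the thread (-Djava.security.auth.login.config). */
public class KerberosLdapBind {

    /** Service principal the JNDI GSSAPI client requests: "ldap/" + host part of the URL.
     *  With an IP address in the URL this is typically ldap/1.2.3.4, which no KDC has an entry for. */
    static String expectedSpn(String ldapUrl) {
        String rest = ldapUrl.substring(ldapUrl.indexOf("://") + 3);
        int slash = rest.indexOf('/');
        if (slash >= 0) rest = rest.substring(0, slash);
        int colon = rest.indexOf(':');
        return "ldap/" + (colon >= 0 ? rest.substring(0, colon) : rest);
    }

    static LdapContext bind(String ldapUrl, String user, char[] password) throws Exception {
        // Step 1: obtain a TGT through JAAS; user name and password are supplied via callbacks
        // (client=TRUE useTicketCache=FALSE in the config means the module always asks for them)
        LoginContext lc = new LoginContext("AdServiceImplForKerberos", callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        });
        lc.login();
        // Step 2: bind inside the authenticated Subject so the SASL GSSAPI client can find the TGT.
        // No SECURITY_PRINCIPAL / SECURITY_CREDENTIALS: Kerberos supplies the identity.
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);            // DC's FQDN, e.g. ldap://dc1.corp.example:389
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put("javax.security.sasl.qop", "auth-conf");   // sign and seal the LDAP session
        return Subject.doAs(lc.getSubject(),
                (PrivilegedExceptionAction<LdapContext>) () -> new InitialLdapContext(env, null));
    }
}
```

Calling expectedSpn on the URL you intend to use before binding tells you which principal must exist on the KDC side; for a DC reached by FQDN it is ldap/&lt;fqdn&gt;, which AD registers automatically.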
From: Darek [mailto:[email protected]]
Sent: June 20, 2013 22:27
To: Zhutiemin
Cc: [email protected]
Subject: Re: Could you help me to resolve the Kerberos error?
> Server not found in Kerberos database
You should make sure that the forward and reverse DNS for your java application
machine's IP address match, and that the hostname of the system is exactly the
same as the reverse DNS.
So if your system's IP is 1.2.3.4, a reverse DNS lookup would resolve to
java.company.com, and the system's hostname would be java.company.com.
On 6/20/2013 1:01 AM, Zhutiemin wrote:
Dear MIT Kerberos Team:
My name is Tiemin Zhu; I am a software engineer at Huawei Corporation.
I am getting the following error with Kerberos authentication. Could you help me to
resolve this error?
But the result of LDAP authentication is OK.
Is this a configuration error in AD?
Do you have any document I could study?
Thanks so much!
This is the error:
[2013-05-25 03:34:01,765]--[ERROR]--[pool-1-thread-39]--[AdServiceImpl.java run() 920] - search fail.
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
    at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
    at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
    at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
    at javax.naming.InitialContext.init(Unknown Source)
    at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
    at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl$GetSidByIpForPrivilege.run(AdServiceImpl.java:892)
    at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl$GetSidByIpForPrivilege.run(AdServiceImpl.java:854)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Unknown Source)
    at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl.getSidByIp(AdServiceImpl.java:824)
    at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl.getSidByDomain(AdServiceImpl.java:787)
    at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl.getSidByMachineName(AdServiceImpl.java:734)
    at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.createInstance(CombineCreateInstanceTask.java:740)
    at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.createVm(CombineCreateInstanceTask.java:655)
    at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.combineCreateInstance(CombineCreateInstanceTask.java:503)
    at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.run(CombineCreateInstanceTask.java:317)
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at com.huawei.vds.common.utils.threadpool.VDSThreadFactory$Task.run(VDSThreadFactory.java:92)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    ... 32 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    ... 33 more
Caused by: KrbException: Server not found in Kerberos database (7)
    at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    ... 36 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
Best regards!
phone. +86 02989184490
mobile. +86 15249061480
[email protected]
Tiemin Zhu
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos