For an example of a Java client using GSSAPI to authenticate to LDAP
(including AD and OpenLDAP servers), look at the JXplorer package and source.

Also see:
http://old.nabble.com/Problem-using-Jxplorer-wih-GSSAPI-td24837250.html

On Windows you need a krb5.ini listing the KDCs.

Can you also specify what OS, Java versions and LDAP are being used for the
client, KDCs and LDAP servers?

See inline comment below too.

On 6/20/2013 8:28 PM, Zhutiemin wrote:
> PS:
>     But when I use the simple LDAP protocol, the result is OK.
>     So I suspect that there is some incorrect configuration in AD.
>
>     I want to know what the requirements of Kerberos authentication are,
> especially the configuration of AD and DNS.
>
>     Thank you very much!
>
>    The following section of code is a part of the entire project:
>
>          LdapContext ctx = null;
>          String ldapURL = "ldap://" + adIp + ":" + DEFAULT_NON_SEC_PORT;
>
>          Hashtable<String, String> env = new Hashtable<String, String>();
>          env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
>          env.put(Context.PROVIDER_URL, ldapURL);
>          env.put(Context.SECURITY_AUTHENTICATION, "simple");
>          env.put(Context.SECURITY_PRINCIPAL, adminAccount);
>          env.put(Context.SECURITY_CREDENTIALS, adminPassword);
>          env.put("java.naming.ldap.attributes.binary", "objectSid");
>
>          ctx = new InitialLdapContext(env, null);
>
>          SearchControls constraints = new SearchControls();
>          constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
>          String searchFilter = "(CN=" + machineName + ")";
>
>          NamingEnumeration<SearchResult> results =
>              ctx.search(changeDomainInfo(domain), searchFilter, constraints);
>
>          while (results.hasMoreElements())
>          {
>              SearchResult searchResult = (SearchResult) results.next();
>              Attributes attrs = searchResult.getAttributes();
>
>              if (attrs != null)
>              {
>                  Object attValue = attrs.get("objectSid").get();
>                  return getSIDasStringOfBytes((byte[]) attValue);
>              }
>          }
> From: Zhutiemin
> Sent: June 21, 2013 9:19
> To: 'Darek'
> Cc: [email protected]
> Subject: RE: Could you help me to resolve the Kerberos error?
>
> Darek:
> Thank you for your reply.
>
> I will check the  and conduct an experiment to test it.
>
> I use the Krb5LoginModule class to authenticate users using the Kerberos protocol.
>
> It is defined in the configuration
>
> AdServiceImplForKerberos {
>     com.sun.security.auth.module.Krb5LoginModule required
>         client=TRUE useTicketCache=FALSE refreshKrb5Config=TRUE;
> };
>
> And I implement the authentication with the LoginContext class.
>
> The following section of code is a part of the entire project:
>
>              LdapContext ctx = null;
>
>              Hashtable<String, String> env = new Hashtable<String, String>();
>              env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
>              env.put(Context.PROVIDER_URL, ldapURL);
>              env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
>              env.put(Context.SECURITY_PRINCIPAL, adminAccount);
>              env.put(Context.SECURITY_CREDENTIALS, adminPassword);

Why the admin principal and password here?

Normally GSSAPI uses existing credentials (Kerberos tickets) that the user has
already obtained during login, by using the Windows runas or by using kinit.


>              env.put("java.naming.ldap.attributes.binary", "objectSid");
>
>              SearchControls constraints = new SearchControls();
>              constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
>              String searchFilter = "(CN=" + machineName + ")";
>
>              NamingEnumeration<SearchResult> results =
>                  ctx.search(changeDomainInfo(domain), searchFilter, constraints);
>
>              while (results.hasMoreElements())
>              {
>                  SearchResult searchResult = (SearchResult) results.next();
>                  Attributes attrs = searchResult.getAttributes();
>
>                  if (attrs != null)
>                  {
>                      Object attValue = attrs.get("objectSid").get();
>                      return getSIDasStringOfBytes((byte[]) attValue);
>                  }
>              }
>
>
> From: Darek [mailto:[email protected]]
> Sent: June 20, 2013 22:27
> To: Zhutiemin
> Cc: [email protected]
> Subject: Re: Could you help me to resolve the Kerberos error?
>
>> Server not found in Kerberos database
>
> You should make sure that the forward and reverse DNS for your java 
> application machine's IP address match, and that the hostname of the system 
> is exactly the same as the reverse DNS.
>
> So if your system's IP is 1.2.3.4, a reverse DNS lookup would resolve to
> java.company.com, and the system's hostname would be java.company.com.
>
> On 6/20/2013 1:01 AM, Zhutiemin wrote:
>
> Dear MIT Kerberos Team:
>
> My name is Tiemin Zhu; I am a software engineer at Huawei Corporation.
>
> I am getting the following error with Kerberos authentication. Could you help me
> to resolve this error?
>
> But the result of LDAP authentication is OK.
>
> Is this a configuration error in AD?
>
> Do you have any document I could study?
>
> Thanks so much!
>
> This is the error:
>
> [2013-05-25 03:34:01,765]--[ERROR]--[pool-1-thread-39]--[AdServiceImpl.java run() 920] - search fail.
> javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
>       at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
>       at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
>       at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
>       at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
>       at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
>       at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
>       at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
>       at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
>       at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
>       at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
>       at javax.naming.InitialContext.init(Unknown Source)
>       at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
>       at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl$GetSidByIpForPrivilege.run(AdServiceImpl.java:892)
>       at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl$GetSidByIpForPrivilege.run(AdServiceImpl.java:854)
>       at java.security.AccessController.doPrivileged(Native Method)
>       at javax.security.auth.Subject.doAs(Unknown Source)
>       at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl.getSidByIp(AdServiceImpl.java:824)
>       at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl.getSidByDomain(AdServiceImpl.java:787)
>       at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl.getSidByMachineName(AdServiceImpl.java:734)
>       at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.createInstance(CombineCreateInstanceTask.java:740)
>       at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.createVm(CombineCreateInstanceTask.java:655)
>       at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.combineCreateInstance(CombineCreateInstanceTask.java:503)
>       at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.run(CombineCreateInstanceTask.java:317)
>       at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
>       at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
>       at java.util.concurrent.FutureTask.run(Unknown Source)
>       at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(Unknown Source)
>       at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
>       at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
>       at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>       at com.huawei.vds.common.utils.threadpool.VDSThreadFactory$Task.run(VDSThreadFactory.java:92)
>       at java.lang.Thread.run(Unknown Source)
> Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
>       at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
>       ... 32 more
> Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
>       at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
>       at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
>       at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
>       ... 33 more
> Caused by: KrbException: Server not found in Kerberos database (7)
>       at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
>       at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
>       at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
>       at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
>       at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
>       ... 36 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
>       at sun.security.krb5.internal.KDCRep.init(Unknown Source)
>       at sun.security.krb5.internal.TGSRep.init(Unknown Source)
>       at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
>
> Best regards!
>
> phone. +86 02989184490
> mobile. +86 15249061480
> [email protected]
> Tiemin Zhu
>

-- 

  Douglas E. Engert  <[email protected]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
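Putting the point about GSSAPI and existing credentials into code, here is an added example; it is not the poster's code and not taken from JXplorer or anything on the list. It binds to AD over JNDI with SASL/GSSAPI and puts no principal or password in the JNDI environment: the identity comes from the JAAS Subject, whose TGT was obtained beforehand with kinit or the Windows logon. Everything concrete in it is a placeholder: the DC name dc1.example.com, the realm EXAMPLE.COM, the search base, the jaas.conf and krb5.ini contents. One detail it deliberately changes from the quoted snippet: the provider URL uses the DC's DNS name rather than an IP address. JNDI's SASL layer names the target service from the host part of that URL (ldap/<host>), so a URL built from an IP, or a name whose DNS does not map back to the name the DC's SPN is registered under, typically asks the KDC for a principal it does not have, which is exactly the "Server not found in Kerberos database (7)" in the trace above. The example also goes a little beyond the thread's code by requesting sign/seal on the session and by passing the machine name as a filter argument instead of concatenating it.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

/*
 * Added example, not the poster's code. All names below are placeholders. Run as
 *   java -Djava.security.krb5.conf=krb5.ini \
 *        -Djava.security.auth.login.config=jaas.conf GssapiLdapExample
 *
 * jaas.conf (entry name reused from the thread; reuses the existing TGT only):
 *   AdServiceImplForKerberos {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *       useTicketCache=true doNotPrompt=true;
 *   };
 *
 * krb5.ini (in AD the domain controllers are the KDCs):
 *   [libdefaults]
 *     default_realm = EXAMPLE.COM
 *   [realms]
 *     EXAMPLE.COM = { kdc = dc1.example.com }
 *   [domain_realm]
 *     .example.com = EXAMPLE.COM
 */
public class GssapiLdapExample {

    public static void main(String[] args) throws Exception {
        // Placeholders. Use the DC's DNS name, not its IP: the GSSAPI SASL client asks
        // the KDC for the service principal ldap/<host in URL>, which must be an SPN
        // registered on the DC.
        String ldapUrl = "ldap://dc1.example.com:389";
        String searchBase = "DC=example,DC=com";
        String machineName = args.length > 0 ? args[0] : "WORKSTATION01";

        // 1. Pick up the TGT already obtained with kinit or the Windows logon.
        //    This program never handles a principal name or a password itself.
        LoginContext lc = new LoginContext("AdServiceImplForKerberos");
        lc.login();
        try {
            // 2. Do the LDAP work as that Subject so the SASL/GSSAPI layer finds the TGT.
            String sid = Subject.doAs(lc.getSubject(),
                    (PrivilegedExceptionAction<String>) () -> lookupSid(ldapUrl, searchBase, machineName));
            System.out.println(machineName + " objectSid = " + sid);
        } catch (PrivilegedActionException e) {
            throw e.getException();  // unwrap the NamingException thrown inside doAs
        } finally {
            lc.logout();
        }
    }

    /** GSSAPI bind plus computer-object lookup; must be called inside Subject.doAs. */
    static String lookupSid(String ldapUrl, String searchBase, String machineName)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // Deliberately no SECURITY_PRINCIPAL / SECURITY_CREDENTIALS: the bind identity is
        // the Subject's ticket. Ask for sign+seal so the search runs over a protected session.
        env.put("javax.security.sasl.qop", "auth-conf");
        env.put("java.naming.ldap.attributes.binary", "objectSid");

        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"objectSid"});
            // {0} is substituted and escaped by JNDI, so filter metacharacters in the
            // machine name cannot change the structure of the query.
            NamingEnumeration<SearchResult> results = ctx.search(searchBase,
                    "(&(objectClass=computer)(cn={0}))", new Object[] {machineName}, sc);
            while (results.hasMore()) {
                Attributes attrs = results.next().getAttributes();
                if (attrs != null && attrs.get("objectSid") != null) {
                    return sidToString((byte[]) attrs.get("objectSid").get());
                }
            }
            return null;  // no such computer object
        } finally {
            ctx.close();
        }
    }

    /** Binary objectSid to "S-1-5-21-...": revision byte, sub-authority count byte,
     *  48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities. */
    static String sidToString(byte[] sid) {
        int count = sid.length >= 8 ? sid[1] & 0xFF : -1;
        if (count < 0 || sid.length != 8 + 4 * count) {
            throw new IllegalArgumentException("malformed objectSid (" + sid.length + " bytes)");
        }
        long authority = 0;
        for (int i = 2; i < 8; i++) {
            authority = (authority << 8) | (sid[i] & 0xFF);
        }
        StringBuilder sb = new StringBuilder("S-").append(sid[0] & 0xFF).append('-').append(authority);
        for (int i = 0; i < count; i++) {
            int off = 8 + 4 * i;
            long sub = (sid[off] & 0xFFL) | (sid[off + 1] & 0xFFL) << 8
                     | (sid[off + 2] & 0xFFL) << 16 | (sid[off + 3] & 0xFFL) << 24;
            sb.append('-').append(sub);
        }
        return sb.toString();
    }
}
```

With doNotPrompt=true the login fails locally, before any network traffic, if there is no TGT in the cache, which makes a missing kinit easy to tell apart from the KDC-side error in the thread. If the program has to authenticate as its own service account rather than reuse a user's ticket, give LoginContext a CallbackHandler (or use useKeyTab with a keytab) so the secret reaches the KDC through Krb5LoginModule and still stays out of the JNDI environment. On Windows, for the JDK to read the logon session's TGT from LSA the session key has to be exportable (the AllowTgtSessionKey registry value under Lsa\Kerberos\Parameters set to 1); otherwise obtain a ticket with kinit from the JDK.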
