The issue was just resolved.
commit 5ffd0a280afd417539a2b474d0714a81db303b28
Author: Kai Zheng <[email protected]>
Date: Sat Nov 14 21:10:16 2015 +0800
DIRKRB-455 Configuring kdc_host in client krb5.conf doesn't work
-----Original Message-----
From: Marc Boorshtein [mailto:[email protected]]
Sent: Saturday, November 14, 2015 11:32 AM
To: [email protected]
Subject: Re: Getting started with the client API
Same issue, here's the krb5.conf:
[libdefaults]
kdc_udp_port = 88
kdc_host = freeipa.rhelent.lan
default_realm = RHELENT.LAN
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
RHELENT.LAN = {
kdc = freeipa.rhelent.lan:88
master_kdc = freeipa.rhelent.lan:88
admin_server = freeipa.rhelent.lan:749
default_domain = rhelent.lan
#pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.rhelent.lan = RHELENT.LAN
rhelent.lan = RHELENT.LAN
On Fri, Nov 13, 2015 at 10:27 PM, Zheng, Kai <[email protected]> wrote:
> Great that you made the issue clear. It seems that the keytab file
> option in KinitTool isn't converted or passed to the KrbClient API call.
> We'll need a fix in the Kerby code. Maybe you could have a simple fixup
> in your workspace to proceed?
>
> For the krb5.conf, it looks like the items in the [realms] section aren't
> able to be loaded (a gap here). I just realized that most of the krb5.conf
> files used in the Kerby code are for Oracle Java Kerberos support.
> Please add the following item in the [libdefaults] section.
>
> kdc_host = your-kdc-host
>
> -----Original Message-----
> From: Marc Boorshtein [mailto:[email protected]]
> Sent: Saturday, November 14, 2015 11:06 AM
> To: [email protected]
> Subject: Re: Getting started with the client API
>
> For kinit, it's not a permissions issue, everything is owned by the
> same user. The issue appears to be in line 45 of
> AsRequestWithKeytab.java. It's looking for
>
> KrbOption.KEYTAB_FILE
>
> but koptions has "{USE_KEYTAB=USE_KEYTAB, NONE=NONE,
> CLIENT_PRINCIPAL=CLIENT_PRINCIPAL}"
>
> Here's my krb5.conf file:
>
> [libdefaults]
> kdc_udp_port = 88
> default_realm = RHELENT.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> udp_preference_limit = 0
>
> [realms]
> RHELENT.LAN = {
> kdc = freeipa.rhelent.lan:88
> master_kdc = freeipa.rhelent.lan:88
> admin_server = freeipa.rhelent.lan:749
> default_domain = rhelent.lan
> #pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .rhelent.lan = RHELENT.LAN
> rhelent.lan = RHELENT.LAN
>
> Also, with the above krb5.conf file I have a new issue with the code,
> I get the following exception:
>
> Exception in thread "main" org.apache.kerby.kerberos.kerb.KrbException: Receiving response message failed
>     at org.apache.kerby.kerberos.kerb.client.impl.DefaultKrbHandler.handleRequest(DefaultKrbHandler.java:45)
>     at org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient.doRequestTgtTicket(DefaultInternalKrbClient.java:74)
>     at org.apache.kerby.kerberos.kerb.client.impl.AbstractInternalKrbClient.requestTgtTicket(AbstractInternalKrbClient.java:105)
>     at org.apache.kerby.kerberos.kerb.client.KrbClient.requestTgtWithOptions(KrbClient.java:252)
>     at org.apache.kerby.kerberos.kerb.client.KrbClient.requestTgtWithKeytab(KrbClient.java:194)
>     at TestKerb.main(TestKerb.java:12)
> Caused by: java.net.PortUnreachableException
>     at sun.nio.ch.DatagramChannelImpl.receive0(Native Method)
>     at sun.nio.ch.DatagramChannelImpl.receiveIntoNativeBuffer(DatagramChannelImpl.java:414)
>     at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:400)
>     at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:345)
>     at org.apache.kerby.kerberos.kerb.transport.KrbUdpTransport.receiveMessage(KrbUdpTransport.java:60)
>     at org.apache.kerby.kerberos.kerb.client.impl.DefaultKrbHandler.handleRequest(DefaultKrbHandler.java:43)
>     ... 5 more
>
> Debugging the code made it look like kerby is trying to hit 127.0.0.1
> (which doesn't have the kerberos server running)
>
> On Fri, Nov 13, 2015 at 9:45 PM, Zheng, Kai <[email protected]> wrote:
>
> > Another thing to check is the keytab file permission. It may
> > fail to be accessed from your IDE. To keep it simple, please make a copy in
> > /tmp/ and chmod a+r it.
> >
> > -----Original Message-----
> > From: Zheng, Kai [mailto:[email protected]]
> > Sent: Saturday, November 14, 2015 10:41 AM
> > To: [email protected]
> > Subject: RE: Getting started with the client API
> >
> > Your setup looks fine.
> >
> > >> From inside of my IDE with the following parameters: "-conf /etc -k -t /Users/mlb/Documents/localdev.keytab HTTP/[email protected]"
> >
> > OK. Since you're in your IDE, maybe you could set your breakpoint at
> > kerb.requestTgtWithKeytab() and check if the keytab file parameter
> > is correctly passed there?
> >
> > -----Original Message-----
> > From: Marc Boorshtein [mailto:[email protected]]
> > Sent: Saturday, November 14, 2015 10:25 AM
> > To: [email protected]
> > Subject: Re: Getting started with the client API
> >
> > >
> > >
> > >
> > > >> The next issue I'm having is getting my keytab to work. Here's
> > > >> the
> > > exception I get in the same code:
> > > It seemed the keytab isn't passed along to that place, so it
> > > reported that some client key or credential is needed. Maybe you could
> > > debug along the stack trace?
> > >
> > > By the way, how did you generate the keytab file, and with which tool?
> > >
> >
> > Keytab was generated by free ipa:
> >
> > ipa-getkeytab -s freeipa.rhelent.lan -p HTTP/[email protected] -k ./localdev.keytab
> >
> > Using MIT Kerberos on OS X, I'm able to initialize the keytab without issue:
> >
> > Marcs-MBP:Downloads mlb$ kinit -k -t /Users/mlb/Documents/localdev.keytab -V HTTP/[email protected]
> > Placing tickets for 'HTTP/[email protected]' in cache 'API:9C74982C-C9F1-43F1-912F-209C03BBEEE6'
> >
> > Marcs-MBP:Downloads mlb$ klist
> > Credentials cache: API:9C74982C-C9F1-43F1-912F-209C03BBEEE6
> > Principal: HTTP/[email protected]
> >
> >   Issued                Expires               Principal
> > Nov 13 21:19:22 2015  Nov 14 21:19:22 2015  krbtgt/[email protected]
> >
> > Marcs-MBP:Downloads mlb$
> > Here's my code:
> >
> > import java.io.File;
> > import org.apache.kerby.kerberos.kerb.client.KrbClient;
> >
> > // Load krb5.conf from /etc, then request a TGT using the keytab.
> > KrbClient kerb = new KrbClient(new File("/etc"));
> > kerb.init();
> > TgtTicket tgt = kerb.requestTgtWithKeytab("HTTP/[email protected]",
> >         new File("/Users/mlb/Documents/localdev.keytab"));
> >
> >
> > >
> > > >> Now, I tried to load the keytab using the kinit that comes with
> > > >> kerby
> > > and I get a different error:
> > > Let's get this issue solved second. Looking at the NPE place as I
> > > did last time, it looks like your keytab file isn't correctly
> > > passed along. How did you invoke the Kerby kinit tool?
> > >
> > >
> > From inside of my IDE with the following parameters: "-conf /etc -k -t /Users/mlb/Documents/localdev.keytab HTTP/[email protected]"
> >
> >
> > > Regarding the krb5.conf file, we prefer the format used by MIT
> > > Kerberos, though currently the full support isn't done yet. The
> > > format used by the files you found should work with Kerby fine.
> > >
> > >
> > Let me try a krb5.conf file that isn't shared with multiple realms.
> >
> > Thanks
> > Marc
> >
>
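An added example, placed after the whole thread rather than inside anyone's reply, and not Kerby's code or code from any participant: a small Python parser for the krb5.conf format posted above, plus a resolver that looks up the KDC the way the thread says a client should: the realm's `kdc` entry in [realms] first, then the `kdc_host` workaround in [libdefaults], and an error (instead of a silent fall-back to 127.0.0.1, which is what produced the PortUnreachableException) when neither is present. It also rejects a realm block whose closing brace landed on a comment line, since a krb5.conf comment runs to the end of the line. SAMPLE_CONF and BROKEN_CONF are constructed from Marc's file; the function names are mine.

```python
import re

# Constructed sample: Marc's krb5.conf from this thread, with the kdc_host
# workaround Kai suggested added to [libdefaults].
SAMPLE_CONF = """\
[libdefaults]
 kdc_udp_port = 88
 kdc_host = freeipa.rhelent.lan
 default_realm = RHELENT.LAN
 dns_lookup_kdc = true
 udp_preference_limit = 0

[realms]
 RHELENT.LAN = {
  kdc = freeipa.rhelent.lan:88
  master_kdc = freeipa.rhelent.lan:88
  admin_server = freeipa.rhelent.lan:749
  default_domain = rhelent.lan
  #pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .rhelent.lan = RHELENT.LAN
 rhelent.lan = RHELENT.LAN
"""

# Constructed variant: the closing brace ended up on the comment line, so the
# whole line is a comment and the realm block is never closed.
BROKEN_CONF = SAMPLE_CONF.replace(
    "  #pkinit_anchors = FILE:/etc/ipa/ca.crt\n }\n",
    "  #pkinit_anchors = FILE:/etc/ipa/ca.crt }\n")

_KV = re.compile(r"^([^=\s]+)\s*=\s*(.*?)\s*$")


def parse_krb5_conf(text):
    """Return {section: {key: value}}; a 'NAME = { ... }' block becomes a nested dict.
    Lines whose first non-blank character is '#' or ';' are comments in their entirety."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            if block is not None:
                raise ValueError("block '%s' in [%s] is never closed" % (block, section))
            section = line[1:-1]
            conf.setdefault(section, {})
            continue
        if section is None:
            raise ValueError("key before any [section]: %r" % raw)
        if line == "}":
            if block is None:
                raise ValueError("stray '}' in [%s]" % section)
            block = None
            continue
        m = _KV.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        key, value = m.groups()
        if value == "{":
            block = key
            conf[section][key] = {}
            continue
        target = conf[section][block] if block else conf[section]
        target[key] = value
    if block is not None:
        raise ValueError("block '%s' in [%s] is never closed" % (block, section))
    return conf


def resolve_kdc(conf, realm=None):
    """Return (host, port) for the realm's KDC.

    Order: [realms] REALM.kdc, then the kdc_host entry in [libdefaults] that the
    thread uses as a workaround. If neither exists, fail loudly rather than
    defaulting to 127.0.0.1."""
    libdefaults = conf.get("libdefaults", {})
    realm = realm or libdefaults.get("default_realm")
    if not realm:
        raise KeyError("no realm given and no default_realm in [libdefaults]")
    default_port = int(libdefaults.get("kdc_udp_port", 88))
    entry = conf.get("realms", {}).get(realm, {}).get("kdc") or libdefaults.get("kdc_host")
    if not entry:
        raise KeyError("no kdc for realm %s in [realms] and no kdc_host in [libdefaults]" % realm)
    host, sep, port = entry.rpartition(":")  # host:port; a bare hostname keeps the default port
    return (host, int(port)) if sep else (entry, default_port)


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_CONF)
    print(resolve_kdc(conf))  # ('freeipa.rhelent.lan', 88)
```

Run it against a real /etc/krb5.conf to see which source the KDC address actually comes from; a client that resolves to 127.0.0.1:88 when the file names a different host is reading a different section (or a different file) than you think.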