RE: Getting started with the client API

Sat, 14 Nov 2015 05:48:08 -0800 

The keytab issue was just resolved. Please check it.

commit 955a84585c937561750a761134711b0ad4fdfeff
Author: Kai Zheng <[email protected]>
Date:   Sat Nov 14 21:44:41 2015 +0800

    DIRKRB-456 KinitTool doesn't work to use keytab file

-----Original Message-----
From: Marc Boorshtein [mailto:[email protected]] 
Sent: Saturday, November 14, 2015 10:25 AM
To: [email protected]
Subject: Re: Getting started with the client API

>
>
>
> >> The next issue I'm having is getting my keytab to work.  Here's the
> exception I get in the same code:
> It seemed the keytab isn't passed along to the place so it reported 
> some client key or credential is needed. Maybe you could have a debug 
> along the stacktrace?
>
> By the way, how did you generate the keytab file by which tool?
>

Keytab was generated by free ipa:

ipa-getkeytab -s freeipa.rhelent.lan -p HTTP/[email protected] -k 
./localdev.keytab

Using MIT kerberos on OSX I'm able to initialize the keytab without issue:

Marcs-MBP:Downloads mlb$ kinit -k -t /Users/mlb/Documents/localdev.keytab
-V HTTP/[email protected]

Placing tickets for 'HTTP/[email protected]' in cache 
'API:9C74982C-C9F1-43F1-912F-209C03BBEEE6'

Marcs-MBP:Downloads mlb$ klist

Credentials cache: API:9C74982C-C9F1-43F1-912F-209C03BBEEE6

        Principal: HTTP/[email protected]


  Issued                Expires               Principal

Nov 13 21:19:22 2015  Nov 14 21:19:22 2015  krbtgt/[email protected]

Marcs-MBP:Downloads mlb$
Here's my code:

KrbClient kerb = new KrbClient(new File("/etc"));

kerb.init();

TgtTicket tgt = kerb.requestTgtWithKeytab("HTTP/[email protected]",
new File("/Users/mlb/Documents/localdev.keytab"));


>
> >> Now, I tried to load the keytab using the kinit that comes with 
> >> kerby
> and I get a different error:
> Let's get this issue solved second. Looking at the NPE place as I did 
> last time, it looks like your keytab file isn't correctly passed 
> along. How did you invoke the Kerby kinit tool?
>
>
From inside of my IDE with the following parameters : "-conf /etc  -k -t 
/Users/mlb/Documents/localdev.keytab HTTP/[email protected]"


> Regarding the krb5.conf file, we prefer the format used by MIT 
> Kerberos, though currently the full support isn't done yet. The format 
> used by the files you found should work with Kerby fine.
>
>
Let me try a krb5.conf file that doesn't share with multiple realms.

 Thanks
Marc

Reply via email to