Thanks Kai! We're making progress. Here's the current stack trace: Exception in thread "main" java.lang.NullPointerException
at org.apache.kerby.kerberos.kerb.client.request.AsRequest.getTicket( AsRequest.java:135) at org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient.doRequestTgtTicket( DefaultInternalKrbClient.java:76) at org.apache.kerby.kerberos.kerb.client.impl.AbstractInternalKrbClient.requestTgtTicket( AbstractInternalKrbClient.java:105) at org.apache.kerby.kerberos.kerb.client.KrbClient.requestTgtWithOptions( KrbClient.java:252) at org.apache.kerby.kerberos.kerb.client.KrbClient.requestTgtWithKeytab( KrbClient.java:194) at TestKerb.main(TestKerb.java:12) Looking at the kerberos messages over the wire it looks like its setting the realm to EXAMPLE.COM even though the krb5.conf file has "default_realm = RHELENT.LAN" which is causing the KDC to fail. Trying to see if I can make that setting in the code instead of the krb5.conf file. Thanks Marc On Sat, Nov 14, 2015 at 8:47 AM, Zheng, Kai <[email protected]> wrote: > The keytab issue was just resolved. Please check it. > > commit 955a84585c937561750a761134711b0ad4fdfeff > Author: Kai Zheng <[email protected]> > Date: Sat Nov 14 21:44:41 2015 +0800 > > DIRKRB-456 KinitTool doesn't work to use keytab file > > -----Original Message----- > From: Marc Boorshtein [mailto:[email protected]] > Sent: Saturday, November 14, 2015 10:25 AM > To: [email protected] > Subject: Re: Getting started with the client API > > > > > > > > > >> The next issue I'm having is getting my keytab to work. Here's the > > exception I get in the same code: > > It seemed the keytab isn't passed along to the place so it reported > > some client key or credential is needed. Maybe you could have a debug > > along the stacktrace? > > > > By the way, how did you generate the keytab file by which tool? > > > > Keytab was generated by free ipa: > > ipa-getkeytab -s freeipa.rhelent.lan -p HTTP/[email protected] > -k ./localdev.keytab > > Using MIT kerberos on OSX I'm able to initialize the keytab without issue: > > Marcs-MBP:Downloads mlb$ kinit -k -t /Users/mlb/Documents/localdev.keytab > -V HTTP/[email protected] > > Placing tickets for 'HTTP/[email protected]' in cache > 'API:9C74982C-C9F1-43F1-912F-209C03BBEEE6' > > Marcs-MBP:Downloads mlb$ klist > > Credentials cache: API:9C74982C-C9F1-43F1-912F-209C03BBEEE6 > > Principal: HTTP/[email protected] > > > Issued Expires Principal > > Nov 13 21:19:22 2015 Nov 14 21:19:22 2015 krbtgt/[email protected] > > Marcs-MBP:Downloads mlb$ > Here's my code: > > KrbClient kerb = new KrbClient(new File("/etc")); > > kerb.init(); > > TgtTicket tgt = kerb.requestTgtWithKeytab("HTTP/[email protected] > ", > new File("/Users/mlb/Documents/localdev.keytab")); > > > > > > >> Now, I tried to load the keytab using the kinit that comes with > > >> kerby > > and I get a different error: > > Let's get this issue solved second. Looking at the NPE place as I did > > last time, it looks like your keytab file isn't correctly passed > > along. How did you invoke the Kerby kinit tool? > > > > > From inside of my IDE with the following parameters : "-conf /etc -k -t > /Users/mlb/Documents/localdev.keytab HTTP/[email protected]" > > > > Regarding the krb5.conf file, we prefer the format used by MIT > > Kerberos, though currently the full support isn't done yet. The format > > used by the files you found should work with Kerby fine. > > > > > Let me try a krb5.conf file that doesn't share with multiple realms. > > Thanks > Marc >
