I am attempting to make use of Kerberos authentication within Apache Directory Studio (into Apache DS - same machine). I have followed the instructions as given by http://directory.apache.org/apacheds/1.5/543-kerberos-in-apacheds-155.html

Major issue (see log) - *** No server entry found for kerberos principal name ldap/[email protected] ***

Using -
Apache Directory Studio Version 1.5.3.v20100330
Apache DS : 1.5.7
Operating System : Windows Server 2008 - 64bit

Below is the output from the ApacheDS log
---------------------------------------
[08:11:23] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51686 CREATED: datagram
[08:11:23] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51686 OPENED
[08:11:23] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51686 RCVD: org.apache.directory.server.kerberos.shared.messages.kdcrequ...@a1d7b
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Received Authentication Service (AS) request:
    messageType: AS_REQ
    protocolVersionNumber: 5
    clientAddress: 127.0.0.1
    nonce: 1285341083
    kdcOptions:
    clientPrincipal: [email protected]
    serverPrincipal: krbtgt/[email protected]
    encryptionType: aes128-cts-hmac-sha1-96 (17), rc4-hmac (23), des-cbc-crc (1), des3-cbc-sha1-kd (16), des-cbc-md5 (3)
    realm: EXAMPLE.COM
    from time: null
    till time: 19700101000000Z
    renew-till time: null
    hostAddresses: null
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Session will use encryption type des-cbc-md5 (3).
[08:11:23] DEBUG [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - Found entry ServerEntry
    dn[n]: uid=hnelson,ou=users,dc=example,dc=com
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: krb5Principal
    objectClass: krb5KDCEntry
    objectClass: top
    uid: hnelson
    sn: Nelson
    krb5PrincipalName: [email protected]
    krb5Key: ...
    krb5Key: ...
    krb5Key: ...
    krb5Key: ...
    krb5KeyVersionNumber: 2
    cn: Horatio Nelson
    userPassword: ...
 for kerberos principal name [email protected]
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using SAM subsystem.
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using encrypted timestamp.
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Entry for client principal [email protected] has no SAM type. Proceeding with standard pre-authentication.
[08:11:23] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Additional pre-authentication required
    at org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.verifyEncryptedTimestamp(AuthenticationService.java:269)
    at org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.execute(AuthenticationService.java:107)
    at org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:145)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:713)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:793)
    at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:375)
    at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:229)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:793)
    at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426)
    at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.readHandle(AbstractPollingConnectionlessIoAcceptor.java:436)
    at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.processReadySessions(AbstractPollingConnectionlessIoAcceptor.java:407)
    at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.access$600(AbstractPollingConnectionlessIoAcceptor.java:56)
    at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor$Acceptor.run(AbstractPollingConnectionlessIoAcceptor.java:360)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
[08:11:23] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Responding to request with error:
    explanatory text: Additional pre-authentication required
    error code: 25
    clientPrincipal: null
    client time: null
    serverPrincipal: krbtgt/[email protected]
    server time: 20100924151123Z
[08:11:23] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51686 SENT: org.apache.directory.server.kerberos.shared.messages.errormess...@a030d6
[08:11:23] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51687 CREATED: datagram
[08:11:23] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51687 OPENED
[08:11:23] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51687 RCVD: org.apache.directory.server.kerberos.shared.messages.kdcrequ...@1e4eb5b
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Received Authentication Service (AS) request:
    messageType: AS_REQ
    protocolVersionNumber: 5
    clientAddress: 127.0.0.1
    nonce: 1285341084
    kdcOptions:
    clientPrincipal: [email protected]
    serverPrincipal: krbtgt/[email protected]
    encryptionType: des-cbc-md5 (3)
    realm: EXAMPLE.COM
    from time: null
    till time: 19700101000000Z
    renew-till time: null
    hostAddresses: null
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Session will use encryption type des-cbc-md5 (3).
[08:11:23] DEBUG [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - Found entry ServerEntry
    dn[n]: uid=hnelson,ou=users,dc=example,dc=com
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: krb5Principal
    objectClass: krb5KDCEntry
    objectClass: top
    uid: hnelson
    sn: Nelson
    krb5PrincipalName: [email protected]
    krb5Key: ...
    krb5Key: ...
    krb5Key: ...
    krb5Key: ...
    krb5KeyVersionNumber: 2
    cn: Horatio Nelson
    userPassword: ...
 for kerberos principal name [email protected]
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using SAM subsystem.
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using encrypted timestamp.
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Entry for client principal [email protected] has no SAM type. Proceeding with standard pre-authentication.
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Pre-authentication by encrypted timestamp successful for [email protected].
[08:11:23] DEBUG [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - Found entry ServerEntry
    dn[n]: uid=krbtgt,ou=users,dc=example,dc=com
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: krb5Principal
    objectClass: krb5KDCEntry
    objectClass: top
    uid: krbtgt
    sn: Service
    krb5PrincipalName: krbtgt/[email protected]
    krb5Key: ...
    krb5Key: ...
    krb5Key: ...
    krb5Key: ...
    krb5KeyVersionNumber: 2
    cn: KDC Service
    userPassword: ...
 for kerberos principal name krbtgt/[email protected]
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Ticket will be issued for access to krbtgt/[email protected].
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Monitoring Authentication Service (AS) context:
    clockSkew 300000
    clientAddress /127.0.0.1
    principal [email protected]
    cn null
    realm null
    principal [email protected]
    SAM type null
    principal krbtgt/[email protected]
    cn null
    realm null
    principal krbtgt/[email protected]
    SAM type null
    Request key type des-cbc-md5 (3)
    Client key version 0
    Server key version 0
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Responding with Authentication Service (AS) reply:
    messageType: AS_REP
    protocolVersionNumber: 5
    nonce: 1285341084
    clientPrincipal: [email protected]
    client realm: EXAMPLE.COM
    serverPrincipal: krbtgt/[email protected]
    server realm: EXAMPLE.COM
    auth time: 20100924151123Z
    start time: null
    end time: 20100925151123Z
    renew-till time: null
    hostAddresses: null
[08:11:23] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51687 SENT: org.apache.directory.server.kerberos.shared.messages.authenticationre...@13dd208
[08:11:24] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51688 CREATED: datagram
[08:11:24] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51688 OPENED
[08:11:24] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51688 RCVD: org.apache.directory.server.kerberos.shared.messages.kdcrequ...@1a8402c
[08:11:24] DEBUG [org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService] - Received Ticket-Granting Service (TGS) request:
    messageType: TGS_REQ
    protocolVersionNumber: 5
    clientAddress: 127.0.0.1
    nonce: 1285341085
    kdcOptions:
    clientPrincipal: null
    serverPrincipal: ldap/[email protected]
    encryptionType: aes128-cts-hmac-sha1-96 (17), rc4-hmac (23), des-cbc-crc (1), des3-cbc-sha1-kd (16), des-cbc-md5 (3)
    realm: EXAMPLE.COM
    from time: null
    till time: 19700101000000Z
    renew-till time: null
    hostAddresses: null
[08:11:24] DEBUG [org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService] - Session will use encryption type des-cbc-md5 (3).
[08:11:24] DEBUG [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - Found entry ServerEntry
    dn[n]: uid=krbtgt,ou=users,dc=example,dc=com
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: krb5Principal
    objectClass: krb5KDCEntry
    objectClass: top
    uid: krbtgt
    sn: Service
    krb5PrincipalName: krbtgt/[email protected]
    krb5Key: ...
    krb5Key: ...
    krb5Key: ...
    krb5Key: ...
    krb5KeyVersionNumber: 2
    cn: KDC Service
    userPassword: ...
 for kerberos principal name krbtgt/[email protected]
[08:11:24] DEBUG [org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService] - Verifying body checksum type 'RSA_MD5'.
[08:11:24] WARN [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - No server entry found for kerberos principal name ldap/[email protected]
[08:11:24] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Server not found in Kerberos database (7)
org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Server not found in Kerberos database
    at org.apache.directory.server.kerberos.shared.KerberosUtils.getEntry(KerberosUtils.java:316)
    at org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService.getRequestPrincipalEntry(TicketGrantingService.java:311)
    at org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService.execute(TicketGrantingService.java:104)
    at org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:158)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:713)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:793)
    at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:375)
    at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:229)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:793)
    at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426)
    at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.readHandle(AbstractPollingConnectionlessIoAcceptor.java:436)
    at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.processReadySessions(AbstractPollingConnectionlessIoAcceptor.java:407)
    at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.access$600(AbstractPollingConnectionlessIoAcceptor.java:56)
    at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor$Acceptor.run(AbstractPollingConnectionlessIoAcceptor.java:360)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NullPointerException
    at org.apache.directory.server.kerberos.shared.store.operations.GetPrincipal.getEntry(GetPrincipal.java:98)
    at org.apache.directory.server.kerberos.shared.store.operations.GetPrincipal.execute(GetPrincipal.java:82)
    at org.apache.directory.server.kerberos.shared.store.SingleBaseSearch.getPrincipal(SingleBaseSearch.java:64)
    at org.apache.directory.server.kerberos.shared.store.DirectoryPrincipalStore.getPrincipal(DirectoryPrincipalStore.java:71)
    at org.apache.directory.server.kerberos.shared.KerberosUtils.getEntry(KerberosUtils.java:312)
    ... 23 more
[08:11:24] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Responding to request with error:
    explanatory text: Server not found in Kerberos database
    error code: 7
    clientPrincipal: null
    client time: null
    serverPrincipal: krbtgt/[email protected]
    server time: 20100924151124Z
[08:11:24] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:51688 SENT: org.apache.directory.server.kerberos.shared.messages.errormess...@1899213

Robert Krummenacker
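
A triage pass over KDC debug lines in the format of the log above, as an added example that is not part of the original post or of ApacheDS: it flags deprecated session encryption types and maps the two KDC error codes seen in the log to their RFC 4120 names. The sample lines, the `ldap/host.example.com@EXAMPLE.COM` principal and the `triage` helper are constructed for illustration.

```python
import re

LINE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] (\w+)\s+\[([\w.$]+)\] - (.*)$")
ETYPE = re.compile(r"Session will use encryption type (\S+) \((\d+)\)")
NO_ENTRY = re.compile(r"No server entry found for kerberos principal name (\S+)")
KDC_ERR = re.compile(r"^(.*) \((\d+)\)$")

# Deprecated enctype numbers: single DES (RFC 6649), 3DES and RC4 (RFC 8429).
WEAK_ETYPES = {1, 2, 3, 16, 23}
# RFC 4120 names for the two error codes that appear in the log.
KDC_ERRORS = {
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN: service principal missing from the KDC store",
    25: "KDC_ERR_PREAUTH_REQUIRED: normal first leg, client retries with a timestamp",
}

# Constructed sample lines; the principal is a placeholder, not from the post.
SAMPLE_LOG = """\
[08:11:23] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Additional pre-authentication required
[08:11:23] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Session will use encryption type des-cbc-md5 (3).
[08:11:24] WARN [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - No server entry found for kerberos principal name ldap/host.example.com@EXAMPLE.COM
[08:11:24] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Server not found in Kerberos database (7)
"""

def triage(log_text):
    """Return (time, kind, detail) findings from KDC debug output."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation line: stack frame or message dump field
        ts, level, logger, msg = m.groups()
        if (e := ETYPE.search(msg)) and int(e.group(2)) in WEAK_ETYPES:
            findings.append((ts, "weak-enctype", e.group(1)))
        elif n := NO_ENTRY.search(msg):
            findings.append((ts, "missing-principal", n.group(1)))
        elif level == "WARN" and logger.endswith("KerberosProtocolHandler"):
            k = KDC_ERR.match(msg)
            if k and int(k.group(2)) in KDC_ERRORS:
                findings.append((ts, "kdc-error", KDC_ERRORS[int(k.group(2))]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="  ")
```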
