Re: GSSAPI Binds to Directory Studio

[Bill MacAllister]

--On Saturday, December 18, 2010 11:18:03 PM -0800 Bill MacAllister 
<w...@stanford.edu> wrote:

--On Saturday, December 18, 2010 12:05:39 PM +0100 Stefan Seelmann 
<seelm...@apache.org> wrote:

Hi Bill,

On Sat, Dec 18, 2010 at 12:28 AM, Bill MacAllister <w...@stanford.edu> wrote:

Looks like Directory Studio is not finding my ticket cache.  I would
expect it to follow the KRB5CCNAME environment variable.  Is there
some other way to point Directory Studio at my ticket cache?

Studio uses JNDI which uses JAAS underneath which doesn't look to the
KRB5CCNAME environment variable by default, see [1] for details.

There are several workarounds, the easiest should be to append the
following argument when starting Studio:

    -Duser.krb5ccname=$KRB5CCANME

You can also create an ".ApacheDirectoryStudio.ini" file in the Studio
installation directory (assumed you are using Linux) and put the
argument into it, but then you can't use the $KRB5CCANME variable.

Hope that helps,
Stefan


[1] http://bugs.sun.com/view_bug.do?bug_id=6832353

That worked great.  Well, at least I am able to bind to the directory
now.

Well, it was working great, but now I am getting the error "Unable to
obtain Princpal Name for authentication" whenever I attempt to connect.
(The complete error is at the end of this message.  Here is an example
session:

 % klist
 Ticket cache: FILE:/tmp/krb5cc_1000_As1ndf
 Default principal: w...@stanford.edu

 Valid starting     Expires            Service principal
 01/10/11 16:23:08  01/11/11 17:23:08  krbtgt/stanford....@stanford.edu
       renew until 01/17/11 16:23:08
 % echo $KRB5CCNAME
 FILE:/tmp/krb5cc_1000_As1ndf

 % ~/a_bin/ApacheDirectoryStudio/ApacheDirectoryStudio  
-Duser.krb5ccname=$KRB5CCNAME
 0    [main] INFO  org.apache.directory.studio.Application  - Entering Apache 
Directory Studio.
 45163 [main] INFO  org.apache.directory.studio.Application  - Exiting Apache 
Directory Studio.

This is failing on a ubuntu maverick system and on debian squeeze.
Both have openjdk installed.  I have tried installing sun-java6 with
the same results.

What am I missing?

Bill

--

Bill MacAllister
Infrastructure Delivery Group, Stanford University



Error while opening connection
 javax.naming.NamingException [Root exception is 
javax.security.auth.login.LoginException: Unable to obtain Princpal Name for 
authentication ]
        at 
org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doGssapiBind(JNDIConnectionWrapper.java:1153)
        at 
org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.access$700(JNDIConnectionWrapper.java:106)
        at 
org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$7.run(JNDIConnectionWrapper.java:1041)
        at 
org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1272)
        at 
org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doBind(JNDIConnectionWrapper.java:1065)
        at 
org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.bind(JNDIConnectionWrapper.java:254)
        at 
org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
        at 
org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:114)
        at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)
Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal 
Name for authentication
        at 
com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:750)
        at 
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:646)
        at 
com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:559)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
        at 
javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
        at java.security.AccessController.doPrivileged(Native Method)
        at 
javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
        at 
org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doGssapiBind(JNDIConnectionWrapper.java:1149)
        ... 8 more

 javax.naming.NamingException [Root exception is 
javax.security.auth.login.LoginException: Unable to obtain Princpal Name for 
authentication ]