Having authenticated and got the ticket I'm now attempting an LDAP
search against the ADS that issued it:
ldapsearch -H ldap://<ADS address>:10389 -b "ou=users,dc=example,dc=com" "(uid=hnelson)" -Y GSSAPI -O "maxssf=0"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Decoding error (-4)
However, after running the command I check my ticket cache and see that
I have a ticket for the ldap service:
klist -5fea
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]
Valid starting Expires Service principal
03/11/11 13:37:24 03/12/11 13:37:24 krbtgt/[email protected]
Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
Addresses: (none)
03/11/11 13:37:32 03/12/11 13:37:24 ldap/<ADS address>@EXAMPLE.COM
Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
Addresses: (none)
The <ADS address> in the ticket is the same as the address of the LDAP
server in the original query, and also matches the saslHost in
server.xml. The saslPrincipal matches the ldap/<ADS
address>@EXAMPLE.COM value in the ticket, which is also present in the
krb5PrincipalName attribute in uid=ldap,ou=Users,dc=example,dc=com.
The server log shows the ticket being issued, but then throws an error:
[14:16:48] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] -
Unexpected exception forcing session to close: sending disconnect notice
to client.
java.security.PrivilegedActionException:
javax.security.sasl.SaslException: Failure to initialize security
context [Caused by GSSException: No valid credentials provided
(Mechanism level: Failed to find any Kerberos Key)]
Any ideas of anything else I should check?
Thanks,
Rob
On 11/03/11 12:04, Rob Hebron wrote:
Solved it by removing:
forwardable = true
proxiable = true
from the krb5.conf file used.
Rob
On 11/03/11 10:44, Rob Hebron wrote:
Hi,
I'm experimenting with GSSAPI authentication against ApacheDS 1.5.7.
Following various guides I have it working such that I am successfully
issued a TGT using kinit (on Debian) - changes mainly involved enabling
crypto protocols in server.xml. However, when I try to authenticate with
a java client I always get this error:
Kerberos username [rob]: [email protected]
Kerberos password for [email protected]:
default etypes for default_tkt_enctypes: 16.
default etypes for default_tkt_enctypes: 16.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=<kdc address> UDP:60088, timeout=30000, number
of retries =3, #bytes=134
>>> KDCCommunication: kdc=<kdc address> UDP:60088,
timeout=30000,Attempt =1, #bytes=134
>>> KrbKdcReq send: #bytes read=536
>>> KrbKdcReq send: #bytes read=536
>>> KdcAccessibility: remove<kdc address>:60088
>>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
Authentication failed:
Checksum failed
.. with no error logged on the server. I'm guessing that a checksum
verification has failed. This error is also logged when I try to
authenticate to ApacheDS server in Apache Directory Studio. I'm able to
log on to a production MIT KDC using the same java code with no problem.
A search hasn't turned up much - any ideas of what I could try?
Thanks,
Rob
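The first step in the thread's diagnosis is checking the ticket cache for a ticket whose service principal is ldap/<saslHost>@REALM, with an enctype the server's ldap key can actually use. The following is an added example (not code from the thread or from ApacheDS) that parses `klist -5fea` output and performs that check; the sample listing, the host name ads.example.com and the user principal are constructed placeholders, and the date format assumes klist's default US-style `mm/dd/yy` timestamps.

```python
import re
from datetime import datetime

# Constructed sample of `klist -5fea` output, modelled on the listing in the
# thread. Host name and user principal are placeholders, not real values.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hnelson@EXAMPLE.COM

Valid starting     Expires            Service principal
03/11/11 13:37:24  03/12/11 13:37:24  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
\tAddresses: (none)
03/11/11 13:37:32  03/12/11 13:37:24  ldap/ads.example.com@EXAMPLE.COM
\tEtype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
\tAddresses: (none)
"""

# A ticket line: start time, expiry time, service principal (assumes mm/dd/yy).
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$"
)
TIME_FMT = "%m/%d/%y %H:%M:%S"


def parse_klist(text):
    """Parse klist -5fea output into {cache, principal, tickets:[...]}."""
    cache = {"cache": None, "principal": None, "tickets": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Ticket cache:"):
            cache["cache"] = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Default principal:"):
            cache["principal"] = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            current = {
                "start": datetime.strptime(m.group(1), TIME_FMT),
                "expires": datetime.strptime(m.group(2), TIME_FMT),
                "service": m.group(3),
                "skey_etype": None,   # session key enctype
                "tkt_etype": None,    # enctype the ticket itself is encrypted with
                "addresses": None,
                "flags": None,        # only printed by klist -f; optional here
            }
            cache["tickets"].append(current)
            continue
        if current is None:
            continue  # column header ("Valid starting ...") or unknown text
        if line.startswith("Etype (skey, tkt):"):
            skey, _, tkt = line.split(":", 1)[1].strip().partition(", ")
            current["skey_etype"], current["tkt_etype"] = skey.strip(), tkt.strip()
        elif line.startswith("Addresses:"):
            current["addresses"] = line.split(":", 1)[1].strip()
        elif line.startswith("Flags:"):
            current["flags"] = line.split(":", 1)[1].strip()
    return cache


def find_ticket(cache, service_principal):
    """Return the cached ticket for an exact service principal, or None."""
    for ticket in cache["tickets"]:
        if ticket["service"] == service_principal:
            return ticket
    return None


def check_ldap_ticket(cache, sasl_host, realm, now=None, server_etypes=None):
    """Return a list of problems with the ldap/<sasl_host>@<realm> ticket (empty list = consistent).

    sasl_host is the value the server expects (saslHost in server.xml);
    server_etypes, if given, is the set of enctype names the server's ldap key has.
    now is an optional timestamp string in TIME_FMT (defaults to the current time).
    """
    problems = []
    wanted = "ldap/%s@%s" % (sasl_host, realm)
    ticket = find_ticket(cache, wanted)
    if ticket is None:
        # An ldap/ ticket under a different name means the client resolved the
        # server to a name that does not match saslHost / saslPrincipal.
        others = [t["service"] for t in cache["tickets"] if t["service"].startswith("ldap/")]
        problems.append("no ticket for %s (ldap tickets present: %s)" % (wanted, others or "none"))
        return problems
    current_time = datetime.strptime(now, TIME_FMT) if now else datetime.now()
    if not (ticket["start"] <= current_time < ticket["expires"]):
        problems.append("ticket for %s is outside its validity window (%s .. %s)"
                        % (wanted, ticket["start"], ticket["expires"]))
    if server_etypes is not None and ticket["tkt_etype"] not in server_etypes:
        problems.append("ticket enctype %r is not among the server key's enctypes (%s)"
                        % (ticket["tkt_etype"], ", ".join(sorted(server_etypes))))
    return problems


if __name__ == "__main__":
    cache = parse_klist(SAMPLE_KLIST)
    report = check_ldap_ticket(cache, "ads.example.com", "EXAMPLE.COM", now="03/11/11 14:00:00")
    for line in report or ["ldap ticket is consistent with saslHost and realm"]:
        print(line)
```

Run it against real output with `klist -5fea | python check.py` style piping by replacing SAMPLE_KLIST with `sys.stdin.read()`; the host argument should be exactly what saslHost holds (an IP address and a DNS name are different principals, which is why the thread compares the ticket's ldap/<ADS address> against saslHost and saslPrincipal).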