Would it be possible to throw together a quick page on properly configuring Kerberos in the 2.0.0-M9 version of ApacheDS? Currently the default settings for the LDAP and Kerberos servers are properly laid out in the configuration pages, however the specific user accounts that they relate to 'krbtgt/[email protected]' and 'ldap/[email protected]' no longer appear.
If an updated .ldif could be attached somewhere in the new documentation and include the default accounts and settings necessary to allow Kerberos authentication through Apache Directory Studio - that would make things much easier for new users such as myself. I have not been having success while trying to alter the older 1.5 versions of user accounts included in kdc-data.ldif and typically end up at a "server not found in kerberos database (7)" error. This has come up on both windows servers as well as ubuntu servers with modified host and krb5.conf files. Additionally I have also been making sure to enable the 'keyDerivationInterceptor' as well as the kerberos server itself and deleting/reimporting the user .ldif file to recreate the krb5 keys when necessary - although these steps are no longer included with the new 2.0.0 documentation. Below is the .ldif for dc=example,dc=com that I have been basing most of my testing from, I've tried many small variations with the ldap and krbtgt principal names however have been unable to find one which works properly. In addition I have included a larger dump of the error message (as seen from my windows server, although the ubuntu one appears identical) below that - just in case. Thanks, Stephen dn: dc=example,dc=com objectClass: dcObject objectClass: organization objectClass: top dc: example o: example.com dn: ou=users,dc=example,dc=com objectClass: organizationalUnit objectClass: top ou: users dn: uid=hnelson,ou=users,dc=example,dc=com objectClass: top objectClass: person objectClass: inetOrgPerson objectClass: krb5principal objectClass: krb5kdcentry cn: Horatio Nelson sn: Nelson uid: hnelson userPassword: secret krb5PrincipalName: [email protected] krb5KeyVersionNumber: 0 dn: uid=krbtgt,ou=users,dc=example,dc=com objectClass: top objectClass: person objectClass: inetOrgPerson objectClass: krb5principal objectClass: krb5kdcentry cn: KDC Service sn: Service uid: krbtgt userPassword: secret krb5PrincipalName: krbtgt/[email protected] krb5KeyVersionNumber: 0 dn: uid=ldap,ou=users,dc=example,dc=com objectClass: top objectClass: person objectClass: inetOrgPerson objectClass: krb5principal objectClass: krb5kdcentry cn: LDAP sn: Service uid: ldap userPassword: secret krb5PrincipalName: ldap/[email protected] krb5KeyVersionNumber: 0 ========================================================== Error while opening connection - java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)] org.apache.directory.api.ldap.model.exception.LdapException: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)] at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1469) at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1361) at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:446) at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1174) at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:459) at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:307) at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114) at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109) at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54) Caused by: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)] at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Unknown Source) at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1459) ... 8 more Caused by: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)] at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3783) at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:176) at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1463) ... 11 more Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)] at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source) at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3693) ... 13 more Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database) at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source) at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source) at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source) ... 15 more Caused by: KrbException: Server not found in Kerberos database (7) - Server not found in Kerberos database at sun.security.krb5.KrbTgsRep.<init>(Unknown Source) at sun.security.krb5.KrbTgsReq.getReply(Unknown Source) at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source) at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source) at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source) at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source) ... 18 more Caused by: KrbException: Identifier doesn't match expected value (906) at sun.security.krb5.internal.KDCRep.init(Unknown Source) at sun.security.krb5.internal.TGSRep.init(Unknown Source) at sun.security.krb5.internal.TGSRep.<init>(Unknown Source) ... 24 more java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)] *Stephen Stroiazzo | Special Project Assistant | Information Technology | AIM Holding LP *
