I solved the problem.
I put a krb5.conf file in JAVA_HOME/jre/lib/security with the following:

[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = localhost:6088
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

[login]
        krb4_convert = true
        krb4_get_tickets = false

=========

I didn't see this in the documentation and found it using Google. I ignored it 
days ago because I thought it wasn't needed in this case.

Ed Brown


-----Original Message-----
From: Kiran Ayyagari [mailto:[email protected]] 
Sent: Tuesday, June 09, 2015 4:17 AM
To: [email protected]
Subject: Re: Help Configuring LDAP/KERBEROS Needed

On Tue, Jun 9, 2015 at 11:35 AM, Ed Brown <[email protected]> wrote:

> Hi,
> I'm following the example on Kerberos integration located here:
> https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html.
> The error I get, which is at the bottom, indicates the default realm 
> cannot be found. Any pointers/help would be appreciated.
>
> TIA.
>
> According to DS Studio, I have a realm EXAMPLE.COM.
> The krbtgt user is:
>
> Krb5KeyVersionNumber=0
> Krb5PrincipalName=ldap/[email protected]
> Ou=TGT
> Uid=ldap
>
> The ldap user is:
> Krb5KeyVersionNumber=0
> Krb5PrincipalName=krbtgt/[email protected]
> Ou=LDAP
> Uid=krbtgt
>
> Kerberos server:
> Port: 60088
> Kerberos change password server:
> Port: 60464
> Primary KDC Realm: EXAMPLE.COM
> Search Base DN: dc=security,dc=example,dc=com
>
> LDAP/LDAPS Servers:
> SASL Host: example.net
> SASL Principal: ldap/[email protected]
> Search Base DN: dc=security,dc=example,dc=com
>
> Authentication:
> User: dnelson
> Kerberos settings: Obtain TGT from KDC
> Kerberos realm: EXAMPLE.COM
> KDC Host: example.net
> KDC port: 60888
>
> Local hosts file:
> 127.0.0.1              localhost example.com example.net
> ::1           localhost example.com example.net
>

config is looking good, can you restart the server and try?

>
> When I authenticate, the follow error appears in the log file (after 
> turning on debug logging), specifying it can't find the default realm:
>
> [22:59:27] DEBUG [org.apache.directory.shared.kerberos.messages.Ticket] - Ticket encoding : 0x6D 0x82 0x02 ...
> [22:59:27] DEBUG [org.apache.directory.shared.kerberos.messages.Ticket] - Ticket initial value : Ticket :
>   tkt-vno : 5
>   realm : EXAMPLE.COM
>   sname : { name-type: KRB_NT_UNKNOWN, name-string : <'ldap', 
> 'example.net'> }
>   enc-part : EncryptedData : {
>     etype: aes128-cts-hmac-sha1-96 (17)
>     cipher: 0x77 0xFF 0x5F ...
> }
>
> ...
>
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : aes128-cts-hmac-sha1-96 (17)
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : rc4-hmac (23)
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : aes256-cts-hmac-sha1-96 (18)
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : des-cbc-md5 (3)
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
> [22:59:28] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : des3-cbc-sha1-kd (16)
> [22:59:28] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.
> java.security.PrivilegedActionException: javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)]
>
>
>
> Ed Brown
>
>
>


--
Kiran Ayyagari
http://keydap.com
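Ed's fix above comes down to giving Java a krb5.conf that names a default realm and the KDC for it. As an added example, not code from the thread or from ApacheDS, here is a small Python checker that parses a krb5.conf in that layout and reports whether the settings Java's Kerberos provider needs to resolve the realm are present; the sample config embedded in it is constructed from the one posted above, and the function names are the example's own.

```python
import re

# Constructed sample, mirroring the krb5.conf layout posted in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = EXAMPLE.COM
[realms]
        EXAMPLE.COM = {
                kdc = localhost:6088
        }
[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: [values] or {nested block}}}.
    Handles [section] headers, repeated keys (several kdc lines) and the
    brace-delimited per-realm blocks used under [realms]."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
            continue
        if section is None or line == "}":       # stray text, or end of a block
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        target = block if block is not None else section
        if value == "{":                         # start of "REALM = { ... }"
            target[key] = block = {}
        else:
            target.setdefault(key, []).append(value)
    return conf

def check_realm_config(conf):
    """Return (default_realm, kdc_list, problems). A missing default_realm is
    what Java's Kerberos provider reports as 'Cannot locate default realm'."""
    realm = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if not realm:
        return None, [], ["[libdefaults] has no default_realm"]
    problems = []
    realm_cfg = conf.get("realms", {}).get(realm)
    kdcs = realm_cfg.get("kdc", []) if isinstance(realm_cfg, dict) else []
    if not kdcs:
        problems.append(f"[realms] defines no kdc for {realm}")
    return realm, kdcs, problems
```

The kdc host:port it reports is worth comparing with the port the ApacheDS Kerberos server is actually listening on, since a realm that resolves but points at the wrong port fails later, at the KDC exchange, rather than with the realm-lookup error seen here.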
