My setup:
* Ubuntu 16.04
* Oracle JRE with JCE (1.8)
* ApacheDS back-end (apacheds-2.0.0-M23)
* Apache Directory Studio Version: 2.0.0.v20161101-M12
Using kinit (localhost)
Kerberos working with kinit on localhost (using FQDN).
* kinit <uid>@<realm>
With logging enabled I can see authentication against
* krb5PrincipalName=<uid>@<realm> => OK
* krb5PrincipalName=krbtgt/<realm>@<realm> => OK
Ticket Granted
Using Directory Studio (Windows):
!! Not working !!
From the debug log:
Authenticate against
* krb5PrincipalName=<uid>@<realm> => OK
* krb5PrincipalName=ldap/<realm>@<realm> => OK
* krb5PrincipalName=ldap/<host>@<realm> => OK
All good up to this point....
[17:36:24] DEBUG [org.apache.directory.server.KERBEROS_LOG] -
/173.174.45.64:52800 SENT:
-------------------------------------------------------------------------------
KdcRep : TGS-REP
pvno : 5
msg-type : TGS_REP
crealm : MAGRATHEA.COM
cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'lhansford'> }
Ticket :
tkt-vno : 5
realm : MAGRATHEA.COM
sname : { name-type: KRB_NT_UNKNOWN, name-string : <'ldap', 'minime'> }....etc
Here is where it gets strange:
[17:36:24] DEBUG
[org.apache.directory.server.ldap.handlers.request.BindRequestHandler] -
Received: MessageType : BIND_REQUEST
Message ID : 1
BindRequest
Version : '3'
Name : ''
Sasl credentials
Mechanism :'GSSAPI'
Credentials : (omitted-for-safety)
[17:36:24] DEBUG [org.apache.directory.server.OPERATION_LOG] - >>
SearchOperation : SearchContext for Dn 'ou=users,ou=system', filter
:'(krb5PrincipalName=ldap/[email protected])'
[17:36:24] DEBUG
[org.apache.directory.server.core.authn.AuthenticationInterceptor] - Operation
Context: SearchContext for Dn 'ou=users,ou=system', filter
:'(krb5PrincipalName=ldap/[email protected])'
Which obviously fails since krb5PrincipalName=ldap/[email protected]
is a placeholder value. Stack trace:
java.lang.NullPointerException
at
org.apache.directory.server.protocol.shared.kerberos.GetPrincipal.getEntry(GetPrincipal.java:93)
at
org.apache.directory.server.protocol.shared.kerberos.GetPrincipal.execute(GetPrincipal.java:77)
at
org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler.findPrincipal(GssapiMechanismHandler.java:171)
at
org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler.getSubject(GssapiMechanismHandler.java:135)
at
org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler.handleMechanism(GssapiMechanismHandler.java:65)
at
org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handleSaslAuth(BindRequestHandler.java:587)
at
org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handle(BindRequestHandler.java:640)
at
org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handle(BindRequestHandler.java:66)
at
org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:193)
at
org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
I'm not new to networking or auth schemes but this is my first time with
Kerberos. Is this a bug? Why is there a reference to SASL? (configured SASL
just to see if EXAMPLE.COM was present and it still is).
Thanks!
-Lamar
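The log excerpt above shows a TGS-REP issued for one service principal (ldap/minime) and the GSSAPI bind handler then searching the DIT for a different krb5PrincipalName. The following is an added example, not code from the post or from ApacheDS: it parses constructed log lines modelled on the ones above and reports any krb5PrincipalName lookup that does not match the service principal the KDC actually issued the ticket for. The redacted lookup value in the post is replaced here by a clearly labelled placeholder.

```python
import re

# Constructed sample, modelled on the ApacheDS debug output in the post.
# "lhansford", "minime" and MAGRATHEA.COM come from the post; the value the
# bind handler searches for was redacted there, so a placeholder is used.
SAMPLE_LOG = """\
[17:36:24] DEBUG [org.apache.directory.server.KERBEROS_LOG] - /173.174.45.64:52800 SENT:
KdcRep : TGS-REP
crealm : MAGRATHEA.COM
cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'lhansford'> }
Ticket :
realm : MAGRATHEA.COM
sname : { name-type: KRB_NT_UNKNOWN, name-string : <'ldap', 'minime'> }
[17:36:24] DEBUG [org.apache.directory.server.OPERATION_LOG] - >> SearchOperation : SearchContext for Dn 'ou=users,ou=system', filter :'(krb5PrincipalName=ldap/PLACEHOLDER-HOST@PLACEHOLDER.REALM)'
"""

# sname : { ..., name-string : <'ldap', 'minime'> }
SNAME_RE = re.compile(r"sname\s*:\s*\{[^}]*name-string\s*:\s*<([^>]*)>")
# the ticket realm line (anchored so "crealm" is not picked up)
REALM_RE = re.compile(r"^realm\s*:\s*(\S+)", re.M)
# (krb5PrincipalName=...) filters issued by the GSSAPI bind handler
FILTER_RE = re.compile(r"\(krb5PrincipalName=([^)]+)\)")


def ticket_service_principal(log):
    """Rebuild 'svc/host@REALM' from the TGS-REP sname and ticket realm."""
    m = SNAME_RE.search(log)
    r = REALM_RE.search(log)
    if not m or not r:
        return None
    parts = re.findall(r"'([^']*)'", m.group(1))
    return "/".join(parts) + "@" + r.group(1)


def sasl_lookup_principals(log):
    """Every principal the bind handler searched for in the DIT."""
    return FILTER_RE.findall(log)


def diagnose(log):
    """Return (issued_principal, mismatched_lookups).

    A lookup that differs from the principal in the ticket means the LDAP
    server is trying to load keys for a principal the client never got a
    ticket for, which is exactly the failure pattern in the post."""
    issued = ticket_service_principal(log)
    mismatched = [p for p in sasl_lookup_principals(log) if p != issued]
    return issued, mismatched
```

Running `diagnose(SAMPLE_LOG)` on the sample reports the ticket principal `ldap/minime@MAGRATHEA.COM` and flags the placeholder lookup as the mismatch; on a real log, the lookup value is the one to compare against the server's configured SASL principal.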