Ok, found this is related to the Server SASL settings in Studio. Is this expected behavior? Isn't SASL an independent protocol?
----- Original Message -----
From: Lamar Hansford <[email protected]>
To: "[email protected]" <[email protected]>
Sent: Tuesday, January 24, 2017 5:58 PM
Subject: Apache Directory Studio with Kerberos login

My setup:
* Ubuntu 16.04
* Oracle JRE with JCE (1.8)
* ApacheDS back-end (apacheds-2.0.0-M23)
* Apache Directory Studio Version: 2.0.0.v20161101-M12

Using kinit (localhost)

Kerberos working with kinit on localhost (using FQDN).
* kinit <uid>@<realm>

With logging enabled I can see authentication against
* krb5PrincipalName=<uid>@<realm> => OK
* krb5PrincipalName=krbtgt/<realm>@<realm> => OK
Ticket Granted

Using Directory Studio (Windows): !! Not working !!

From debug log: Authenticate against
* krb5PrincipalName=<uid>@<realm> => OK
* krb5PrincipalName=ldap/<realm>@<realm> => OK
* krb5PrincipalName=ldap/<host>@<realm> => OK

All good up to this point....

[17:36:24] DEBUG [org.apache.directory.server.KERBEROS_LOG] - /173.174.45.64:52800 SENT:
>-------------------------------------------------------------------------------
KdcRep : TGS-REP
pvno : 5
msg-type : TGS_REP
crealm : MAGRATHEA.COM
cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'lhansford'> }
Ticket :
tkt-vno : 5
realm : MAGRATHEA.COM
sname : { name-type: KRB_NT_UNKNOWN, name-string : <'ldap', 'minime'> }
....etc

Here is where it gets strange:

[17:36:24] DEBUG [org.apache.directory.server.ldap.handlers.request.BindRequestHandler] - Received: MessageType : BIND_REQUEST
Message ID : 1
BindRequest
Version : '3'
Name : ''
Sasl credentials
Mechanism :'GSSAPI'
Credentials : (omitted-for-safety)
[17:36:24] DEBUG [org.apache.directory.server.OPERATION_LOG] - >> SearchOperation : SearchContext for Dn 'ou=users,ou=system', filter :'(krb5PrincipalName=ldap/[email protected])'
[17:36:24] DEBUG [org.apache.directory.server.core.authn.AuthenticationInterceptor] - Operation Context: SearchContext for Dn 'ou=users,ou=system', filter :'(krb5PrincipalName=ldap/[email protected])'

Which obviously fails since krb5PrincipalName=ldap/[email protected] is a placeholder value.

Stack trace:
java.lang.NullPointerException
 at org.apache.directory.server.protocol.shared.kerberos.GetPrincipal.getEntry(GetPrincipal.java:93)
 at org.apache.directory.server.protocol.shared.kerberos.GetPrincipal.execute(GetPrincipal.java:77)
 at org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler.findPrincipal(GssapiMechanismHandler.java:171)
 at org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler.getSubject(GssapiMechanismHandler.java:135)
 at org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler.handleMechanism(GssapiMechanismHandler.java:65)
 at org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handleSaslAuth(BindRequestHandler.java:587)
 at org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handle(BindRequestHandler.java:640)
 at org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handle(BindRequestHandler.java:66)
 at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:193)
 at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)

I'm not new to networking or auth schemes but this is my first time with Kerberos. Is this a bug? Why is there a reference to SASL? (configured SASL just to see if the EXAMPLE.COM was present and it still is).

Thanks!
-Lamar
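The failure in the quoted message is a mismatch between the service principal the KDC issued the ticket for (the TGS-REP `sname`) and the SASL principal the GSSAPI handler then searches for in the directory. The following is an added diagnostic, not code from the thread or from ApacheDS: it parses debug lines in the shape quoted above and flags the mismatch. The log text is constructed for the example and the placeholder principal in it is made up.

```python
import re

# Constructed sample modelled on the ApacheDS debug output quoted in the thread.
# The SASL placeholder principal below is invented for this example.
SAMPLE_LOG = """\
[17:36:24] DEBUG [org.apache.directory.server.KERBEROS_LOG] - /173.174.45.64:52800 SENT: KdcRep : TGS-REP pvno : 5 msg-type : TGS_REP crealm : MAGRATHEA.COM cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'lhansford'> } Ticket : tkt-vno : 5 realm : MAGRATHEA.COM sname : { name-type: KRB_NT_UNKNOWN, name-string : <'ldap', 'minime'> }
[17:36:24] DEBUG [org.apache.directory.server.ldap.handlers.request.BindRequestHandler] - Received: MessageType : BIND_REQUEST Message ID : 1 BindRequest Version : '3' Name : '' Sasl credentials Mechanism :'GSSAPI'
[17:36:24] DEBUG [org.apache.directory.server.OPERATION_LOG] - >> SearchOperation : SearchContext for Dn 'ou=users,ou=system', filter :'(krb5PrincipalName=ldap/placeholder.example.com@EXAMPLE.COM)'
"""

# Ticket realm and sname components from the TGS-REP dump.
TGS_REP_RE = re.compile(
    r"Ticket :.*?realm : (?P<realm>\S+) sname : \{ name-type: \S+, "
    r"name-string : <(?P<names>[^>]*)> \}")
# krb5PrincipalName the GSSAPI mechanism handler searches for during the bind.
SASL_LOOKUP_RE = re.compile(r"\(krb5PrincipalName=(?P<principal>[^)]+)\)")


def ticket_service_principal(log):
    """Service principal the KDC issued the ticket for, e.g. ldap/host@REALM."""
    m = TGS_REP_RE.search(log)
    if not m:
        return None
    parts = re.findall(r"'([^']*)'", m.group("names"))  # ['ldap', 'minime']
    return "/".join(parts) + "@" + m.group("realm")


def sasl_lookup_principals(log):
    """Every principal the bind handler tried to resolve in the directory."""
    return SASL_LOOKUP_RE.findall(log)


def check_sasl_principal(log):
    """Return a list of problems; an empty list means ticket and SASL principal agree."""
    issued = ticket_service_principal(log)
    if issued is None:
        return ["no TGS-REP found in log"]
    problems = []
    for looked_up in sasl_lookup_principals(log):
        # Kerberos principal names are case-sensitive, so compare exactly.
        if looked_up != issued:
            problems.append("GSSAPI handler searched for %r but the ticket was issued for %r"
                            % (looked_up, issued))
        if looked_up.endswith("@EXAMPLE.COM"):
            problems.append("SASL principal %r still carries the EXAMPLE.COM placeholder realm"
                            % looked_up)
    return problems
```

Run it over a real ApacheDS debug log to confirm that the SASL principal configured for the LDAP server is the one the KDC actually issued the service ticket for.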
