[jcifs] GSSException with jcifs-ext

David Pattison david.pattison at siemens.com
Fri Jan 21 11:26:00 GMT 2005



Hi guys,

I finally managed to resolve my previous problem of the Server Principal error
by finding a post from this very board from June 04
(http://lists.samba.org/archive/jcifs/2004-June/003497.html) to be exact.
Although that was for a very early version of what I assume has become
jcifs-ext, it's the only place I have found a good explanation of how to set up
Active Directory for Principals. 

Anyways, adding in my server principal was easy enough, but now when I login
from a client machine, I get a stack trace originating at
sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject
(Krb5AcceptCredential.java:189), specifically "GSSException: No valid
credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials
failed)". A quick look on the Sun forums revealed it has something to do with
the way the .conf file is set up, but I've tried setting storeTicketCache and
storeKey to true for jcifs.spnego.initiate and storeKey and useKeyTab to true
for jcifs.spnego.accept. Should these be placed somewhere else, or is it
all wrong?

But here's the thing: via Ethereal, I do think that Kerberos authentication is
actually taking place. No Server Principal errors, no invalid encoding errors,
and the Negotiate protocol header now contains a huge amount of data, enough
for 2 Ethereal packets, which leads me to believe that it isn't the usual
Negotiate wrapped NTLM that I've seen for the past few days in the same header.
The preceding 2 packets are a TGS-REQ and TGS-REP, but after the Negotiate
header is sent the only page returned is a 500 Internal Server Error page with
the GSSException stack trace.

My question is... well, what's wrong? Am I actually being authenticated with
Kerberos, and does anyone know how to set up the accept parameters to work
correctly?

Thanks,
David
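
Added example, not part of the original post and not jcifs code: one way to check the observation above is to decode the value of the Negotiate header and list the GSS-API mechanisms it offers, which separates raw or SPNEGO-wrapped NTLM from Kerberos. The function names and the sample token are constructed for illustration.

```python
import base64

# Well-known mechanism OIDs as DER content bytes.
MECHS = {
    bytes.fromhex("2b0601050502"): "SPNEGO",
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",
    bytes.fromhex("2a864882f712010202"): "Kerberos 5 (MS legacy OID)",
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",
}

def tlv(buf, pos, want):  # check the DER tag at pos, return (value_start, value_end)
    if pos + 2 > len(buf):
        raise ValueError("truncated token")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if tag != want or pos + length > len(buf):
        raise ValueError(f"unexpected or truncated element (tag {tag:#x})")
    return pos, pos + length

def classify_negotiate(header_value):
    """Mechanisms offered in an 'Authorization: Negotiate' value, preferred first."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):
        return ["NTLMSSP (raw)"]          # NTLM message with no SPNEGO wrapper
    pos, _ = tlv(tok, 0, 0x60)            # GSS-API InitialContextToken
    start, end = tlv(tok, pos, 0x06)      # thisMech OID
    outer = MECHS.get(tok[start:end], tok[start:end].hex())
    if outer != "SPNEGO":
        return [outer]                    # bare mechanism token, no negotiation
    pos = end
    for tag in (0xA0, 0x30, 0xA0, 0x30):  # NegTokenInit, SEQUENCE, mechTypes [0], SEQUENCE OF
        pos, stop = tlv(tok, pos, tag)
    offered = []
    while pos < stop:
        start, pos = tlv(tok, pos, 0x06)
        offered.append(MECHS.get(tok[start:pos], tok[start:pos].hex()))
    return offered

# Constructed sample: SPNEGO offering both Kerberos OIDs, then NTLMSSP; mechToken is a placeholder.
def der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length only (body < 128 bytes)
_oids = list(MECHS)  # [SPNEGO, Kerberos 5, MS legacy Kerberos, NTLMSSP]
_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in _oids[1:])))
_init = der(0xA0, der(0x30, _types + der(0xA2, der(0x04, b"placeholder"))))
SAMPLE = "Negotiate " + base64.b64encode(der(0x60, der(0x06, _oids[0]) + _init)).decode()
```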



