(no subject)

John L.Utz III jutz at centeris.com
Wed Nov 2 06:31:47 GMT 2005


Hello,

I have a Kerberos samba/java problem that you guys might be able to
help me with. The following code works fine on a Windows XP box, but
fails on a Linux box that I have joined to the domain via net ads join.


What's interesting is that the LoginContext.login() *succeeds* on both Windows and Linux; the following output is identical on both boxes:

   java GssSample
   Debug is  true storeKey true useTicketCache true useKeyTab false doNotPrompt false ticketCache is /tmp/krb5cc_0 KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
   Principal is null
   null credentials from Ticket Cache
   Kerberos username [jutz]: join
   Kerberos password for join: join
                   [Krb5LoginModule] user entered username: join

   principal is join at CORPQA.CENTERIS.COM
   Added server's keyKerberos Principal join at CORPQA.CENTERIS.COMKey Version 0key EncryptionKey: keyType=3 keyBytes (hex dump)=
   0000: EA 6B 29 A8 83 A4 0B 9B  

                   [Krb5LoginModule] added Krb5Principal  join at CORPQA.CENTERIS.COM to Subject
   Commit Succeeded

But then things go south on the Linux box, be it OpenSuSE 10 or Red Hat Enterprise Linux 4:

When it tries to create the new InitialDirContext, this error is thrown. I'll stick the full trace at the bottom.

KrbException: Server not found in Kerberos database (7)

However, I've added this guy already via net ads join, and I can see him in the Active Directory Users and Computers browser.

Can anybody hazard a guess as to why this is happening? Is there any further debug information that I might be able to provide?

tnx!

johnu

Here be the code:

import java.util.Properties;
import java.util.Hashtable;

import java.security.PrivilegedAction;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.Subject;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

import com.sun.security.auth.callback.TextCallbackHandler;

/**
 * Logs in to the Kerberos realm through JAAS (Krb5LoginModule), then opens
 * a JNDI LDAP context against Active Directory using a SASL GSSAPI bind.
 *
 * *** IMPORTANT!!! This code won't work without the file "Auth.conf" that contains the following information:
 *
 * GSS   { com.sun.security.auth.module.Krb5LoginModule required client=true debug=true storeKey=true useTicketCache=true ticketCache="/tmp/krb5cc_0";};
 *
 *
 * Created: Tue Nov  1 11:36:30 2005
 *
 * @author <a href="mailto:jutz at jutz01">John L. Utz III</a>
 * @version 1.0
 */
public class GssSample {

  /**
   * Creates a new <code>GssSample</code> instance.
   *
   */
  public GssSample() {

  }

  public static void main(String args[])
  {
    Properties p = new Properties(System.getProperties());

    // Realm and KDC used for the login; krb5.debug=true dumps the ticket exchange to stdout.
    p.setProperty("java.security.krb5.realm", "CORPQA.CENTERIS.COM");
    p.setProperty("java.security.krb5.kdc",   "corpqa-dc1.corpqa.centeris.com");
    p.setProperty("java.security.krb5.debug", "true");
    // JAAS configuration file holding the "GSS" entry shown above.
    p.setProperty("java.security.auth.login.config", "./Auth.conf");

    System.setProperties(p);

    LoginContext le = null;

    try
    {
      // Prompts for username and password on the console and obtains the TGT.
      le = new LoginContext("GSS", new TextCallbackHandler());
      le.login();
    }
    catch(LoginException e)
    {
      System.err.println("Failed to login due to : " + e);
      e.printStackTrace();
      // Without a logged-in Subject the doAs() below would fail with a NullPointerException.
      System.exit(1);
    }

    // Run the LDAP bind with the Kerberos credentials attached to the Subject.
    Subject.doAs(le.getSubject(), new JNDIAction(args));
  }
}

class JNDIAction implements PrivilegedAction
{
  private String args[];

  public JNDIAction(String args[]) { this.args = (String[])args.clone(); }

  public final Object run() {

    try
    {
      jndiDo(args);
    }
    catch(NamingException e)
    {
      System.err.println("Failed to do jndiDo due to : " + e);
      e.printStackTrace();
    }
    return null;
  }

  private static void jndiDo(String args[]) throws NamingException
  {
    Hashtable hEnv = new Hashtable(11);

    hEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    // The host part of this URL is the SASL server name, i.e. the ldap/<host> service ticket that gets requested.
    hEnv.put(Context.PROVIDER_URL,            "ldap://corpqa.centeris.com");
    // GSSAPI bind: the Kerberos service ticket is requested inside the InitialDirContext constructor.
    hEnv.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
    DirContext dcAD = new InitialDirContext(hEnv);
    dcAD.close();
  }
}

here be the full stack trace from the failure case:

KrbException: Server not found in Kerberos database (7)
        at sun.security.krb5.KrbTgsRep.<init>(DashoA12275:63)
        at sun.security.krb5.KrbTgsReq.getReply(DashoA12275:222)
        at sun.security.krb5.internal.az.a(DashoA12275:299)
        at sun.security.krb5.internal.az.a(DashoA12275:111)
        at sun.security.krb5.Credentials.acquireServiceCreds(DashoA12275:518)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:580)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:213)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
        at com.sun.security.sasl.gsskerb.GssKerberosV5.evaluateChallenge(GssKerberosV5.java:160)
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:113)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at com.sun.jndi.ldap.LdapClient.saslBind(LdapClient.java:399)
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2640)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:290)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
        at javax.naming.InitialContext.init(InitialContext.java:219)
        at javax.naming.InitialContext.<init>(InitialContext.java:195)
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:80)
        at JNDIAction.jndiDo(GssSample.java:94)
        at JNDIAction.run(GssSample.java:77)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:320)
        at GssSample.main(GssSample.java:62)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.af.a(DashoA12275:134)
        at sun.security.krb5.internal.ae.a(DashoA12275:63)
        at sun.security.krb5.internal.ae.<init>(DashoA12275:58)
        at sun.security.krb5.KrbTgsRep.<init>(DashoA12275:49)
        ... 31 more
Failed to do jndiDo due to : javax.naming.AuthenticationException: GSSAPI [Root exception is com.sun.security.sasl.preview.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
javax.naming.AuthenticationException: GSSAPI [Root exception is com.sun.security.sasl.preview.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at com.sun.jndi.ldap.LdapClient.saslBind(LdapClient.java:399)
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2640)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:290)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
        at javax.naming.InitialContext.init(InitialContext.java:219)
        at javax.naming.InitialContext.<init>(InitialContext.java:195)
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:80)
        at JNDIAction.jndiDo(GssSample.java:94)
        at JNDIAction.run(GssSample.java:77)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:320)
        at GssSample.main(GssSample.java:62)
Caused by: com.sun.security.sasl.preview.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
        at com.sun.security.sasl.gsskerb.GssKerberosV5.evaluateChallenge(GssKerberosV5.java:180)
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:113)
        ... 22 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:665)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:213)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
        at com.sun.security.sasl.gsskerb.GssKerberosV5.evaluateChallenge(GssKerberosV5.java:160)
        ... 23 more
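An added diagnostic, not part of the original post: the SASL GSSAPI bind in GssSample asks the KDC for a ticket to ldap/<host taken from PROVIDER_URL>, so this class isolates that single TGS request and prints the principal name it asked for. Comparing that name with the servicePrincipalName values registered on the domain controller is the check for a "Server not found in Kerberos database (7)" error. It assumes the same Auth.conf, "GSS" JAAS entry and realm settings as GssSample.

```java
import java.net.URI;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import com.sun.security.auth.callback.TextCallbackHandler;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** Requests only the ldap/<host> service ticket that the JNDI GSSAPI bind would request. */
public class SpnCheck {
    static final String KRB5_MECH = "1.2.840.113554.1.2.2"; // Kerberos V5 mechanism OID

    /** Host part of the provider URL: this is what becomes the "ldap@host" GSS target. */
    static String hostFromUrl(String ldapUrl) {
        return URI.create(ldapUrl).getHost();
    }

    /** Asks the KDC for a ticket to ldap@host and returns the principal that was requested. */
    static String probe(String host) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        Oid krb5 = new Oid(KRB5_MECH);
        GSSName target = mgr.createName("ldap@" + host, GSSName.NT_HOSTBASED_SERVICE, krb5);
        // canonicalize() shows the Kerberos principal the mechanism actually resolves the host to
        String principal = target.canonicalize(krb5).toString();
        GSSContext ctx = mgr.createContext(target, krb5, null, GSSContext.DEFAULT_LIFETIME);
        try {
            ctx.initSecContext(new byte[0], 0, 0); // sends the TGS-REQ; KRB error 7 surfaces here
        } finally {
            ctx.dispose();
        }
        return principal;
    }

    public static void main(String[] args) throws Exception {
        final String url = args.length > 0 ? args[0] : "ldap://corpqa.centeris.com";
        // Same settings as GssSample (assumed): Auth.conf with the "GSS" entry, realm and KDC.
        System.setProperty("java.security.auth.login.config", "./Auth.conf");
        System.setProperty("java.security.krb5.realm", "CORPQA.CENTERIS.COM");
        System.setProperty("java.security.krb5.kdc", "corpqa-dc1.corpqa.centeris.com");
        LoginContext lc = new LoginContext("GSS", new TextCallbackHandler());
        lc.login();
        Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction() {
            public Object run() throws GSSException {
                String host = hostFromUrl(url);
                System.out.println("GSSAPI target for " + url + " is ldap@" + host);
                System.out.println("service ticket obtained for " + probe(host));
                return null;
            }
        });
    }
}
```

Run it with the same PROVIDER_URL as GssSample and then with the domain controller's own FQDN; the two printed principal names show which SPN each bind would need the KDC to know.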