Re: Accepting secure context on Server without KDC-Login

Olfmatic olfmatic at web.de
Thu Sep 7 09:23:16 EDT 2006


The problem is, my server application cannot reach the KDC. The KDC's hostname cannot be resolved by the server. So if I call

lc.login()

I get an UnknownHostException because the KDC's hostname is unknown.

Thank you for your help.

-----Original Message-----
From: Olfmatic [mailto:olfmatic at web.de]
Sent: Thursday, 7 September 2006 14:42
To: kerberos at mit.edu
Subject: Accepting secure context on Server without KDC-Login


Hello,

Please help me, I still don't get it:
I want to accept a secure context on my server. As far as I learned, the server does not have to contact the KDC to do so, because the shared secret is stored in a keytab file created on the KDC and then stored at the server. But my experience was different.

This is my code:

	import org.ietf.jgss.*;   // GSSManager, GSSName, GSSCredential, GSSContext, Oid, GSSException

	Oid tKrb5Oid = new Oid("1.2.840.113554.1.2.2");   // Kerberos V5 mechanism OID
	GSSManager tGSSManager = GSSManager.getInstance();
	String tPrincName = "servicename/hostname@REALM";
	GSSName tServerName = tGSSManager.createName(tPrincName, GSSName.NT_USER_NAME);
	// ACCEPT_ONLY credentials are built from the KerberosKey objects in the current
	// Subject (the keytab entries stored by Krb5LoginModule), not from a ticket cache.
	GSSCredential tServerCredential = tGSSManager.createCredential(tServerName,
		GSSCredential.INDEFINITE_LIFETIME, tKrb5Oid, GSSCredential.ACCEPT_ONLY);
	// Acceptor-side context: the one-argument createContext takes only our own credential
	// (the four-argument form names a peer and is meant for initiators).
	GSSContext tSecureContext = tGSSManager.createContext(tServerCredential);
	byte [] tInToken = aToken;   // the AP-REQ token received from the client
	byte [] tOutToken = tSecureContext.acceptSecContext(tInToken, 0, tInToken.length);

If I execute this code in a PrivilegedAction after logging in to the KDC with the Krb5LoginModule, everything is fine. Now what I want is for the server to accept the secure context WITHOUT trying to contact the KDC. Do I have to log in with the Krb5LoginModule anyway? Or can the above code also be executed without a prior KDC login?
But then how do I tell the server application where to find the keytab file? As far as I know, the keytab file is configured in the configuration of LoginModules:

JaasLogin {
    //Kerberos single-sign-on login module
    com.sun.security.auth.module.Krb5LoginModule required debug=true useKeyTab=true keyTab=C:/krb5.keytab ;
};
 

But if I never call

	LoginContext tLoginContext = new LoginContext("JaasLogin");
	tLoginContext.login();
	final Subject tSubject = tLoginContext.getSubject();

then how can the application know that it shall use a keytab and where to find it?

If I log in with the Krb5LoginModule, the server looks for the KDC, which is not what I want.
If I do not log in with the Krb5LoginModule, I get the error message "Attempt to obtain new ACCEPT credentials failed", which seems clear to me because the server application doesn't know anything about the keytab file.
What do I have to do? Login or no Login?

Thanks for any help.

Florian
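Added example, not part of Florian's post or of any reply in the thread: an acceptor that reads its long-term key from a keytab through Krb5LoginModule and then accepts the client's token inside the resulting Subject. The point it illustrates is that the JAAS login is still what tells the JDK where the keytab is, but with `isInitiator=false` (a Krb5LoginModule option that exists from JDK 6 on) `login()` only loads the key and does not request a TGT, so the KDC is never contacted. The JAAS entry name `KeytabAcceptor`, the keytab path, the principal `servicename/hostname@REALM` and the realm are assumptions; the realm must still be known from krb5.conf (or the `java.security.krb5.realm` / `java.security.krb5.kdc` system properties) so that principal names can be parsed, but no connection to the configured KDC is made on the acceptor path.

```java
/*
 * Added example (not code from the original post). Assumed names: the JAAS entry
 * "KeytabAcceptor", the keytab path, the principal and the realm.
 *
 * jaas.conf, selected with -Djava.security.auth.login.config=jaas.conf:
 *
 * KeytabAcceptor {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *         useKeyTab=true
 *         keyTab="C:/krb5.keytab"
 *         principal="servicename/hostname@REALM"
 *         storeKey=true         // keep the long-term key in the Subject for acceptSecContext
 *         doNotPrompt=true      // never fall back to asking for a password
 *         isInitiator=false;    // JDK 6+: acceptor only, so login() sends no AS-REQ to the KDC
 * };
 */
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class KeytabAcceptor {

    // Assumed JAAS entry name and service principal (see the jaas.conf above).
    private static final String JAAS_ENTRY = "KeytabAcceptor";
    private static final String SERVICE_PRINCIPAL = "servicename/hostname@REALM";
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    /**
     * Log in from the keytab once at startup. With isInitiator=false the module only
     * reads the keytab entry and stores it as a KerberosKey in the Subject; it does
     * not talk to the KDC, so an unresolvable KDC hostname no longer matters here.
     */
    public static Subject loginFromKeytab() throws LoginException {
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        return lc.getSubject();
    }

    /**
     * Accept one client token inside the service Subject. Returns the reply token to
     * send back to the client, or null when the mechanism has nothing to send.
     */
    public static byte[] acceptToken(Subject service, final byte[] inToken) throws Exception {
        return Subject.doAs(service, new PrivilegedExceptionAction<byte[]>() {
            public byte[] run() throws GSSException {
                Oid krb5 = new Oid(KRB5_MECH_OID);
                GSSManager mgr = GSSManager.getInstance();
                GSSName serverName = mgr.createName(SERVICE_PRINCIPAL, GSSName.NT_USER_NAME);

                // ACCEPT_ONLY: the credential is taken from the KerberosKey in the
                // current Subject, which is why this runs inside Subject.doAs.
                GSSCredential cred = mgr.createCredential(serverName,
                        GSSCredential.INDEFINITE_LIFETIME, krb5, GSSCredential.ACCEPT_ONLY);

                // Acceptor-side context: only our own credential, no peer name.
                GSSContext ctx = mgr.createContext(cred);
                byte[] outToken = ctx.acceptSecContext(inToken, 0, inToken.length);

                if (ctx.isEstablished()) {
                    // The client identity is authenticated by the AP-REQ alone; the
                    // service key from the keytab is all that was needed to verify it.
                    System.out.println("authenticated client: " + ctx.getSrcName()
                            + ", mutual auth: " + ctx.getMutualAuthState());
                }
                return outToken;
            }
        });
    }

    /** Usage: the token bytes would normally arrive over the application's own transport. */
    public static void main(String[] args) throws Exception {
        Subject service = loginFromKeytab();
        byte[] clientToken = new byte[0];   // placeholder; a real AP-REQ comes from the client
        byte[] reply = acceptToken(service, clientToken);
        System.out.println("reply token length: " + (reply == null ? 0 : reply.length));
    }
}
```

Two things to keep in mind when using this pattern. The `LoginContext` is not the part that contacts the KDC; the TGT request that the default (initiator) configuration performs is. Once the Subject holds the key, `createCredential(..., ACCEPT_ONLY)` and `acceptSecContext` work entirely from that key. And if you prefer not to write the `LoginContext` code at all, the JDK's GSS provider will perform the login itself when `javax.security.auth.useSubjectCredsOnly=false` is set and the JAAS configuration contains an entry named `com.sun.security.jgss.accept` (the same Krb5LoginModule options as above); the explicit `LoginContext` form is shown here because it makes the no-KDC-contact behaviour visible in one place.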



