Java GSSAPI Server Failure
slushpupie at gmail.com
Thu May 10 23:12:48 EDT 2007
So I'm trying to figure out what, if anything, I did wrong that my code
doesn't work for "simple" host names (host names with a single dot, like
foo.com or slushpupie.com).
I managed to reduce the code to around 40 lines to illustrate my
problem. When the following program is run using a principal
containing a hostname with multiple dots (e.g. foo.bar.com) it
executes perfectly. However, with a simple hostname (like foo.com or
slushpupie.com) I get the following error:
$ java GetKeytab xmpp@slushpupie.com
serviceName: xmpp@slushpupie.com
Debug is true storeKey true useTicketCache false useKeyTab true
doNotPrompt true ticketCache is null isInitiator true KeyTab is
/etc/jabber.keytab refreshKrb5Config is false principal is
xmpp/slushpupie.com tryFirstPass is false useFirstPass is false
storePass is false clearPass is false
principal's key obtained from the keytab
Acquire TGT using AS Exchange
principal is xmpp/slushpupie.com@SLUSHPUPIE.COM
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: B6 44 3E B5 C4 02 9E 23
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 83 44 76 08 C8 70
61 46 9B 29 C4 E6 C1 D5 0E 32 .#v..paF.).....2
0010: 4C 44 2F 85 0E 0B 46 5E
Added server's keyKerberos Principal
xmpp/slushpupie.com@SLUSHPUPIE.COMKey Version 3key EncryptionKey:
keyType=1 keyBytes (hex dump)=
0000: B6 44 3E B5 C4 02 9E 23
[Krb5LoginModule] added Krb5Principal
xmpp/slushpupie.com@SLUSHPUPIE.COM to Subject
Added server's keyKerberos Principal
xmpp/slushpupie.com@SLUSHPUPIE.COMKey Version 3key EncryptionKey:
keyType=16 keyBytes (hex dump)=
0000: 83 44 76 08 C8 70 61 46 9B 29 C4 E6 C1 D5 0E 32 .#v..paF.).....2
0010: 4C 44 2F 85 0E 0B 46 5E
[Krb5LoginModule] added Krb5Principal
xmpp/slushpupie.com@SLUSHPUPIE.COM to Subject
Commit Succeeded
GSSException: No valid credentials provided (Mechanism level: Failed
to find any Kerberos Key)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:75)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:77)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:45)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at GetKeytab.main(GetKeytab.java:27)
What I notice as odd is that, in the debugging, it seems to find the keytab
and principal ok, but fails to get any useful keys from it.
Here is the code:
import java.security.*;
import javax.security.sasl.*;
import javax.security.auth.*;
import javax.security.auth.login.*;
import org.ietf.jgss.*;

public class GetKeytab {
    public static void main(String[] args) {
        try {
            // JAAS login configuration (see gss.conf below)
            System.setProperty("java.security.auth.login.config", "gss.conf");
            System.setProperty("sun.security.jgss.debug", "true");
            // Let JGSS obtain credentials through JAAS rather than requiring
            // them in the current Subject
            System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

            // Kerberos V5 mechanism OID
            Oid KRB5_OID = new Oid("1.2.840.113554.1.2.2");
            GSSManager mgr = GSSManager.getInstance();

            // args[0] is a host-based service name of the form service@host
            GSSName serviceName = mgr.createName(
                    args[0],
                    GSSName.NT_HOSTBASED_SERVICE,
                    KRB5_OID);
            System.out.println("serviceName: " + serviceName.toString());

            // Acceptor (server-side) credential; this is the call that
            // throws the GSSException shown above
            GSSCredential cred = mgr.createCredential(
                    serviceName,
                    GSSCredential.INDEFINITE_LIFETIME,
                    KRB5_OID,
                    GSSCredential.ACCEPT_ONLY);

            GSSContext secCtx = mgr.createContext(cred);
            System.out.println("Context lifetime: " + secCtx.getLifetime());
        } catch (Exception e) {
            e.printStackTrace();
            return;
        }
    }
}
gss.conf:
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required storeKey=true
        keyTab="krb5.keytab" doNotPrompt=true useKeyTab=true
        principal="xmpp/slushpupie.com@SLUSHPUPIE.COM" debug=true;
};
Note that I do change the principal in the gss.conf to match what
GetKeytab is being run with.
Any hints at all?
--
Jay Kline