Java GSSAPI Server Failure

Seema Malkani Seema.Malkani at Sun.COM
Mon May 14 14:01:28 EDT 2007


Please check the service principal name that you pass as args[0] in your 
code.

Here is an example:

Oid krb5 = new Oid("1.2.840.113554.1.2.2");
GSSManager manager = GSSManager.getInstance();
// create a host based service name
GSSName name = manager.createName("service@host",
                   GSSName.NT_HOSTBASED_SERVICE, krb5);

Seema

slushpupie at gmail.com wrote:
> So I'm trying to figure out what, if anything, I did wrong that my code
> doesn't work for "simple" host names (host names with a single dot, like
> foo.com or slushpupie.com).
>
> I managed to reduce the code to around 40 lines to illustrate my
> problem.  When the following program is run using a principal
> containing a hostname with multiple dots (e.g. foo.bar.com) it
> executes perfectly.  However, with a simple hostname (like foo.com or
> slushpupie.com) I get the following error:
>
>
> $ java GetKeytab xmpp@slushpupie.com
> serviceName: xmpp@slushpupie.com
> Debug is  true storeKey true useTicketCache false useKeyTab true
> doNotPrompt true ticketCache is null isInitiator true KeyTab is
> /etc/jabber.keytab refreshKrb5Config is false principal is
> xmpp/slushpupie.com tryFirstPass is false useFirstPass is false
> storePass is false clearPass is false
> principal's key obtained from the keytab
> Acquire TGT using AS Exchange
> principal is xmpp/slushpupie.com@SLUSHPUPIE.COM
> EncryptionKey: keyType=1 keyBytes (hex dump)=0000: B6 44 3E B5 C4 02 9E 23
> EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 83 44 76 08 C8 70
> 61 46   9B 29 C4 E6 C1 D5 0E 32  .#v..paF.).....2
> 0010: 4C 44 2F 85 0E 0B 46 5E
> Added server's keyKerberos Principal
> xmpp/slushpupie.com@SLUSHPUPIE.COMKey Version 3key EncryptionKey:
> keyType=1 keyBytes (hex dump)=
> 0000: B6 44 3E B5 C4 02 9E 23
>
>                 [Krb5LoginModule] added Krb5Principal
> xmpp/slushpupie.com@SLUSHPUPIE.COM to Subject
> Added server's keyKerberos Principal
> xmpp/slushpupie.com@SLUSHPUPIE.COMKey Version 3key EncryptionKey:
> keyType=16 keyBytes (hex dump)=
> 0000: 83 44 76 08 C8 70 61 46   9B 29 C4 E6 C1 D5 0E 32  .#v..paF.).....2
> 0010: 4C 44 2F 85 0E 0B 46 5E
>
>                 [Krb5LoginModule] added Krb5Principal
> xmpp/slushpupie.com@SLUSHPUPIE.COM to Subject
> Commit Succeeded
>
> GSSException: No valid credentials provided (Mechanism level: Failed
> to find any Kerberos Key)
>         at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:75)
>         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:77)
>         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
>         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
>         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:45)
>         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
>         at GetKeytab.main(GetKeytab.java:27)
>
>
>
> What I notice as odd, is in the debugging it seems to find the keytab
> and principal ok, but fails to get any useful keys from it.
>
> Here is the code:
>
> import java.security.*;
> import javax.security.sasl.*;
> import javax.security.auth.*;
> import javax.security.auth.login.*;
> import org.ietf.jgss.*;
>
> public class GetKeytab {
>         public static void main(String args[]) {
>                 try {
>                         System.setProperty("java.security.auth.login.config","gss.conf");
>                         System.setProperty("sun.security.jgss.debug","true");
>                         System.setProperty("javax.security.auth.useSubjectCredsOnly","false");
>                         Oid KRB5_OID = new Oid("1.2.840.113554.1.2.2");
>                         GSSManager mgr = GSSManager.getInstance();
>                         GSSName serviceName= mgr.createName(
>                                 args[0],  // host-based service name
>                                 GSSName.NT_HOSTBASED_SERVICE,
>                                 KRB5_OID);
>                         System.out.println("serviceName: "+serviceName.toString());
>                         GSSCredential cred = mgr.createCredential(
>                                 serviceName,
>                                 GSSCredential.INDEFINITE_LIFETIME,
>                                 KRB5_OID,
>                                 GSSCredential.ACCEPT_ONLY);  // acceptor (server-side) credential
>                         GSSContext secCtx = mgr.createContext(cred);
>                         System.out.println("Context lifetime: "+secCtx.getLifetime());
>                 } catch (Exception e) {
>                         e.printStackTrace();
>                         return;
>                 }
>         }
> }
>
>
> gss.conf:
> com.sun.security.jgss.accept {
>   com.sun.security.auth.module.Krb5LoginModule required
>     storeKey=true
>     keyTab="krb5.keytab"
>     doNotPrompt=true
>     useKeyTab=true
>     principal="xmpp/slushpupie.com@SLUSHPUPIE.COM"
>     debug=true;
> };
>
> Note that I do change the principal in the gss.conf to match what
> GetKeytab is being run with.
>
> Any hints at all?
>
>   
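
Added example, not part of the original thread and not JDK code: a small helper for the check suggested in the reply. It takes the string passed as args[0] and the principal= value from gss.conf and reports whether they name the same service and host. The class and method names are hypothetical, and the comparison is purely textual (no DNS canonicalization or realm lookup is performed).

```java
import java.util.Locale;

public class ServiceNameCheck {
    final String service, host, realm;   // realm is null when the input had none

    ServiceNameCheck(String service, String host, String realm) {
        if (service.isEmpty() || host.isEmpty())
            throw new IllegalArgumentException("service and host are both required");
        this.service = service;
        this.host = host.toLowerCase(Locale.ROOT);
        this.realm = (realm == null || realm.isEmpty()) ? null : realm;
    }

    /** Accepts "service@host" (host-based) or "service/host[@REALM]" (Kerberos principal). */
    static ServiceNameCheck parse(String s) {
        int slash = s.indexOf('/');
        int at = s.lastIndexOf('@');
        if (slash > 0) {                              // Kerberos principal syntax
            String h = at > slash ? s.substring(slash + 1, at) : s.substring(slash + 1);
            String r = at > slash ? s.substring(at + 1) : null;
            return new ServiceNameCheck(s.substring(0, slash), h, r);
        }
        if (at > 0)                                   // host-based syntax
            return new ServiceNameCheck(s.substring(0, at), s.substring(at + 1), null);
        throw new IllegalArgumentException("not service@host or service/host@REALM: " + s);
    }

    /** String to pass to createName(..., GSSName.NT_HOSTBASED_SERVICE, krb5). */
    String hostBased() { return service + "@" + host; }

    /** String for the Krb5LoginModule principal= option. */
    String principal(String defaultRealm) {
        return service + "/" + host + "@" + (realm != null ? realm : defaultRealm);
    }

    /** True when both inputs name the same service on the same host. */
    static boolean sameService(String gssArg, String jaasPrincipal) {
        ServiceNameCheck a = parse(gssArg), b = parse(jaasPrincipal);
        return a.service.equals(b.service) && a.host.equals(b.host);
    }

    public static void main(String[] args) {
        // Constructed inputs modelled on the principal shown in the thread.
        String jaas = "xmpp/slushpupie.com@SLUSHPUPIE.COM";
        String[] candidates = { "xmpp@slushpupie.com", jaas, "xmpp@foo.bar.com" };
        for (String arg : candidates) {
            ServiceNameCheck n = parse(arg);
            System.out.println(arg + " -> createName(\"" + n.hostBased()
                    + "\"), matches gss.conf principal: " + sameService(arg, jaas));
        }
    }
}
```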



