kerberos authentification
Houda Ghaza
houda.ghaza at yahoo.fr
Fri Jun 25 04:39:47 EDT 2010
hi all.
i enalbed kerberso in apacheDS according to this documentation:
but when i try to test a user authentication in Apache directory studio
i got this error:
L'authentification a échouée
javax.naming.NamingException [Root exception is
javax.security.auth.login.LoginException: The client or server has a
null key (9) - The client or server has a null key]
at
org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doGssapiBind(JNDIConnectionWrapper.java:1153)
at
org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.access$700(JNDIConnectionWrapper.java:106)
at
org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$7.run(JNDIConnectionWrapper.java:1041)
at
org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1272)
at
org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doBind(JNDIConnectionWrapper.java:1065)
at
org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.bind(JNDIConnectionWrapper.java:254)
at
org.apache.directory.studio.connection.core.jobs.CheckBindRunnable.run(CheckBindRunnable.java:80)
at org.apache.directory.studio.connection.ui.RunnableContextRunner
$1.run(RunnableContextRunner.java:123)
at org.eclipse.jface.operation.ModalContext
$ModalContextThread.run(ModalContext.java:113)
Caused by: javax.security.auth.login.LoginException: The client or
server has a null key (9) - The client or server has a null key
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at
org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doGssapiBind(JNDIConnectionWrapper.java:1149)
... 8 more
Caused by: KrbException: The client or server has a null key (9) - The
client or server has a null key
at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
at sun.security.krb5.KrbAsReq.getReply(Unknown Source)
at sun.security.krb5.Credentials.sendASRequest(Unknown Source)
at sun.security.krb5.Credentials.acquireTGT(Unknown Source)
... 21 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
... 25 more
javax.naming.NamingException [Root exception is
javax.security.auth.login.LoginException: The client or server has a
null key (9) - The client or server has a null key]
i maed a search on the web to know about it but without success.
here are my server.xml and krb5.conf files.
krb5.conf
----------------
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = localhost:60088
admin_server = server.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.LOCAL
[login]
krb4_convert = true
krb4_get_tickets = false
---------------
server.xml : i uncommented de section related to kdc. and also
uncommented the interceptor.
---------------
.
.
.
<keyDerivationInterceptor/>
.
.
.
<kdcServer id="kdcServer" searchBaseDn="ou=Users,dc=example,dc=com">
<transports>
<tcpTransport port="60088" nbThreads="4" backLog="50"/>
<udpTransport port="60088" nbThreads="4" backLog="50"/>
</transports>
<directoryService>#directoryService</directoryService>
</kdcServer>
.
.
.
<ldapServer id="ldapServer"
allowAnonymousAccess="false"
saslHost="localhost"
saslPrincipal="ldap/localhost at EXAMPLE.COM"
searchBaseDn="ou=users,ou=system"
maxTimeLimit="15000"
maxSizeLimit="1000">
<transports>
<tcpTransport address="0.0.0.0" port="10389" nbThreads="8"
backLog="50" enableSSL="false"/>
<tcpTransport address="localhost" port="10636" enableSSL="true"/>
</transports>
.
.
.
thank you for your ansewers.
More information about the Kerberos
mailing list