kerberos authentication

Houda Ghaza houda.ghaza at yahoo.fr
Fri Jun 25 04:39:47 EDT 2010


Hi all,
I enabled Kerberos in ApacheDS according to this documentation:

but when I try to test a user authentication in Apache Directory Studio
I get this error:
L'authentification a échouée
  javax.naming.NamingException [Root exception is javax.security.auth.login.LoginException: The client or server has a null key (9) - The client or server has a null key]
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doGssapiBind(JNDIConnectionWrapper.java:1153)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.access$700(JNDIConnectionWrapper.java:106)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$7.run(JNDIConnectionWrapper.java:1041)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1272)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doBind(JNDIConnectionWrapper.java:1065)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.bind(JNDIConnectionWrapper.java:254)
	at org.apache.directory.studio.connection.core.jobs.CheckBindRunnable.run(CheckBindRunnable.java:80)
	at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:123)
	at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:113)
Caused by: javax.security.auth.login.LoginException: The client or server has a null key (9) - The client or server has a null key
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
	at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.access$000(Unknown Source)
	at javax.security.auth.login.LoginContext$4.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
	at javax.security.auth.login.LoginContext.login(Unknown Source)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doGssapiBind(JNDIConnectionWrapper.java:1149)
	... 8 more
Caused by: KrbException: The client or server has a null key (9) - The client or server has a null key
	at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
	at sun.security.krb5.KrbAsReq.getReply(Unknown Source)
	at sun.security.krb5.Credentials.sendASRequest(Unknown Source)
	at sun.security.krb5.Credentials.acquireTGT(Unknown Source)
	... 21 more
Caused by: KrbException: Identifier doesn't match expected value (906)
	at sun.security.krb5.internal.KDCRep.init(Unknown Source)
	at sun.security.krb5.internal.ASRep.init(Unknown Source)
	at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
	... 25 more



I searched the web for it but without success.
Here are my server.xml and krb5.conf files.

krb5.conf
----------------
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = localhost:60088
                admin_server = server.example.com
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.LOCAL

[login]
        krb4_convert = true
        krb4_get_tickets = false

---------------
server.xml: I uncommented the section related to the KDC, and also
uncommented the interceptor.
---------------
.
.
.
 <keyDerivationInterceptor/>
.
.
. 
<kdcServer id="kdcServer" searchBaseDn="ou=Users,dc=example,dc=com">
    <transports>
      <tcpTransport port="60088" nbThreads="4" backLog="50"/>
      <udpTransport port="60088" nbThreads="4" backLog="50"/>
    </transports>
    <directoryService>#directoryService</directoryService>
  </kdcServer>
.
.
.
<ldapServer id="ldapServer"
            allowAnonymousAccess="false"
            saslHost="localhost"
            saslPrincipal="ldap/localhost@EXAMPLE.COM"
            searchBaseDn="ou=users,ou=system"
            maxTimeLimit="15000"
            maxSizeLimit="1000">
    <transports>
      <tcpTransport address="0.0.0.0" port="10389" nbThreads="8"
backLog="50" enableSSL="false"/>
      <tcpTransport address="localhost" port="10636" enableSSL="true"/>
    </transports>
.
.
.


Thank you for your answers.
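A small consistency check over the krb5.conf quoted in the post, added here as an example and not part of the original message or of ApacheDS. It parses the [libdefaults], [realms] and [domain_realm] sections and reports mappings that point at a realm with no [realms] definition; on the configuration above it flags the `example.com = EXAMPLE.LOCAL` line, whose realm differs from the `EXAMPLE.COM` realm the KDC actually serves. The `KRB5_SAMPLE` constant is the post's file reproduced inline; the parser and `lint_realms` function are constructed for this example and only cover the one level of `NAME = { ... }` nesting that [realms] uses.

```python
"""Minimal krb5.conf realm consistency check (added example, not from the thread)."""
import re

# The krb5.conf quoted in the post, embedded so the check runs offline.
KRB5_SAMPLE = """\
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = localhost:60088
                admin_server = server.example.com
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.LOCAL

[login]
        krb4_convert = true
        krb4_get_tickets = false
"""


def parse_krb5_conf(text):
    """Return {section: {key: value_or_dict}} for a krb5.conf-style file.

    Handles one level of `NAME = { ... }` grouping (enough for [realms]).
    Comments starting with # or ; and blank lines are skipped.
    """
    conf = {}
    section = None
    block = None  # (name, dict) while inside a `{ ... }` group
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            conf.setdefault(section, {})
            continue
        if section is None:
            raise ValueError("key outside of any section: %r" % raw)
        if line == "}":
            if block is None:
                raise ValueError("unbalanced '}' in section %s" % section)
            conf[section][block[0]] = block[1]
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = (key, {})
        elif block is not None:
            block[1][key] = value
        else:
            conf[section][key] = value
    if block is not None:
        raise ValueError("unterminated '{' for %s" % block[0])
    return conf


def lint_realms(conf):
    """Return a list of findings about realm names that do not line up."""
    findings = []
    realms = conf.get("realms", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm and default_realm not in realms:
        findings.append("default_realm %s has no [realms] entry" % default_realm)
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append("[domain_realm] maps %s to %s, which is not defined in [realms]"
                            % (domain, realm))
        if realm != realm.upper():
            findings.append("realm name %s is not upper-case" % realm)
    for name, settings in realms.items():
        # A realm block without a kdc line cannot be used for an AS request.
        if not isinstance(settings, dict) or "kdc" not in settings:
            findings.append("realm %s defines no kdc" % name)
    return findings


if __name__ == "__main__":
    for finding in lint_realms(parse_krb5_conf(KRB5_SAMPLE)):
        print("WARNING:", finding)
```

Run it as a script and it prints one warning for the `EXAMPLE.LOCAL` mapping; the [login] section is parsed but ignored, since the check only cares about realm names matching between sections.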



