Could you help me to resolve the Kerberos error?
Douglas E. Engert
deengert at anl.gov
Fri Jun 21 10:43:31 EDT 2013
Here is another good example of java ldap and gssapi and JAAS:
http://code.google.com/p/vt-middleware/wiki/vtldap
The VTLDAP package is used with Shibboleth...
On 6/20/2013 8:19 PM, Zhutiemin wrote:
> Darek:
> Thank you for your reply.
>
> I will check it and conduct an experiment to test it.
>
> I use Krb5LoginModule class to authenticate users using Kerberos protocols
>
> It is defined in the configuration
>
> AdServiceImplForKerberos {
> com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=FALSE refreshKrb5Config=TRUE;
> };
>
> And I implement the authentication by LoginContext class
>
> The following section of code is a part of the entire project:
>
> LdapContext ctx = null;
>
> Hashtable<String, String> env = new Hashtable<String, String>();
> env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
> env.put(Context.PROVIDER_URL, ldapURL);
> env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
> // With GSSAPI the Kerberos credentials come from the JAAS Subject this code runs under
> // (the Subject.doAs frame in the trace), not from these two properties.
> env.put(Context.SECURITY_PRINCIPAL, adminAccount);
> env.put(Context.SECURITY_CREDENTIALS, adminPassword);
> env.put("java.naming.ldap.attributes.binary", "objectSid");
> // Missing from the excerpt: the context has to be created before it is searched; this is the
> // InitialLdapContext.<init> step where the GSSAPI bind fails in the trace.
> ctx = new InitialLdapContext(env, null);
> SearchControls constraints = new SearchControls();
> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> String searchFilter = "(CN=" + machineName + ")";
> NamingEnumeration<SearchResult> results =
>     ctx.search(changeDomainInfo(domain), searchFilter, constraints);
> while (results.hasMoreElements())
> {
>     SearchResult searchResult = (SearchResult)results.next();
>     Attributes attrs = searchResult.getAttributes();
>
>     if (attrs != null)
>     {
>         Object attValue = attrs.get("objectSid").get();
>         return getSIDasStringOfBytes((byte[])attValue);
>     }
> }
>
>
> From: Darek [mailto:fafaforza at gmail.com]
> Sent: June 20, 2013 22:27
> To: Zhutiemin
> Cc: kerberos at mit.edu
> Subject: Re: Could you help me to resolve the Kerberos error?
>
>> Server not found in Kerberos database
>
> You should make sure that the forward and reverse DNS for your java application machine's IP address match, and that the hostname of the system is exactly the same as the reverse DNS.
>
> So if your system's IP is 1.2.3.4, a reverse DNS lookup would resolve to java.company.com, and the system's hostname would be java.company.com.
>
> On 6/20/2013 1:01 AM, Zhutiemin wrote:
>
> Dear MIT Kerberos Team:
>
> My name is Tiemin Zhu. I am a software engineer at Huawei Corporation.
>
> I am getting the following error with Kerberos authentication. Could you help me to resolve this error?
>
> But the result of LDAP authentication is OK.
>
> Is this a configuration error in AD?
>
> Do you have any document I could study?
>
> Thanks so much!
>
> This is the error:
>
> [2013-05-25 03:34:01,765]--[ERROR]--[pool-1-thread-39]--[AdServiceImpl.java run() 920] - search fail.
> javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
>     at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
>     at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
>     at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
>     at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
>     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
>     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
>     at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
>     at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
>     at javax.naming.InitialContext.init(Unknown Source)
>     at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
>     at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl$GetSidByIpForPrivilege.run(AdServiceImpl.java:892)
>     at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl$GetSidByIpForPrivilege.run(AdServiceImpl.java:854)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Unknown Source)
>     at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl.getSidByIp(AdServiceImpl.java:824)
>     at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl.getSidByDomain(AdServiceImpl.java:787)
>     at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl.getSidByMachineName(AdServiceImpl.java:734)
>     at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.createInstance(CombineCreateInstanceTask.java:740)
>     at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.createVm(CombineCreateInstanceTask.java:655)
>     at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.combineCreateInstance(CombineCreateInstanceTask.java:503)
>     at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.run(CombineCreateInstanceTask.java:317)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
>     at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
>     at java.util.concurrent.FutureTask.run(Unknown Source)
>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(Unknown Source)
>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>     at com.huawei.vds.common.utils.threadpool.VDSThreadFactory$Task.run(VDSThreadFactory.java:92)
>     at java.lang.Thread.run(Unknown Source)
> Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
>     at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
>     ... 32 more
> Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
>     at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
>     at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
>     at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
>     ... 33 more
> Caused by: KrbException: Server not found in Kerberos database (7)
>     at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
>     at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
>     at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
>     at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
>     at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
>     ... 36 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
>     at sun.security.krb5.internal.KDCRep.init(Unknown Source)
>     at sun.security.krb5.internal.TGSRep.init(Unknown Source)
>     at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
>
> Best regards!
>
> phone. +86 02989184490
> mobile. +86 15249061480
> email. zhutiemin at huawei.com
>
> Tiemin Zhu
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
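Darek's advice above is to verify that the application host's name, its forward DNS record and the reverse record for its IP all agree, because a name that does not round-trip leads the Kerberos client to ask the KDC for a service principal that is not registered, which is what "Server not found in Kerberos database (7)" means. The script below is an added example, not code from the thread or from any project mentioned in it: it performs that round-trip check for both the application host and the host in the LDAP URL, and prints the ldap/<host>@<REALM> name a bind would request so it can be compared with what the directory actually has registered. The resolver hooks default to the `socket` module but accept any callables, so the functions can be exercised offline against constructed name tables; the assumption that the client canonicalises the URL host through DNS before building the service principal is labelled in the code.

```python
"""Forward/reverse DNS round-trip check for a Kerberos client host and its LDAP target.

Added example for the thread above; not code from the original post or project.
Resolver hooks default to the socket module but accept any callables, so the
checks can be run offline against constructed name tables.
"""
import socket
import sys
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse


def forward_lookup(name: str) -> str:
    """A-record lookup through the system resolver (IPv4 only, for brevity)."""
    return socket.gethostbyname(name)


def reverse_lookup(ip: str) -> str:
    """PTR lookup through the system resolver; returns the canonical name."""
    return socket.gethostbyaddr(ip)[0]


def _norm(name: str) -> str:
    """Compare names case-insensitively and without a trailing dot."""
    return name.lower().rstrip(".")


def check_dns_consistency(hostname: str,
                          forward: Callable[[str], str] = forward_lookup,
                          reverse: Callable[[str], str] = reverse_lookup) -> Dict[str, object]:
    """Resolve hostname -> IP -> PTR and report anything that does not round-trip.

    An empty 'findings' list means forward and reverse DNS agree with the name
    given, which is the condition Darek asks to verify for the application host.
    LookupError is caught alongside OSError so that dict-backed resolvers
    (which raise KeyError) behave like a failed DNS query.
    """
    findings: List[str] = []
    ip: Optional[str] = None
    ptr: Optional[str] = None
    if "." not in hostname:
        findings.append(f"{hostname!r} is not fully qualified; Kerberos service names need an FQDN")
    try:
        ip = forward(hostname)
    except (OSError, LookupError) as exc:
        findings.append(f"forward lookup of {hostname} failed: {exc!r}")
        return {"hostname": hostname, "ip": ip, "ptr": ptr, "findings": findings}
    try:
        ptr = reverse(ip)
    except (OSError, LookupError) as exc:
        findings.append(f"reverse lookup of {ip} failed: {exc!r}")
        return {"hostname": hostname, "ip": ip, "ptr": ptr, "findings": findings}
    if _norm(ptr) != _norm(hostname):
        findings.append(f"PTR for {ip} is {ptr}, not {hostname}")
    return {"hostname": hostname, "ip": ip, "ptr": ptr, "findings": findings}


def expected_ldap_spn(url: str, realm: str,
                      reverse: Callable[[str], str] = reverse_lookup,
                      forward: Callable[[str], str] = forward_lookup) -> str:
    """Service principal an LDAP/GSSAPI bind to `url` will ask the KDC for.

    Assumption (not stated in the thread): the client canonicalises the URL's
    host through forward and reverse DNS before building ldap/<host>@<REALM>.
    If that canonical name is not registered as a service principal, the TGS
    request fails with 'Server not found in Kerberos database (7)'. When the
    canonicalisation itself fails, the URL host is used unchanged.
    """
    host = urlparse(url).hostname
    if host is None:
        raise ValueError(f"no host in LDAP URL {url!r}")
    try:
        canonical = reverse(forward(host))
    except (OSError, LookupError):
        canonical = host
    return f"ldap/{_norm(canonical)}@{realm.upper()}"


def main(argv: List[str]) -> int:
    """Usage: python dns_check.py ldap://dc1.example.com EXAMPLE.COM"""
    if len(argv) != 3:
        print(main.__doc__)
        return 2
    url, realm = argv[1], argv[2]
    for label, host in (("application host", socket.getfqdn()),
                        ("LDAP server", urlparse(url).hostname or "")):
        result = check_dns_consistency(host)
        status = "OK" if not result["findings"] else "MISMATCH"
        print(f"{label}: {host} -> {result['ip']} -> {result['ptr']} [{status}]")
        for finding in result["findings"]:
            print(f"  - {finding}")
    print(f"SPN the bind will request: {expected_ldap_spn(url, realm)}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the machine that performs the bind, with the same LDAP URL the JNDI code uses; a mismatch on either host, or a printed service principal that differs from the name registered in the directory, is the configuration problem to fix before touching the Java code.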