Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- 2.0.0-M2 (2.0.0.v20120127)
- None
- None
- Linux stef-desktop.thewalter.lan 3.2.5-3.fc16.x86_64 #1 SMP Thu Feb 9 01:24:38 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Description
The Kerberos integration does not support an /etc/krb5.conf where the KDCs of the realms are not included. For example, an /etc/krb5.conf that looks like:
----------------------------------------------------
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
AD.THEWALTER.LAN = {
}
[domain_realm]
.ad.thewalter.lan = AD.THEWALTER.LAN
ad.thewalter.lan = AD.THEWALTER.LAN
----------------------------------------------------
results in the error:
The authentication failed
- java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
org.apache.directory.shared.ldap.model.exception.LdapException: java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1593)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1485)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:447)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1173)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:460)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:308)
at org.apache.directory.studio.connection.core.jobs.CheckBindRunnable.run(CheckBindRunnable.java:81)
at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:123)
at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)
Caused by: java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:416)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1583)
... 8 more
Caused by: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3900)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:177)
at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1587)
... 11 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3810)
... 13 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
... 14 more
Caused by: KrbException: Cannot get kdc for realm AD.THEWALTER.LAN
at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:141)
at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:114)
at sun.security.krb5.KrbTgsReq.send(KrbTgsReq.java:188)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:204)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:555)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610)
... 17 more
java.security.PrivilegedActionException: org.apache.directory.shared.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm AD.THEWALTER.LAN)]
If I add a "kdc = dc.ad.thewalter.lan:88" to the /etc/krb5.conf in the appropriate place in the realms section, then the error goes away and we can log in. It looks like Dirstudio (or one of its libraries) does not support dns_lookup_kdc settings in /etc/krb5.conf.
I'm using the nightly snapshot from today (later than 2.0.0 M2), and my Kerberos settings are "Use native TGT" and "Use native system configuration".