  1. Directory Studio
  2. DIRSTUDIO-900

Server not found in Kerberos database


Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 2.0.0-M6 (2.0.0.v20130308)
    • None
    • studio-connection
    • ubuntu 10.04 64bit (I don't think it was relevant.)

    Description

      Follow it to the last step here, 4.2 - Authenticate with Studio — Apache Directory

      http://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html

      Please read the (1) error message, and (2) server log at the bottom.

      Everything is Okay if tested against 4.1 - Authenticate with kinit on Linux — Apache Directory

      http://directory.apache.org/apacheds/kerberos-ug/4.1-authenticate-kinit.html

      renfeng@dreadnought:~$ kinit --version
      kinit (Heimdal 1.2.1)
      Copyright 1995-2008 Kungliga Tekniska Högskolan
      Send bug-reports to heimdal-bugs@h5l.org
      renfeng@dreadnought:~$ kinit test4
      test4@ROMEO-FOXTROT.COM's Password:
      renfeng@dreadnought:~$ klist -v
      Credentials cache: FILE:/tmp/krb5cc_1000
      Principal: test4@ROMEO-FOXTROT.COM
      Cache version: 4

      Server: krbtgt/ROMEO-FOXTROT.COM@ROMEO-FOXTROT.COM
      Client: test4@ROMEO-FOXTROT.COM
      Ticket etype: aes128-cts-hmac-sha1-96
      Ticket length: 253
      Auth time: Apr 11 07:10:58 2013
      End time: Apr 11 17:10:58 2013
      Ticket flags: forwardable, proxiable, initial, pre-authenticated
      Addresses: addressless

      Nothing abnormal in server log.

      [07:10:58] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
      [07:10:58] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
      [07:10:58] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)

      The problem must have been caused by a reverse DNS lookup. When the following line was inserted into /etc/hosts, the problem was gone.

      121.228.65.198 dreadnought.romeo-foxtrot.com

      Conclusion: a reverse DNS lookup when ApacheDS Studio authenticates against the Kerberos server is unexpected, and should be unnecessary.


      (1) error message
      Error while opening connection

      • java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
        org.apache.directory.api.ldap.model.exception.LdapException: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
        at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1469)
        at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1361)
        at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:446)
        at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1174)
        at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:459)
        at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:307)
        at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
        at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
        at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
        Caused by: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:416)
        at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1459)
        ... 8 more
        Caused by: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
        at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3825)
        at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:176)
        at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1463)
        ... 11 more
        Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
        at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3735)
        ... 13 more
        Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
        ... 14 more
        Caused by: KrbException: Server not found in Kerberos database (7) - Server not found in Kerberos database
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:72)
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:193)
        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:205)
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297)
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114)
        at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:556)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610)
        ... 17 more
        Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:144)
        at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
        at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:54)
        ... 23 more

      java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database)]


      (2) server log

      [06:56:08] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
      [06:56:08] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
      [06:56:08] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
      [06:56:08] WARN [org.apache.directory.server.protocol.shared.kerberos.StoreUtils] - No server entry found for kerberos principal name ldap/121.228.65.198@ROMEO-FOXTROT.COM
      [06:56:08] WARN [org.apache.directory.server.KERBEROS_LOG] - No server entry found for kerberos principal name ldap/121.228.65.198@ROMEO-FOXTROT.COM
      [06:56:08] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Server not found in Kerberos database (7)
      [06:56:08] WARN [org.apache.directory.server.KERBEROS_LOG] - Server not found in Kerberos database (7)
      [06:56:08] ERROR [org.apache.directory.server.ldap.handlers.request.UnbindRequestHandler] - ERR_169 failed to unbind session properly
      org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException: ERR_268 Cannot find a partition for
      at org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.getPartition(DefaultPartitionNexus.java:927)
      at org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.unbind(DefaultPartitionNexus.java:794)
      at org.apache.directory.server.core.api.interceptor.BaseInterceptor$1.unbind(BaseInterceptor.java:266)
      at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:690)
      at org.apache.directory.server.core.authn.AuthenticationInterceptor.unbind(AuthenticationInterceptor.java:1159)
      at org.apache.directory.server.core.DefaultOperationManager.unbind(DefaultOperationManager.java:1230)
      at org.apache.directory.server.core.shared.DefaultCoreSession.unbind(DefaultCoreSession.java:1073)
      at org.apache.directory.server.ldap.handlers.request.UnbindRequestHandler.handle(UnbindRequestHandler.java:50)
      at org.apache.directory.server.ldap.handlers.request.UnbindRequestHandler.handle(UnbindRequestHandler.java:38)
      at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:219)
      at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
      at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:221)
      at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:217)
      at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:690)
      at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
      at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
      at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
      at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74)
      at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
      at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:474)
      at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:428)
      at java.lang.Thread.run(Thread.java:679)
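
A diagnostic for the symptom in this report, as an added example that is not part of the original report or of Apache Directory code: it scans the KDC log for "No server entry found" warnings and flags requested service principals whose host part is an IP literal, the sign that the client built the service name from an address rather than a host name. The function names are hypothetical, and the suggested replacement principal assumes the service is registered under the host name from the reporter's /etc/hosts line.

```python
import ipaddress
import re

# Sample input: lines taken from the "(2) server log" section of this report.
SAMPLE_LOG = """\
[06:56:08] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
[06:56:08] WARN [org.apache.directory.server.protocol.shared.kerberos.StoreUtils] - No server entry found for kerberos principal name ldap/121.228.65.198@ROMEO-FOXTROT.COM
[06:56:08] WARN [org.apache.directory.server.KERBEROS_LOG] - No server entry found for kerberos principal name ldap/121.228.65.198@ROMEO-FOXTROT.COM
[06:56:08] WARN [org.apache.directory.server.KERBEROS_LOG] - Server not found in Kerberos database (7)
"""
# The /etc/hosts line the reporter added, as an {address: name} map.
HOSTS = {"121.228.65.198": "dreadnought.romeo-foxtrot.com"}

MISSING = re.compile(
    r"^\[(?P<time>[\d:]+)\]\s+\w+\s+\[[^\]]+\]\s+-\s+"
    r"No server entry found for kerberos principal name (?P<principal>\S+)$")

def split_principal(principal):
    """Split 'service/host@REALM'; host is None for single-component names."""
    name, _, realm = principal.rpartition("@")
    if not name:                      # no '@': the whole string is the name
        name, realm = principal, ""
    service, _, host = name.partition("/")
    return service, host or None, realm

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def ip_literal_spn_requests(log_text, hosts=None):
    """One finding per distinct missing principal whose host part is an IP."""
    hosts, findings = hosts or {}, {}
    for line in log_text.splitlines():
        m = MISSING.match(line.strip())
        if not m:
            continue
        service, host, realm = split_principal(m["principal"])
        if host is None or not is_ip_literal(host):
            continue
        name = hosts.get(host)        # None when the address has no mapping
        entry = findings.setdefault(m["principal"], {
            "principal": m["principal"], "first_seen": m["time"], "count": 0,
            # Assumption: the service is registered under its host name.
            "spn_with_name": f"{service}/{name}@{realm}" if name else None})
        entry["count"] += 1
    return list(findings.values())

if __name__ == "__main__":
    for finding in ip_literal_spn_requests(SAMPLE_LOG, HOSTS):
        print(finding)
```

The two warnings for the same principal come from two loggers reporting one request, so the result is de-duplicated by principal and carries a count.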

          People

            Unassigned Unassigned
            renfeng Frank Ren