I use CAS with SPNEGO support; my KDC is 192.168.1.244 and my realm is EXAMPLE.COM.
I tested in my local Windows domain environment, and I can get a ticket from Example.com.
I tested it with the "kinit" command, but in the CAS SPNEGO environment there is an exception, "Client not found in Kerberos database", and I already created it in C:\windows\krb5.ini, with content as follows:
krb5.ini
[libdefaults]
ticket_lifetime = 20000
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = false
forwardable = yes
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[realms]
# use "kdc =" if realm admins haven't put SRV records into DNS
EXAMPLE.COM = {
kdc = 192.168.1.244:88
#admin_server = 192.168.1.244:749
default_domain = EXAMPLE.COM
}
[domain_realm]
.example.com = EXAMPLE.COM
example = EXAMPLE.COM
[logging]
kdc = CONSOLE
And the exception report is as follows:
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: HTTP/jack@EXAMPLE.COM
default etypes for default_tkt_enctypes: 23.
Acquire TGT using AS Exchange
>>> KdcAccessibility: reset
default etypes for default_tkt_enctypes: 23.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=192.168.1.244 UDP:88, timeout=30000, number of retries =3, #bytes=142
>>> KDCCommunication: kdc=192.168.1.244 UDP:88, timeout=30000,Attempt =1, #bytes=142
>>> KrbKdcReq send: #bytes read=96
>>> KrbKdcReq send: #bytes read=96
>>> KdcAccessibility: remove 192.168.1.244
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Tue Dec 31 15:32:08 CST 2013 1388475128000
suSec is 348958
error code is 6
error Message is Client not found in Kerberos database
realm is EXAMPLE.COM
sname is krbtgt/EXAMPLE.COM
msgType is 30
[Krb5LoginModule] authentication failed
Client not found in Kerberos database (6)
jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException
at jcifs.spnego.Authentication.processKerberos(Authentication.java:447)
at jcifs.spnego.Authentication.processSpnego(Authentication.java:346)
at jcifs.spnego.Authentication.process(Authentication.java:235)
at org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler.doAuthentication(JCIFSSpnegoAuthenticationHandler.java:70)
at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody2(AbstractPreAndPostProcessingAuthenticationHandler.java:85)
...
Caused by: KrbException: Client not found in Kerberos database (6)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
at sun.security.krb5.Credentials.sendASRequest(Credentials.java:401)
at sun.security.krb5.Credentials.acquireTGT(Credentials.java:350)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
... 176 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
... 180 more
But why is the client not found in the Kerberos database?
Should Kerberos not be created on my local machine? Thanks for any pointers.
For me, this error occurred because my Krb5LoginModule configuration file was missing the following argument in the accept section:
isInitiator=false
Without that argument, the server was also trying to contact the KDC and get a ticket - but that should not happen - the server should have no need to contact the KDC.
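For reference, this is what an acceptor entry with that argument looks like as a JAAS login configuration. It is an added illustration, not the answer's own file; the entry name jcifs.spnego.accept, the keytab path and the service principal are placeholders to adapt. The first debug line of the trace in the question (useKeyTab false, KeyTab is null, principal is null, isInitiator true) shows the opposite of every option set here.

```conf
jcifs.spnego.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        isInitiator=false
        useKeyTab=true
        storeKey=true
        doNotPrompt=true
        keyTab="/path/to/http-service.keytab"
        principal="HTTP/cas.example.com@EXAMPLE.COM";
};
```

With isInitiator=false the module only loads the service key from the keytab; the question's trace shows it instead running an AS exchange for a principal the KDC has never heard of.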
Related
My code is:
import javax.mail.Folder;
import javax.mail.Session;
import javax.mail.Store;
import javax.net.ssl.SSLContext;
import java.util.Properties;
....
....
Store store = null;
Folder mailFolder = null;
Properties props = System.getProperties();
props.setProperty("mail.store.protocol", "imaps");
try {
    // Make TLS 1.2 with the default key/trust managers the process-wide default context
    SSLContext ctx = SSLContext.getInstance("TLSv1.2");
    ctx.init(null, null, null);
    SSLContext.setDefault(ctx);
} catch (Exception e) {
    e.printStackTrace();
}
// Let JavaMail pick one of the SASL mechanisms the server advertises instead of plain LOGIN
props.setProperty("mail.imaps.sasl.enable", "true");
Session session2 = Session.getDefaultInstance(props);
session2.setDebug(true);
store = session2.getStore("imaps");
store.connect("mailtest.com", 993, "test", "test");
mailFolder = store.getDefaultFolder();
javax.mail.Folder[] f = mailFolder.list("*");
The debug output is:
DEBUG: setDebug: JavaMail version 1.4ea
DEBUG: getProvider() returning javax.mail.Provider[STORE,imaps,com.sun.mail.imap.IMAPSSLStore,Sun Microsystems, Inc]
DEBUG: mail.imap.fetchsize: 16384
DEBUG: enable SASL
OK mailtest.com
A0 CAPABILITY
CAPABILITY IMAP4rev1 CHILDREN IDLE LITERAL+ MULTIAPPEND SPECIAL-USE NAMESPACE UIDPLUS QUOTA XLIST ID LOGINDISABLED AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=GSSAPI ACL RIGHTS=texkbn
A0 OK CAPABILITY completed
IMAP DEBUG: AUTH: CRAM-MD5
IMAP DEBUG: AUTH: DIGEST-MD5
IMAP DEBUG: AUTH: GSSAPI
DEBUG: protocolConnect login, host=mailtest.com, user=test, password=
IMAP SASL DEBUG: Mechanisms: CRAM-MD5 DIGEST-MD5 GSSAPI
IMAP SASL DEBUG: callback length: 2
IMAP SASL DEBUG: callback 0: javax.security.auth.callback.NameCallback@663b1c53
IMAP SASL DEBUG: callback 1: javax.security.auth.callback.PasswordCallback@32c0c194
IMAP SASL DEBUG: SASL client CRAM-MD5
A1 AUTHENTICATE CRAM-MD5
PDQwMjM2ODc1MTEuMTU2NjkxNDZAd2VibWFpbC5zaGlyYXp1LmFjLmlyPg==
IMAP SASL DEBUG: challenge: 4023687511.15669146@mailtest.com :
IMAP SASL DEBUG: response: test 8127c2303f4866ee9e7e934227f10bc7 :
c3NvdGVzdDEgODEyN2MyMzAzZjQ4NjZlZTllN2U5MzQyMjdmMTBiYzc=
A2 LIST "" "*"
A1 NO AUTHENTICATE failed
A2 BAD Error: Unexpected item LIST
javax.mail.MessagingException: A2 BAD Error: Unexpected item LIST;
nested exception is:
com.sun.mail.iap.BadCommandException: A2 BAD Error: Unexpected item LIST
at com.sun.mail.imap.IMAPFolder.doCommand(IMAPFolder.java:2337)
at com.sun.mail.imap.DefaultFolder.list(DefaultFolder.java:62)
at com.liferay.portlet.action.NotificationPortlet.serveResource(NotificationPortlet.java:146)
The key:
A1 NO AUTHENTICATE failed
A2 BAD Error: Unexpected item LIST
The first line says you couldn't log in, for whatever reason. Because of that, the next command surprised the server. (The LIST command is only valid after successful login.)
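As an added example (not from the answer), the CRAM-MD5 arithmetic behind the "challenge:" and "response:" lines of the debug output, on both sides of the exchange, plus a replay of a constructed transcript that flags LIST being sent before any login succeeded. The credentials are the RFC 2195 test vector (user tim), not the poster's.

```python
import base64
import hmac

def cram_md5_digest(password, challenge):
    """RFC 2195: HMAC-MD5 keyed with the password over the raw server challenge, as lowercase hex."""
    return hmac.new(password.encode(), challenge, "md5").hexdigest()

def cram_md5_client_response(username, password, challenge_b64):
    """What the client sends after the '+' line: base64 of 'user digest' (the two halves the debug log prints)."""
    digest = cram_md5_digest(password, base64.b64decode(challenge_b64))
    return base64.b64encode(f"{username} {digest}".encode()).decode()

def cram_md5_server_verify(response_b64, challenge, passwords):
    """Server side: recompute from the stored password and compare in constant time -> (user, accepted).
    A mismatch (wrong password, or no such user) is what produces 'A1 NO AUTHENTICATE failed'."""
    user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    if user not in passwords:
        return user, False
    return user, hmac.compare_digest(cram_md5_digest(passwords[user], challenge), digest)

def commands_before_login(transcript):
    """Replay an IMAP transcript and list commands the client issued while still unauthenticated;
    LIST is only valid after a successful login, hence the server's 'A2 BAD'."""
    authed, pending, early = False, {}, []
    for line in transcript.splitlines():
        tag, _, rest = line.partition(" ")
        if tag in ("*", "+") or not rest:         # untagged data, continuation request, raw SASL line
            continue
        if tag in pending:                        # tagged completion of an earlier client command
            if pending.pop(tag) in ("AUTHENTICATE", "LOGIN") and rest.startswith("OK"):
                authed = True
        else:                                     # a client command
            cmd = rest.split()[0].upper()
            pending[tag] = cmd
            if not authed and cmd not in ("CAPABILITY", "AUTHENTICATE", "LOGIN", "STARTTLS", "NOOP", "LOGOUT"):
                early.append(f"{tag} {cmd}")
    return early

# Constructed transcript with the RFC 2195 example credentials (user tim), shaped like the debug log above.
SAMPLE_TRANSCRIPT = """\
A0 CAPABILITY
* CAPABILITY IMAP4rev1 LOGINDISABLED AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=GSSAPI
A0 OK CAPABILITY completed
A1 AUTHENTICATE CRAM-MD5
+ PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+
dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw
A2 LIST "" "*"
A1 NO AUTHENTICATE failed
A2 BAD Error: Unexpected item LIST
"""
```

A server can only verify CRAM-MD5 if it keeps the password (or an MD5 intermediate derived from it) in recoverable form, which is the usual reason the mechanism is disabled in favour of a plaintext mechanism inside TLS.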
I'm getting this exception every time I run the command:
kinit -k -t C:\Users\XXXX\user.keytab MYUSER
Here is the exception:
C:\Users\XXXX>kinit -k -t C:\Users\XXXX\user.keytab MYUSER
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
My krb5.ini seems to be okay!
[libdefaults]
default_realm = XXXX.COM
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
#default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
#default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
renew_lifetime = 7d
forwardable = true
ticket_lifetime = 24h
[realms]
XXXX.COM = {
admin_server = XXXX.com
kdc = XXXX.com
}
[domain_realm]
xxxx.com= XXXX.COM
What is the problem?
It's complaining that you used an incompatible algorithm when creating the keytab. When creating the keytab, I usually use RC4-HMAC:
ktutil
addent -password -p username@MYDOMAIN.COM -k 1 -e RC4-HMAC
wkt username.keytab
quit
Now it works fine.
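To see what the error is actually testing, here is an added example (not the answer's code) that parses a keytab and intersects its key types with a default_tkt_enctypes list, which is the check the client library performs before building the AS-REQ. The alias table is a constructed subset of the spellings seen in this thread, and the keytab bytes are built inline. One caveat worth ruling out first: the JDK recognises fewer enctype spellings than MIT krb5, and a name it does not know is dropped from the list rather than reported.

```python
import struct
# krb5.conf enctype names -> RFC 3961 ids (subset seen in this thread); "aes"/"rc4" are MIT family shorthands.
ENCTYPE_IDS = {"aes256-cts-hmac-sha1-96": [18], "aes256-cts": [18], "aes128-cts-hmac-sha1-96": [17],
               "aes128-cts": [17], "aes": [18, 17], "rc4-hmac": [23], "arcfour-hmac": [23], "rc4": [23],
               "des3-cbc-sha1": [16], "des3-hmac-sha1": [16], "des-cbc-md5": [3], "des-cbc-crc": [1]}

def config_enctypes(value):
    """Expand a default_tkt_enctypes value (space or comma separated) into enctype ids, in order."""
    return [e for name in value.replace(",", " ").split() for e in ENCTYPE_IDS[name.lower()]]

def _octets(blob, pos):  # counted_octet_string: uint16 length + bytes -> (bytes, next position)
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(blob):
    """Parse an MIT keytab (file format 0x0502) into a list of (principal, enctype) tuples."""
    assert blob[:2] == b"\x05\x02", "unsupported keytab version"
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                     # a negative size marks a deleted slot: skip it
            pos -= size; continue
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        realm, p = _octets(blob, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _octets(blob, p)
            comps.append(c.decode())
        p += 4 + 4 + 1                   # skip name_type, timestamp, vno8
        (etype,) = struct.unpack_from(">H", blob, p)
        entries.append(("/".join(comps) + "@" + realm.decode(), etype))
        pos += size
    return entries

def keytab_entry(principal, enctype, key, kvno=1):
    """Serialise one entry as ktutil would; used here only to build the constructed sample below."""
    name, realm = principal.split("@")
    body = struct.pack(">HH", name.count("/") + 1, len(realm)) + realm.encode()
    for c in name.split("/"):
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno) + struct.pack(">HH", enctype, len(key)) + key  # NT_PRINCIPAL, time, vno8, keyblock
    return struct.pack(">i", len(body)) + body

def usable_enctypes(tkt_enctypes, keytab_blob, principal):
    """The check behind the kinit error: configured enctypes for which the keytab actually holds a key."""
    have = {e for p, e in parse_keytab(keytab_blob) if p == principal}
    return [e for e in config_enctypes(tkt_enctypes) if e in have]
# Constructed sample: one RC4-HMAC (23) key, as "addent ... -e RC4-HMAC" in the answer above would write.
SAMPLE_KEYTAB = b"\x05\x02" + keytab_entry("MYUSER@XXXX.COM", 23, b"\x11" * 16)
```

An empty result from usable_enctypes is exactly the "Do not have keys of types listed in default_tkt_enctypes available" condition.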
I have installed MIT KDC. I am enabling Kerberos using an existing MIT KDC from Ambari. While creating principals I am getting the error below.
Failed to create principal, trinitylocal-071819@HUB.LOCAL - Failed to create a service principal for trinitylocal-071819@HUB.LOCAL
STDOUT: Authenticating as principal admin/admin@HUB.LOCAL with existing credentials.
STDERR: WARNING: no policy specified for trinitylocal-071819@HUB.LOCAL; defaulting to no policy
add_principal: Insufficient access to lock the database while creating "trinitylocal-071819@HUB.LOCAL". Administration credentials NOT DESTROYED.
I am able to create principals using kadmin.local; the commands below are also working. I am able to log in with kinit admin/admin as well.
I have tried the klist command and I am able to log in.
Below are my krb5.conf and kdc.conf.
Below is my krb5.conf
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = HUB.LOCAL
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
HUB.LOCAL = {
admin_server = HOSTNAME
kdc = HOSTNAME
}
Below is my kdc.conf
[kdcdefaults]
kdc_ports = 750,88
[realms]
EXAMPLE.COM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth
}
Solved: it was an installation issue. I didn't give the proper REALM.
I have installed krb5-appl-server and krb5-workstation, and also configured krb5.conf in /etc/krb5.conf on the KDC server.
I have created a user root/admin in the KDC.
But when I'm on the application server and type:
kadmin -p root/admin
it says: "missing parameters in krb5.conf required for kadmin client while initializing kadmin interface"
What's missing in krb5.conf?
The krb5.conf on the application server:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = test.com
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = 10.85.0.20:88
admin_server = 10.85.0.20:749
}
[domain_realm]
server.test.com = test.com
client.test.com = test.com
Thanks :D
The first thing is that case matters in realm names, so test.com and TEST.COM are not the same realm. Secondly, you don't have an admin server defined for the default realm in your krb5.conf:
default_realm = test.com
The default_realm should match at least one realm in the realm section and should be the same as the realm name you used in setting up the server.
"missing parameters in krb5.conf required for kadmin client while initializing kadmin interface" is very misleading.
I was met with the same mistake and found the error had nothing to do with krb5.conf. Maybe the error lies in your command line. In my case, I sent a wrong realm name to the -r parameter. When I set it right, the error was gone.
[realms]
EXAMPLE.COM = {
kdc = 10.85.0.20:88
admin_server = 10.85.0.20:749
}
I believe you should've replaced the EXAMPLE.COM with TEST.COM
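The answers above (and the Ambari thread further up, whose kdc.conf defined EXAMPLE.COM while krb5.conf said HUB.LOCAL) all come down to the realm name in one file not matching the other. As an added example, not code from any of the posters, here is a small krb5.conf/kdc.conf parser with exactly those checks; the sample config is constructed from the shape of the question.

```python
import re

def parse_krb5_conf(text):
    """Parse krb5.conf/kdc.conf text into {section: {key: value}}; 'NAME = {' blocks nest (simplified: '#' comments anywhere)."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        section = re.fullmatch(r"\[(\w+)\]", line)
        if section:
            stack = [conf.setdefault(section.group(1), {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def realm_problems(conf, kdc_conf=None):
    """Checks behind the kadmin failures above: default_realm must name a [realms] entry in krb5.conf
    (case-sensitive) that has an admin_server, and the KDC's kdc.conf must define that same realm."""
    realm = conf.get("libdefaults", {}).get("default_realm")
    realms = conf.get("realms", {})
    if realm is None:
        return ["no default_realm in [libdefaults]"]
    if realm not in realms:
        near = [r for r in realms if r.upper() == realm.upper()]
        hint = f"; realm names are case-sensitive, found '{near[0]}'" if near else ""
        return [f"default_realm '{realm}' has no [realms] entry" + hint]
    problems = []
    if "admin_server" not in realms[realm]:
        problems.append(f"realm '{realm}' has no admin_server")
    if kdc_conf is not None and realm not in kdc_conf.get("realms", {}):
        problems.append(f"KDC's kdc.conf does not define realm '{realm}'")
    return problems

# Constructed sample in the shape of the question: lowercase default_realm, [realms] entry under another name.
QUESTION_CONF = """\
[libdefaults]
default_realm = test.com
[realms]
EXAMPLE.COM = {
kdc = 10.85.0.20:88
admin_server = 10.85.0.20:749
}
"""
```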
I am having some trouble getting my kadmin to work. Everything is fine in kadmin.local, but whenever I use kadmin, it seems like it is using the kadm5.acl file, but it isn't.
I have in this file:
$ cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@HADOOP.COM *
kadmin can connect to the KDC server correctly, and DNS lookup and reverse DNS are working too.
My krb5.conf is like this:
$ cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 750,88
[realms]
HADOOP.COM = {
admin_keytab = FILE: /var/kerberos/krb5kdc/kadm5.keytab
kadmind_port = 749
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
database_name = /var/kerberos/krb5kdc/principal
acl_file = /var/kerberos/krb5kdc/kadm5.acl
#key_stash_file = /var/kerberos/krb5kdc/.k5.HADOOP.COM
}
and $ cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = HADOOP.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
HADOOP.COM = {
kdc = evl2400469.eu.verio.net:88
admin_server = evl2400469.eu.verio.net:749
default_domain = hadoop.com
}
[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM
So when I try to perform an operation such as adding a principal or getting the list of principals, I get:
kadmin: listprincs
get_principals: Operation requires ``list'' privilege while retrieving list.
kadmin: getprivs
current privileges: GET ADD MODIFY DELETE
I really don't know where the problem is in my configuration.
I even tried to get a ticket before using kadmin console:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kadmin/admin@HADOOP.COM
Valid starting     Expires            Service principal
05/21/14 10:13:34  05/21/14 13:13:34  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 05/22/14 10:13:34
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Thanks a lot for your help on that :)
Try editing /var/kerberos/krb5kdc/kadm5.acl with
*/admin@HADOOP.COM *
The kadmind daemon needs to be restarted in order for changes in the ACL file to become active:
service kadmind restart
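To check what a kadm5.acl line grants before restarting, here is an added example (not the answer's code) that evaluates ACL rules the way kadmind's documentation describes them: the first rule whose principal pattern matches wins, wildcards apply within a component, lowercase letters grant and uppercase letters deny. The privilege letters and their meanings are those documented for MIT kadmind; the sample ACL is the one from the question.

```python
import fnmatch

# kadm5.acl privilege letters as documented for MIT kadmind; an uppercase letter denies the same privilege.
PRIVS = {"a": "add", "c": "changepw", "d": "delete", "e": "extract", "i": "inquire",
         "l": "list", "m": "modify", "p": "propagate", "s": "setkey"}
ALL_BUT_EXTRACT = set(PRIVS) - {"e"}             # what 'x' and '*' expand to

def _split(principal):
    """'kadmin/admin@HADOOP.COM' -> (['kadmin', 'admin'], 'HADOOP.COM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        name, realm = realm, ""
    return name.split("/"), realm

def principal_matches(pattern, principal):
    """Match component by component; '*' and '?' apply within a component, so '*/admin@R' needs two components."""
    pc, pr = _split(pattern)
    cc, cr = _split(principal)
    return (len(pc) == len(cc) and fnmatch.fnmatchcase(cr, pr)
            and all(fnmatch.fnmatchcase(c, p) for c, p in zip(cc, pc)))

def parse_acl(text):
    """Each rule is: principal-pattern  permissions  [target-pattern]; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            rules.append((parts[0], parts[1], parts[2] if len(parts) > 2 else None))
    return rules

def privileges(acl_text, principal, target=None):
    """Privileges kadmind grants `principal` (optionally acting on `target`); the first matching rule wins,
    and with no matching rule nothing is granted, which is what 'Operation requires list privilege' reports."""
    for pattern, perms, target_pattern in parse_acl(acl_text):
        if not principal_matches(pattern, principal):
            continue
        if target_pattern and (target is None or not principal_matches(target_pattern, target)):
            continue
        granted = set()
        for ch in perms:
            if ch in "x*":
                granted |= ALL_BUT_EXTRACT
            elif ch in PRIVS:
                granted.add(ch)
            elif ch.lower() in PRIVS:
                granted.discard(ch.lower())
        return {PRIVS[p] for p in granted}
    return set()
```

Remember that kadmind reads the file at start-up, so what this evaluates is the file on disk, not necessarily what the running daemon loaded.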