
I am testing the JGSS sample on my local domain but have a problem with the host-based service name. Below is the setup:

  1. obtain a keytab generated with the command `ktpass -princ myservice/host.my.example.com@MY.EXAMPLE.COM -mapuser krbsrv@my.example.com -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass krbpass -out myservice-host.keytab`

  2. the system admin ran `setspn -S myservice/host.my.example.com krbsrv` to set the SPN in Active Directory.

  3. in GssClient.java, create the server principal with:

     GSSName serverName = manager.createName(serverPrinc, GSSName.NT_HOSTBASED_SERVICE);

     This results in a `java.security.PrivilegedActionException: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))` exception.

  4. but if I call `createName()` with `GSSName.NT_USER_NAME` there is no error.

  5. I have asked the system admin and verified there are no duplicates with `setspn -L krbsrv` and `setspn -X myservice/host.my.example.com`.

So is there anything I have messed up? The server is running on Solaris and the client is running on Windows, both on Java 6u27.

Advice is greatly appreciated.

zjyuan
  • Your Java version is old, upgrade! Enable debug flags to see what actual GSS name is built for the hostbased service. – Michael-O Apr 06 '14 at 13:39
  • Thanks @Michael-O for the reply. I tested with Java 7u51 and debug enabled, it is reporting the same error. From GssServer side it's printing the principal as `myservice@host.my.example.com@MY.EXAMPLE.COM`. – zjyuan Apr 07 '14 at 02:50
  • What does your SPN look like? Maybe you are supplying the wrong format. – Michael-O Apr 07 '14 at 07:23
  • I am seeing the same SPN string from jaas.conf, GssServer printout, GssClient printout. The intriguing part is GssClient will succeed in `initSecContext` if I change code to `manager.createName(serverPrinc, GSSName.NT_USER_NAME)` but not for `GSSName.NT_HOSTBASED_SERVICE`. – zjyuan Apr 08 '14 at 03:27
  • What does `serverPrinc` look like? – Michael-O Apr 08 '14 at 08:59
  • for `serverPrinc` I have tried both `myservice@host.my.example.com@MY.EXAMPLE.COM` and `myservice@host.my.example.com`. I suppose it should have the realm info. – zjyuan Apr 11 '14 at 10:49
  • No, it is always service@FQDN. – Michael-O Apr 11 '14 at 13:09

0 Answers
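An added example, not code from the question or from the JGSS sample: a small Java program that builds the target name both ways the question tried and canonicalizes each to the Kerberos mechanism, so you can read off the principal the TGS is actually asked for and compare it with the SPN registered via setspn. This is the check the comment thread asks for ("see what actual GSS name is built"). The service, host and realm strings are placeholders taken from the question; the program needs a krb5.conf with a default_realm (or the java.security.krb5.realm and java.security.krb5.kdc properties) but requests no ticket and needs no keytab. The host-based string is exactly service@host with no realm, as the last comment says; the mechanism supplies the realm.

```java
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Prints the Kerberos principal that the JGSS Kerberos mechanism derives
 * from a target name built with NT_HOSTBASED_SERVICE and with NT_USER_NAME.
 * Example code added to this page; not part of the JGSS sample.
 */
public class TargetNameCheck {

    // Kerberos V5 mechanism OID (RFC 1964).
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    // Placeholder names from the question; substitute your own.
    private static final String SERVICE = "myservice";
    private static final String HOST = "host.my.example.com";
    private static final String REALM = "MY.EXAMPLE.COM";

    /**
     * Builds a GSSName of the given type and returns the string form of its
     * Kerberos mechanism name (MN). For Kerberos that is service/host@REALM,
     * which is the principal the TGS looks up, so it must match the SPN.
     */
    static String kerberosPrincipal(GSSManager mgr, String nameStr, Oid nameType)
            throws GSSException {
        GSSName name = mgr.createName(nameStr, nameType);
        GSSName mn = name.canonicalize(new Oid(KRB5_MECH_OID));
        return mn.toString();
    }

    public static void main(String[] args) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();

        // Host-based form: service@host. No realm, no slash.
        String hostBased = SERVICE + "@" + HOST;
        // User-name form: the full Kerberos principal written out verbatim.
        String userName = SERVICE + "/" + HOST + "@" + REALM;

        String fromHostBased = kerberosPrincipal(mgr, hostBased, GSSName.NT_HOSTBASED_SERVICE);
        String fromUserName = kerberosPrincipal(mgr, userName, GSSName.NT_USER_NAME);

        System.out.println("NT_HOSTBASED_SERVICE " + hostBased + " -> " + fromHostBased);
        System.out.println("NT_USER_NAME         " + userName + " -> " + fromUserName);

        if (!fromHostBased.equals(fromUserName)) {
            // The JDK's Kerberos mechanism passes the host part of a host-based
            // name through InetAddress.getCanonicalHostName() (the exact rule
            // differs between JDK releases), so DNS (PTR records, CNAMEs) can
            // rewrite it. The user-name form is taken verbatim. If the two
            // differ, the TGS is asked for a principal that setspn never
            // registered, which is reported as "Server not found in Kerberos
            // database (7)".
            System.out.println("Mismatch: check forward and reverse DNS for " + HOST
                    + " and compare against `setspn -L` output");
        } else {
            System.out.println("Both forms resolve to the same principal");
        }
    }
}
```

Run it on the client machine (the one whose resolver the JGSS client actually uses) with `-Dsun.security.krb5.debug=true` to see the same name the client will put in its TGS-REQ; the NT_USER_NAME line always shows the principal exactly as typed, which is why that variant succeeds whenever the keytab principal and the SPN agree.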