
I'm trying to get this tutorial to work: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/lab/part5.html

I'm running a Kerberos KDC on a VM and used this guide for setting it up: http://techpubs.spinlocksolutions.com/dklar/kerberos.html

I have set up two principals: jessica@REALM.COM and host/jessica-ThinkPad-X220@REALM.COM, and the key for the second one is saved in a keytab which I copied from the VM to my test machine.

I can ping the KDC and get tickets with kinit.

I compiled all code examples (Jaas.java, GssSpNegoServer.java and GssSpNegoClient.java) without changes from the tutorial.

This is my jaas-krb5.conf:

client {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="jessica";
};

server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab=krb5.keytab
    principal="host/jessica-ThinkPad-X220";
};

I am starting the server with java -Djava.security.auth.login.config=jaas-krb5.conf GssSpNegoServer

Then, in another window, I am starting the client with java -Djava.security.auth.login.config=jaas-krb5.conf GssSpNegoClient host hostname which gives me the following error:

$ java -Djava.security.auth.login.config=jaas-krb5.conf GssSpNegoClient host jessica-ThinkPad-X220
Kerberos-Password for jessica: 
Authenticated principal: [jessica@REALM.COM]
Connected to address jessica-ThinkPad-X220/192.168.178.78
Exception in thread "main" java.security.PrivilegedActionException: GSSException: No valid credentials provided (Mechanism level: No valid  credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER))
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at Jaas.loginAndAction(Jaas.java:53)
    at GssSpNegoClient.main(GssSpNegoClient.java:56)
Caused by: GSSException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER))
    at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:454)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
    at GssSpNegoClient$GssClientAction.run(GssSpNegoClient.java:129)
    ... 4 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:770)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
    at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:882)
    at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:317)
    ... 7 more
Caused by: KrbException: Server not found in Kerberos database (7) - LOOKING_UP_SERVER
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
    at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:259)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:270)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:302)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:120)
    at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
    ... 11 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
    at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
    at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
    ... 17 more

I don't know what I am doing wrong. Can anybody help?

T-Heron
J. Horn
  • Even if you don't use Hadoop you may want to read the awe-inspiring *"Hadoop and Kerberos - the Madness beyond the Gate"* and this page specifically: https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/errors.html – Samson Scharfrichter May 30 '16 at 18:13
  • I don't think that `host/` is a "valid" principal prefix; at least most SPNEGO-over-HTTP authenticators would not act like this. The server principal should begin with `HTTP/`, e.g. `HTTP/myserver.mydomain.com@REALM`. I have found this post in relation to issue [HTTPCLIENT-1712](https://issues.apache.org/jira/browse/HTTPCLIENT-1712) – read the issue comments for more information. Your exception perhaps means "no such principal found in KDC" because the HTTP client will request a ticket for the principal in the "standard" format I have mentioned above. – dma_k May 31 '17 at 14:25

1 Answer


First check what server it is looking for in the Kerberos logs (for me located in /var/log/auth.log). You'll see the corresponding log line in there:

krb5kdc[5157]: TGS_REQ (3 etypes {18 17 16}) x.x.x.x: LOOKING_UP_SERVER: authtime 0,  ex/admin@EXAMPLE for ex2/y.y.y.y@EXAMPLE, Server not found in Kerberos database

Make sure to change y.y.y.y to the hostname of the corresponding system, and also add the hostname to the hosts file (i.e. /etc/hosts).
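To make the log check above mechanical, here is an added Python example (not code from the question, the answer or the Oracle tutorial) that parses the krb5kdc TGS_REQ line quoted in the answer and compares the server principal the client asked for with the principals a keytab holds, naming the mismatch (realm, FQDN versus short hostname, or service class such as `HTTP/` versus `host/`). The second log line, the `.example.com` suffix and the `KEYTAB` list are constructed for this example.

```python
import re

# Regex for the krb5kdc TGS_REQ line quoted in the answer above; re.search() tolerates the
# syslog prefix (timestamp, host) that precedes it in /var/log/auth.log.
TGS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]: TGS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): authtime \d+,\s+"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)(?:, (?P<msg>.*))?$"
)

def parse_principal(name: str) -> tuple:
    """Split 'service/host@REALM' into (service, host, realm); host is '' for user principals."""
    primary, _, realm = name.partition("@")
    service, _, host = primary.partition("/")
    return service, host, realm

def parse_tgs_req(line: str):
    """Fields of a krb5kdc TGS_REQ log line as a dict, or None for any other line."""
    m = TGS_REQ_RE.search(line)
    return m.groupdict() if m else None

def diagnose(requested: str, keytab_principals: list) -> str:
    """Compare the server name the client asked the KDC for with the names the service
    keytab really holds, and name the mismatch behind error 7 (LOOKING_UP_SERVER)."""
    if requested in keytab_principals:
        return "match"  # the KDC should know this name; the problem lies elsewhere
    req_svc, req_host, req_realm = parse_principal(requested)
    for kt in keytab_principals:
        svc, host, realm = parse_principal(kt)
        if svc != req_svc:
            continue
        if realm != req_realm:
            return f"realm mismatch: requested {req_realm}, keytab has {realm}"
        if host.split(".")[0].lower() == req_host.split(".")[0].lower():
            # JGSS normally canonicalizes a host-based name through DNS, so the client
            # may ask for the FQDN while the keytab only holds the short host name.
            return f"hostname mismatch: requested {req_host!r}, keytab has {host!r}"
    have = sorted({parse_principal(p)[0] for p in keytab_principals})
    return f"no keytab entry for {requested!r}; keytab service classes: {have}"

# Constructed sample: the answer's log line, then one mirroring the question's setup.
SAMPLE_LOG = [
    "krb5kdc[5157]: TGS_REQ (3 etypes {18 17 16}) x.x.x.x: LOOKING_UP_SERVER: authtime 0,  "
    "ex/admin@EXAMPLE for ex2/y.y.y.y@EXAMPLE, Server not found in Kerberos database",
    "krb5kdc[5157]: TGS_REQ (3 etypes {18 17 16}) 192.168.178.78: LOOKING_UP_SERVER: authtime "
    "0,  jessica@REALM.COM for host/jessica-ThinkPad-X220.example.com@REALM.COM, "
    "Server not found in Kerberos database",
]
KEYTAB = ["host/jessica-ThinkPad-X220@REALM.COM"]  # what `klist -k krb5.keytab` would list
```

Run `diagnose(parse_tgs_req(line)["server"], KEYTAB)` over each failed TGS_REQ line to see which part of the principal the client and the keytab disagree on.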

The UMA