Java could not get the TGT from cache in Linux client

java kerberos openldap

I have set up a Kerberos server and OpenLDAP on RHEL 5.5. I also have a RHEL 6 machine as a client. I have run my Java program using JAAS to query the OpenLDAP server from the Linux client.

I can query the OpenLDAP server if I copy the client's keytab to the client machine and use the following configuration options:

principal=wpingli
useKeyTab=true
keyTab="/home/wpingli/ker/java/wpingli_new.keytab";

I also can query the OpenLDAP server if I am prompted to input the user/password. This leads me to believe that my environment is OK.

However, I'm unable to query the server if I run my Java program after kinit:

klist
[wpingli@pli java]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: wpingli@XX.COM
Valid starting     Expires            Service principal
10/20/11 16:18:06  10/21/11 16:18:02  krbtgt/XX.COM@XX.COM

jaas configuration
GssExampleSUN {
    com.sun.security.auth.module.Krb5LoginModule required
    client=true
    debug=true
    doNotPrompt=true
    useTicketCache=true
    ticketCache="/tmp/krb5cc_500";
};

Exception:
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is /tmp/krb5cc_500 isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is null
null credentials from Ticket Cache
[Krb5LoginModule] authentication failed
Unable to obtain Princpal Name for authentication
Authentication attempt failedjavax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication

How can I fix this?

Best Answer

Java doesn't necessarily support all encryption types supported by (presumably MIT) kinit (libkrb5).

It's possible to configure the encryption types used by libkrb5 in the krb5.conf file (usually in /etc). For example (not necessarily the most secure ones):

# default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5

# default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5

# permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5

Which encryption types are supported will depend on the JRE vendor/version and its security providers.

Here is a link to the documentation for Java 6 (Oracle JRE):
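
Added example, not part of the answer above and not code from any project: a shell function that reads `klist -e` output and lists the cached tickets whose enctypes fall outside a given list, such as the one in the krb5.conf lines above. The `Etype (skey, tkt):` line format, the alias table and the `ldap/ldap.example.com` principal in the constructed sample are assumptions.

```shell
# Added example: reads `klist -e` output on stdin and prints each cached ticket
# whose session-key (skey) or ticket (tkt) enctype is not in the list in $1.
# Returns 1 if any such ticket is found, 0 otherwise.
check_ccache_etypes() {
    awk -v allowed="$1" '
    function canon(name) {   # krb5.conf alias -> canonical enctype name
        return (name in alias) ? alias[name] : name
    }
    BEGIN {
        # MIT krb5 aliases (assumption: verify against your krb5 release)
        alias["des3-hmac-sha1"]   = "des3-cbc-sha1"
        alias["arcfour-hmac-md5"] = "arcfour-hmac"
        alias["rc4-hmac"]         = "arcfour-hmac"
        alias["aes128-cts"]       = "aes128-cts-hmac-sha1-96"
        alias["aes256-cts"]       = "aes256-cts-hmac-sha1-96"
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[canon(a[i])] = 1
        bad = 0
    }
    # Ticket rows end in the service principal; skip the two header rows.
    /@/ && !/^(Default principal|Ticket cache):/ { svc = $NF; next }
    /Etype \(skey, tkt\):/ {
        sub(/^.*Etype \(skey, tkt\):[ \t]*/, "")
        sub(/[ \t\r]+$/, "")
        split($0, e, /,[ \t]*/)
        for (i = 1; i <= 2; i++)
            if (!(canon(e[i]) in ok)) {
                print svc, (i == 1 ? "skey" : "tkt") "=" e[i]
                bad = 1
            }
    }
    END { exit bad }'
}

# Constructed sample of `klist -e` output (not captured from the asker's host).
sample_klist_e() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: wpingli@XX.COM
Valid starting     Expires            Service principal
10/20/11 16:18:06  10/21/11 16:18:02  krbtgt/XX.COM@XX.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
10/20/11 16:19:10  10/21/11 16:18:02  ldap/ldap.example.com@XX.COM
        Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
EOF
}

# Demo on the sample; on a real host: klist -e | check_ccache_etypes "<list>"
sample_klist_e | check_ccache_etypes "des3-hmac-sha1 des-cbc-crc des-cbc-md5" || true
```

Pass the enctype list your JRE documents as supported; a non-empty result means the cache holds tickets the Java side may be unable to use until they are re-acquired with a matching enctype.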
