java - Kerberos user principals in Keytab and KDC with JAAS


I'm building a simple JAAS LoginModule. It uses the following code:

    import java.security.PrivilegedActionException;
    import java.security.PrivilegedExceptionAction;

    import javax.security.auth.Subject;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;

    import com.sun.security.auth.callback.TextCallbackHandler;

    public class Jaas {
        private static String name;
        private static final boolean verbose = false;

        public static void main(String[] args) throws Exception {
            if (args.length > 0) {
                name = args[0];
            } else {
                name = "client";
            }

            // Create the action to perform
            PrivilegedExceptionAction action = new MyAction();

            loginAndAction(name, action);
        }

        static void loginAndAction(String name, PrivilegedExceptionAction action)
            throws LoginException, PrivilegedActionException {

            // Create the callback handler (prompts on the console)
            CallbackHandler callbackHandler = new TextCallbackHandler();

            LoginContext context = null;

            try {
                // Create the LoginContext with the callback handler
                context = new LoginContext(name, callbackHandler);

                // Perform authentication
                context.login();
            } catch (LoginException e) {
                System.err.println("Login failed");
                e.printStackTrace();
                System.exit(-1);
            }

            // Perform the action as the authenticated user
            Subject subject = context.getSubject();
            if (verbose) {
                System.out.println(subject.toString());
            } else {
                System.out.println("Authenticated principal: " +
                    subject.getPrincipals());
            }

            Subject.doAs(subject, action);

            context.logout();
        }

        // The action to perform
        static class MyAction implements PrivilegedExceptionAction {
            MyAction() {
            }

            public Object run() throws Exception {
                // Replace the following with the action to be performed
                // as the authenticated user
                System.out.println("Performing secure action ...");
                return null;
            }
        }
    }

This is run using:

    java -Djava.security.auth.login.config=jaas-krb5.conf Jaas client

jaas-krb5.conf:

    client {
        com.sun.security.auth.module.Krb5LoginModule required
        principal="name@host.com";
    };

    server {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        keyTab=mykeytab.keytab
        principal="host.name.com";
    };

and within mykeytab I have the following principal:

    Slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    4 name@host.com

So I've compiled and run it, but when logging in I get this error:

    Kerberos password for name@host.com:   // I enter the password
    Login failed

with the stack trace:

    javax.security.auth.login.LoginException: Cannot get KDC for realm host.com
            at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
            at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
            at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
            at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
            at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
            at Jaas.loginAndAction(Jaas.java:77)
            at Jaas.main(Jaas.java:61)
    Caused by: KrbException: Cannot get KDC for realm host.com
            at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:195)
            at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:174)
            at sun.security.krb5.KrbAsReq.send(KrbAsReq.java:431)
            at sun.security.krb5.Credentials.sendASRequest(Credentials.java:400)
            at sun.security.krb5.Credentials.acquireTGT(Credentials.java:350)
            at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)

My question is:

I think I've got a fundamental misunderstanding of what's occurring between the KDC, the keytab and the user entry. My understanding is that the principal is validated against the KDC; if so, how do I enter new principals and assign passwords?

My aim is to add a test principal to the keytab and use it for running the login script.

It looks like you made one incorrect assumption.

Principals are username + Kerberos realm (or Active Directory domain). This might or might not be the same value as the DNS domain; they are fundamentally different things. In your particular case it looks like the Kerberos realm is intranet.barcapint.com, while the keytab contains a key for name@host.com. Because of this, the JAAS Kerberos client ignores what's in the keytab and falls back to default realm resolution. And it seems the realm/domain mapping is broken, so it cannot find the KDC and fails with the error above. Hence the inner exception.

To fix the above, you first need to fix the domain/realm mapping. How depends on the operating system. On Unix systems you should check /etc/krb5.conf, on Windows c:\windows\krb5.ini. It might be somewhere else. Check this for more info.

Another thing is, you need keytabs for unattended servers; they are a convenient way to store Kerberos keys. I suggest you first get the server and client working using the TextCallbackHandler you have above. Once you've got this, you can proceed to using the keytab for the server.
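As an added illustration of the realm mapping the answer refers to (this is example configuration, not part of the question or the answer), here is a krb5.conf that tells the Java Kerberos client where the KDC for a realm lives and which DNS domains belong to it. The realm name INTRANET.BARCAPINT.COM is the answer's realm written in the conventional upper case (Kerberos realm names are case-sensitive), and the KDC hostname kdc.intranet.barcapint.com is a placeholder, not a real host from the page:

```ini
[libdefaults]
    # Realm assumed when a principal name carries no realm part.
    default_realm = INTRANET.BARCAPINT.COM

[realms]
    # Without an entry here (or DNS SRV records), the client has no way to
    # reach a KDC for the realm and fails with "Cannot get KDC for realm ...".
    INTRANET.BARCAPINT.COM = {
        kdc = kdc.intranet.barcapint.com          # placeholder hostname
        admin_server = kdc.intranet.barcapint.com # placeholder hostname
    }

[domain_realm]
    # Map DNS domains to the realm; a leading dot covers every host under it.
    .host.com = INTRANET.BARCAPINT.COM
    host.com = INTRANET.BARCAPINT.COM
    .intranet.barcapint.com = INTRANET.BARCAPINT.COM
    intranet.barcapint.com = INTRANET.BARCAPINT.COM
```

With this in place the principal in the JAAS entry and in the keytab has to name the real realm, i.e. name@INTRANET.BARCAPINT.COM rather than name@host.com, because the realm part of the principal is what the client uses to look up a KDC in [realms]. Java reads the file from the platform default location (/etc/krb5.conf on Unix, krb5.ini on Windows) or from the path given by -Djava.security.krb5.conf; for a quick test the -Djava.security.krb5.realm and -Djava.security.krb5.kdc system properties can be used instead of the file. On Unix, klist -k -t mykeytab.keytab lists the principals and key version numbers in the keytab so you can confirm the realm it contains matches.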

