Reputation: 521
I'm building a simple JAAS login module. This uses the following code:
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.callback.TextCallbackHandler;

public class Jaas {
    private static String name;
    private static final boolean verbose = false;

    public static void main(String[] args) throws Exception {
        // The JAAS login configuration entry to use ("client" by default)
        if (args.length > 0) {
            name = args[0];
        } else {
            name = "client";
        }
        // Create action to perform
        PrivilegedExceptionAction<Object> action = new MyAction();
        loginAndAction(name, action);
    }

    static void loginAndAction(String name, PrivilegedExceptionAction<Object> action)
            throws LoginException, PrivilegedActionException {
        // Create a callback handler that prompts for the password on the console
        CallbackHandler callbackHandler = new TextCallbackHandler();
        LoginContext context = null;
        try {
            // Create a LoginContext with a callback handler
            context = new LoginContext(name, callbackHandler);
            // Perform authentication
            context.login();
        } catch (LoginException e) {
            System.err.println("Login failed");
            e.printStackTrace();
            System.exit(-1);
        }
        // Perform action as authenticated user
        Subject subject = context.getSubject();
        if (verbose) {
            System.out.println(subject.toString());
        } else {
            System.out.println("Authenticated principal: " +
                    subject.getPrincipals());
        }
        Subject.doAs(subject, action);
        context.logout();
    }

    // Action to perform
    static class MyAction implements PrivilegedExceptionAction<Object> {
        MyAction() {
        }

        public Object run() throws Exception {
            // Replace the following with an action to be performed
            // by authenticated user
            System.out.println("Performing secure action ...");
            return null;
        }
    }
}
This is run using:
java -Djava.security.auth.login.config=jaas-krb5.conf Jaas client
jaas-krb5.conf:
client {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="[email protected]";
};
server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab=myKeyTab.keytab
    principal="host.name.com";
};
and within the myKeyTab we have the following principal:
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 4 [email protected]
So I've compiled and run it, but when logging in I always get an error:
Kerberos password for [email protected]: //I enter the password
Login failed
with the stacktrace:
javax.security.auth.login.LoginException: Cannot get kdc for realm Host.COM
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at Jaas.loginAndAction(Jaas.java:77)
at Jaas.main(Jaas.java:61)
Caused by: KrbException: Cannot get kdc for realm Host.COM
at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:195)
at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:174)
at sun.security.krb5.KrbAsReq.send(KrbAsReq.java:431)
at sun.security.krb5.Credentials.sendASRequest(Credentials.java:400)
at sun.security.krb5.Credentials.acquireTGT(Credentials.java:350)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
My question is:
I think I've got a fundamental misunderstanding of what's occurring between the KDC/keytab and the user entry. My understanding is that the principal is what is validated against; if so, how do I enter new principals and assign passwords?
My aim is simply to add a test principal to the keytab and use that for running this login script.
Upvotes: 1
Views: 8147
Reputation: 9481
It looks like you made one incorrect assumption.
Principals are username + Kerberos realm (or Active Directory domain). This might or might not be the same value as the DNS domain, but fundamentally they are completely different things. In your particular case it looks like your Kerberos realm is intranet.barcapint.com. However, your keytab contains a key for [email protected]. Because of this the JAAS Kerberos client ignores what's in the keytab and falls back to the default realm resolution. And it seems your realm-to-domain mapping is broken, so it cannot find the KDC and fails with the error above. Hence you get the inner exception.
To fix all the above, first you need to fix your domain-to-realm mapping. How to do it depends on the operating system. On Unix systems you should check /etc/krb5.conf; on Windows it is c:\windows\krb5.ini. But it might be somewhere else. Check this for more info.
Another thing is, you only need keytabs for unattended servers. It is just a convenient way to store Kerberos keys. I suggest you first get the server and client working using the text callback like you have above. Once you have this, you can proceed to using a keytab for the server.
Upvotes: 3
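The domain-to-realm mapping the answer refers to lives in krb5.conf; the following is an added example of what a working one looks like, not a file from the question or answer. EXAMPLE.COM, kdc.example.com and the example.com DNS domain are placeholders; the three sections and their keys are the standard krb5.conf ones.

```ini
# /etc/krb5.conf on Unix, c:\windows\krb5.ini on Windows (constructed example).

[libdefaults]
    # Realm appended when a principal is named without "@REALM" (e.g. plain "client").
    default_realm = EXAMPLE.COM

[realms]
    # Realm names are case-sensitive: "Host.COM" and "HOST.COM" are different realms,
    # so the realm part of the principal (in the JAAS config and in the keytab) must
    # match this key exactly, otherwise the lookup fails with
    # "Cannot get kdc for realm ...".
    EXAMPLE.COM = {
        kdc = kdc.example.com:88
        admin_server = kdc.example.com:749
    }

[domain_realm]
    # DNS domain -> Kerberos realm. A leading dot maps every host under the domain;
    # the bare name maps the domain itself. The two sides need not share a name.
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

If the file is somewhere other than the default location, point the JVM at it with -Djava.security.krb5.conf=/path/to/krb5.conf; for a quick test of a single realm, -Djava.security.krb5.realm and -Djava.security.krb5.kdc can be used instead of a file.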