Kerberos and 10.5.8

Hello all,
I'm in the process of binding the Macintoshes to the AD environment and I'm running into a bit of an anomaly. I have the process scripted and I'm using local MCX settings with a LaunchD job that determines the user's OU at login and then runs the appropriate script, depending upon their department, that does a mount of the network drive. This works fine, except for a couple of 10.5.8 snow laptops.
The login and mount script work fine from my machine (10.6.6) but not the users (10.5.8) and then not all 10.5.8 machines are having this issue.
The command I'm running is this:
cifs://dns.name.of.server/volume/dept/data
On 10.6, it simply passes the Kerberos ticket and mounts the network mount. On 10.5.8, I enter the password and it says the password is incorrect.
I've deleted the keychain, the preferences and have destroyed the current Kerberos ticket and got a new one. I've repaired permissions and I've repaired the keychain.
Can anyone help me out here?
Thank you in advance.

Try the OS X Server forums. There should be one dealing with directory services, etc. Alternatively, search these forums for Kerberos and SSHD

Similar Messages

  • Single sign-on using Kerberos and Ldap

    I am currently setting up single sign-on using Kerberos for authentication and Ldap for authorization and information store.
    The setup includes several Solaris 8 & 9 workstations, a couple of SGI's, as well as a M$ terminal server farm, several WinXP desktops and their associated Active Directory.
    I am required to authenticate etc against the AD. (which has M$ SFU3.5 installed)
    I have the Kerberos authentication and part of the Ldap service working via pam & nss.
    i.e. I can log on to the Solaris workstations using the AD username and password, and mount the home directory from a M$ NFS server.
    BUT...
    id gives:- userID, groupID (primary group only)
    groups :- primary group only. (no secondary groups are listed)
    Question: what additional configuration information do I need in the pam, nss &/or ldap config files, so that I can list the secondary groups.
    Thanks in advance for any help.

    After evaluating (giving up on, and finally throwing out) the Sun Directory server it looks like we are going to end up with a similar solution..
    Sadly enough, the MS AD seems much more stable and easier to handle than Sun's DS, kerberos and associated services.
    Anyway, currently we are evaluating a product called vintela ( www.vintela.com ), and it seems very promising; its easy, robust, stable and does what we require it to do, as well as more :) It comes with an additional nss module called 'vas', so you easily can retrieve data like hosts/groups from your AD.
    //M.

  • Kerberos and SPNEGO

    I was trying to do SSO for Oracle UCM 11g, which uses WebLogic 10.3.4, using Kerberos and SPNEGO as stated in the Oracle documentation.
    I followed all steps on the following links
    http://download.oracle.com/docs/cd/E17904_01/web.1111/e13707/sso.htm#i1102021
    and
    http://download.oracle.com/docs/cd/E17904_01/doc.1111/e10792/c03_security.htm#CDDDIHBA
    My issue is strange: there are no errors and no exceptions, yet SSO is not working, even if I add wrong info to krb5.conf or krb5login.conf. I have created a JAAS configuration file and specified the krb5login.conf file location as a startup option in WebLogic, where I have added the following to startWeblogic.sh:
    JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=krb5login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dsun.security.krb5.debug=true"
    what do you think I am facing here???

    Hi,
    Apply SAP Note 1045019 (Example 3) and provide for analysis the errors (in red) from the collected traces.
    Regards,
    Dimitar

  • How to create constrained or unconstrained Kerberos and know whether the back end is constrained or unconstrained Kerberos?

    Hello Community
    I am considering Kerberos Authentication, but there seem to be 2 kinds of Kerberos: constrained and unconstrained.
    Since when creating Kerberos you are only offered things like "Negotiate\Kerberos" or "Negotiate" or "Setspn", the question is how do you create a constrained or unconstrained Kerberos, and since the back end has to match, how do you know whether the back end uses constrained or unconstrained Kerberos?
    Thank you
    Shabeaut

    Kerb is used for one of several scenarios:
    - connecting SP to SQL databases, which provides assurances around the connection between the SP service accounts and the SQL service accounts
    - connecting SP to external systems (such as SQL databases, which may be used by BCS, Excel, PerformancePoint, PowerPivot, etc).
    Constrained Delegation is not necessary for SP to use Kerb when connecting to SQL. it IS necessary for SP to talk to external systems (since Constrained Delegation is also known as "Kerberos with protocol transition", since it's
    transitioning a Claims based auth token to a kerberos based auth token).
    The difference is a setting in AD's Delegation tab, for the service account that will be collecting the users' login (presumably the webapp), and for the service account that will be performing the double-hop (presumably the service apps)... in addition
    to the kerb setting, you also need to specify EXACTLY which endpoints can be reached using the Kerb + CD... unconstrained delegation (the default) allows the Kerb token to be passed anywhere... constrained delegation only allows the Kerb token to be used
    by the places you specify (in the delegation tab)... such as the SQL server that the PerformancePoint scorecards will be querying.
    Links:
    - Microsoft's Kerberos guide : http://www.microsoft.com/en-us/download/details.aspx?id=23176
    - more links : http://www.sbrickey.com/Tech/Blog/Post/SharePoint_Troubleshooting_Kerberos_and_External_Data_from_Excel_Services
    - some health analyzers to find problems and recommend solutions : http://sdssharepointlibrary.codeplex.com/releases/view/92022
    Scott Brickey
    MCTS, MCPD, MCITP
    www.sbrickey.com
    Strategic Data Systems - for all your SharePoint needs
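    As an added illustration (not part of Scott's reply, and not Microsoft tooling), the Python below classifies a service account's delegation mode from the two AD attributes the Delegation tab writes, userAccountControl and msDS-AllowedToDelegateTo, and ranks what an auditor should review: unconstrained delegation first, then target lists that are not the exact SPN list Scott describes, then protocol transition, which is a separate flag layered on top of constrained delegation rather than another name for it. The account records are constructed sample data; the two bit values are the documented AD flags.

```python
# Added example (not from the thread): classify Kerberos delegation settings read from AD
# and flag what an auditor should review. Account records below are constructed.

# userAccountControl flags set by the AD Delegation tab (documented AD values).
TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained: "Trust ... for delegation to any service"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # protocol transition: "Use any authentication protocol"


def delegation_mode(account):
    """Return 'none', 'unconstrained', 'constrained' or 'constrained-protocol-transition'."""
    uac = int(account.get("userAccountControl", 0))
    targets = account.get("msDS-AllowedToDelegateTo") or []
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"          # the target list is ignored when this bit is set
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained-protocol-transition"
    if targets:
        return "constrained"            # Kerberos-only constrained delegation
    return "none"


def valid_spn(spn):
    """True for an exact service/host[:port][/name] target; wildcards or bare names are not."""
    if "*" in spn or "/" not in spn:
        return False
    service, _, rest = spn.partition("/")
    host = rest.split("/", 1)[0].rsplit(":", 1)[0]
    return bool(service) and bool(host)


def audit(accounts):
    """Return (sAMAccountName, severity, reason) tuples, one per setting worth reviewing."""
    findings = []
    for acct in accounts:
        name, mode = acct["sAMAccountName"], delegation_mode(acct)
        if mode == "unconstrained":
            findings.append((name, "high",
                             "unconstrained delegation: forwarded user TGTs are cached on this "
                             "service and are valid for any service in the forest"))
        elif mode != "none":
            bad = [t for t in acct.get("msDS-AllowedToDelegateTo", []) if not valid_spn(t)]
            if bad:
                findings.append((name, "medium", f"delegation targets are not exact SPNs: {bad}"))
            if mode == "constrained-protocol-transition":
                findings.append((name, "medium",
                                 "protocol transition: tickets can be obtained for users who never "
                                 "presented Kerberos credentials to this service; keep targets minimal"))
    return findings


SAMPLE_ACCOUNTS = [  # constructed; 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    {"sAMAccountName": "svc-sp-webapp", "userAccountControl": 0x10200,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.corp.example:1433"]},
    {"sAMAccountName": "svc-sp-ppsvc", "userAccountControl": 0x10200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.corp.example:1433", "MSSQLSvc/sql01.corp.example"]},
    {"sAMAccountName": "svc-legacy", "userAccountControl": 0x10200 | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "svc-bad", "userAccountControl": 0x10200,
     "msDS-AllowedToDelegateTo": ["*"]},
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct["sAMAccountName"], delegation_mode(acct))
    for finding in audit(SAMPLE_ACCOUNTS):
        print(*finding, sep=" | ")
```

    Feed it records pulled from AD with an LDAP query that returns those two attributes; the web application and service application accounts Scott mentions should come back as "constrained" with only the SQL and other endpoint SPNs they actually need.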

  • IChat 4, Kerberos and login issue

    When using Kerberos I can get a ticket for the connection, but after the ticket exchange I get prompted for another authentication request with ID and password.
    In the iChat server log I get the entry:
    Apr 14 16:47:59 <servername> jabberd/c2s[76194]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Wrong principal in request)
    Anybody an idea?

    Yes, it is. FQN.
    I think a part of the issue is, that we use DNS Service entries.
    The machine has "server<xyz>" as DNS name. The chat server uses the DNS service entry "chat<xyz>" with its own IP. "chat<xyz>" is set in Server Admin.app; I added an xmpp/chat<xyz> principal to Kerberos and the ticket is issued when I try to connect with iChat.
    Usernames used are <username>@chat<xyz>. These usernames work when Kerberos is turned off (normal connection to 5223/SSL).
    Now, if I turn Kerberos on, leave the iChat server setting in the ical client at chat<xyz>, but switch the usernames to <username>@server<xyz>, I can log in via Kerberos. (In the case that I add chat<xyz> and server<xyz> to the iChat server Host Domains in Server Admin.app.)
    Bit confusing.

  • Error while integrating with Kerberos and AD

    Hi,
    Implementing Kerberos as the Desktop Single Signon Solution
    Environment : Peoplesoft
    OS : Redhat Linux
    webserver: Weblogic 10.3.4
    appserver : tuxedo 10gr3
    While doing this implementation I was able to complete it successfully with the JDK Linux has provided (1.6.0_22). However, WebLogic comes preconfigured with JRockit JDK version 1.6.0_24-R28.1.3-4.0.1. When I start WebLogic with the JRockit JDK as JAVA_HOME I am getting the following error.
    <Error> <HTTP> <BEA-101165> <Could not load user defined filter in web.xml: com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter.
    java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named krbServer
    at com.bea.common.security.jdkutils.JAASConfiguration.getAppConfigurationEntry(JAASConfiguration.java:130)
    at javax.security.auth.login.LoginContext.init(LoginContext.java:243)
    at javax.security.auth.login.LoginContext.<init>(LoginContext.java:334)
    at com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter.init(KerberosSSOFilter.java:142)
    at weblogic.servlet.internal.FilterManager$FilterInitAction.run(FilterManager.java:332)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
    at weblogic.servlet.internal.FilterManager.loadFilter(FilterManager.java:98)
    at weblogic.servlet.internal.FilterManager.preloadFilters(FilterManager.java:59)
    at weblogic.servlet.internal.WebAppServletContext.preloadResources(WebAppServletContext.java:1878)
    at weblogic.servlet.internal.WebAppServletContext.start(WebAppServletContext.java:3154)
    at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1508)
    at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:485)
    at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:427)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
    at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
    at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:201)
    at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:249)
    at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:427)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
    at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
    at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:28)
    at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:637)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
    at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:205)
    at weblogic.application.internal.EarDeployment.activate(EarDeployment.java:58)
    at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
    at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
    at weblogic.deploy.internal.targetserver.BasicDeployment.activate(BasicDeployment.java:184)
    at weblogic.deploy.internal.targetserver.BasicDeployment.activateFromServerLifecycle(BasicDeployment.java:361)
    at weblogic.management.deploy.internal.DeploymentAdapter$1.doActivate(DeploymentAdapter.java:52)
    at weblogic.management.deploy.internal.DeploymentAdapter.activate(DeploymentAdapter.java:200)
    at weblogic.management.deploy.internal.AppTransition$2.transitionApp(AppTransition.java:31)
    at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:240)
    at weblogic.management.deploy.internal.ConfiguredDeployments.activate(ConfiguredDeployments.java:170)
    at weblogic.management.deploy.internal.ConfiguredDeployments.deploy(ConfiguredDeployments.java:124)
    at weblogic.management.deploy.internal.DeploymentServerService.resume(DeploymentServerService.java:181)
    at weblogic.management.deploy.internal.DeploymentServerService.start(DeploymentServerService.java:97)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:176)
    these are my runtime parameters
    java -jrockit -XnoOpt -XXnoJITInline -Xms512m -Xmx512m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0 -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=krbLogin.conf -Dsun.security.krb5.debug=true -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.Chunksize=65536 -Djava.util.logging.config.file=/u01/app/psoft89/webserv/PREFRESH/piaconfig/properties/logging.properties -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Dweblogic.Name=PIA -Dps_vault=/u01/app/psoft89/webserv/PREFRESH/piaconfig/properties/psvault -Djavax.net.ssl.trustStore=/u01/app/psoft89/webserv/PREFRESH/piaconfig/keystore/pskey -Dweblogic.ProductionModeEnabled=true -Djava.security.policy=/u01/app/psoft89/weblogic/wlserver_10.3/server/lib/weblogic.policy -Dssl.debug=false -Dps_home=/u01/app/psoft89 weblogic.Server
    The files krb5.conf and krbLogin.conf exist and have full access.
    With the error above it seems that it is not able to pick the configuration file. But just by changing the JAVA_HOME to /usr/java/jdk1.6_022 it starts working.
    I have raised this concern with Oracle almost a month before, but still haven't got any reply from them.
    Please help.
    Thanks and Regards
    Anirudha Singh

    Hi Faisal,
    Thanks for your reply.
    Yes I have given the complete path too.
    This is the full command line of the WebLogic server. I had modified it to test if it is trying to pick it up from any default location.
    java -jrockit -XnoOpt -XXnoJITInline -Xms512m -Xmx512m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0 -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/krbLogin.conf -Dsun.security.krb5.debug=true -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dweblogic.Chunksize=65536 -Djava.util.logging.config.file=/u01/app/psoft89/webserv/PREFRESH/piaconfig/properties/logging.properties -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Dweblogic.Name=PIA -Dps_vault=/u01/app/psoft89/webserv/PREFRESH/piaconfig/properties/psvault -Djavax.net.ssl.trustStore=/u01/app/psoft89/webserv/PREFRESH/piaconfig/keystore/pskey -Dweblogic.ProductionModeEnabled=true -Djava.security.policy=/u01/app/psoft89/weblogic/wlserver_10.3/server/lib/weblogic.policy -Dssl.debug=false -Dps_home=/u01/app/psoft89 weblogic.Server
    The file is located in /etc folder and has 777 permissions.
    Thanks and Regards
    Anirudha Singh

  • Profile Manager, Push, Kerberos and other oddities

    Hey all,
    First time setting up a Mac Server on our network, thought we'd give Lion a try since we're seeing more and more Macs make their way into our ranks. I'm having issues with the following areas, hopefully someone could shed some light.
    Push
    I can't for the life of me get push to work behind our Firewall. I opened up TCP Port 5223 as outlined in the Apple Docs but that doesn't get me anywhere. Do I need to NAT that port to the lion server? I thought that push sent notifications down to individual machines and then they went and grabbed the new config from the server? How does a firewall with NAT know what machine to send the notification to? Any help would be appreciated.
    Also, what are you supposed to manage users with, the Work Group Manager or the Profile Manager. It seems like apple is moving away from the WGM style of management, although you can't do everything in PM, like setting up home folders etc. Very confusing to a novice.
    Email Addresses in Profile Manager configurations and Webmail.
    I might be missing something really simple here, but no matter what I do the Profile Manager spits out a default payload for email with our FQDN as the email address for the user ([email protected]). I have set the local alias and checked the checkbox to allow our example.com domain to work. Manually setting the email address to [email protected] works just fine. I'm a bit bothered that every time I push a configuration out to a device I'll have to go back in and manually change the email address. Has anyone figured out how to change that?
    In webmail it always lists the email address as [email protected] instead of [email protected]. You can go in and edit the identity and all is right with the world, but that's sort of a pain? Seems like common sense that you could set that as the default.
    Kerberos
    I was excited to get a Single Sign On solution going for our users since it would come in handy; however, straight out of the box it just doesn't work. I'm also not sure what to look for in the logs to make sure that things are working smoothly. I'm joining the client machines to the server by going into Users and clicking Join, selecting the server from the drop-down and hitting Submit. Do I have to set up a search order and all that jazz, or is that set up automatically then? I can see that I'm getting tickets with the Ticket Viewer, but I'm still getting prompted for passwords in Mail, iChat, AFP, etc. Close to giving up on that front.
    Any help or general words of encouragement appreciated. 

    Push
    You've opened the secure iChat port to have push notifications working? Take a look here for the right ports:
    http://help.apple.com/advancedserveradmin/mac/10.7/#apdCA9A73CE-5F0C-4BDC-93E8-2952C362FA3E
    On that page are all port numbers you need to forward to your server.
    Email
    The addresses being displayed as [email protected] are, in my opinion, a bug in Lion Server; you can file a bug report at apple.com/feedback.
    Kerberos
    It is as poorly documented as it is invisible in OS X Lion Server. Single Sign-On is a great tool for making services more user-friendly; it should be top of mind at Apple. You can file an enhancement request at apple.com/feedback.
    Regards,
    Mark

  • Query on SSO using Kerberos and JAAS

    We have created a LAN of two computers one being an IIS server (windows 2000 Server) and the other the client (Windows 2000 PRO)
    When the server program and the applet is run on the server machine the authentication is done properly and the context is established.
    But now we want the other terminal to be the client.
    Now we have hosted the applet on the server and we are accessing the hosted page from the client terminal, and we get the following exception:
    javax.security.auth.login.LoginException: trainee.Trainee123.Local: trainee.Trainee123.Local
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:572)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:458)
    at sun.reflect.GeneratedMethodAccessor5.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at GSSClient.login(GSSClient.java:110)
    at GSSClientApplet.login(GSSClientApplet.java:127)
    at GSSClientApplet.access$000(GSSClientApplet.java:14)
    at GSSClientApplet$1.actionPerformed(GSSClientApplet.java:74)
    at java.awt.Button.processActionEvent(Button.java:381)
    at java.awt.Button.processEvent(Button.java:350)
    at java.awt.Component.dispatchEventImpl(Component.java:3639)
    at java.awt.Component.dispatchEvent(Component.java:3480)
    at java.awt.EventQueue.dispatchEvent(EventQueue.java:450)
    at java.awt.EventDispatchThread.pumpOneEventForHierarchy(EventDispatchThread.java:197)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:150)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:144)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:136)
    at java.awt.EventDispatchThread.run(EventDispatchThread.java:99)
    Caused by: java.net.UnknownHostException: trainee.Trainee123.Local: trainee.Trainee123.Local
    at java.net.InetAddress.getAllByName0(InetAddress.java:999)
    at java.net.InetAddress.getAllByName0(InetAddress.java:969)
    at java.net.InetAddress.getAllByName(InetAddress.java:963)
    at java.net.InetAddress.getByName(InetAddress.java:883)
    at sun.security.krb5.internal.bg.<init>(DashoA6275:51)
    at sun.security.krb5.KrbKdcReq$KdcCommunication.run(DashoA6275:185)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.krb5.KrbKdcReq.send(DashoA6275:148)
    at sun.security.krb5.KrbAsReq.send(DashoA6275:401)
    at sun.security.krb5.KrbAsReq.send(DashoA6275:293)
    at sun.security.krb5.Credentials.acquireTGT(DashoA6275:332)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:559)
    ... 24 more
    --(the server address being trainee.Trainee123.Local.)
    We referred to the following site:
    http://www-128.ibm.com/developerworks/java/library/j-gss-sso/index.html
    Suggest some solution to this problem.

    Hi there,
    I need to implement a J2ee struts based web application where the authentication should be against the user profiles in the Windows Active Directory Services using JAAS.
    I do not know how to start; is it possible for you to throw some light on this, like how Kerberos works with ADS and so on?
    Thanks,
    Diva

  • Trouble with Kerberos and SSH

    I'm working in a test environment to configure Solaris 10 hosts to authenticate against an Active Directory environment using LDAP and Kerberos. I have all of the hard parts done - I can login locally, ssh, telnet, ftp, etc to the Solaris 10 device using a username/password within the Active Directory.
    I am having trouble, however, getting SSH to forward Kerberos tickets for passwordless authentication. I can log in locally to a Solaris box, run klist to verify that I have a Kerberos ticket, and then ssh to another Solaris 10/Kerberos box, but I am still prompted for my password. Below is a snippet of SSH debug traffic:
    debug1: GSS-API error while calling GSS_Init_sec_context(): An invalid name was supplied
    service not available
    debug1: Skipping GSS-API mechanism kerberos_v5 (An invalid name was supplied
    service not available
    No amount of googling has been able to help me thus far. Perhaps you can.

    Apparently my initial problem was related to hostname resolution; I was initially accessing everything by IP address because it was easier than setting up a DNS server in my testing environment. I have resolved those issues within my testing environment, but I still can't seem to get SSH to pass the Kerberos ticket along, or maybe SSHD isn't accepting it. This is what I see now, after getting a Kerberos ticket with kinit and attempting to ssh to another host:
    debug1: Next authentication method: gssapi-with-mic
    debug1: ssh_gssapi_init_ctx(<xxxxxxxxxxxxxxxxxxxx>)
    debug3: ssh_gssapi_import_name: snprintf() returned 41, expected 42
    debug2: we sent a gssapi-with-mic packet, wait for reply
    But it moves on to the next method, never receiving a reply. What's up?
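    Both this thread and the iChat thread above come down to the name the client asks for versus the principal the server holds a key for: a client that builds host/<target> from an IP address or a short name fails on its own side ("An invalid name was supplied"), and a server whose keytab holds xmpp/server<xyz> while clients ask for xmpp/chat<xyz> logs "Wrong principal in request". The Python below is an added example, not code from these posts nor from OpenSSH or jabberd: it derives the principal a GSSAPI client would request (FQDN, lower-cased, realm taken from a [domain_realm]-style mapping) and checks it against a keytab listing. The hostnames, realm and keytab entries are constructed.

```python
import ipaddress

# Added example (not from either post, nor from OpenSSH or jabberd): work out the service
# principal a Kerberos client will ask for and compare it with what the server's keytab holds.
# All hostnames, the realm and the keytab entries below are constructed.


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def realm_for_host(host, domain_realm, default_realm):
    """krb5.conf [domain_realm] lookup: exact host first, then parent domains (keys with a
    leading dot), most specific first, falling back to default_realm."""
    host = host.lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return default_realm


def expected_service_principal(service, target, domain_realm, default_realm):
    """Principal a GSSAPI client derives for service@target; raises ValueError for the
    names that make the client fail before it ever contacts the server."""
    host = target.strip().rstrip(".").lower()
    if is_ip_literal(host):
        raise ValueError(f"{target!r} is an IP literal; a service principal needs a DNS name")
    if "." not in host:
        raise ValueError(f"{target!r} is not fully qualified; principals use the FQDN")
    return f"{service}/{host}@{realm_for_host(host, domain_realm, default_realm)}"


def diagnose(service, target, keytab_principals, domain_realm, default_realm):
    """Return (ok, explanation) for a client connecting to `service` on `target`."""
    try:
        wanted = expected_service_principal(service, target, domain_realm, default_realm)
    except ValueError as err:
        return False, f"client-side name error ('An invalid name was supplied'): {err}"
    if wanted in keytab_principals:
        return True, f"keytab holds {wanted}"
    same_service = [p for p in keytab_principals if p.startswith(service + "/")]
    return False, (f"client will request {wanted}; keytab only holds {same_service} for "
                   f"{service!r}, so the server would log 'Wrong principal in request'")


# Constructed: the server is registered as serverxyz but clients reach the chat service via
# the DNS alias chatxyz, mirroring the iChat thread.
DOMAIN_REALM = {".example.test": "EXAMPLE.TEST"}
KEYTAB = ["host/serverxyz.example.test@EXAMPLE.TEST",
          "xmpp/serverxyz.example.test@EXAMPLE.TEST"]

if __name__ == "__main__":
    for service, target in (("xmpp", "chatxyz.example.test"), ("xmpp", "serverxyz.example.test"),
                            ("host", "192.0.2.10"), ("host", "serverxyz")):
        print(service, target, "->", diagnose(service, target, KEYTAB, DOMAIN_REALM, "EXAMPLE.TEST"))
```

    The remedy in both threads follows from the output: connect by a forward-resolvable FQDN, and make sure the server's keytab carries a principal for every name clients actually use (here an additional xmpp/chatxyz entry). Feed KEYTAB from `klist -k` output on the server to check a real host.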

  • Authen and Auth via kerberos and ldap (hosted on linux)

    Hello. I am trying to set up authentication via ldap and kerberos. I have usernames stored in a UNIX-style ldap server and kerberos running on the same machine. I am now trying to get the login window to use the ldap server for getting username/password and then to authenticate and get a ticket from kerberos. I have kerberos working (I can use kinit on the mac to get a ticket); if I have a ticket, I can use ldapsearch to get a dump of the ldap directory on the server. However, at the login window, there is no existing kerberos ticket for checking the ldap server, so it cannot be used and falls back to local login. How can I get a ticket or something that will function as such to kerberos so that login window can use the ldap server? Or, how can I get the login window to use the ldap server?
    Any links or other ideas would be appreciated.
    Thanks,
    Sean

    The user can be set in ST01 as the portal user for trace

  • JAAS, JGSS Kerberos  and windows 2000 newbie question

    Hi
    I have set up a Kerberos server on Windows 2000; now I want to write code in Java to authenticate and authorize users using Kerberos. I know I have to use JAAS and JGSS.
    Is there a how-to document to set up a client machine, like setting up the krb4.ini file and other security files, so I can use Java to authorize and authenticate? I am using j2sdk1.4.2.
    I have the following code:
    import org.ietf.jgss.GSSContext;
    import org.ietf.jgss.GSSCredential;
    import org.ietf.jgss.GSSException;
    import org.ietf.jgss.GSSManager;
    import org.ietf.jgss.GSSName;
    import org.ietf.jgss.Oid;

    public class TestGSS {
        public static void main(String[] args) throws GSSException {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
            Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
            // Identify who the client wishes to be
            GSSName userName = manager.createName("test02EIM", GSSName.NT_USER_NAME);
            // Identify the name of the server. This uses a Kerberos specific name format.
            GSSName serverName = manager.createName("krbsvr400/[email protected]", krb5PrincipalNameType);
            System.out.println("server name " + serverName.getStringNameType());
            // Acquire credentials for the user. With javax.security.auth.useSubjectCredsOnly
            // at its default (true) these come from a Subject populated by a prior JAAS
            // Krb5LoginModule login; with it set to false, from the native ticket cache.
            GSSCredential userCreds = manager.createCredential(userName,
                    GSSCredential.DEFAULT_LIFETIME, krb5Mechanism, GSSCredential.INITIATE_ONLY);
            // Instantiate and initialize a security context that will be established with the server
            GSSContext context = manager.createContext(serverName, krb5Mechanism, userCreds,
                    GSSContext.DEFAULT_LIFETIME);
        }
    }
    and krb5.ini file looks like below
    [libdefaults]
    default_realm = GL1AMR.PFIZER1.TEST
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
    forwardable = true
    proxiable = true
    [realms]
    GL1AMR.PFIZER1.TEST= {
    kdc = gl1mopsamrdc01.gl1amr.pfizer1.test:88
    admin_server = gl1mopsamrdc03.gl1amr.pfizer1.test
    default_domain = gl1amr.pfizer1.test
    }
    [domain_realm]
    .gl1amr.pfizer1.test = GL1AMR.PFIZER1.TEST
    gl1amr.pfizer1.testm = GL1AMR.PFIZER1.TEST
    [login]
    krb4_convert = true
    krb4_get_tickets = true
    I get the following error:
    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
         at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:143)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:70)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
         at com.pfizer.maps.sso.TestGSS.useGSS(TestGSS.java:41)
         at com.pfizer.maps.sso.TestGSS.main(TestGSS.java:59)
    What am I missing?
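    The krb5.ini above never closes the brace of its realm block, and the "Query on SSO using Kerberos and JAAS" thread further up shows what a KDC entry that does not resolve looks like (UnknownHostException while sending the AS-REQ). As an added example, not code from either post and not Java's own Config class, this Python parses a krb5.conf/krb5.ini into nested dictionaries, rejects unbalanced braces, and then checks the settings that most often leave a Java or native Kerberos client unable to get a ticket: a default_realm with no [realms] entry, a realm with no kdc, [domain_realm] entries pointing at an undefined realm, and deprecated enctypes such as the single-DES des-cbc-crc used here. Both configurations are constructed, with EXAMPLE.TEST in place of the realm from the post.

```python
import re

# Added example (not from the thread): parse krb5.conf/krb5.ini and check it for the
# mistakes that most often leave a Kerberos client unable to reach its KDC.

# Enctypes deprecated by RFC 6649 (single DES) and RFC 8429 (3DES, RC4). Assumed list.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
                 "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac"}
SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_krb5_conf(text):
    """Return {section: {key: value}}; '{' blocks become nested dicts and repeated keys
    (several kdc lines) become lists. Raises ValueError on unbalanced braces."""
    conf, section, stack = {}, None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if stack:
                raise ValueError(f"line {lineno}: section [{m.group(1)}] starts while a "
                                 "'{' block is still open")
            section = conf.setdefault(m.group(1), {})
            continue
        if section is None:
            raise ValueError(f"line {lineno}: entry outside any [section]")
        if line == "}":
            if not stack:
                raise ValueError(f"line {lineno}: '}}' without a matching '{{'")
            stack.pop()
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value'")
        key, value = (part.strip() for part in line.split("=", 1))
        target = stack[-1] if stack else section
        if value == "{":                              # start of a nested block
            sub = {}
            target[key] = sub
            stack.append(sub)
        elif key in target and not isinstance(target[key], dict):
            old = target[key]
            target[key] = (old if isinstance(old, list) else [old]) + [value]
        else:
            target[key] = value
    if stack:
        raise ValueError("end of file reached inside an unclosed '{' block")
    return conf


def _words(value):
    return " ".join(value).split() if isinstance(value, list) else str(value).split()


def validate(conf):
    """Return human-readable problems; an empty list means nothing was found."""
    problems = []
    libdefaults, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    default_realm = libdefaults.get("default_realm")
    if not default_realm:
        problems.append("[libdefaults] has no default_realm")
    elif default_realm not in realms:
        problems.append(f"default_realm {default_realm} has no [realms] entry")
    for name, realm in realms.items():
        if not isinstance(realm, dict) or not realm.get("kdc"):
            problems.append(f"realm {name} lists no kdc")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append(f"[domain_realm] maps {domain} to undefined realm {realm}")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        for enc in _words(libdefaults.get(key, "")):
            if enc.lower() in WEAK_ENCTYPES:
                problems.append(f"{key} allows weak enctype {enc}")
    return problems


def check_config(text):
    """Parse then validate; a parse error is returned as the single problem."""
    try:
        return validate(parse_krb5_conf(text))
    except ValueError as err:
        return [f"parse error: {err}"]


# Constructed sample with the shape of the posted krb5.ini: realm block never closed.
BROKEN_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
    forwardable = true
[realms]
    EXAMPLE.TEST = {
        kdc = kdc1.example.test:88
        admin_server = kdc1.example.test
        default_domain = example.test
[domain_realm]
    .example.test = EXAMPLE.TEST
"""

# Same configuration with a second KDC and the brace closed; the enctypes stay weak.
FIXED_CONF = BROKEN_CONF.replace(
    "        default_domain = example.test\n",
    "        default_domain = example.test\n        kdc = kdc2.example.test:88\n    }\n")

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, check_config(text))
```

    Run `check_config` over the file named by `-Djava.security.krb5.conf` (or /etc/krb5.conf) before chasing JAAS or JGSS errors; a config that parses cleanly and names a resolvable kdc for the default realm rules out the whole class of failures seen in the two threads.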

    My Java file has the code below; when I run this code I am getting the following error.
    Error
    D:\Ramesh_Dump\KerbersTools>java GSSAPI
    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
    at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:133)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:72)
    at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
    at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
    at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
    at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:37)
    at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:96)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:178)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:155)
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
    at javax.naming.InitialContext.init(InitialContext.java:223)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
    at GSSAPI.main(GSSAPI.java:34)
    Problem searching directory: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided]]
    JAVA CODE
    import java.util.Hashtable;
    import javax.naming.ldap.*;
    import javax.naming.directory.*;
    import javax.naming.*;
    import java.util.*;
    import java.text.*;
    public class GSSAPI {
        /**
         * @param args
         */
        public static void main(String[] args) {
            Hashtable<String, String> env = new Hashtable<String, String>();
            String adminName = "[email protected]";//"[email protected]";
            String adminPassword = "Password12";
            String ldapURL = "ldap://172.20.55.97:389/";
            env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
            //set security credentials: SASL GSSAPI authenticates with the caller's existing
            //Kerberos ticket, so no principal or password is placed in the environment
            env.put(Context.SECURITY_AUTHENTICATION,"GSSAPI");
            //env.put(Context.SECURITY_PRINCIPAL,adminName);
            //env.put(Context.SECURITY_CREDENTIALS,adminPassword);
            //env.put("javax.security.sasl.server.authentication","true");
            //connect to my domain controller
            env.put(Context.PROVIDER_URL,ldapURL);
            try {
                //Create the initial directory context
                LdapContext ctx = new InitialLdapContext(env,null);
              //lets get the domain lockout duration policy
              Attributes attrs = ctx.getAttributes("dc=globalv,dc=com");
              //System.out.println("test arttr"+attrs.get(""));
              System.out.println("Lockout policy for " + attrs.get("distinguishedName").get());
              System.out.println("Duration: " + attrs.get("lockoutDuration").get());
              System.out.println("Threshold: " + attrs.get("lockoutThreshold").get());
              long lockoutDuration = Long.parseLong(attrs.get("lockoutDuration").get().toString());
              //Create the search controls           
              SearchControls searchCtls = new SearchControls();
              //Specify the attributes to return
              String returnedAtts[]={"sn","givenName","mail","lockoutTime"};
              searchCtls.setReturningAttributes(returnedAtts);
              //Specify the search scope
              searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
              //Create the correct LDAP search filter
              //Win32 file time is based from 1/1/1601
              //Java date/time is based from 1/1/1970
              /*GregorianCalendar Win32Epoch = new GregorianCalendar(1601,Calendar.JANUARY,1);
              GregorianCalendar Today = new GregorianCalendar();
              long Win32Date = Win32Epoch.getTimeInMillis();
              long TodaysDate = Today.getTimeInMillis();
              long TimeSinceWin32Epoch = TodaysDate - Win32Date;
              long lockoutDate = (TimeSinceWin32Epoch * 10000) + lockoutDuration;
              System.out.println("Lockout (Long): " + lockoutDate);*/
              //System.out.println("Lockout (Date): " + DisplayWin32Date(lockoutDate));
              //String searchFilter = "(&(objectClass=user)(lockoutTime>=" + lockoutDate + "))";
              String searchFilter = "(objectclass=user)";
              //Specify the Base for the search
              String searchBase = "dc=globalv,dc=com";
              //initialize counter to total the results
              int totalResults = 0;
              //Search for objects using the filter
              NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
              //Loop through the search results
              while (answer.hasMoreElements()) {
                   SearchResult sr = (SearchResult)answer.next();
                   totalResults++;
                   System.out.println(">>>" + sr.getName());
                   // Print out some of the attributes, catch the exception if the attributes have no values
                   attrs = sr.getAttributes();
                   if (attrs != null) {
                        try {
                             System.out.println(" name: " + attrs.get("givenName").get() + " " + attrs.get("sn").get());
                             System.out.println(" mail: " + attrs.get("mail").get());
                             System.out.println(" locked: " + attrs.get("lockoutTime").get().toString());
                             //System.out.println(" locked: " + DisplayWin32Date(attrs.get("lockoutTime").get().toString()));
                        catch (NullPointerException e)     {
                             System.err.println("Problem listing attributes: " + e);
    //          System.out.println("Total results: " + totalResults);
              ctx.close();
         catch (NamingException e) {
              System.err.println("Problem searching directory: " + e);
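    Added example (not code from the original post): the GSSException "No valid credentials provided" means the JNDI GSSAPI/SASL mechanism found no Kerberos ticket to initiate with. By default (javax.security.auth.useSubjectCredsOnly=true) Java's Kerberos mechanism only looks for credentials in the JAAS Subject of the calling thread, and the posted code never logs in through JAAS, so there is nothing to hand to the KDC. The class below logs in with Krb5LoginModule against the existing ticket cache (what kinit or a domain login populates), then runs the same lockout-policy lookup inside Subject.doAs. The host dc.example.test, the base DN dc=example,dc=test and the JAAS entry name "ldap-gssapi" are placeholders.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.directory.Attributes;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

public class GssapiLdapExample {

    // Placeholder values (not from the original post): replace with your DC and base DN.
    static final String LDAP_URL = "ldap://dc.example.test:389/";
    static final String BASE_DN = "dc=example,dc=test";

    /** In-memory JAAS configuration: Krb5LoginModule reuses the TGT already in the
     *  user's ticket cache and never prompts, so a missing/expired ticket fails fast. */
    static class TicketCacheConfig extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<>();
            opts.put("useTicketCache", "true");
            opts.put("doNotPrompt", "true");
            opts.put("renewTGT", "true");
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
            };
        }
    }

    /** Builds the JNDI context; must be called from inside Subject.doAs so the SASL
     *  GSSAPI mechanism can see the Kerberos ticket in the Subject. */
    static LdapContext connect() throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // Request integrity + confidentiality so the LDAP session is signed and sealed,
        // not just authenticated (AD enforces this when LDAP signing is required).
        env.put("javax.security.sasl.qop", "auth-conf");
        return new InitialLdapContext(env, null);
    }

    public static void main(String[] args) throws Exception {
        // If krb5.conf is not in the JVM's default location, point at it explicitly:
        // System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
        LoginContext lc = new LoginContext("ldap-gssapi", null, null, new TicketCacheConfig());
        lc.login();                     // LoginException here means no usable TGT in the cache
        Subject subject = lc.getSubject();

        Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
            LdapContext ctx = connect();
            try {
                Attributes attrs = ctx.getAttributes(BASE_DN,
                        new String[] {"lockoutDuration", "lockoutThreshold"});
                System.out.println("Duration:  " + attrs.get("lockoutDuration").get());
                System.out.println("Threshold: " + attrs.get("lockoutThreshold").get());
            } finally {
                ctx.close();
            }
            return null;
        });
        lc.logout();
    }
}
```

    For an unattended service account, swap the ticket-cache options for useKeyTab=true, keyTab=/path/to/service.keytab and principal=svc@REALM so no password ever lives in the source (the posted code's hard-coded adminPassword is exactly what GSSAPI lets you drop). The other route is to leave the code as posted and start the JVM with -Djavax.security.auth.useSubjectCredsOnly=false plus a JAAS file containing a com.sun.security.jgss.krb5.initiate entry; the explicit LoginContext is preferable because a missing ticket then fails at lc.login() with a clear LoginException instead of deep inside InitialLdapContext.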

  • Network Shares, Mobile Clients, Kerberos and Single Sign On Woes

    Hi anybody,
    I'm sure there is a really simple answer to my network share problems but I just can't seem to get them to work. Does anybody understand OD/Kerberos/SSO?
    I am running 10.4.10 with DNS, AFP and OD.
    My DNS is correctly configured, I can resolve IP into name and back again on server and client machines and it's not using a .local domain.
    My OD is set up as a master with the correct LDAP search base settings, Netinfo is off for some reason but I can't turn it back on even if I wanted to. I have directory binding enabled as well as requiring clients to bind to directory.
    My AFP is set to enable Bonjour registration and Authentication is set to Kerberos.
    My client computers are able to access network accounts and my mobile clients are able to sync their home directories.
    All seems to be working exceptionally well except for access to the shared network folders.
    I am convinced that the network folder is set up correctly as I have RTFM many times and if I play with the access settings such that anybody has read and write permissions, clients are able to access the data.
    However, I want to reach my networking Nirvana where I can control access to the network share depending on group id. This shouldn't be difficult but it does seem unattainable for me .....
    Having done a bit of troubleshooting and more reading, I can see that the clients are trying to access the share as an unauthenticated user ..... which is where it all goes wrong for me.
    I thought that Kerberos SSO would have sorted this out but I don't think the clients are even trying to authenticate with the server as they use the local Netinfo database to log in.
    How do I get clients and mobile clients to do a Kerberised SSO at login?
    Anybody!
    Thanks in advance.

    bump?

  • FinalCutServer, Kerberos, and Printing Problems

    Has anyone come across the inability to print when Windows Active Directory has Kerberos DES Encryption enabled on the user account? Obviously we have a separate domain controller and print server. Users can press print but the job doesn't show up to be released in PaperCut (printing authentication).

    Geoff,
    This sounds like a printer driver issue. Do you have the latest driver software? Have you contacted OCE? Have you tried uninstalling/reinstalling the driver?
    Neil

  • Kerberos and W2k3 authentication?

    Hi,
    I have a 10.4.8 Server as PDC and running kerberos (thus also KDC). In my domain I have a w2k3 server with both file sharing and terminal server. Terminal server includes a group from the PDC - works great and we can also connect without entering passwords to file sharing on 10.4.8 file server.
    But, with a 10.4.8 Client trying to log in to a W2k3 file sharing using SMB, I need to authenticate! Not needed when connecting from a 10.4.8 Client to a 10.4.8 Server of course.
    Kerberos tickets available.
    Why? How to change this?
    PS Windows XP clients only need to authenticate once - at login - as far as I know today. DS

    Yes, the Windows computers will try to log in using the current user's username and password before asking the user to enter it. If the login username and password for your SMB share are the same as what the Windows clients use to log in to their computers, they won't be asked when they go to view the SMB volume. If, however, it's different, they will be asked.

  • Kerberos and Database control don't want to play

    I've got a problem - it's been with Oracle support for over 2 weeks now and have had no reply.
    Our infrastructure is 10.2.0.4 on Solaris. The requirement is having Kerberos enabled authentication for the database and management is via EM Database Control not Grid Control so each Database is managed individually and is self-contained.
    Kerberos was installed and is working fine. You can get a ticket and login OK. What became obvious, however, is that by enabling Kerberos, Database Control partially breaks. I know you can't have Kerberos EM accounts set up but that's not what we need to do. The agent just cannot connect to the local database. I've done a bit of trouble-shooting and it's pretty obvious what the issue is but sorting it out is a bit of a problem.
    Right, when you enable Kerberos, most of the settings are done in the sqlnet.ora file on the database server. The interesting setting here is the line :-
    SQLNET.AUTHENTICATION_SERVICES= (BEQ,KERBEROS5)
    Correct me if I'm right, but what this basically does is to say that any 'local' connections (eg sqlplus / as sysdba) just go in through the usual database/host group accounts (BEQ) whilst any other connections (sqlnet) go through Kerberos. This is where the problem looks as though it is. The EMAgent insists on using a full descriptor (host, port, sid etc..) and thus loops back through sqlnet and hits the Kerberos authentication brick wall and produces the standard Kerberos error :-
    Thread-8 ERROR vpxoci: ORA-12638: Credential retrieval failed
    vpxoci: Login 0xfdf08 failed, error=ORA-12638: Credential retrieval failed
    TargetManager: Exception in computing dynamic properties of {db1.server1.acme.co.uk, oracle_database },SystemTablespaceNumber::ORA-12638: Credential retrieval failed
    Thread-8 WARN vpxoci: OCI Error -- ErrorCode(12638): ORA-12638: Credential retrieval failed
    The connect descriptor being used by the agent is :-
    LOGIN = dbsnmp/<PW>@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=server1.acme.co.uk)(PORT=1521))(CONNECT_DATA=(SID=DB1)))
    I've briefly edited the emoms.properties file to change the descriptor to IPC based and it still errors just the same. To duplicate this error we just created a normal database account "account1" identified internally and used these descriptors outside EM with sqlplus and it's just the same, so running :-
    sqlplus account1/password@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=server1.acme.co.uk)(PORT=1521))(CONNECT_DATA=(SID=DB1)))
    gives exactly the same credentials error and :-
    # sqlplus account1/password
    connects just fine. BTW, if you edit the original sqlnet.ora file and change (BEQ,KERBEROS5) to (BEQ) or even just remove the line, it all works fine but obviously disables Kerberos which isn't an option.
    If someone has experienced this and knows a patch/fix or which configuration files to hand-edit I'd appreciate it.
    Thks

    user2664528 wrote:
    Our infrastructure is 10.2.0.4 on Solaris. The requirement is having Kerberos enabled authentication for the database and management is via EM Database Control not Grid Control so each Database is managed individually and is self-contained.
    Sorry that I have no resolution to the larger problem. (I wonder whether a discussion in the Grid Control forum might be useful as the GC folk hide out there ... http://forums.oracle.com/forums/category.jspa?categoryID=70)
    I am curious about the above statement since Grid Control does allow individual 'administrators' to be isolated to specific systems/configurations. That functionality is implemented using EE's Virtual Private Database capability and seems pretty solid to me.
    What goes wrong when you use the isolation capability in Grid Control?
