Samba Active Directory, Kerberos on Solaris 10

I have fresh installs of Solaris 10 on Sparc and Intel boxes, with the
Software Companion.
I have downloaded krb5-1.4 from MIT. My LD_LIBRARY_PATH=/opt/sfw/bin:/usr/sfw/bin:/usr/local/ssl/lib
./configure works OK.
Make generates this error:
making all in lib/gssapi/krb5...
+ gawk -f ./../../../util/et/et_c.awk outfile=ettmp27001.c ettmp27001.et
mksh: Fatal error in reader Loop detected when expanding macro value '\#include <stdint.h>
...

Did you finally get it compiled?
I also got a compilation error, but a little bit different: the compilation stopped at making gssapi. It is a fatal error with the Makefile script.

Similar Messages

  • Unable to add Active Directory: Kerberos Client trace scenario configuration

    Hi,
    While trying to add the Active Directory: Kerberos Client trace scenario configuration, I am getting this error message in the log (see below).
    What am I missing?
    Thanks
    Alex.
    6/24/2014 10:09:18 AM Information running ETW Manifest Import Adapter on supplemental OPN: done
    6/24/2014 10:09:18 AM Warning Cannot create ETW manifest loader for Active Directory: Kerberos Client: The system cannot find the file specified. Please check that the manifest is properly installed
    6/24/2014 10:09:18 AM Information running ETW Manifest Import Adapter on Active_Directory__Kerberos_Client: completed successfully
    6/24/2014 10:09:18 AM Error running ETW Manifest Import Adapter on Active_Directory__Kerberos_Client: Unexpected exception happened: The given key was not present in the dictionary. stacktrace:    at Microsoft.Opn.Runtime.Messaging.Etw.GeneratedOpnCacheManager.ImportEtwProviderMetadata(Guid
    providerId, EtwManifestResolver manifestResolver, Boolean reportConflicts)
    Product Technical Specialist in Identity Management, Microsoft Canada. http://blogs.msdn.com/alextch

    Active Directory: Kerberos Client is a MOF-based ETW provider.
    It looks like the PEF/Message Analyzer version you are using doesn't parse events from MOF-based providers.
    We added support for MOF-based ETW providers in PEF/MA v1.0.2. Which PEF/MA version are you using?
    Alternatively, you can use the LinkLayer/Firewall trace scenarios to get the Kerberos network traffic, or other Kerberos manifest-based ETW providers, for example the "Microsoft-Windows-Security-Kerberos" ETW provider, if these providers produce any ETW events.

  • Solaris 10 Active Directory problem

    I've been battling through the integration of Active Directory on our Solaris 10 systems, and have reached another brick wall. I am able to getent passwd <user> and kinit <user> without any problems, but any attempt to su or login via SSH shows the following:
    Apr 14 10:34:26 eddie su: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: New password cannot be zero length
    Using Samba version 3.0.23b, connecting to Windows Server 2003, with SP1. I've tried various fixes, tried installing and uninstalling other versions of ldap, pam, and krb5.
    If anyone could shed some light on this error, it would be much appreciated.
    Cheers,
    Dave

    have you checked this link?
    http://www.sun.com/bigadmin/features/articles/kerberos_s10.jsp?cid=e5595

  • Cannot get "passwd" to work with pam_winbind (Active Directory/Samba)

    I have a Samba Active Directory server and AD users can log in to Linux boxes. I'd like them to be able to change their passwords from Linux.
    I've set up winbind and PAM and users can log in fine. However, users cannot change passwords.
    I used the PAM configuration as per the wiki, although I note that /etc/pam.d/passwd doesn't include the "system-auth" file that the Wiki instructions describe. I can either paste the "password" entries into /etc/pam.d/passwd or modify it to include "system-auth". I've tried both ways without any luck. Here is the PAM config I have (from the Wiki instructions):
    password [success=1 default=ignore] pam_localuser.so
    password [success=2 default=die] pam_winbind.so
    password [success=1 default=die] pam_unix.so sha512 shadow
    password requisite pam_deny.so
    password optional pam_permit.so
    and here is a typical session
    $ passwd
    Changing password for MYDOMAIN\myuser
    (current) NT password:
    Enter new NT password:
    Retype new NT password:
    passwd: Authentication failure
    passwd: password unchanged
    and the journal (I enabled debug in the above config)
    Mar 02 13:59:48 tsodium passwd[981]: pam_winbind(passwd:chauthtok): [pamh: 0x9c1fe98] ENTER: pam_sm_chauthtok (flags: 0x4000)
    Mar 02 13:59:48 tsodium passwd[981]: pam_winbind(passwd:chauthtok): username [MYDOMAIN\myuser] obtained
    Mar 02 13:59:48 tsodium passwd[981]: pam_winbind(passwd:chauthtok): getting password (0x00000021)
    Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): request wbcLogonUser succeeded
    Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): user 'MYDOMAIN\myuser' granted access
    Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): [pamh: 0x9c1fe98] LEAVE: pam_sm_chauthtok returning 0 (PAM_SUCCESS)
    Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): [pamh: 0x9c1fe98] ENTER: pam_sm_chauthtok (flags: 0x2000)
    Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): username [MYDOMAIN\myuser] obtained
    Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): getting password (0x00000001)
    Mar 02 13:59:58 tsodium passwd[981]: pam_winbind(passwd:chauthtok): user 'MYDOMAIN\myuser' denied access (incorrect password or invalid membership)
    Mar 02 13:59:58 tsodium passwd[981]: pam_winbind(passwd:chauthtok): [pamh: 0x9c1fe98] LEAVE: pam_sm_chauthtok returning 7 (PAM_AUTH_ERR)
    I've done a bit of searching and have seen others reporting the same "incorrect password or invalid membership" but nothing concrete on how this should be configured. So I'd really appreciate anyone who can share a working configuration...

    Hello,
    We are getting the same message output: "com.sco.tta.common.asadutils", but ours say: "com.sco.tta.common.asadutils.ExpiredEvaluationException: ErrEvalExpired\Session failed: Command execution failed"
    Does anyone know where I can get info about this output?
    cs0aluc, how did you get your error fixed?
    Thanks in advance.

  • Binding to Active Directory Problem. I am a Newb! probably something stupid

    Hey All,
    Trying to get my Apple Xserve to join our Windows domain. I got it to bind and the user accounts show up on the machine, but then it asks me to join it to the Active Directory Kerberos realm. I am confused.
    What I am trying to do is join it to the Windows domain for my admin account on the actual server and then set up local user accounts on the machine, so when my Mac users log in they authenticate using the local Mac account and not the Windows domain account. Does this make sense? From what I read, Macs authenticate using the local account before going to the Windows account, which is what I want. I am a total newb to this so forgive me for the stupid questions.
    cheers all,
    jess

    Hi
    set up the xserve as an Open directory Master will it play nice on the network with the rest of the windows servers that we have.
    There should be no problem in doing this. All you need to do is decide whether you want your Mac Server to run its own DNS service or to use the existing DNS service being provided by the AD server. An Open Directory Master requires a DNS service running somewhere.
    i just want to have a mac studio of about 35 people be kind of an island within a sea of windows users. If there can be cross over there then fine.. but really i want the mac to work well with the apple server and if i can get the windows clients hooked up also then fine.
    There should be no problem with this.
    When you say studio do you mean a graphics design studio? Or are you talking about a video production studio? If the answer is yes to either one or both then perhaps a simple file server would do. An Open Directory Master is OK in this environment but your network needs to be up to the job: ideally gigabit Ethernet, certainly for video production and also if your studio are heavy Photoshop users. You could get away with 100Base-T, but with 35 heavy users editing files stored on the server as well as home folders it may be a bit too much. If this is the situation in your studio you would be better placed working locally and saving the files back to the server at the end of the day. You would set up your users with names and passwords in the OD directory node. Your studio can use those account details to log on to the server to access share points but still work locally if they need to. If you start Windows services on the Mac server then there should be no reason for Windows clients to access share points on the Mac server as well. Be careful how you configure Windows services as you already have existing PC servers on the network.
    As you have already stated your aim is to keep the Macs completely separate from the PCs, consider connecting all your Macs to a separate switch and have them running off a different IP address range and subnet mask. You could then use an intervening router to handle traffic between the two networks; this way you control cross-platform access to shared resources. If you understand networks, routers etc. then you should be able to accomplish this without too much trouble. Again, searching the Server forums should give you plenty of ideas and advice on the best way to achieve what you want. As ever, defining and deciding what you want the server to do is half the problem.

  • Principal Name for Active Directory "Domain Users"

    Hi,
    I successfully integrated WebLogic and Active Directory Kerberos (SSO). I tested a web application and successfully logged in to it with authentication.
    The system automatically recognized my Active Directory username. It worked.
    For authentication in my weblogic.xml I used
    <security-role-assignment>
    <role-name>admin</role-name>
    <principal-name>kursat</principal-name>
    <principal-name>fenerbahce</principal-name>
    </security-role-assignment>
    Now I'm trying to allow all domain members to authenticate to my application. For my application I only need the Active Directory usernames for them.
    For this purpose, I removed "kursat","fenerbahce" from my weblogic.xml
    <principal-name>kursat</principal-name>
    <principal-name>fenerbahce</principal-name>
    I added
    <principal-name>Domain Users</principal-name>
    instead of writing all domain users.
    However I couldn't authenticate. I got the "Error 403--Forbidden"
    Is there anyone who can help me?

    Test by creating a group under Domain Users and use it as your principal name in your weblogic.xml.
    -Faisal
    http://www.weblogic-wonders.com

  • Solaris 10 authentication on Windows 2008 Active Directory

    Hi,
    Has anyone done it?
    I've done it against a Windows 2003 R2 Active Directory and now in the production environment I'm having some issues with the password.
    I'm using only the Active Directory LDAP without Kerberos.
    I'm able to su to the user and getent passwd, but everything that has a password fails.
    I guess it is some configuration issue in Active Directory, some sync stuff, because the LDAP bind is done correctly; it is after the bind that it fails.
    Below is the sshd log with a wrong user password.
    sshd[23965]: [ID 293258 auth.error] libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
    sshd[23965]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
    And with the correct user password.
    sshd[23965]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
    As you can see the bind is done, but the Windows guys say everything is OK. This is a new implementation on both the Solaris side and the Windows side.
    This is how ldapclient is configured.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= CN=User Funcional Login de maquinas Unix CQ,OU=Utilizadores-Servicos,OU=Servicos-Transversais,OU=DOM,DC=Example,DC=com
    NS_LDAP_BINDPASSWD= {NS1}a1493f3c77c616
    NS_LDAP_SERVERS= 192.168.1.140, 192.168.1.141
    NS_LDAP_SEARCH_BASEDN= ou=dom,dc=example,dc=com
    NS_LDAP_AUTH= simple
    NS_LDAP_SEARCH_SCOPE= sub
    NS_LDAP_CACHETTL= 0
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=dom,dc=example,dc=com?sub
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=dom,dc=example,dc=com?sub
    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=dom,dc=example,dc=com?sub
    NS_LDAP_ATTRIBUTEMAP= passwd:gecos=cn
    NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
    NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group
    NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
    NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
    NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
    The nsswitch.conf has files ldap on both passwd and groups.
    Best regards and thanks for the help you can give

    The problem was in pam.conf, which had the pam_ldap module last in the order, and it shouldn't be.
    This is how it should be.
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password sufficient pam_ldap.so.1
    other password required pam_authtok_store.so.1
    Authentication against 2008 Active Directory working fine now.
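    To show why the ordering in the answer above matters, here is an added example (not code from the thread) that walks a Solaris pam.conf "password" stack with PAM control-flag semantics; the per-module outcomes for a directory-only user are constructed assumptions.

```python
"""Evaluate a Solaris pam.conf 'password' stack with PAM control-flag
semantics to show why pam_ldap must precede pam_authtok_store.
Added example, not code from the thread. The per-module outcomes below
are constructed assumptions for an AD/LDAP-only user with no local
/etc/shadow entry."""

from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]  # (control_flag, module)

# Constructed outcomes for a directory-only user changing a password.
LDAP_USER_OUTCOMES: Dict[str, bool] = {
    "pam_dhkeys.so.1": True,          # nothing to do without Secure RPC keys
    "pam_authtok_get.so.1": True,     # old/new password prompted successfully
    "pam_authtok_check.so.1": True,   # new password passes policy checks
    "pam_ldap.so.1": True,            # directory accepts the change
    "pam_authtok_store.so.1": False,  # no local shadow entry to update
}

# Ordering the answer reports as broken: pam_ldap after pam_authtok_store.
BROKEN_PAM_CONF = """
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
other password sufficient pam_ldap.so.1
"""

# Ordering given in the answer above.
FIXED_PAM_CONF = """
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password sufficient pam_ldap.so.1
other password required pam_authtok_store.so.1
"""


def parse_stack(text: str, service: str = "other",
                module_type: str = "password") -> Stack:
    """Pick the (flag, module) lines for one service / module type; skip comments."""
    stack: Stack = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == service and parts[1] == module_type:
            stack.append((parts[2], parts[3]))
    return stack


def evaluate_stack(stack: Stack, outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk the stack with required/requisite/sufficient/binding/optional
    semantics. Returns (overall success, modules actually invoked)."""
    invoked: List[str] = []
    required_failed = False
    for flag, module in stack:
        ok = outcomes.get(module, True)
        invoked.append(module)
        if not ok:
            if flag == "requisite":
                return False, invoked          # stop at once
            if flag in ("required", "binding"):
                required_failed = True         # keep walking, stack will fail
            # failures of 'sufficient' / 'optional' modules are ignored
        elif flag in ("sufficient", "binding") and not required_failed:
            return True, invoked               # short-circuit success
    return not required_failed, invoked


def ldap_after_store(stack: Stack) -> bool:
    """Lint: true when pam_ldap comes after pam_authtok_store in the stack."""
    modules = [m for _, m in stack]
    if "pam_ldap.so.1" not in modules or "pam_authtok_store.so.1" not in modules:
        return False
    return modules.index("pam_ldap.so.1") > modules.index("pam_authtok_store.so.1")


def password_change_succeeds(pam_conf: str) -> bool:
    """Outcome of 'passwd' for the directory-only user under a given pam.conf."""
    ok, _ = evaluate_stack(parse_stack(pam_conf), LDAP_USER_OUTCOMES)
    return ok


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_PAM_CONF), ("fixed", FIXED_PAM_CONF)):
        ok, invoked = evaluate_stack(parse_stack(conf), LDAP_USER_OUTCOMES)
        print(f"{label}: success={ok} invoked={invoked}")
```

    In the broken order the required pam_authtok_store fails first, so pam_ldap still runs but its success is ignored; in the fixed order pam_ldap's success returns immediately and pam_authtok_store is never reached.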

  • Authorisation Active Directory Win2003 users in Solaris 10

    Now I have the task of configuring Kerberos authentication and LDAP authorisation of Win2003 Active Directory users in Solaris 10.
    Kerberos authentication is configured with the native pam_krb5 according to the paper http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/08wsdsu.mspx and works fine.
    But I can't configure authorisation with the native ldapclient library.
    Can you give a step-by-step guide about configuring the native ldapclient and pam.conf for authorising AD users on Solaris 10?
    The ldaplist command returns an error:
    bash-3.00# ldaplist
    ldaplist: Object not found (LDAP ERROR (12): Unavailable critical extension.)
    And snoop ldap returns (10.25.66.222 is Solaris 10, 10.25.67.251 is the AD controller):
    bash-3.00# snoop ldap
    Using device /dev/pcn0 (promiscuous mode)
    10.25.67.251 -> 10.25.66.222 LDAP R port=32926
    10.25.66.222 -> 10.25.67.251 LDAP C port=32926
    10.25.66.222 -> 10.25.67.251 LDAP C port=32926
    10.25.66.222 -> 10.25.67.251 LDAP C port=32926 Bind Request
    10.25.67.251 -> 10.25.66.222 LDAP R port=32926 Bind Response Success
    10.25.66.222 -> 10.25.67.251 LDAP C port=32926
    10.25.66.222 -> 10.25.67.251 LDAP C port=32926 Search Request derefAlways
    10.25.67.251 -> 10.25.66.222 LDAP R port=32926 Search ResDone Unavailable Critical Extension
    10.25.66.222 -> 10.25.67.251 LDAP C port=32926
    10.25.66.222 -> 10.25.67.251 LDAP C port=32926 Unbind Request
    10.25.67.251 -> 10.25.66.222 LDAP R port=32926
    10.25.66.222 -> 10.25.67.251 LDAP C port=32926
    10.25.67.251 -> 10.25.66.222 LDAP R port=32926
    10.25.66.222 -> 10.25.67.251 LDAP C port=32926
    10.25.67.251 -> 10.25.66.222 LDAP R port=32927
    10.25.66.222 -> 10.25.67.251 LDAP C port=32927
    10.25.66.222 -> 10.25.67.251 LDAP C port=32927
    10.25.66.222 -> 10.25.67.251 LDAP C port=32927 Bind Request
    10.25.67.251 -> 10.25.66.222 LDAP R port=32927 Bind Response Success
    10.25.66.222 -> 10.25.67.251 LDAP C port=32927
    10.25.66.222 -> 10.25.67.251 LDAP C port=32927 Search Request derefAlways
    10.25.67.251 -> 10.25.66.222 LDAP R port=32927 Search ResDone No Such Object
    10.25.66.222 -> 10.25.67.251 LDAP C port=32927
    10.25.66.222 -> 10.25.67.251 LDAP C port=32927 Search Request derefAlways
    10.25.67.251 -> 10.25.66.222 LDAP R port=32927 Search ResDone No Such Object
    10.25.66.222 -> 10.25.67.251 LDAP C port=32927 Search Request derefAlways
    10.25.67.251 -> 10.25.66.222 LDAP R port=32927 Search ResDone No Such Object
    10.25.66.222 -> 10.25.67.251 LDAP C port=32927 Search Request derefAlways
    10.25.67.251 -> 10.25.66.222 LDAP R port=32927 Search ResDone No Such Object
    10.25.66.222 -> 10.25.67.251 LDAP C port=32927
    My current 'ldapclient list' is following:
    bash-3.00# ldapclient list
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=ldap_test,ou=Users,ou=Office,dc=corp,dc=com
    NS_LDAP_BINDPASSWD= {NS1}5e10c247a91661a5b4
    NS_LDAP_SERVERS= 10.25.67.251
    NS_LDAP_SEARCH_BASEDN= dc=corp,dc=com
    NS_LDAP_AUTH= simple
    NS_LDAP_SEARCH_REF= TRUE
    NS_LDAP_SEARCH_SCOPE= sub
    NS_LDAP_CACHETTL= 0
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
    NS_LDAP_SERVICE_AUTH_METHOD= passwd-cmd:simple
    And pam.conf:
    # Authentication management
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth sufficient pam_krb5.so.1 debug
    login auth required pam_unix_cred.so.1
    login auth required pam_unix_auth.so.1
    login auth required pam_dial_auth.so.1
    # rlogin service (explicit because of pam_rhost_auth)
    dtlogin auth requisite pam_authtok_get.so.1
    dtlogin auth required pam_dhkeys.so.1
    dtlogin auth sufficient pam_krb5.so.1 debug
    dtlogin auth required pam_unix_cred.so.1
    dtlogin auth required pam_unix_auth.so.1
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth sufficient pam_krb5.so.1 debug
    other auth required pam_unix_cred.so.1
    other auth required pam_unix_auth.so.1
    passwd auth required pam_passwd_auth.so.1
    cron account required pam_unix_account.so.1
    other account requisite pam_roles.so.1
    other account required pam_unix_account.so.1
    other account required pam_krb5.so.1 debug
    other session required pam_unix_session.so.1
    other session sufficient pam_krb5.so.1 debug
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password sufficient pam_krb5.so.1 debug
    other password required pam_authtok_store.so.1

    I tried this, but I found the Solaris implementation too unstable and scary, so I decided to go with VAS or Vintela from Quest:
    http://www.vintela.com
    It really works, unlike Sun's LDAP implementations, and it's easy too.
    7/M.

  • Help with Active Directory Integration and kerberos

    Hello,
    I'm encountering a bug preventing me from using Active Directory integration with Kerberos:
    Our domain name is CORP.DOMAIN.COM.
    When we request the GC in this domain:
    bash-3.00# nslookup -query=any gc.tcp.corp.domain.com
    Server: 1.2.1.6
    Address: 1.2.1.6#53
    ** server can't find gc.tcp.corp.domain.com: NXDOMAIN
    there is no answer.
    But when we request without corp, we find the servers :
    bash-3.00# nslookup -query=any gc.tcp.domain.com | grep sis
    gc.tcp.domain.com service = 0 100 3268 serveur02.corp.domain.com.
    gc.tcp.domain.com service = 0 100 3268 serveur01.corp.domain.com.
    bash-3.00#
    Is it possible to add the possibility to enter the domain name where the gc.tcp records reside?
    Thank you.

    Hello
    The domain.com domain exists, but it's not our domain.
    So, when I put domain.com, it searches with no result (nothing happens).
    Our kdc.conf:
    [kdcdefaults]
    kdc_ports = 88,750
    [realms]
    CORP.DOMAIN.COM = {
    profile = /etc/krb5/krb5.conf
    database_name = /var/krb5/principal
    admin_keytab = /etc/krb5/kadm5.keytab
    acl_file = /etc/krb5/kadm5.acl
    kadmind_port = 749
    max_life = 8h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    default_principal_flags = +preauth
    }
    krb5.conf:
    [libdefaults]
    default_realm = CORP.DOMAIN.COM
    default_checksum = rsa-md5
    [realms]
    CORP.DOMAIN.COM = {
    kdc = dc01.corp.domain.com
    kdc = dc02.corp.domain.com
    }
    [domain_realm]
    .corp.domain.com = CORP.DOMAIN.COM
    corp.domain.com = CORP.DOMAIN.COM
    In every domain, I think the GCs are in corp.domain.com, but in my company they're in domain.com...
    Thank you,

  • Windows client error joining with Samba 4.2 Active Directory server

    I have a basic Samba 4.2 ADC setup on CentOS 7 and I get "RPC server not available" whenever I attempt to join a Windows client to the domain. The smb.conf is the default one created during provisioning. All indicated pre-testing seems to work as expected. The Windows client finds the domain and recognizes whether a user is valid or not, but the last step of joining the domain ends with the error "Unable to join the Domain. RPC server not available." Does anyone have any ideas?
    Thanks Paul 
    This topic first appeared in the Spiceworks Community

    I have a scenario for you in active directory when two passwords may be valid:
    Old passwords can also work on domain controllers that have not received replication yet from either the domain controller the password was changed on, or the PDC emulator in the domain.
    Let's take a scenario where we have a 3 site, 3 domain controller (DC) active directory: Site1 with DC1, site2 with DC2 and site3 with DC3.
    The ACS application resides in Site3 and is configured to use DC3 for authentication. We have a user "user1" with a password of "123".
    User1 decides to call the helpdesk and changes his password to "456".
    The helpdesk uses DC1 to make password changes because they are located in site1. For a period of time (based on replication, which defaults to 3 hours between sites) the 123 password and the 456 password will be valid.
    If the user1 user tries the "123" password it will work until DC3 receives the changed password from normal replication. If user1 tries to use 456, DC3 will flag this as a wrong password, and then check the PDC emulator of the domain to see if it has received a newer password. The PDC emulator will validate the login, and then trigger an immediate replication with DC3.
    Regards,
    ~JG
    Do rate helpful posts
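    A small model of the replication window described in the post above, added here as an example and not part of the original post; the DC names, the choice of DC2 as PDC emulator, the user, the passwords and the timings are constructed.

```python
"""Model of the 'two valid passwords' window: a password changed on one DC
stays old on other DCs until replication, and a DC that rejects a password
consults the PDC emulator before failing the logon.
Added example, not part of the original post. DC names, the PDC emulator
choice (DC2), the user and the timings are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Inter-site replication interval quoted in the post (hours).
REPLICATION_INTERVAL_H = 3.0


@dataclass
class DomainController:
    name: str
    passwords: Dict[str, str] = field(default_factory=dict)  # user -> password
    versions: Dict[str, int] = field(default_factory=dict)   # user -> change counter

    def local_check(self, user: str, password: str) -> bool:
        return self.passwords.get(user) == password


@dataclass
class Domain:
    dcs: Dict[str, DomainController]
    pdc_emulator: str
    changed_at: Dict[str, float] = field(default_factory=dict)  # user -> hour of change
    log: List[str] = field(default_factory=list)

    def _copy(self, src: DomainController, dst: DomainController, user: str) -> None:
        # Only a newer version overwrites; replication never rolls a password back.
        if src.versions.get(user, 0) > dst.versions.get(user, 0):
            dst.passwords[user] = src.passwords[user]
            dst.versions[user] = src.versions[user]

    def change_password(self, dc_name: str, user: str, new_password: str, now: float) -> None:
        dc = self.dcs[dc_name]
        dc.passwords[user] = new_password
        dc.versions[user] = dc.versions.get(user, 0) + 1
        # AD forwards password changes to the PDC emulator right away (known AD
        # behaviour; the post only says the PDC may already hold a newer password).
        self._copy(dc, self.dcs[self.pdc_emulator], user)
        self.changed_at[user] = now
        self.log.append(f"t={now:.1f}h {dc_name}: password for {user} changed")

    def scheduled_replication(self, now: float) -> None:
        # Normal replication: every DC converges on the PDC's copy one interval
        # after the change.
        pdc = self.dcs[self.pdc_emulator]
        for user, t_change in self.changed_at.items():
            if now >= t_change + REPLICATION_INTERVAL_H:
                for dc in self.dcs.values():
                    self._copy(pdc, dc, user)

    def authenticate(self, dc_name: str, user: str, password: str, now: float) -> bool:
        self.scheduled_replication(now)
        dc = self.dcs[dc_name]
        if dc.local_check(user, password):
            self.log.append(f"t={now:.1f}h {dc_name}: {user} accepted locally")
            return True
        pdc = self.dcs[self.pdc_emulator]
        # Local mismatch: ask the PDC emulator, which may hold a newer password.
        if dc_name != self.pdc_emulator and pdc.local_check(user, password):
            self.log.append(f"t={now:.1f}h {dc_name}: rejected locally, PDC emulator "
                            f"{pdc.name} accepted; immediate replication to {dc_name}")
            self._copy(pdc, dc, user)
            return True
        self.log.append(f"t={now:.1f}h {dc_name}: {user} denied")
        return False


def build_domain() -> Domain:
    """Three sites, three DCs; user1 starts with password '123' everywhere."""
    dcs = {n: DomainController(n, {"user1": "123"}, {"user1": 1})
           for n in ("DC1", "DC2", "DC3")}
    return Domain(dcs=dcs, pdc_emulator="DC2")


def scenario_with_pdc_chaining() -> Tuple[bool, bool, bool]:
    """Helpdesk changes the password on DC1; the application authenticates
    against DC3 before normal replication has happened."""
    d = build_domain()
    d.change_password("DC1", "user1", "456", now=0.0)
    old_ok = d.authenticate("DC3", "user1", "123", now=0.5)     # stale copy still accepts
    new_ok = d.authenticate("DC3", "user1", "456", now=1.0)     # DC3 rejects, PDC accepts
    old_after = d.authenticate("DC3", "user1", "123", now=1.5)  # DC3 now has the new one
    return old_ok, new_ok, old_after


def scenario_without_chaining() -> Tuple[bool, bool]:
    """Nobody presents the new password to DC3, so '123' survives until the
    scheduled inter-site replication lands."""
    d = build_domain()
    d.change_password("DC1", "user1", "456", now=0.0)
    return (d.authenticate("DC3", "user1", "123", now=2.9),
            d.authenticate("DC3", "user1", "123", now=3.1))


if __name__ == "__main__":
    print(scenario_with_pdc_chaining(), scenario_without_chaining())
```

    For detection this is why a "wrong password" event on a remote DC shortly after a helpdesk change is not necessarily an attack; correlate with the PDC emulator's logon events before alerting.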

  • WLS 7.0 Active Directory authenticator - problems starting managed server (Solaris 8)

    Has anyone managed to setup a WLS 7.0 Active Directory authenticator and booted a managed server using the node manager? I can boot the server without the AD authenticator and I can also boot the server using a script and successfully authenticate through AD. My AD control flag is set to OPTIONAL and I have also setup a default authenticator to boot weblogic - the control flag here is set to SUFFICIENT. This configuration works fine with weblogic running on W2K, but not on Solaris (it looks like the control flag is being ignored). Errors as follows
    ####<Oct 1, 2002 1:59:08 PM BST> <Info> <Logging> <mymachine> <server01> <main> <kernel identity> <> <000000> <FileLogger Opened at /opt/app/live/appserver/domains/test/NodeManager/server01/server01.log>
    ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main> <kernel identity> <> <000415> <System has file descriptor limits of - soft: 1,024, hard: 1,024>
    ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main> <kernel identity> <> <000416> <Using effective file descriptor limit of: 1,024 open sockets/files.>
    ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main> <kernel identity> <> <000418> <Allocating: 3 POSIX reader threads>
    ####<Oct 1, 2002 1:59:19 PM BST> <Critical> <WebLogicServer> <mymachine> <server01> <main> <kernel identity> <> <000364> <Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating Authentication Providerjavax.management.RuntimeOperationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean for the attribute Credential>
    weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating Authentication Providerjavax.management.RuntimeOperationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean for the attribute Credential
    at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
    at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
    at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
    at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
    at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
    at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
    at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
    at weblogic.Server.main(Server.java:31)
    ####<Oct 1, 2002 1:59:19 PM BST> <Emergency> <WebLogicServer> <mymachine> <server01> <main> <kernel identity> <> <000342> <Unable to initialize the server: Fatal initialization exception
    Throwable: weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating Authentication Providerjavax.management.RuntimeOperationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean for the attribute Credential
    weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating Authentication Providerjavax.management.RuntimeOperationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean for the attribute Credential
    at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
    at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
    at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
    at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
    at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
    at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
    at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
    at weblogic.Server.main(Server.java:31)

    Solved the problem. The 'domain root' directory specified in the remote start configuration must contain a copy of the file 'SerializedSystemIni.dat' that was created along with the domain, in order to boot when an AD authenticator is configured. If an AD authenticator is not configured, no file is required. This was not a platform specific issue; on Win2K I had configured the 'domain root' remote start parameter to point to an existing domain root and not a new directory.

  • Authentication on Active Directory under Kerberos v5

    Hi!!
    I'm trying to authenticate a user in Active Directory (with Kerberos v5) and I get this error message:
    C:\j2sdk1.4>java -Djava.security.auth.login.config=gsseg_jaas.conf -Djava.security.krb5.conf=krb5.conf -Dsun.security.krb5.debug=true GssExample
    Parameters entered ...
    Kerberos username [AAL]: Administrador
    Kerberos password for Administrador: swtest03
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    KrbAsReq calling createMessage
    KrbAsReq in createMessage
    KrbAsReq etypes are: 3 1
    KrbKdcReq send: kdc=192.168.80.109, port=88, timeout=30000, number of retries =3, #bytes=239
    KrbKdcReq send: #bytes read=125
    KDCRep: init() encoding tag is 126 req type is 11
    KRBError:sTime is Tue Mar 25 18:52:52 CET 2003 1048614772000
    suSec is 447772
    error code is 14
    realm is BRUJULATEST.LOCAL
    sname is krbtgt/BRUJULATEST.LOCAL
    eData provided.
    Authentication attempt failedjavax.security.auth.login.LoginException: KDC has no support for encryption type (14)
    javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:568)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:458)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at GssExample.main(GssExample.java:74)
    Caused by: KrbException: KDC has no support for encryption type (14)
    at sun.security.krb5.KrbAsRep.<init>(DashoA6275:62)
    at sun.security.krb5.KrbAsReq.getReply(DashoA6275:308)
    at sun.security.krb5.Credentials.acquireTGT(DashoA6275:333)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:559)
    ... 12 more
    Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.af.a(DashoA6275:129)
    at sun.security.krb5.internal.au.a(DashoA6275:58)
    at sun.security.krb5.internal.au.<init>(DashoA6275:53)
    at sun.security.krb5.KrbAsRep.<init>(DashoA6275:48)
    ... 15 more
    Is there anyone who can help me???
    Thanks to everybody!!

    I've got it!!!
    I can authenticate any user except Administrator.
    But I can do it with a user that I created with administrator permissions.
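    What the trace above actually says is easy to miss, so here is an added example (my own code, not from the post or the JDK) that reads the same debug lines and names the numbers. The client sent "KrbAsReq etypes are: 3 1", which are des-cbc-md5 and des-cbc-crc (RFC 3961), and the KDC answered error code 14, KDC_ERR_ETYPE_NOSUPP (RFC 4120): none of the offered encryption types is acceptable for that principal. The follow-up (a freshly created account works, Administrador does not) is consistent with a per-account encryption-type restriction on the KDC side. The sample trace is copied from the post; the helper names, the advice strings and the small error table are mine.

```python
import re

# Encryption type numbers from RFC 3961 (DES/3DES/AES) and RFC 4757 (RC4).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
DES_ETYPES = {1, 2, 3}

# KDC error codes from RFC 4120 section 7.5.9 (subset used here).
KDC_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    18: "KDC_ERR_CLIENT_REVOKED",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW",
}

# Debug lines copied from the post above (-Dsun.security.krb5.debug=true).
SAMPLE_TRACE = """\
KrbAsReq etypes are: 3 1
KrbKdcReq send: kdc=192.168.80.109, port=88, timeout=30000, number of retries =3, #bytes=239
KrbKdcReq send: #bytes read=125
KDCRep: init() encoding tag is 126 req type is 11
KRBError:sTime is Tue Mar 25 18:52:52 CET 2003 1048614772000
error code is 14
realm is BRUJULATEST.LOCAL
sname is krbtgt/BRUJULATEST.LOCAL
"""

_ETYPES_RE = re.compile(r"KrbAsReq etypes are:\s*([\d ]+)")
_KDC_RE = re.compile(r"KrbKdcReq send: kdc=([^,]+), port=(\d+)")
_ERR_RE = re.compile(r"^error code is (\d+)")
_REALM_RE = re.compile(r"^realm is (\S+)")
_SNAME_RE = re.compile(r"^sname is (\S+)")


def parse_trace(text):
    """Pull the AS-REQ/KRB-ERROR facts out of JDK krb5 debug output."""
    info = {"etypes": [], "kdc": None, "port": None,
            "error_code": None, "realm": None, "sname": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = _ETYPES_RE.search(line)
        if m:
            info["etypes"] = [int(x) for x in m.group(1).split()]
            continue
        m = _KDC_RE.search(line)
        if m:
            info["kdc"], info["port"] = m.group(1), int(m.group(2))
            continue
        m = _ERR_RE.match(line)
        if m:
            info["error_code"] = int(m.group(1))
            continue
        m = _REALM_RE.match(line)
        if m:
            info["realm"] = m.group(1)
            continue
        m = _SNAME_RE.match(line)
        if m:
            info["sname"] = m.group(1)
    return info


def diagnose(info):
    """Name the KDC error and say whether the client's etype offer explains it."""
    code = info["error_code"]
    offered = info["etypes"]
    result = {
        "error_name": KDC_ERRORS.get(code, "unknown (%r)" % code),
        "offered": [ETYPE_NAMES.get(e, "etype %d" % e) for e in offered],
        "des_only": bool(offered) and all(e in DES_ETYPES for e in offered),
        "advice": None,
    }
    if code == 14:
        if result["des_only"]:
            result["advice"] = (
                "Client offered only DES and the KDC accepts none of them for %s. "
                "Offer an etype the KDC supports (AES or RC4 in krb5.conf "
                "default_tkt_enctypes, on a JDK that implements it); enabling DES "
                "on the account is the weak last resort." % info["sname"])
        else:
            result["advice"] = ("No overlap between offered etypes and the KDC's; "
                                "compare against the account's allowed types.")
    elif code == 24:
        result["advice"] = "Wrong password, stale keytab key, or clock skew."
    elif code == 37:
        result["advice"] = "Clock skew between client and KDC; synchronise time."
    return result


if __name__ == "__main__":
    facts = parse_trace(SAMPLE_TRACE)
    print(facts)
    print(diagnose(facts))
```

    Run it against any `-Dsun.security.krb5.debug=true` output; the `des_only` flag is the thing to look at first, because a DES-only offer against a modern AD domain fails with code 14 for every account that does not have DES explicitly allowed.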

  • Active Directory multi forest Kerberos authentication Tomcat

    Sorry, it is the wrong forum. I forwarded my question to the Business Objects forum.
    Hi,
    I have Business Objects Enterprise XI R2 with Tomcat installed on Windows 2003. My BO server and users are placed in different Active Directory forests (BO domain x forest A, users domain y forest B). I would like to authenticate users from domain y in my BO using Kerberos.
    There is a trust between those domains. I also set the SPN and configured the "Windows AD" tab in the Central Management Console.
    I can add an AD group from domain y and list users from that domain in the Central Management Console. But when a user from domain y tries to log on to BO he gets the error java.lang.NullPointerException. Due to this error, he is unable to connect.
    There is also an error logged in Tomcat stdout.log file:
    70051106 [http-8080-Processor22] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction  - LoginContext failed. No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
    If anyone has come across this situation, please share the solution.
    Thanks & Regards,
    Piotr
    Edited by: Piotr Heise on Mar 27, 2009 2:08 PM

    Hi
    Is your enterprise configured for Java Active Directory?
    Then there can be multiple causes:
    - The Java and the Central Management Server (CMS) are using encryption types that do not match.
    - The Service Principal Name in the CMC is incorrect.
    Then to resolve this perform the following steps:
    - In the Central Configuration Manager, double-click the CMS, and note the service account used.
    - In Windows Domain Users and Computers, go to the account properties for the CMS service account.
    - Select "Use DES encryption types for this account". In large AD deployments this change can take time to propagate.
    - Log in to the CMC and verify that the Service Principal Name (Authentication -> Active Directory -> Service Principal Name) is in the format BOBJCentralMS/HOSTNAME.DOMAIN.COM
    - Restart the CMS server and log on.
    In a clustered CMS environment ensure that all CMSs are running under the same domain account.
    Hope this helps!!!
    Regards
    Sourashree

  • Solaris authentication with Active Directory

    Our shop is a mixed environment of Unix and Windows users. Many use both environments daily and there has been a desire to have a common authentication scheme. We have been able to successfully configure our RH Linux clients to authenticate against our Windows or NIS environment using pam and krb5, but have not been able to successfully adapt this to our Solaris (9/10) environment. Our Unix/Linux client environment is in a common NIS domain. We want to continue to use NIS for account management and add AD for authentication only, i.e. if the username/password authenticates against AD or NIS, then the user login proceeds.
    On Solaris I have been able to successfully configure the /etc/krb5/krb5.conf file so that a kinit can be done successfully. klist lists out the info and kdestroy removes it. However, figuring out how to properly configure the /etc/pam.conf file to use this for login/rlogin/ssh authentication is not making any progress. Various attempts to add the pam_krb5.so.1 plugin in various sections of the file have not worked. Can you advise me on the proper configuration for this to work and/or the means to get it working?
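    The "AD or NIS" behaviour the question asks for is a matter of control flags and ordering in /etc/pam.conf. Below is an added example, not from the post or from Sun's documentation, of one auth stack that tries Kerberos first and falls back to the NIS/passwd password. It assumes the stock Solaris 10 module set and that /etc/krb5/krb5.conf already works for kinit, as the poster reports; the `other` stack is shown because the sshd service names fall back to it, but `login` and `rlogin` have their own auth entries in the default Solaris 10 file and need the same line.

```text
# /etc/pam.conf fragment (Solaris 10): Kerberos first, NIS/passwd fallback.
# Fields: service  module_type  control_flag  module_path
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_auth.so.1
```

    `sufficient` is what makes the stack an OR: if pam_krb5 obtains a TGT the stack succeeds immediately (the required modules above it have already passed); if it fails, the failure is ignored and pam_unix_auth decides against NIS. Keep pam_krb5 above pam_unix_auth, otherwise the local check runs first and AD is only consulted on failure, which is usually what the earlier "various sections" attempts got wrong. Two caveats a practitioner should check: a wrong password now costs one failed attempt on both AD and NIS, so lockout policies on the two sides interact; and a PAM module that proves only "this password obtained a TGT" trusts whoever answers on port 88, so give the host a keytab (host/fqdn principal) so the TGT can be verified against a key the KDC must possess.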

    Read up on Enterprise User Security (EUS), a feature of Oracle Enterprise Database.
    Mark Wilcox also has several posts related to OVD/AD/EUS integration on his blog:
    http://blogs.oracle.com/mwilcox/2008/09/clarifying_eus_and_kerberos.html
    A simple Google search for oracle eus will also turn up a lot of useful info.
    And then there is Oracle's identity website, where there are white papers like this one:
    Manage Oracle Database Users and Roles Centrally in Active Directory or Sun Directory
    http://www.oracle.com/us/products/middleware/identity-management/059380.pdf

  • Kerberos authentication with Active Directory

    I have tried using JAAS to authenticate to MS Active Directory and keep getting "javax.security.auth.login.LoginException: Pre-Authentication Information was invalid"
    I have tried authenticating with multiple user accounts and on three different realms (Active Directory domains).
    How do I need to format the username? I know that when using JNDI to access Active Directory I have to use the format "[email protected]" or the RDN. I have tried it both ways with JAAS kerberos authentication as well as with just the username by itself. I don't think that the username format is the problem though because if I set the account lockout policy to 5 failed attempts, sure enough my account will be locked out after running my code 5 times. If I give a username that doesn't exist in Active Directory I get the error "javax.security.auth.login.loginexception: Client not found in Kerberos database" Is there something special that I have to do to the password?
    I know that there is just something stupid that I'm missing. Here is the simplest example of code that I'm working with:
    import java.io.*;
    import javax.security.auth.callback.*;
    import javax.security.auth.login.*;
    import javax.security.auth.Subject;
    import com.sun.security.auth.callback.TextCallbackHandler;

    public class krb5ADLogin1 {
        public static void main(String[] args) {
            LoginContext lc = null;
            try {
                // The entry name must match the block name in the JAAS config file
                lc = new LoginContext("krb5ADLogin1", new TextCallbackHandler());
                // Prompts for user name and password, then sends the AS-REQ to the KDC
                lc.login();
                Subject subject = lc.getSubject();
                System.out.println("Authenticated principals: " + subject.getPrincipals());
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
    Here is my config file:
    krb5ADLogin1 {
        com.sun.security.auth.module.Krb5LoginModule required;
    };
    The command I use to start the program is:
    java -Djava.security.krb5.realm=mydomain.com
    -Djava.security.krb5.kdc=DomainController.mydomain.com
    -Djava.security.auth.login.config=sample.conf krb5ADLogin1

    Hi there ... the Sun web site has the following snippet:
    http://java.sun.com/j2se/1.4/docs/guide/security/jgss/tutorials/Troubleshooting.html
    + javax.security.auth.login.LoginException: KrbException::
    Pre-authentication information was invalid (24) - Preauthentication failed
    Cause 1: The password entered is incorrect.
    Solution 1: Verify the password.
    Cause 2: If you are using the keytab to get the key (e.g., by
    setting the useKeyTab option to true in the Krb5LoginModule entry
    in the JAAS login configuration file), then the key might have
    changed since you updated the keytab.
    Solution 2: Consult your Kerberos documentation to generate a new
    keytab and use that keytab.
    Cause 3: Clock skew - If the time on the KDC and on the client
    differ significantly (typically 5 minutes), this error can be
    returned.
    Solution 3: Synchronize the clocks (or have a system administrator
    do so).
    Good luck,
    -Derek
