Samba Active Directory, Kerberos on Solaris 10
I have fresh installs of Solaris 10 on Sparc and Intel boxes, with the
Software Companion.
I have downloaded krb5-1.4 from MIT. My LD_LIBRARY_PATH=/opt/sfw/bin:/usr/sfw/bin:/usr/local/ssl/lib
./configure works OK.
Make generates this error:
making all in lib/gssapi/krb5...
+ gawk -f ./../../../util/et/et_c.awk outfile=ettmp27001.c ettmp27001.et
mksh: Fatal error in reader Loop detected when expanding macro value '\#include <stdint.h>
...
Did you finally get it compiled?
I also got a compilation error, but a slightly different one: the compilation stopped at making gssapi. It is a fatal error with the Makefile script.
Similar Messages
-
Unable to add Active Directory: Kerberos Client trace scenario configuration
Hi,
While trying to add the Active Directory: Kerberos Client trace scenario configuration, I am getting this error message in the log (see below).
What am I missing?
Thanks
Alex.
6/24/2014 10:09:18 AM Information running ETW Manifest Import Adapter on supplemental OPN: done
6/24/2014 10:09:18 AM Warning Cannot create ETW manifest loader for Active Directory: Kerberos Client: The system cannot find the file specified. Please check that the manifest is properly installed
6/24/2014 10:09:18 AM Information running ETW Manifest Import Adapter on Active_Directory__Kerberos_Client: completed successfully
6/24/2014 10:09:18 AM Error running ETW Manifest Import Adapter on Active_Directory__Kerberos_Client: Unexpected exception happened: The given key was not present in the dictionary. stacktrace: at Microsoft.Opn.Runtime.Messaging.Etw.GeneratedOpnCacheManager.ImportEtwProviderMetadata(Guid
providerId, EtwManifestResolver manifestResolver, Boolean reportConflicts)
Product Technical Specialist in Identity Management, Microsoft Canada. http://blogs.msdn.com/alextch
Active Directory: Kerberos Client is a MOF-based ETW provider.
Looks like the PEF/Message Analyzer version you are using doesn't parse events from MOF-based providers.
We added support for MOF-based ETW providers in PEF/MA v1.0.2. What PEF/MA version are you using?
Alternatively, you can use the LinkLayer/Firewall trace scenarios to get the Kerberos network traffic, or other manifest-based Kerberos ETW providers, for example the "Microsoft-Windows-Security-Kerberos" ETW provider, if these providers produce any ETW events. -
Solaris 10 Active Directory problem
I've been battling through the integration of Active Directory on our Solaris 10 systems, and have reached another brick wall. I am able to getent passwd <user> and kinit <user> without any problems, but any attempt to su or login via SSH shows the following:
Apr 14 10:34:26 eddie su: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: New password cannot be zero length
Using Samba version 3.0.23b, connecting to Windows Server 2003, with SP1. I've tried various fixes, tried installing and uninstalling other versions of ldap, pam, and krb5.
If anyone could shed some light on this error, it would be much appreciated.
Cheers,
Dave
Have you checked this link?
http://www.sun.com/bigadmin/features/articles/kerberos_s10.jsp?cid=e5595 -
Cannot get "passwd" to work with pam_winbind (Active Directory/Samba)
I have a Samba Active Directory server and AD users can log in to Linux boxes. I'd like them to be able to change their passwords from Linux.
I've set up winbind and PAM and users can log in fine. However, users cannot change passwords.
I used the PAM configuration as per the wiki, although I note that /etc/pam.d/passwd doesn't include the "system-auth" file that the Wiki instructions describe. I can either paste the "password" entries into /etc/pam.d/passwd or modify it to include "system-auth". I've tried both ways without any luck. Here is the PAM config I have (from the Wiki instructions):
password [success=1 default=ignore] pam_localuser.so
password [success=2 default=die] pam_winbind.so
password [success=1 default=die] pam_unix.so sha512 shadow
password requisite pam_deny.so
password optional pam_permit.so
and here is a typical session
$ passwd
Changing password for MYDOMAIN\myuser
(current) NT password:
Enter new NT password:
Retype new NT password:
passwd: Authentication failure
passwd: password unchanged
and the journal (I enabled debug in the above config)
Mar 02 13:59:48 tsodium passwd[981]: pam_winbind(passwd:chauthtok): [pamh: 0x9c1fe98] ENTER: pam_sm_chauthtok (flags: 0x4000)
Mar 02 13:59:48 tsodium passwd[981]: pam_winbind(passwd:chauthtok): username [MYDOMAIN\myuser] obtained
Mar 02 13:59:48 tsodium passwd[981]: pam_winbind(passwd:chauthtok): getting password (0x00000021)
Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): request wbcLogonUser succeeded
Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): user 'MYDOMAIN\myuser' granted access
Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): [pamh: 0x9c1fe98] LEAVE: pam_sm_chauthtok returning 0 (PAM_SUCCESS)
Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): [pamh: 0x9c1fe98] ENTER: pam_sm_chauthtok (flags: 0x2000)
Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): username [MYDOMAIN\myuser] obtained
Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): getting password (0x00000001)
Mar 02 13:59:58 tsodium passwd[981]: pam_winbind(passwd:chauthtok): user 'MYDOMAIN\myuser' denied access (incorrect password or invalid membership)
Mar 02 13:59:58 tsodium passwd[981]: pam_winbind(passwd:chauthtok): [pamh: 0x9c1fe98] LEAVE: pam_sm_chauthtok returning 7 (PAM_AUTH_ERR)
I've done a bit of searching and have seen others reporting the same "incorrect password or invalid membership" but nothing concrete on how this should be configured. So I'd really appreciate anyone who can share a working configuration...
Hello,
We are getting the same message output: "com.sco.tta.common.asadutils", but ours says: "com.sco.tta.common.asadutils.ExpiredEvaluationException: ErrEvalExpired\Session failed: Command execution failed"
Does anyone know where can I get info about this output?
cs0aluc, how did you get your error fixed?
Thanks in advance. -
Binding to Active Directory Problem. I am a Newb! probably something stupid
Hey All,
Trying to get my Apple Xserve to join our Windows domain. I got it to bind and the user accounts show up on the machine, but then it asks me to join it to the Active Directory Kerberos realm. I am confused.
What I am trying to do is join it to the Windows domain for my admin account on the actual server and then set up local user accounts on the machine, so when my Mac users log in they authenticate using the local Mac account and not the Windows domain account. Does this make sense? From what I read, Macs authenticate using the local account before going to the Windows account, which is what I want. I am a total newb to this, so forgive me for the stupid questions.
cheers all,
jess
Hi
Set up the Xserve as an Open Directory Master.
Will it play nice on the network with the rest of the Windows servers that we have?
There should be no problem in doing this. All you need to do is decide whether you want your Mac Server to run its own DNS Service or to use the existing DNS service being provided by the AD Server. Open Directory Master requires DNS Services running somewhere.
I just want to have a Mac studio of about 35 people be kind of an island within a sea of Windows users. If there can be crossover there then fine, but really I want the Macs to work well with the Apple server, and if I can get the Windows clients hooked up also then fine.
There should be no problem with this.
When you say studio do you mean a graphic design studio? Or are you talking about a video production studio? If the answer is yes to either one or both then perhaps a simple file server would do. An Open Directory Master is OK in this environment but your network needs to be up to the job. Ideally gigabit Ethernet, certainly for video production and also if your studio are heavy Photoshop users. You could get away with 100Base-T but with 35 heavy users editing files stored on the server as well as home folders it may be a bit too much. If this is the situation in your studio you would be better placed working locally and saving the files back to the server at the end of the day. You would set up your users with names and passwords in the OD directory node. Your studio can use those account details to log on to the server to access share points but still work locally if they need to. If you start Windows services on the Mac server then there should be no reason for Windows clients to access share points on the Mac server as well. Be careful how you configure Windows services as you already have existing PC servers on the network.
As you have already stated that your aim is to keep the Macs completely separate from the PCs, consider connecting all your Macs to a separate switch and have them running off a different IP address range and subnet mask. You could then use an intervening router to handle traffic between the two networks; this way you control cross-platform access to shared resources. If you understand networks, routers etc. then you should be able to accomplish this without too much trouble. Again, searching the Server forums should give you plenty of ideas and advice on the best way to achieve what you want. As ever, defining and deciding what you want the server to do is half the problem. -
Principal Name for Active Directory "Domain Users"
Hi,
I successfully integrated WebLogic and Active Directory Kerberos (SSO). I tested a web application and successfully logged in to it with authentication.
The system automatically recognized my Active Directory username. It worked.
For authentication in my weblogic.xml I used
<security-role-assignment>
<role-name>admin</role-name>
<principal-name>kursat</principal-name>
<principal-name>fenerbahce</principal-name>
</security-role-assignment>
Now I'm trying to allow all domain members to authenticate to my application. For my application I only need the Active Directory usernames for them.
For this purpose, I removed "kursat","fenerbahce" from my weblogic.xml
<principal-name>kursat</principal-name>
<principal-name>fenerbahce</principal-name>
I added
<principal-name>Domain Users</principal-name>
instead of writing all domain users.
However, I couldn't authenticate. I got "Error 403--Forbidden".
Is there anyone who can help me?
Test by creating a group under Domain Users and use it as your principal name in your weblogic.xml.
-Faisal
http://www.weblogic-wonders.com -
Solaris 10 authentication on Windows 2008 Active Directory
Hi,
Has anyone done it?
I've done it against a Windows 2003 R2 Active Directory and now in the production environment I'm having some issues with the password.
I'm using only the Active Directory LDAP without Kerberos.
I'm able to su to the user and getent passwd, but everything that uses a password fails.
I guess it's some configuration issue in Active Directory, some sync stuff, because the LDAP bind is done correctly; it is after the bind that it fails.
Below is the sshd log with a wrong user password.
sshd[23965]: [ID 293258 auth.error] libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
sshd[23965]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
And with the correct user password.
sshd[23965]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
As you can see the bind is done, but the Windows guys say everything is OK. This is a new implementation on both the Solaris side and the Windows side.
This is how ldapclient is configured.
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= CN=User Funcional Login de maquinas Unix CQ,OU=Utilizadores-Servicos,OU=Servicos-Transversais,OU=DOM,DC=Example,DC=com
NS_LDAP_BINDPASSWD= {NS1}a1493f3c77c616
NS_LDAP_SERVERS= 192.168.1.140, 192.168.1.141
NS_LDAP_SEARCH_BASEDN= ou=dom,dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=dom,dc=example,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=dom,dc=example,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=dom,dc=example,dc=com?sub
NS_LDAP_ATTRIBUTEMAP= passwd:gecos=cn
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
The nsswitch.conf has files ldap on both passwd and groups.
Best regards and thanks for the help you can give.
The problem was in pam.conf, which had the module pam_ldap last in the order, and it shouldn't be.
This is how it should be.
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password sufficient pam_ldap.so.1
other password required pam_authtok_store.so.1
Authentication against 2008 Active Directory working fine now. -
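The two "password" stacks on this page (the pam_winbind stack in the passwd post above and the corrected Solaris pam.conf in this post) are easier to reason about with a small evaluator. This is an added example, not code from either post, from Samba or from Solaris: it walks a stack using the control-flag semantics documented in Linux-PAM's pam.conf(5), which also lists the keyword-to-bracket equivalences that match what Solaris pam.conf(4) describes for required/requisite/sufficient/optional. Module names are the ones posted; the return codes fed to each module are assumptions supplied by a constructed dict, not real module results.

```python
"""Walk a PAM 'password' stack the way libpam does, offline.

Added example, not code from any post on this page, Samba or Solaris.
It reads the two control-flag dialects used above: Solaris pam.conf
keywords (required/requisite/sufficient/optional) and Linux-PAM bracket
syntax ([success=1 default=ignore] ...). Module return codes come from
a constructed dict instead of real modules, so nothing talks to PAM.
"""

PAM_SUCCESS, PAM_AUTH_ERR, PAM_IGNORE = 0, 7, 25   # libpam return codes

# Keyword -> bracket equivalences as documented in Linux-PAM pam.conf(5);
# Solaris pam.conf(4) describes the same behaviour for these four keywords.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(ctl):
    """Return {return_value_name: action} for a keyword or bracket control field."""
    ctl = KEYWORDS.get(ctl, ctl)
    return dict(item.split("=", 1) for item in ctl.strip("[]").split())


def run_stack(stack, results):
    """stack: list of (control, module); results: module -> return code.

    Returns (status, trace); trace lists (module, rc, action) for every
    module that actually ran, in order.
    """
    status, failed, trace, i = PAM_SUCCESS, False, [], 0
    while i < len(stack):
        ctl, module = stack[i]
        rc = results.get(module, PAM_AUTH_ERR)        # unknown module: treat as failure
        actions = parse_control(ctl)
        name = {PAM_SUCCESS: "success", PAM_IGNORE: "ignore"}.get(rc, "other")
        action = actions.get(name, actions["default"])
        trace.append((module, rc, action))
        if action in ("bad", "die"):
            if not failed:                            # the first failure's code sticks
                status, failed = rc, True
            if action == "die":
                break
        elif action != "ignore":                      # ok, done, or a jump count
            if not failed:
                status = rc
            if action == "done" and not failed:
                break                                 # sufficient: stop with success
            if action.isdigit():
                i += int(action)                      # skip the next N modules
        i += 1
    return status, trace


# Stack from the pam_winbind post above (Linux-PAM syntax).
WINBIND_PASSWD = [
    ("[success=1 default=ignore]", "pam_localuser.so"),
    ("[success=2 default=die]",    "pam_winbind.so"),
    ("[success=1 default=die]",    "pam_unix.so"),
    ("requisite",                  "pam_deny.so"),
    ("optional",                   "pam_permit.so"),
]

# Working Solaris stack from this post, and the ordering the poster says was wrong.
SOLARIS_GOOD = [
    ("required",   "pam_dhkeys.so.1"),
    ("requisite",  "pam_authtok_get.so.1"),
    ("requisite",  "pam_authtok_check.so.1"),
    ("sufficient", "pam_ldap.so.1"),
    ("required",   "pam_authtok_store.so.1"),
]
SOLARIS_LDAP_LAST = SOLARIS_GOOD[:3] + [SOLARIS_GOOD[4], SOLARIS_GOOD[3]]


def domain_user_outcome(winbind_rc):
    """Domain user: pam_localuser fails, so pam_winbind's result decides (assumed codes)."""
    results = {"pam_localuser.so": PAM_AUTH_ERR, "pam_winbind.so": winbind_rc,
               "pam_unix.so": PAM_SUCCESS, "pam_deny.so": PAM_AUTH_ERR,
               "pam_permit.so": PAM_SUCCESS}
    return run_stack(WINBIND_PASSWD, results)


def local_user_outcome():
    """Local user: the success=1 jump skips pam_winbind entirely (assumed codes)."""
    results = {"pam_localuser.so": PAM_SUCCESS, "pam_winbind.so": PAM_AUTH_ERR,
               "pam_unix.so": PAM_SUCCESS, "pam_deny.so": PAM_AUTH_ERR,
               "pam_permit.so": PAM_SUCCESS}
    return run_stack(WINBIND_PASSWD, results)


def solaris_outcome(stack, ldap_rc, store_rc):
    results = {"pam_dhkeys.so.1": PAM_SUCCESS, "pam_authtok_get.so.1": PAM_SUCCESS,
               "pam_authtok_check.so.1": PAM_SUCCESS,
               "pam_ldap.so.1": ldap_rc, "pam_authtok_store.so.1": store_rc}
    return run_stack(stack, results)


if __name__ == "__main__":
    cases = {
        "domain user, winbind PAM_AUTH_ERR": domain_user_outcome(PAM_AUTH_ERR),
        "domain user, winbind PAM_SUCCESS":  domain_user_outcome(PAM_SUCCESS),
        "local user":                        local_user_outcome(),
        "Solaris, pam_ldap before store":    solaris_outcome(SOLARIS_GOOD, PAM_SUCCESS, PAM_AUTH_ERR),
        "Solaris, pam_ldap last":            solaris_outcome(SOLARIS_LDAP_LAST, PAM_SUCCESS, PAM_AUTH_ERR),
    }
    for label, (status, trace) in cases.items():
        print(f"{label}: status={status}, ran={[m for m, _, _ in trace]}")
```

Run stand-alone it prints the five cases. Two things become visible: with `[success=2 default=die]`, any non-success from pam_winbind ends the stack with that module's code (the PAM_AUTH_ERR 7 seen in the journal) and pam_unix never runs, so the failure is inside winbind's chauthtok, not in the stack layout; and a `sufficient` pam_ldap placed after a `required` pam_authtok_store can no longer rescue the stack once the store module has recorded a failure, which is why the order the Solaris post settled on puts pam_ldap first.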
Authorisation Active Directory Win2003 users in Solaris 10
Now I have the task of configuring Kerberos authentication and LDAP authorisation of Win2003 Active Directory users in Solaris 10.
Kerberos authentication is configured with the native pam_krb5 according to the paper http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/08wsdsu.mspx and works fine.
But I can't configure authorisation with the native ldapclient library.
Can you give a step-by-step guide to configuring the native ldapclient and pam.conf for authorising AD users on Solaris 10?
ldaplist command return error
bash-3.00# ldaplist
ldaplist: Object not found (LDAP ERROR (12): Unavailable critical extension.)
And snoop ldap returns (10.25.66.222 is Solaris 10, 10.25.67.251 is the AD controller):
bash-3.00# snoop ldap
Using device /dev/pcn0 (promiscuous mode)
10.25.67.251 -> 10.25.66.222 LDAP R port=32926
10.25.66.222 -> 10.25.67.251 LDAP C port=32926
10.25.66.222 -> 10.25.67.251 LDAP C port=32926
10.25.66.222 -> 10.25.67.251 LDAP C port=32926 Bind Request
10.25.67.251 -> 10.25.66.222 LDAP R port=32926 Bind Response Success
10.25.66.222 -> 10.25.67.251 LDAP C port=32926
10.25.66.222 -> 10.25.67.251 LDAP C port=32926 Search Request derefAlways
10.25.67.251 -> 10.25.66.222 LDAP R port=32926 Search ResDone Unavailable Critical Extension
10.25.66.222 -> 10.25.67.251 LDAP C port=32926
10.25.66.222 -> 10.25.67.251 LDAP C port=32926 Unbind Request
10.25.67.251 -> 10.25.66.222 LDAP R port=32926
10.25.66.222 -> 10.25.67.251 LDAP C port=32926
10.25.67.251 -> 10.25.66.222 LDAP R port=32926
10.25.66.222 -> 10.25.67.251 LDAP C port=32926
10.25.67.251 -> 10.25.66.222 LDAP R port=32927
10.25.66.222 -> 10.25.67.251 LDAP C port=32927
10.25.66.222 -> 10.25.67.251 LDAP C port=32927
10.25.66.222 -> 10.25.67.251 LDAP C port=32927 Bind Request
10.25.67.251 -> 10.25.66.222 LDAP R port=32927 Bind Response Success
10.25.66.222 -> 10.25.67.251 LDAP C port=32927
10.25.66.222 -> 10.25.67.251 LDAP C port=32927 Search Request derefAlways
10.25.67.251 -> 10.25.66.222 LDAP R port=32927 Search ResDone No Such Object
10.25.66.222 -> 10.25.67.251 LDAP C port=32927
10.25.66.222 -> 10.25.67.251 LDAP C port=32927 Search Request derefAlways
10.25.67.251 -> 10.25.66.222 LDAP R port=32927 Search ResDone No Such Object
10.25.66.222 -> 10.25.67.251 LDAP C port=32927 Search Request derefAlways
10.25.67.251 -> 10.25.66.222 LDAP R port=32927 Search ResDone No Such Object
10.25.66.222 -> 10.25.67.251 LDAP C port=32927 Search Request derefAlways
10.25.67.251 -> 10.25.66.222 LDAP R port=32927 Search ResDone No Such Object
10.25.66.222 -> 10.25.67.251 LDAP C port=32927
My current 'ldapclient list' is following:
bash-3.00# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=ldap_test,ou=Users,ou=Office,dc=corp,dc=com
NS_LDAP_BINDPASSWD= {NS1}5e10c247a91661a5b4
NS_LDAP_SERVERS= 10.25.67.251
NS_LDAP_SEARCH_BASEDN= dc=corp,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
NS_LDAP_SERVICE_AUTH_METHOD= passwd-cmd:simple
And pam.conf:
# Authentication management
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_krb5.so.1 debug
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
# rlogin service (explicit because of pam_rhost_auth)
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth required pam_dhkeys.so.1
dtlogin auth sufficient pam_krb5.so.1 debug
dtlogin auth required pam_unix_cred.so.1
dtlogin auth required pam_unix_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_krb5.so.1 debug
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
passwd auth required pam_passwd_auth.so.1
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account required pam_krb5.so.1 debug
other session required pam_unix_session.so.1
other session sufficient pam_krb5.so.1 debug
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password sufficient pam_krb5.so.1 debug
other password required pam_authtok_store.so.1
I tried this, but I found the Solaris implementation too unstable and scary, so I decided to go with VAS or Vintela from Quest:
http://www.vintela.com
It really works, unlike Sun's LDAP implementations, and it's easy too.
7/M. -
Help with Active Directory Integration and kerberos
Hello,
I'm encountering a bug preventing me from using Active Directory integration with Kerberos:
Our domain name is CORP.DOMAIN.COM.
When we query the GC in this domain:
bash-3.00# nslookup -query=any _gc._tcp.corp.domain.com
Server: 1.2.1.6
Address: 1.2.1.6#53
** server can't find _gc._tcp.corp.domain.com: NXDOMAIN
there is no answer.
But when we query without corp, we find the servers:
bash-3.00# nslookup -query=any _gc._tcp.domain.com | grep sis
_gc._tcp.domain.com service = 0 100 3268 serveur02.corp.domain.com.
_gc._tcp.domain.com service = 0 100 3268 serveur01.corp.domain.com.
bash-3.00#
Is it possible to add the option of entering the domain name where the _gc._tcp record resides?
Thank you.
Hello
The domain.com domain exists, but it's not our domain.
So, when I put domain.com, it searches with no result (nothing happens).
our kdc.conf:
[kdcdefaults]
kdc_ports = 88,750
[realms]
CORP.DOMAIN.COM = {
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
admin_keytab = /etc/krb5/kadm5.keytab
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +preauth
}
krb5.conf:
[libdefaults]
default_realm = CORP.DOMAIN.COM
default_checksum = rsa-md5
[realms]
CORP.DOMAIN.COM = {
kdc = dc01.corp.domain.com
kdc = dc02.corp.domain.com
}
[domain_realm]
.corp.domain.com = CORP.DOMAIN.COM
corp.domain.com = CORP.DOMAIN.COM
In every domain, I think the GCs are in corp.domain.com, but in my company they're in domain.com...
Thank you, -
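The lookup mismatch in this thread follows from where Active Directory registers the record: global catalog SRV records live under the forest root's DNS name (_gc._tcp.<forest root>), not under each child domain, so a realm like CORP.DOMAIN.COM finds its GCs only by walking up to domain.com, which is exactly what the two nslookup runs show. The following is an added example, not code from the post or from any Kerberos or AD tool: it generates the candidate names from the realm's DNS domain and tries them in order through an injected resolver. FAKE_ZONE is constructed from the nslookup output above; the optional live resolver assumes dnspython is installed.

```python
"""Locate global catalog SRV records by walking from a realm's DNS name up
to the forest root.

Added example, not code from the post or from any Kerberos/AD tool.
Global catalog SRV records are registered under the forest root DNS name
(_gc._tcp.<forest root>), not under each child domain, which is why the
query for _gc._tcp.corp.domain.com above gets NXDOMAIN while
_gc._tcp.domain.com answers. The resolver is injected; FAKE_ZONE is
constructed from the nslookup output in the post.
"""


def candidate_names(dns_domain, service="_gc._tcp"):
    """corp.domain.com -> ['_gc._tcp.corp.domain.com', '_gc._tcp.domain.com'].

    Stops before the last label (a bare TLD is never a forest root).
    """
    labels = dns_domain.lower().strip(".").split(".")
    return [f"{service}.{'.'.join(labels[i:])}" for i in range(len(labels) - 1)]


def find_gc(dns_domain, resolve_srv):
    """resolve_srv(name) -> list of (priority, weight, port, target), [] if none.

    Returns (name_that_answered, records) with records in RFC 2782 try order:
    lowest priority first, then highest weight first.
    """
    for name in candidate_names(dns_domain):
        records = resolve_srv(name)
        if records:
            return name, sorted(records, key=lambda r: (r[0], -r[1]))
    return None, []


# Constructed from the post: two GCs on port 3268 under the forest root only.
FAKE_ZONE = {
    "_gc._tcp.domain.com": [
        (0, 100, 3268, "serveur02.corp.domain.com."),
        (0, 100, 3268, "serveur01.corp.domain.com."),
    ],
}


def fake_resolver(name):
    return FAKE_ZONE.get(name, [])        # [] plays the role of NXDOMAIN


def live_resolver(name):
    """Real lookup via dnspython (assumed installed; the import is deferred so
    the offline parts of this file work without it)."""
    import dns.resolver
    try:
        return [(r.priority, r.weight, r.port, r.target.to_text())
                for r in dns.resolver.resolve(name, "SRV")]
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []


if __name__ == "__main__":
    name, records = find_gc("CORP.DOMAIN.COM", fake_resolver)
    print("GC SRV found at", name)
    for prio, weight, port, target in records:
        print(f"  {target}:{port} (priority {prio}, weight {weight})")
```

Swap `fake_resolver` for `live_resolver` to run it against real DNS. The walk stops at the first name that answers, so a child domain that happens to have its own stale `_gc._tcp` entries would be preferred over the forest root; check the targets it returns against the DCs you expect before trusting them for port 3268 lookups.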
Windows client error joining with Samba 4.2 Active Directory server
I have a basic Samba 4.2 AD DC setup on CentOS 7 and I get "RPC server not available" whenever I attempt to join a Windows client to the domain. The smb.conf is the default one created during provisioning. All indicated pre-testing seems to work as expected. The Windows client finds the domain and recognizes whether a user is valid or not, but the last step of joining the domain ends with the error "Unable to join the Domain: RPC server not available". Does anyone have any ideas?
Thanks Paul
This topic first appeared in the Spiceworks Community
I have a scenario for you in Active Directory when two passwords may be valid:
Old passwords can also work on domain controllers that have not received replication yet from either the domain controller the password was changed on, or the PDC emulator in the domain.
Let's take a scenario where we have a 3 site, 3 domain controller (DC) active directory: Site1 with DC1, site2 with DC2 and site3 with DC3.
The ACS application resides in Site3 and is configured to use DC3 for authentication. We have a user "user1" with a password of "123".
User1 decides to call the helpdesk and changes his password to "456".
The helpdesk uses DC1 to make password changes because they are located in site1. For a period of time (based on replication, which defaults to 3 hours between sites) the 123 password and the 456 password will be valid.
If the user1 user tries the "123" password it will work until DC3 receives the changed password from normal replication. If user1 tries to use 456, DC3 will flag this as a wrong password, and then check the PDC emulator of the domain to see if it has received a newer password. The PDC emulator will validate the login, and then trigger an immediate replication with DC3.
Regards,
~JG
Do rate helpful posts -
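The replication window described in the reply above, as an added example (not code from the post or from Active Directory): a three-DC model with lazy inter-site replication, urgent push of password changes to the PDC emulator, and the "retry at the PDC emulator on a bad password, then replicate to the asking DC at once" rule. Assumptions: DC2 holds the PDC emulator role, and a SHA-256 digest stands in for the NT hash a real DC stores. The user and both passwords are the constructed values from the reply.

```python
"""Model of the two-valid-passwords window described in the reply above.

Added example, not code from the post or from Active Directory. It
simulates three domain controllers with lazy replication plus urgent
replication of password changes to the PDC emulator, and the behaviour
where a DC that sees a bad password re-checks it with the PDC emulator.
Assumed: DC2 holds the PDC emulator role. Constructed data: user1 with
passwords "123" then "456".
"""
import hashlib


def digest(password):
    """Stand-in for the stored credential (a real DC keeps an NT hash, not SHA-256)."""
    return hashlib.sha256(password.encode()).hexdigest()


class DomainController:
    def __init__(self, name, pdc_emulator=None):
        self.name = name
        self.pdc = pdc_emulator          # None: this DC holds the PDC emulator role itself
        self.db = {}                     # user -> (version, digest)

    def receive(self, user, entry):
        """Inbound replication: accept only a newer version of the secret."""
        if entry[0] > self.db.get(user, (0, ""))[0]:
            self.db[user] = entry

    def set_password(self, user, password):
        entry = (self.db.get(user, (0, ""))[0] + 1, digest(password))
        self.db[user] = entry
        if self.pdc is not None:         # password changes are pushed urgently to the PDC emulator
            self.pdc.receive(user, entry)

    def authenticate(self, user, password):
        """Returns (accepted, where_decided)."""
        if self.db.get(user, (0, ""))[1] == digest(password):
            return True, "local"
        if self.pdc is not None:         # bad password here: ask the PDC emulator before denying
            ok, _ = self.pdc.authenticate(user, password)
            if ok:
                self.receive(user, self.pdc.db[user])   # PDC emulator replicates to this DC at once
                return True, "pdc-emulator"
        return False, "denied"


def replicate(src, dst, user):
    """Normal scheduled replication of one account (inter-site: hours apart)."""
    dst.receive(user, src.db[user])


def run_scenario():
    dc2 = DomainController("DC2")                    # assumed PDC emulator (site 2)
    dc1 = DomainController("DC1", pdc_emulator=dc2)  # the helpdesk's DC (site 1)
    dc3 = DomainController("DC3", pdc_emulator=dc2)  # the DC the application uses (site 3)
    dc1.set_password("user1", "123")                 # initial password (constructed)
    replicate(dc2, dc3, "user1")                     # steady state: every DC knows "123"
    dc1.set_password("user1", "456")                 # helpdesk change at DC1; only DC2 learns it now
    return [
        ("old password at DC3, not yet replicated", dc3.authenticate("user1", "123")),
        ("old password at DC1 where it was changed", dc1.authenticate("user1", "123")),
        ("new password at DC3", dc3.authenticate("user1", "456")),
        ("old password at DC3 after PDC-triggered replication", dc3.authenticate("user1", "123")),
    ]


if __name__ == "__main__":
    for label, (ok, where) in run_scenario():
        print(f"{label}: {'accepted' if ok else 'rejected'} ({where})")
```

The third and fourth steps are the ones worth noticing: the first successful use of the new password at DC3 is what closes the window, because the PDC emulator's answer carries the newer secret to DC3. Until something triggers that, a password change made to lock out a compromised credential does not take effect at DCs in other sites, so a reset done for containment should be followed by forcing replication rather than waiting for the schedule.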
Has anyone managed to set up a WLS 7.0 Active Directory authenticator and booted a managed server using the node manager? I can boot the server without the AD authenticator and I can also boot the server using a script and successfully authenticate through AD. My AD control flag is set to OPTIONAL and I have also set up a default authenticator to boot WebLogic; the control flag here is set to SUFFICIENT. This configuration works fine with WebLogic running on W2K, but not on Solaris (it looks like the control flag is being ignored). Errors as follows:
####<Oct 1, 2002 1:59:08 PM BST> <Info> <Logging> <mymachine> <server01> <main> <kernel identity> <> <000000> <FileLogger Opened at /opt/app/live/appserver/domains/test/NodeManager/server01/server01.log>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main> <kernel identity> <> <000415> <System has file descriptor limits of - soft: 1,024, hard: 1,024>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main> <kernel identity> <> <000416> <Using effective file descriptor limit of: 1,024 open sockets/files.>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main> <kernel identity> <> <000418> <Allocating: 3 POSIX reader threads>
####<Oct 1, 2002 1:59:19 PM BST> <Critical> <WebLogicServer> <mymachine> <server01> <main> <kernel identity> <> <000364> <Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating Authentication Providerjavax.management.RuntimeOperationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean for the attribute Credential>
weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating Authentication Providerjavax.management.RuntimeOperationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean for the attribute Credential
at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
at weblogic.Server.main(Server.java:31)
####<Oct 1, 2002 1:59:19 PM BST> <Emergency> <WebLogicServer> <mymachine> <server01> <main> <kernel identity> <> <000342> <Unable to initialize the server: Fatal initialization exception
Throwable: weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating Authentication Providerjavax.management.RuntimeOperationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean for the attribute Credential
weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating Authentication Providerjavax.management.RuntimeOperationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean for the attribute Credential
at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
at weblogic.Server.main(Server.java:31)
Solved the problem. The 'domain root' directory specified in the remote start configuration must contain a copy of the file 'SerializedSystemIni.dat' that was created along with the domain, in order to boot when an AD authenticator is configured. If an AD authenticator is not configured, no file is required. This was not a platform-specific issue; on Win2K I had configured the 'domain root' remote start parameter to point to an existing domain root and not a new directory.
"Andrew Walker" <[email protected]> wrote:
> (original post quoted in full; see above) -
Authentication on Active Directory under Kerberos v5
Hi!!
I'm trying to authenticate a user in Active Directory (with Kerberos v5) and I get this error message:
C:\j2sdk1.4>java -Djava.security.auth.login.config=gsseg_jaas.conf -Djava.security.krb5.conf=krb5.conf -Dsun.security.kr
b5.debug=true GssExample
Parameters entered ...
Kerberos username [AAL]: Administrador
Kerberos password for Administrador: swtest03
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbAsReq etypes are: 3 1
KrbKdcReq send: kdc=192.168.80.109, port=88, timeout=30000, number of retries =3, #bytes=239
KrbKdcReq send: #bytes read=125
KDCRep: init() encoding tag is 126 req type is 11
KRBError:sTime is Tue Mar 25 18:52:52 CET 2003 1048614772000
suSec is 447772
error code is 14
realm is BRUJULATEST.LOCAL
sname is krbtgt/BRUJULATEST.LOCAL
eData provided.
Authentication attempt failed
javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:568)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:458)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at GssExample.main(GssExample.java:74)
Caused by: KrbException: KDC has no support for encryption type (14)
at sun.security.krb5.KrbAsRep.<init>(DashoA6275:62)
at sun.security.krb5.KrbAsReq.getReply(DashoA6275:308)
at sun.security.krb5.Credentials.acquireTGT(DashoA6275:333)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:559)
... 12 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.af.a(DashoA6275:129)
at sun.security.krb5.internal.au.a(DashoA6275:58)
at sun.security.krb5.internal.au.<init>(DashoA6275:53)
at sun.security.krb5.KrbAsRep.<init>(DashoA6275:48)
... 15 more
Is there anyone who can help me???
Thanks to everybody!!
I've got it!!!
I can authenticate any user except Administrator.
But I can do it with a user that I created with administrator permissions.
-
Active Directory multi forest Kerberos authentication Tomcat
Sorry. It is the wrong forum. I forwarded my question to the Business Objects forum.
Hi,
I have Business Objects Enterprise XI R2 with Tomcat installed on Windows 2003. My BO server and users are placed in different Active Directory forests (BO domain x forest A, users domain y forest B). I would like to authenticate users from domain y in my BO using Kerberos.
There is a trust between those domains. I also set the SPN and configured the "Windows AD" tab in the Central Management Console.
I can add an AD group from domain y and list users from that domain in the Central Management Console. But when a user from domain y tries to log on to BO he gets the error java.lang.NullPointerException. Due to this error, he is unable to connect.
There is also an error logged in Tomcat stdout.log file:
70051106 [http-8080-Processor22] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction - LoginContext failed. No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
If anyone has come across this situation, please share the solution.
Thanks & Regards,
Piotr
Edited by: Piotr Heise on Mar 27, 2009 2:08 PM
Hi
Is your enterprise configured to a Java Active Directory?
Then there can be multiple causes:
- The Java and the Central Management Server (CMS) are using encryption types that do not match.
- The Service Principal Name in the CMC is incorrect
Then to resolve this perform the following steps:
- In the Central Configuration Manager, double-click the CMS, and note the service account used.
- In Windows Domain users and computers, go to account properties for the CMS service account.
- Select Use DES encryption types for this account. In large AD deployments this change can take time to propagate.
- Log in to the CMC and verify that the Service Principal Name (Authentication -> Active Directory -> Service Principal Name) is in the format BOBJCentralMS/HOSTNAME.DOMAIN.COM
- Restart the CMS server and log on.
In a clustered CMS environment, ensure that all CMSs are running under the same domain account.
Hope this helps!!!
Regards
Sourashree
-
Solaris authentication with Active Directory
Our shop is a mixed environment of Unix and Windows users. Many use both environments daily and there has been a desire to have a common authentication scheme. We have been able to successfully configure our RH Linux clients to authenticate against our Windows or NIS environment using pam and krb5, but have not been able to successfully adapt this to our Solaris (9/10) environment. Our Unix/Linux client environment is in a common NIS domain. We want to continue to use NIS for account management and add AD for authentication only i.e. if the username/password authenticates against AD or NIS, then the user login proceeds.
On Solaris I have been able to successfully configure the /etc/krb5/krb5.conf file so that a kinit can be done successfully. klist lists the ticket info and kdestroy removes it. However, figuring out how to properly configure the /etc/pam.conf file so that login/rlogin/ssh use this authentication is not making any progress. Various attempts to add the pam_krb5.so.1 plugin in various sections of the file have not worked. Can you advise me on the proper configuration for this to work, or the means to get it working?
Read up on Enterprise User Security (EUS), a feature of Oracle Enterprise Database.
Mark Wilcox also has several posts related to OVD/AD/EUS integration on his blog:
http://blogs.oracle.com/mwilcox/2008/09/clarifying_eus_and_kerberos.html
A simple google search for oracle eus will also turn up a lot of useful info.
And then there is Oracle's identity website, where there are white papers like this one:
Manage Oracle Database Users and Roles Centrally in Active Directory or Sun Directory
http://www.oracle.com/us/products/middleware/identity-management/059380.pdf
-
Kerberos authentication with Active Directory
I have tried using JAAS to authenticate to MS Active Directory and keep getting "javax.security.auth.login.LoginException: Pre-Authentication Information was invalid"
I have tried authenticating with multiple user accounts and on three different realms (Active Directory domains).
How do I need to format the username? I know that when using JNDI to access Active Directory I have to use the format "[email protected]" or the RDN. I have tried it both ways with JAAS kerberos authentication as well as with just the username by itself. I don't think that the username format is the problem though because if I set the account lockout policy to 5 failed attempts, sure enough my account will be locked out after running my code 5 times. If I give a username that doesn't exist in Active Directory I get the error "javax.security.auth.login.loginexception: Client not found in Kerberos database" Is there something special that I have to do to the password?
I know that there is just something stupid that I'm missing. Here is the simplest example of code that I'm working with:
import java.io.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.Subject;
import com.sun.security.auth.callback.TextCallbackHandler;

public class krb5ADLogin1 {
    public static void main(String[] args) {
        LoginContext lc = null;
        try {
            // "krb5ADLogin1" is the entry name looked up in the JAAS login config file
            lc = new LoginContext("krb5ADLogin1", new TextCallbackHandler());
            lc.login();  // prompts for user name and password, then requests a TGT from the KDC
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
Here is my config file:
krb5ADLogin1 {
    com.sun.security.auth.module.Krb5LoginModule required;
};
The command I use to start the program is:
java -Djava.security.krb5.realm=mydomain.com
-Djava.security.krb5.kdc=DomainController.mydomain.com
-Djava.security.auth.login.config=sample.conf krb5ADLogin1
Hi there ... the Sun web site has the following snippet:
http://java.sun.com/j2se/1.4/docs/guide/security/jgss/tutorials/Troubleshooting.html
+ javax.security.auth.login.LoginException: KrbException::
Pre-authentication information was invalid (24) - Preauthentication failed
Cause 1: The password entered is incorrect.
Solution 1: Verify the password.
Cause 2: If you are using the keytab to get the key (e.g., by
setting the useKeyTab option to true in the Krb5LoginModule entry
in the JAAS login configuration file), then the key might have
changed since you updated the keytab.
Solution 2: Consult your Kerberos documentation to generate a new
keytab and use that keytab.
Cause 3: Clock skew - If the time on the KDC and on the client
differ significantly (typically 5 minutes), this error can be
returned.
Solution 3: Synchronize the clocks (or have a system administrator
do so).
Good luck,
-Derek
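The following is an added example, not code from this thread or from Sun's tutorial. It is a fuller version of the question's program: the JAAS entry is built in code instead of sample.conf, the credentials are supplied through a CallbackHandler, and a failed login is classified by the numeric KDC error code that Krb5LoginModule puts in parentheses (the "(24)" in Derek's snippet and the "(14)" in the earlier "Authentication on Active Directory under Kerberos v5" thread), so an administrator sees which of the three causes above to check first. The class name KrbAdLoginCheck, the placeholder principal user@MYDOMAIN.COM and the regex-based extraction of the code are assumptions of this example; the code numbers are the RFC 4120 values.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

/** Hypothetical class name; this is not code from the thread. */
public class KrbAdLoginCheck {

    // Kerberos error codes from RFC 4120 section 7.5.9; 6, 14 and 24 are the ones shown on this page.
    static final int KDC_ERR_C_PRINCIPAL_UNKNOWN = 6;
    static final int KDC_ERR_ETYPE_NOSUPP = 14;
    static final int KDC_ERR_PREAUTH_FAILED = 24;

    /** Same effect as the two-line sample.conf in the question, built in code so no file is needed. */
    static Configuration krb5Config() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("useTicketCache", "false"); // always ask the KDC, so a failure is the KDC's answer
                opts.put("debug", "true");           // same trace as -Dsun.security.krb5.debug=true
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    /** Feeds a fixed principal and password to Krb5LoginModule instead of prompting on the console. */
    static CallbackHandler fixedCredentials(final String principal, final char[] password) {
        return new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(principal);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };
    }

    /** Heuristic (assumption): Krb5LoginModule puts the KDC error code in parentheses, e.g. "(24) -
     *  Preauthentication failed", as the messages in this thread show. Walks the cause chain; -1 if none. */
    static int kerberosErrorCode(Throwable t) {
        Pattern code = Pattern.compile("\\((\\d+)\\)");
        for (Throwable cur = t; cur != null; cur = cur.getCause()) {
            Matcher m = code.matcher(cur.getMessage() == null ? "" : cur.getMessage());
            if (m.find()) {
                return Integer.parseInt(m.group(1));
            }
        }
        return -1;
    }

    /** The first thing an administrator should check for each code; never echoes the password. */
    static String diagnose(int code) {
        switch (code) {
            case KDC_ERR_PREAUTH_FAILED:
                return "pre-authentication failed: wrong password, stale keytab key, or client/KDC clock skew";
            case KDC_ERR_C_PRINCIPAL_UNKNOWN:
                return "principal unknown to the KDC: check the user name and the realm (java.security.krb5.realm)";
            case KDC_ERR_ETYPE_NOSUPP:
                return "no encryption type in common: the client offered only types this account has no key for";
            default:
                return "Kerberos error code " + code + ": read the KRBError block in the debug output";
        }
    }

    public static void main(String[] args) throws LoginException {
        // Realm and KDC come from -Djava.security.krb5.realm / -Djava.security.krb5.kdc or krb5.conf,
        // as in the question's command line. "user@MYDOMAIN.COM" is a placeholder principal.
        String principal = args.length > 0 ? args[0] : "user@MYDOMAIN.COM";
        char[] password = System.console().readPassword("Password for %s: ", principal);
        LoginContext lc = new LoginContext("krb5ADLogin1", null, fixedCredentials(principal, password), krb5Config());
        try {
            lc.login();
            System.out.println("TGT obtained for " + lc.getSubject().getPrincipals());
            lc.logout();
        } catch (LoginException e) {
            System.err.println("Login failed: " + diagnose(kerberosErrorCode(e)));
            System.exit(1);
        } finally {
            Arrays.fill(password, '\0'); // clear the password once the login module has used it
        }
    }
}
```

Run it the same way as the question's program, with the realm and KDC given as system properties, and read the classification together with the KRBError block that debug=true prints; a clock-skew problem, for instance, shows up as the KDC's sTime differing from the client clock by more than the KDC tolerates.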