Now it works, both connecting to AD and Linux!
I had the same problem as in https://forums.oracle.com/forums/thread.jspa?messageID=6385311,
thus removing proxiable=true from krb5.ini solved it.
Kind regards
DI Michael Gsandtner
Magistrat Wien, MA 14, AS3 - Zentrale Dienste
Doblhoffgasse 9/2/9/4
1082 Wien
T +43 1 4000 91640 | F + 43 1 4000 99 91640
M +43 676 8118 91640
E ***@wien.gv.at
-----Original Message-----
From: Gsandtner Michael *EXTERN* [mailto:***@wien.gv.at]
Sent: Friday, 18 January 2013 10:10
To: 'jxplorer-***@lists.sourceforge.net'
Cc: 'Douglas E. Engert *EXTERN*'
Subject: Re: [Jxplorer-users] gssapi windows <-> Linux
GSSAPI on Windows still does not work (neither to the domain controller as Directory Server nor to a Linux Directory Server running MIT Kerberos; KDC in both cases Active Directory; so maybe it's another problem than an interoperability problem):
C:\Programme\jxplorer>rem # This version uses wild cards and is only suitable for Java 1.6 or better
C:\Programme\jxplorer>rem # (use jxplorer_old_jvm.bat for previous versions)
C:\Programme\jxplorer>java -classpath ".;jars/*;jasper/lib/*" -Djava.security.krb5.conf=c:\windows\krb5.ini -Dfile.encoding=utf-8 com.ca.directory.jxplorer.JXplorer
18.01.2013 09:44:40 com.ca.directory.jxplorer.JXplorer printTime
INFO: main start
TIME: Fri Jan 18 09:44:40 CET 2013 (928)
18.01.2013 09:44:40 com.ca.directory.jxplorer.JXplorer checkJavaEnvironment
INFO: running java from: C:\Programme\Java\jre6
18.01.2013 09:44:40 com.ca.directory.jxplorer.JXplorer checkJavaEnvironment
INFO: running java version 1.6.0_37
18.01.2013 09:44:41 com.ca.directory.jxplorer.JXConfig getConfigDirectory
WARNUNG: JX using configDirectory: C:\Programme\jxplorer\
18.01.2013 09:44:41 com.ca.directory.jxplorer.JXConfig getConfigDirectory
WARNUNG: JX using configDirectory: C:\Programme\jxplorer\
18.01.2013 09:44:41 com.ca.directory.jxplorer.JXConfig getConfigDirectory
WARNUNG: JX using configDirectory: C:\Programme\jxplorer\
18.01.2013 09:44:41 com.ca.directory.jxplorer.JXConfig setupLogger
INFO: setting up logger
XXX logging initially level WARNING with 0 parents=true
18.01.2013 09:44:41 com.ca.commons.cbutil.CBUtility readPropertyFile
WARNUNG: No property list:
C:\Programme\jxplorer\search_filters.txt
18.01.2013 09:44:41 com.ca.commons.cbutil.CBUtility readPropertyFile
WARNUNG: No property list:
bookmarks.txt
18.01.2013 09:44:41 com.ca.commons.cbutil.CBUtility readPropertyFile
WARNUNG: No property list:
quicksearch.txt
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Invalid option setting in ticket request. (101))]]
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
at com.ca.commons.jndi.JndiAction.run(JndiAction.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at com.ca.commons.jndi.JNDIOps.setupKerberosContext(JNDIOps.java:160)
at com.ca.commons.jndi.JNDIOps.<init>(JNDIOps.java:116)
at com.ca.commons.jndi.BasicOps.<init>(BasicOps.java:55)
at com.ca.commons.jndi.AdvancedOps.<init>(AdvancedOps.java:57)
at com.ca.commons.naming.DXOps.<init>(DXOps.java:40)
at com.ca.directory.jxplorer.broker.CBGraphicsOps.<init>(CBGraphicsOps.java:46)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:455)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:400)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.processRequest(JNDIDataBroker.java:374)
at com.ca.directory.jxplorer.broker.DataBroker.processQueue(DataBroker.java:200)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.processQueue(JNDIDataBroker.java:883)
at com.ca.directory.jxplorer.broker.DataBroker.run(DataBroker.java:165)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Invalid option setting in ticket request. (101))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
... 28 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Invalid option setting in ticket request. (101))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
... 29 more
Caused by: KrbException: Invalid option setting in ticket request. (101)
at sun.security.krb5.KrbTgsReq.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.<init>(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
... 32 more
18.01.2013 09:44:47 com.ca.directory.jxplorer.broker.JNDIDataBroker openConnection
WARNUNG: initial receipt of exception by jndi broker a problem with GSSAPI occurred - couldn't create a GSSAPI directory context
javax.naming.NamingException: a problem with GSSAPI occurred - couldn't create a GSSAPI directory context
at com.ca.commons.jndi.JNDIOps.setupKerberosContext(JNDIOps.java:165)
at com.ca.commons.jndi.JNDIOps.<init>(JNDIOps.java:116)
at com.ca.commons.jndi.BasicOps.<init>(BasicOps.java:55)
at com.ca.commons.jndi.AdvancedOps.<init>(AdvancedOps.java:57)
at com.ca.commons.naming.DXOps.<init>(DXOps.java:40)
at com.ca.directory.jxplorer.broker.CBGraphicsOps.<init>(CBGraphicsOps.java:46)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:455)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:400)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.processRequest(JNDIDataBroker.java:374)
at com.ca.directory.jxplorer.broker.DataBroker.processQueue(DataBroker.java:200)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.processQueue(JNDIDataBroker.java:883)
at com.ca.directory.jxplorer.broker.DataBroker.run(DataBroker.java:165)
at java.lang.Thread.run(Unknown Source)
Any more ideas?
-----Original Message-----
From: Douglas E. Engert *EXTERN* [mailto:***@anl.gov]
Sent: Tuesday, 15 January 2013 17:41
To: Gsandtner Michael
Subject: Re: AW: [Jxplorer-users] gssapi windows <-> Linux
I have installed kfw (http://web.mit.edu/kerberos/kfw-4.0/kfw-4.0.html) and configured everything listed here. It still does not work.
Can you send me your jxplorer.bat creating jxconfig.txt? Maybe these settings differ.
I have been using the KfW-3.2.2, mostly because we use OpenAFS. You may not
need KfW and Java can access the Windows LSA credentials, or Java has
its own kinit.
The info in here may be helpful:
http://cr.openjdk.java.net/~weijun/special/krb5winguide-2/raw_files/new/kwin
Java will look for the krb5.ini in a number of places. The jxplorer.bat can set this.
Java will look for a ticket cache in a number of places.
%HOME%\krb5cc_userid for Windows is first. If you have one of these files,
delete it, so it does not get in the way. (If you used the Java kinit command
it may create one of these.)
Native credentials cache (LSA, or Local Security Authority, for Windows)
This is the one where Windows stores the tickets if you login to a domain
or if you do a runAs or RunAS Administrator.
KfW will have set:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01
Which will allow applications like KfW and Java to fetch the TGT from the
LSA cache.
KfW may also have created a c:\Windows\krb5.ini
The connection to an AD DC would look something like:
Host: FQDN of one of the DCs
Port: 389
Protocol: LDAP v3
Base DN: dc=xxx,dc=xxx (whatever the AD Domain is)
Security Level: GSSAPI
User DN: (grayed out, not used)
Password: (grayed out, not used)
Hope this helps.
-----Original Message-----
Sent: Thursday, 10 January 2013 17:07
Subject: Re: [Jxplorer-users] gssapi windows <-> Linux
Attached is a jxplorer.bat file that is started from a shortcut
with the Start in: C:\opt\jxplorer
The Java Kerberos may need a krb5.conf or krb5.ini file which
lists the realm and KDCs.
The -Djxplorer.config=user.home ends up using the Windows USERPROFILE
environment variable for example: C:\Users\username
and the jxplorer directory would end up with the
connections.txt, gssapi.conf and jxconfig.txt
The gssapi.conf is created if not present. I suspect that jxplorer
com.ca.commons.jndi.JNDIOps {
com.sun.security.auth.module.Krb5LoginModule required client=TRUE
useTicketCache=TRUE;
};
http://info.michael-simons.eu/2012/07/23/java-7-jaas-and-kerberos-single-sign-on-vs-newer-windows-systems/
(I don't use Jxplorer on Windows much any more...)
Post by Gsandtner Michael
Jxplorer using kerberos authentication via GSSAPI on Red Hat works fine.
javax.naming.NamingException: a problem with GSSAPI occurred - couldn't create a GSSAPI directory context
at com.ca.commons.jndi.JNDIOps.setupKerberosContext(JNDIOps.java:165)
at com.ca.commons.jndi.JNDIOps.<init>(JNDIOps.java:116)
at com.ca.commons.jndi.BasicOps.<init>(BasicOps.java:55)
at com.ca.commons.jndi.AdvancedOps.<init>(AdvancedOps.java:57)
at com.ca.commons.naming.DXOps.<init>(DXOps.java:40)
at com.ca.directory.jxplorer.broker.CBGraphicsOps.<init>(CBGraphicsOps.java:46)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:455)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:400)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.processRequest(JNDIDataBroker.java:374)
at com.ca.directory.jxplorer.broker.DataBroker.processQueue(DataBroker.java:200)
at com.ca.directory.jxplorer.broker.JNDIDataBroker.processQueue(JNDIDataBroker.java:883)
at com.ca.directory.jxplorer.broker.DataBroker.run(DataBroker.java:165)
at java.lang.Thread.run(Unknown Source)
Directory Server: Sun-Directory-Server/11.1.1.5.0 B2011.0517.2353 (64-bit) on Red Hat Enterprise Linux Server release 5.8 (Tikanga)
KDC: Active Directory 2003 on Windows Server 2003 SP2
Jxplorer v3.3.02 on Red Hat Enterprise Linux ES release 4 (Nahant Update 9): OK
Jxplorer v3.3.02 on Windows XP Professional SP3: fail
Jxplorer v3.3.02 on Windows 7 SP1 32bit: fail
Any hint welcome.
Regards
Michael Gsandtner, Magistrat Wien
--
Douglas E. Engert <***@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
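
The fix reported at the top of this thread was removing proxiable=true from krb5.ini. The following is an added example, not part of the original messages or of JXplorer: a small checker that finds ticket-option flags switched on in [libdefaults] and produces a copy of the file with those lines commented out. The sample file, its realm and host names, and the set of values treated as "true" are assumptions made for the example.

```python
import re

# Values treated as "switched on" (an assumption of this example).
TRUE_VALUES = {"true", "yes", "y", "t", "1", "on"}

# Constructed sample krb5.ini; realm and host names are placeholders.
SAMPLE_KRB5_INI = """\
# constructed example
[libdefaults]
    default_realm = EXAMPLE.TEST
    forwardable = true
    Proxiable = TRUE
[realms]
    EXAMPLE.TEST = {
        kdc = dc1.example.test
    }
[appdefaults]
    proxiable = true
"""

def enabled_flags(text, flags=("proxiable",), section="libdefaults"):
    """Return [(line_no, key)] for boolean flags switched on in one section."""
    hits, current, depth = [], None, 0
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or full-line comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header and depth == 0:
            current = header.group(1).strip().lower()
            continue
        if line.startswith("}"):               # end of a nested { ... } block
            depth = max(depth - 1, 0)
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            continue
        if value.startswith("{"):              # "REALM = {" opens a nested block
            depth += 1
            continue
        if (current == section and depth == 0
                and key.lower() in flags and value.lower() in TRUE_VALUES):
            hits.append((line_no, key.lower()))
    return hits

def comment_out(text, line_numbers):
    """Return the config with the given 1-based lines turned into comments."""
    lines = text.splitlines()
    for n in line_numbers:
        lines[n - 1] = "# " + lines[n - 1].lstrip()
    return "\n".join(lines) + "\n"
```

Run `enabled_flags` on the contents of the file passed via -Djava.security.krb5.conf, then review the output of `comment_out` before replacing the original.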