
LoginException: Cannot get kdc for realm


Giuseppe Catalano

May 30, 2007, 12:29:44 PM
Hi to all.

We have a problem using JAAS for authenticating against Microsoft
Active Directory LDAP and a security service based on Microsoft
Kerberos V5.

We have a krb5.conf like this:

#
# All rights reserved.
#
#pragma ident @(#)krb5.conf 1.1 00/12/08

[libdefaults]
default_realm = AAA.IT.xxx.YYYY.COM

[realms]
IT.XXX.YYYY.COM = {
kdc = SERVER1:88
}
AAA.IT.XXX.YYYY.COM = {
kdc = SERVER2.AAA.IT.XXXP.YYYY.COM:88
}
BBB.IT.XXX.YYYY.COM = {
kdc = SERVER3.BBB.IT.XXX.YYYY.COM:88
}
CCC.IT.XXX.YYYY.COM = {
kdc = SERVER4.CCC.IT.XXX.YYYY.COM:88
}
DDD.IT.XXX.YYYY.COM = {
kdc = SERVER5.DDD.IT.XXX.YYYY.COM:88
}

[domain_realm]
.bbb.it.xxx.yyyy.com = BBB.IT.XXX.YYYY.COM
.aaa.it.xxx.yyyy.com = AAA.IT.XXX.YYYY.COM
.it.xxx.yyyy.com = IT.XXX.YYYY.COM
.ccc.it.xxx.yyyy.com = CCC.IT.XXX.YYYY.COM
.ddd.it.xxx.yyyy.com = DDD.IT.XXX.YYYY.COM

We are developing under Oracle Application Server 10.1.3. We load
krb5.conf file in a servlet with this code:
System.setProperty("java.security.krb5.conf"..

We authenticate users with these calls:

lc = new LoginContext("MyLogin", new CallbackHandler(args));
lc.login();

We have deployed our web application under a test environment and
everything works. Now we are trying to go on production, where we have
the following error:


javax.security.auth.login.LoginException: Cannot get kdc for realm CC.IT.XXX.YYYY.COM
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:652)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
at sun.reflect.GeneratedMethodAccessor1909.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)...
.....
....
Caused by: KrbException: Cannot get kdc for realm CCC.IT.XXX.YYYY.COM
at sun.security.krb5.KrbKdcReq.send(DashoA12275:133)
at sun.security.krb5.KrbKdcReq.send(DashoA12275:106)
at sun.security.krb5.KrbAsReq.send(DashoA12275:330)
at sun.security.krb5.Credentials.acquireTGT(DashoA12275:369)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:642)

We have deployed another web application inside the same application
server that uses the same framework for authentication, that is the
same classes that we have developed for authentication. The other web
application works correctly, the only difference is that we have added
two more domains in krb5.conf that is deployed with each web
application.

Using kinit, the authentication works for the added domains.

Does anyone have a suggestion to solve this problem?

Thanks in advance.
Best Regards,
Giuseppe
________________________________________________
Kerberos mailing list Kerb...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

preetam R

May 31, 2007, 12:02:34 AM
Hi,

I believe the domain name in the domain_realm section
is case-sensitive. Add the following
entry and try again:

[domain_realm]
..............
.CCC.IT.XXX.YYYY.COM = CCC.IT.XXX.YYYY.COM
.................

Thanks,
Preetam
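
A consistency check for the kind of krb5.conf discussed in this thread, as an added example that is not part of either post: it reports every realm named by default_realm or [domain_realm] that has no kdc entry in [realms]. Kerberos realm names are case-sensitive, so the comparison is exact. The sample text is constructed from the placeholder names in the question, the function names are hypothetical, and the parser assumes one setting per line as in the posted file.

```python
import re

# Constructed sample reusing the placeholder names from the question.
SAMPLE = """\
[libdefaults]
default_realm = AAA.IT.xxx.YYYY.COM
[realms]
AAA.IT.XXX.YYYY.COM = {
kdc = SERVER2.AAA.IT.XXXP.YYYY.COM:88
}
[domain_realm]
.aaa.it.xxx.yyyy.com = AAA.IT.XXX.YYYY.COM
.ccc.it.xxx.yyyy.com = CCC.IT.XXX.YYYY.COM
"""

def parse_krb5(text):
    """Return (default_realm, {realm: [kdc, ...]}, {domain: realm})."""
    section, realm = None, None
    default, realms, mapping = None, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comments
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                 # new [section] header
            section, realm = m.group(1), None
        elif line == "}":                     # end of a realm block
            realm = None
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default = val
            elif section == "realms" and val.startswith("{"):
                realm = key
                realms.setdefault(realm, [])
            elif section == "realms" and realm and key == "kdc":
                realms[realm].append(val)
            elif section == "domain_realm":
                mapping[key] = val
    return default, realms, mapping

def realms_without_kdc(text):
    """Referenced realms lacking a kdc entry; names are compared case-sensitively."""
    default, realms, mapping = parse_krb5(text)
    wanted = ([default] if default else []) + list(mapping.values())
    return sorted({r for r in wanted if not realms.get(r)})

if __name__ == "__main__":
    print(realms_without_kdc(SAMPLE))
```

Running it against the file each web application actually deploys shows whether the realm in the exception has a kdc entry in that copy.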

