null credentials even when tgt exists
843810 Jul 21 2007 — edited Jul 23 2007

Hi, I'm new to Kerberos, JAAS and GSSAPI and I need help. I'm on Solaris 10. After kinit, klist shows the following:
bash-3.00# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kerberos-test@RICHMOND.COM
Valid starting Expires Service principal
07/20/07 18:09:16 07/21/07 02:09:16 krbtgt/RICHMOND.COM@RICHMOND.COM
renew until 07/27/07 18:09:16
Then I use JAAS and GSSAPI to get to a dir server, using the following config file:
GssExample {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache="true"
    doNotPrompt="true"
    refreshKrb5Config="true"
    debug="true";
};
The intent is to use the TGT from the cache. But I get the following:
bash-3.00# java -Djava.security.auth.login.config=gsseg_jaas.conf -Djava.security.krb5.conf=/etc/krb5/krb5.conf GssExample auth "dc=ca,dc=com"
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null KeyTab is null refreshKrb5Config is true principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Acquire TGT from Cache
Principal is null
null credentials from Ticket Cache
[Krb5LoginModule] authentication failed
Unable to obtain Princpal Name for authentication
Authentication attempt failedjavax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
Somehow, Krb5LoginModule cannot get the TGT from the cache. I know my code works because if I remove the useTicketCache and doNotPrompt options, Krb5LoginModule will ask for the username and password and everything works fine. But my requirement is to just use existing tickets.
Am I doing anything wrong somewhere? Thanks.