LoginException: Cannot get kdc for realm - Kerberos


Thread: LoginException: Cannot get kdc for realm

  1. LoginException: Cannot get kdc for realm

    Hi to all.

    We have a problem using JAAS for authenticating against Microsoft
    Active Directory LDAP and a security service based on Microsoft
    Kerberos V5.

    We have a krb5.conf like this:

    #
    # All rights reserved.
    #
    #pragma ident @(#)krb5.conf 1.1 00/12/08

    [libdefaults]
    default_realm = AAA.IT.xxx.YYYY.COM

    [realms]
    IT.XXX.YYYY.COM = {
    kdc = SERVER1:88
    }
    AAA.IT.XXX.YYYY.COM = {
    kdc = SERVER2.AAA.IT.XXXP.YYYY.COM:88
    }
    BBB.IT.XXX.YYYY.COM = {
    kdc = SERVER3.BBB.IT.XXX.YYYY.COM:88
    }
    CCC.IT.XXX.YYYY.COM = {
    kdc = SERVER4.CCC.IT.XXX.YYYY.COM:88
    }
    DDD.IT.XXX.YYYY.COM = {
    kdc = SERVER5.DDD.IT.XXX.YYYY.COM:88
    }

    [domain_realm]
    .bbb.it.xxx.yyyy.com = BBB.IT.XXX.YYYY.COM
    .aaa.it.xxx.yyyy.com = AAA.IT.XXX.YYYY.COM
    .it.xxx.yyyy.com = IT.XXX.YYYY.COM
    .ccc.it.xxx.yyyy.com = CCC.IT.XXX.YYYY.COM
    .ddd.it.xxx.yyyy.com = DDD.IT.XXX.YYYY.COM

    We are developing under Oracle Application Server 10.1.3. We load
    krb5.conf file in a servlet with this code:
    System.setProperty("java.security.krb5.conf"..

    We authenticate users with these calls:

    lc = new LoginContext("MyLogin", new CallbackHandler(args));
    lc.login();

    We have deployed our web application under a test environment and
    everything works. Now we are trying to go to production, where we get
    the following error:


    javax.security.auth.login.LoginException: Cannot get kdc for realm CC.IT.XXX.YYYY.COM
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:652)
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
        at sun.reflect.GeneratedMethodAccessor1909.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)...
    .....
    ....
    Caused by: KrbException: Cannot get kdc for realm CCC.IT.XXX.YYYY.COM
        at sun.security.krb5.KrbKdcReq.send(DashoA12275:133)
        at sun.security.krb5.KrbKdcReq.send(DashoA12275:106)
        at sun.security.krb5.KrbAsReq.send(DashoA12275:330)
        at sun.security.krb5.Credentials.acquireTGT(DashoA12275:369)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:642)

    We have deployed another web application inside the same application
    server that uses the same framework for authentication, that is the
    same classes that we have developed for authentication. The other web
    application works correctly, the only difference is that we have added
    two more domains in krb5.conf that is deployed with each web
    application.

    Using kinit the authentication works for the added domains.

    Does anyone have a suggestion to solve this problem?

    Thanks in advance.
    Best Regards,
    Giuseppe
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: LoginException: Cannot get kdc for realm

    Hi,

    I believe the domain name in the section,
    domain_realm is case-sensitive. Add the following
    entry and try again

    [domain_realm]
    ...............
    .CCC.IT.XXX.YYYY.COM = CCC.IT.XXX.YYYY.COM
    ..................

    Thanks,
    Preetam

    --- Giuseppe Catalano wrote:

    > Hi to all.
    > [...]
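
An added example, not part of either post: a small krb5.conf check that looks up every realm named in default_realm and [domain_realm] in [realms] by exact, case-sensitive match (Kerberos realm names are case-sensitive) and reports realms that have no kdc. The function names and the trimmed sample are assumptions made for illustration, and only the multi-line `REALM = { ... }` layout used in the post is handled.

```python
import re

# Constructed sample: two realms in the layout of the posted krb5.conf.
SAMPLE = """\
[libdefaults]
default_realm = AAA.IT.xxx.YYYY.COM
[realms]
AAA.IT.XXX.YYYY.COM = {
kdc = SERVER2.AAA.IT.XXXP.YYYY.COM:88
}
CCC.IT.XXX.YYYY.COM = {
kdc = SERVER4.CCC.IT.XXX.YYYY.COM:88
}
[domain_realm]
.ccc.it.xxx.yyyy.com = CCC.IT.XXX.YYYY.COM
"""

def parse_krb5(text):
    """Return (default_realm, {realm: [kdc, ...]}, {domain: realm})."""
    section = realm = default_realm = None
    realms, domain_realm = {}, {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue  # skip blanks and comments
        if re.fullmatch(r"\[\w+\]", line):
            section, realm = line[1:-1], None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "realms" and value == "{":
            realm = key  # start of a "REALM = {" block
            realms[realm] = []
        elif section == "realms" and realm and key == "kdc":
            realms[realm].append(value)
        elif section == "domain_realm" and value:
            domain_realm[key] = value
    return default_realm, realms, domain_realm

def check_realm(name, realms):
    """Exact, case-sensitive lookup; report a near miss that differs only in case."""
    if realms.get(name):
        return "ok"
    near = [r for r in realms if r.upper() == name.upper()]
    return "case-mismatch:" + near[0] if near else "no-kdc"

def lint(text):
    default_realm, realms, domain_realm = parse_krb5(text)
    names = {default_realm, *domain_realm.values()} - {None}
    return {n: check_realm(n, realms) for n in sorted(names)}
```

Running `lint()` over the file that the application actually loads, and `check_realm()` on the realm string from the exception, shows whether that exact name has a kdc entry in that copy of the file.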

