Channel: Software Communities : Popular Discussions - All Things Unix

VAS GSSAPI Error 851968 (gss_init_sec_context)

We are getting the major error code 851968 (& minor code 0) while using the GSS API flavor of the VAS APIs on Linux x64.

Our Linux machine has VAS installed (including vasdev) and is joined to our AD domain. We are able to compile and execute the two samples provided with the SDK successfully and are now trying to get the GSS API style token from the VAS APIs. The sequence of calls leading to init security context is as follows:

vas_ctx_alloc
vas_id_alloc
vas_id_establish_cred_password
vas_gss_initialize
vas_gss_acquire_cred
gss_import_name
gss_init_sec_context

Is there something we're missing?

why?

HTTP Status 500 - com.wedgetail.idm.sso.ntlm.NtlmException: No servers available in AD domain example.com for NTLM authentication

vas_ipc_connect: Error 13 calling connect (Permission denied)

Hi all,
I'm having a strange issue with Authentication Services.
The installation was apparently fine, but when I enable an AD user to log in on a joined Linux system, I log this stuff:

May  8 11:50:46 francio vasd[1224]: RunChild: Closing LDAP handles that have been inactive for at least 120 seconds.
May  8 11:50:54 francio sshd[6939]: Invalid user s.pisani@quest.local from 192.168.3.18
May  8 11:50:54 francio sshd[6940]: input_userauth_request: invalid user s.pisani@quest.local
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_sm_authenticate begin
May  8 11:50:58 francio sshd[6939]: vas_ipc_connect: Error 13 calling connect (Permission denied)
May  8 11:50:58 francio sshd[6939]: asd_services_available: ping failed with error "Transport endpoint is not connected" (107)
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_sm_authenticate: Called for service sshd
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_vas_is_vas_user begin
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_vas_is_vas_user: no PAM stack account info for user s.pisani@quest.local, looking up
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_ident_db_init: Failed to initialize ident cache, err=13
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_vas_is_vas_user: User is not a VAS user or a mapped user
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_vas_is_vas_user end, returning 0
May  8 11:50:58 francio sshd[6939]: pam_vas*: user: s.pisani@quest.local is not a vas account
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_vas_am_handle_non_vas_user begin
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_vas_am_prompt_for_cred begin
May  8 11:50:58 francio sshd[6939]: pam_vas**: getting password from PAM_AUTHTOK item
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_get_authtok begin
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_get_authtok: could not get PAM_AUTHTOK item: Unknown cause
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_get_authtok end
May  8 11:50:58 francio sshd[6939]: pam_vas**: could not get PAM_AUTHTOK item, will prompt for the password
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_get_prompt begin
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_get_prompt end, returning 0
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_do_conversation begin
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_do_conversation: done with conversation function
May  8 11:50:58 francio sshd[6939]: pam_vas****: pam_vas_get_authtok begin
May  8 11:50:58 francio sshd[6939]: pam_vas****: pam_vas_get_authtok: PAM_AUTHTOK contained an non-empty credential
May  8 11:50:58 francio sshd[6939]: pam_vas****: pam_vas_get_authtok end
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_do_conversation: Got a non-empty response from the conversation function
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_do_conversation end, returning 0
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_vas_am_prompt_for_cred end, returning 0
May  8 11:50:58 francio sshd[6939]: pam_vas*: pam_vas_am_handle_non_vas_user end, returning 25
May  8 11:50:58 francio sshd[6939]: pam_vas: pam_sm_authenticate: handle_non_vas_user() returned with PAM_IGNORE 25
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: pam_vas*: pam_vas_set_previous_return begin
May  8 11:50:58 francio sshd[6939]: pam_vas*: pam_vas_set_previous_return end
May  8 11:50:58 francio sshd[6939]: pam_vas*: pam_vas_am_deinit_auth_mechanism begin
May  8 11:50:58 francio sshd[6939]: pam_vas*: pam_vas_am_deinit_auth_mechanism end, returning 0
May  8 11:50:58 francio sshd[6939]: pam_vas: pam_sm_authenticate end, returning 25
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_sm_authenticate begin
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_echo_return begin
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_echo_return: Found a previous return value, exiting with previous return value of "25".
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_echo_return end, returning 25
May  8 11:50:58 francio sshd[6939]: vas_ipc_connect: Error 13 calling connect (Permission denied)
May  8 11:50:58 francio sshd[6939]: vas_ipc_connect: Error 13 calling connect (Permission denied)
May  8 11:50:58 francio sshd[6939]: asd_services_available: ping failed with error "Transport endpoint is not connected" (107)
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_ident_db_init: Failed to initialize ident cache, err=13
May  8 11:50:58 francio sshd[6939]: pam_unix(sshd:auth): check pass; user unknown
May  8 11:50:58 francio sshd[6939]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.3.18
May  8 11:50:58 francio sshd[6939]: vas_ipc_connect: Error 13 calling connect (Permission denied)
May  8 11:50:58 francio sshd[6939]: vas_ipc_connect: Error 13 calling connect (Permission denied)
May  8 11:50:58 francio sshd[6939]: asd_services_available: ping failed with error "Transport endpoint is not connected" (107)
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_ident_db_init: Failed to initialize ident cache, err=13
May  8 11:50:58 francio sshd[6939]: pam_succeed_if(sshd:auth): error retrieving information about user s.pisani@quest.local
May  8 11:51:00 francio sshd[6939]: Failed password for invalid user s.pisani@quest.local from 192.168.3.18 port 50113 ssh2

Where is my mistake? Any advice?
Thanks a lot. I'm new.


Need automatic changing of HTTP service account password every X days

Hi All,

The Apache mod_auth_vas module is working great for me, except that every X days I have to recreate the service account because our password expiration policy enforces that all passwords (including passwords for service accounts) must be changed every "X" days. Is there any way that VAS could automatically refresh the password for the HTTP service account? If there was, that would be hugely beneficial. Thanks for any ideas you guys may have. =)

-Jenny  =)

Stuck with kerberos authentication to Sharepoint

I have to connect to MS IIS server using SPNEGO token with Kerberos ticket inside, exactly as Internet Explorer does it.

If I use Java GSSManager.initiateContext(), it does request tickets with incorrect KDCOptions, dates and some other params I cannot control.

I tried the com.dstc.security lib, and was able to get tickets exactly as Internet Explorer with a couple of lines:

// prepare required KDCOptions (kdo)
Credential tgt = kerberos.requestTicketGrantingTicket(new KerberosPassword(password.getBytes()), kdo, new Date(), d, new InetAddress[] {InetAddress.getByName("somename")}, null);
Credential srvt = kerberos.requestServiceTicket(tgt, new PrincipalName(2, "HTTP/server.domain.net"), REALM, kdo);

But how can I use these credentials or tickets inside to create SPNEGO token same as I can get with GSSManager.initiateContext()?

wyse T50 problem with key "." layout pt-BR keyboard ABNT2


I'm using a Wyse T50 with a Brazilian ABNT2 keyboard (pt-BR) and the key "." (point) in the numeric keyboard does work inside rdpclient. It works fine with the console and other apps outside rdpclient but not inside. Using rdpclient with the parameter --lx-debug helped to get the keycode 0x79, but I do not know how to fix it. I installed Remmina/Rdesktop and all the keys work fine, so I guess the problem is with Wyse-rdpclient/RDP.

Any idea?

Thanks in advance

Login using VAS only possible with userid in capital letters


Hi,

I am pretty new to VAS and we have an issue on one system where we are only able to log in using our userid in capital letters. On other systems we are perfectly able to log in using small caps.

Is this a config I can change or is this a known issue?

Thanks,

SSH and Kerberos keytab

How can one ensure that different SSH sessions use different Kerberos keytabs? The default appears to be that all sessions share the same keytab and that occasionally closing one session removes the shared keytab.

HTTP Status 500 - com.wedgetail.idm.sso.ntlm.NtlmException: NTLM token is T


removed


Message was edited by: MarkBarc

SSH GSSAPI authentication and Kerberos keytab

Is there any specific configuration required to get a Kerberos keytab generated when using GSSAPI authentication to a box? Using PuTTY and Quest SSH with GSSAPI authentication, and this succeeds. However, no Kerberos keytab is created for the session on the UNIX/Linux box. Does this require trusted for delegation rights in AD?

Would like to use this for pass-through SSO to subsequent boxes.

Samba errors with Win2008 R2

Hi,

Using RHEL 5.2 64-bit, VAS 3.3.2-142+Samba 3.0.33-3.7.el5; Win 2008 R2. Can you help me?

# vastool status

VAS is currently joined to:                      localdom.com
Join command found in:                           /etc/opt/quest/vas/lastjoin
Verifying timesync with domain controller:       YES
  Time delta: 0 seconds
Are valid VAS licenses installed?                YES
Checking to see if VAS daemon is running:        YES
Checking for valid computer account (SAMNAME)
  PODCAST1$@LOCALDOM.COM                     YES
Checking for valid computer account (SPN)
  host/podcast1.localdom.com@LOCALDOM.COM       YES
Checking to see if VAS is in connected state:    YES
Verifying VAS is configured for name service:    YES
Verifying VAS is configured for auth service:    YES
Verifying VAS configuration file is correct:     YES
Verifying sanity of users allow file:            YES
Verifying sanity of users deny file:             YES
Verifying sanity of group-override file:         YES
Verifying sanity of user-override file:          YES

Samba log:

[2009/12/08 11:33:53, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC fault 0x00000721 received from remote machine DC03.localdom.com pipe \NETLOGON fnum 0x4001!
[2009/12/08 11:37:57, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0x4001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/08 11:42:57, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0x4001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/08 11:52:57, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0x4001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[...]
[2009/12/11 14:09:54, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 14:19:54, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 14:29:54, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 14:40:23, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 14:50:23, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 15:00:23, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 15:10:23, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 15:20:23, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 15:25:26, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 15:28:41, 0] rpc_client/cli_pipe.c:cli_pipe_verify_schannel(354)
  cli_pipe_verify_schannel: auth_len 56.
[2009/12/11 15:38:42, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC fault 0x00000721 received from remote machine DC03.localdom.com pipe \NETLOGON fnum 0xc001!
[2009/12/11 15:48:42, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0xc001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 15:58:42, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0xc001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 16:08:42, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0xc001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 16:18:42, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0xc001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 16:28:42, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0xc001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED


Thank you.

QAS - Using Text Replacement Macros in GPO Dynamic File Copy Source Path ?


Working with a customer where there are a large number of Unix hosts that require differing "user-override" files applied, i.e. for the same AD user, apply different overrides on different hosts.

While it is possible to deploy the user-override files when the host is QAS joined to AD, we would prefer to use the GPOs applied to the hosts to deploy the files/overrides so that they can then be centrally managed, and eventually removed once the "dirty" user config has been resolved.

It appears that it is not possible to use a Text Replacement Macro in a GPO in the source path for the Dynamic File Copy? I'd like to set up a per-host subdirectory and have a single GPO used to copy the correct file from the host-specific subdirectory to the host, e.g. \somepath\%hostname%\user-override. A text replacement macro is then used to determine which file gets copied to the host when the policy is applied.

Looking at the GPO directory structure on SYSVOL on the DC after a Dynamic File Copy has been defined, it simply places the source file in a flat directory structure.

Any ideas on how this can be accomplished without having to create a separate GPO per host?

TIA

Intermittent NTLM 403 Error

Typically, we see
HTTP Status 403 - This server does not allow NTLM, but the client attempted NTLM anyway.
as a client configuration issue.  However, the client can successfully connect most of the time and sees this only intermittently.

Ideas?

Error in Service Module


RHEL 6.1

Machine is joined to domain, AD account is able to login to other QAS machines.

Whenever I attempt to login from main screen I just get the error "Error in Service Module"

Any thoughts?

Support for apache httpd 2.4?

Do you know if mod_auth_vas will work with Apache httpd 2.4? Or if there is any intention to support this, and if so what time frame this version is likely to be supported in?

Thanks,
Paul

Couldn't create pid file /var/run/sshd-quest.pid

Hi. Does anybody know what could be the reason for this error in authlog?
I do not have /var/run on the AIX host. Is that something created on the fly?

problem of vastool user checklogin


Hi experts!

I am a newbie to VAS.

After installing VAS 3.5 on both the server (Windows Server 2003) and the client (Red Hat 5.2) according to the manual,

I failed to log in to the Linux client using a Unix-enabled domain user: test

I tried to run some troubleshooting commands, and got some information as below:

[root@redhat-head ~]# /opt/quest/bin/vastool user checklogin test
WARNING: NSS lookup (getpwnam) for user test failed, this will almost
certainly mean that you will be unable to log in with a username of test.
This should be fixed before worrying about any other failures.
## I checked /etc/nsswitch.conf, and found everything is OK.

[root@redhat-head ~]# /opt/quest/bin/vastool nss getpwnam test
ERROR: Could not look up user for name: test, error = 2.

[root@redhat-head ~]# /opt/quest/bin/vastool info domain
test.com

[root@redhat-head ~]#/opt/quest/bin/vastool -u host/ attrs test uidnumber gidnumber unixhomedirectory loginshell userprincipalname DistinguishedName
distinguishedName: CN=test,OU=Unix,DC=pera-test,DC=com
userPrincipalName: test@test.com
uidNumber: 1000
gidNumber: 1000
unixHomeDirectory: /home/test
loginShell: /bin/bash

I can't find where the problem is.

Any advice?

Thanks in advance!


VAS / SAMBA how to

Hi,

If I am using a stock samba version (3.0.20b-3.21-1370-SUSE) and trying to get VAS working with it, do I have to join the system twice in the domain? One for VAS (vastool join...) and other for samba (net ads join...)?

I was trying to setup my samba server without joining the system for samba (net ads join...) and "vas-samba-config" failed on me with the following error:

Testing Samba is joined to Active Directory...
+ /usr/bin/net -s /etc/samba/smb.conf ads testjoin
[2009/03/26 18:43:58, 0] libads/kerberos.c:ads_kinit_password(147)
kerberos_kinit_password host1$@xx.xx.xx.COM failed: Preauthentication failed
[2009/03/26 18:43:59, 0] libads/kerberos.c:ads_kinit_password(147)
kerberos_kinit_password host1$@xx.xx.xx.COM failed: Preauthentication failed
[2009/03/26 18:43:59, 0] utils/net_ads.c:ads_startup(191)
ads_connect: Preauthentication failed
Join to domain is not valid
ERROR: Samba not joined: 'net ads testjoin' failed

This kind of indicates that VAS and Samba both need to be joined separately. Is that correct?

Thanks!

Getting error while initializing AuthFilter against MIT Kerb server

Getting the following error when trying to make a new AuthFilter with the following FilterConfig:

        idm.kdc,
        idm.realm,
        idm.princ
        idm.userHandledExcept : true
        idm.allowUnsecured: true

2011-04-28 10:19:17,225 ERROR [com.wedgetail.idm.sso.util.CommonsSsoLogger] Successfully got TGT for HTTP/spnegouser.myrealm.com@MYREALM.COM but failed to do GSSAPI to HTTP/spnegouser.myrealm.com
GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Incorrect net address (PROCESS_TGS)
KrbError:
    Error code: 38
    Error message: PROCESS_TGS
    Client name: null
    Client realm: null
    Client time: Tue Feb 01 20:32:17 CET 2005
    Server name: HTTP/aamir.myrealm.com
    Server realm: MYREALM.COM
    Server time: Thu Apr 28 10:19:17 CEST 2011)
    at com.dstc.security.kerberos.gssapi.GSSKrbException.create(GSSKrbException.java:208)
    at com.dstc.security.kerberos.gssapi.GSSContext.initSecContext(GSSContext.java:310)
    at com.dstc.security.kerberos.gssapi.GSSContext.initSecContext(GSSContext.java:280)
    at com.wedgetail.idm.sso.util.Util.checkSPNs(Util.java:245)
    at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator2(AbstractAuthenticator.java:582)
    at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:325)
    at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:131)

....
.....
Caused by: com.dstc.security.kerberos.KerberosError: Incorrect net address (PROCESS_TGS)
KrbError:
    Error code: 38
    Error message: PROCESS_TGS
    Client name: null
    Client realm: null
    Client time: Tue Feb 01 20:32:17 CET 2005
    Server name: HTTP/aamir.myrealm.com
    Server realm: MYREALM.COM
    Server time: Thu Apr 28 10:19:17 CEST 2011
    at com.dstc.security.kerberos.Kerberos.getKrbTGSRepFromKDC(Kerberos.java:1361)
    at com.dstc.security.kerberos.Kerberos.requestServiceTicket(Kerberos.java:1314)
    at com.dstc.security.kerberos.Kerberos.requestServiceTicket(Kerberos.java:1338)
    at com.dstc.security.kerberos.gssapi.DefaultCredentialManager.requestServiceTicket(DefaultCredentialManager.java:194)
    at com.dstc.security.kerberos.gssapi.ClientHandShaker.getServiceTicket(ClientHandShaker.java:715)
    at com.dstc.security.kerberos.gssapi.ClientHandShaker.huntServiceTicket(ClientHandShaker.java:295)
    at com.dstc.security.kerberos.gssapi.ClientHandShaker.handle(ClientHandShaker.java:193)
    at com.dstc.security.kerberos.gssapi.GSSContext.initSecContext(GSSContext.java:301)
    ... 53 more
2011-04-28 10:19:17,227 ERROR [com.wedgetail.idm.sso.util.CommonsSsoLogger] All SPNs failed verification.
2011-04-28 10:19:17,227 ERROR [com.wedgetail.idm.sso.util.CommonsSsoLogger] Error during initAuthenticator()
com.wedgetail.idm.sso.ConfigException: All SPNs failed verification.
    at com.wedgetail.idm.sso.util.Util.checkSPNs(Util.java:273)
    at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator2(AbstractAuthenticator.java:582)
    at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:325)
    at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:131)



Message was edited by: aamir