17 Replies. Latest reply on Dec 15, 2010 7:17 AM by Bill Robinson

    Problem with AD / Kerberos integration on a 7.6.x AppServer

      Hello,
      I cannot get the AD / Kerberos integration on a 7.6.x AppServer running.

      I'm just pasting what I have - maybe someone has an idea?

      The keytab file seems to work - at least with the Kerberos "kinit", but not really with the BMC "kinit" (just running from a regular bash):


      [root@appserver br]# kinit -k -t blauthsvc.keytab blauthsvc/appserver1@DOMAIN
      [root@appserver br]#

      [root@appserver br]# java/bin/kinit -k -t blauthsvc.keytab blauthsvc/appserver1@DOMAIN
      Exception: krb_error 0 Cannot get kdc for realm DOMAIN No error
      KrbException: Cannot get kdc for realm DOMAIN
              at sun.security.krb5.KrbKdcReq.send(Unknown Source)
              at sun.security.krb5.KrbKdcReq.send(Unknown Source)
              at sun.security.krb5.internal.tools.Kinit.sendASRequest(Unknown Source)
              at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
              at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)


      AppServer Configuration:


      FILE /opt/blapp/nsh/br/blappserv_login.conf:

      com.sun.security.jgss.accept {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      keyTab="/opt/blapp/nsh/br/blauthsvc.keytab"
      storeKey=true
      principal="blauthsvc/appserver1@DOMAIN"
      doNotPrompt=true
      debug=false;
      };


      FILE /opt/blapp/nsh/br/blappserv_krb5.conf:

      [libdefaults]
      ticket_lifetime=6000
      default_realm=DOMAIN
      default_tkt_enctypes=des-cbc-md5
      default_tgs_enctypes=des-cbc-md5
      [realms]
      DOMAIN={
      kdc=kdc1.DOMAIN:88
      kdc=kdc2.DOMAIN:88
      }

      The Settings with "blasadmin" for "AuthServer" are OK.


      Client configuration:

      FILE: authenticationProfiles.xml

      This file does not have a configuration entry for the SPN!
      It seems a line like the following is missing:

          <SPN>blauthsvc/appserver1@DOMAIN</SPN>

      But with the GUI, I cannot add this information - is it required to be added manually?


      <?xml version="1.0" encoding="UTF-8"?>
      <ServiceProfiles>
        <ServiceProfile>
          <Name>Integration AD</Name>
          <ServiceURL>service:authsvc.bladelogic:blauth://appserver.DOMAIN:9840
      </ServiceURL>
          <AuthenticationType>AD_KERBEROS</AuthenticationType>
        </ServiceProfile>
        <ServiceProfile>
          <Name>Integration</Name>
          <ServiceURL>service:authsvc.bladelogic:blauth://appserver.domain:9840
      </ServiceURL>
          <AuthenticationType>SRP</AuthenticationType>
        </ServiceProfile>
      </ServiceProfiles>


      FILE: blclient_krb5.conf

      [libdefaults]
      ticket_lifetime = 6000
      default_realm = DOMAIN
      default_tkt_enctypes = des-cbc-md5
      default_tgs_enctypes = des-cbc-md5
      [realms]
      DOMAIN = {
      kdc = kdc1.DOMAIN:88
      kdc = kdc2.DOMAIN:88
      }


      FILE: blclient_login.conf

      com.sun.security.jgss.initiate {
      com.sun.security.auth.module.Krb5LoginModule required
      doNotPrompt=true
      Debug=true
      useTicketCache=true;
      };


      FILE: config.properties

      #Last saved by: Unknown:Unknown
      #Fri Feb 25 10:39:33 EST 2005
      Current.Global.RunNow=1
      AUTH_TYPE=SRP
      Current.Deploy.DestinationDir=/tmp/blade
      keystore=bladelogic.keystore
      Default.Verify.Options=0
      Default.Deploy.ParallelProcs=1
      CMUI.LASTUSER=
      Current.Deploy.StageDir=/tmp/stage
      WEBBROWSER=C\:\\Program Files\\Internet Explorer\\iexplore.exe
      show.tooltips=0
      Default.Deploy.DestinationDir="/tmp/blade"
      CMUI.LASTROLE=
      Current.Deploy.BackupDirectory=/backup
      APPSERVER_ISPROXY=FALSE
      APPSERVER_PORT=9829
      Default.Deploy.BackupSuffix=".bak"
      Current.Deploy.MinFileSize=0
      job_refresh_interval=5
      Default.Deploy.MinFileSize=0
      Current.Deploy.BackupSuffix=.bak
      Current.Deploy.PullDir=/nsh/pull/%h
      task_refresh_interval=5
      Default.Global.RunNow=1
      RBACUI.LASTUSER=
      Default.Deploy.PullDir="/nsh/pull/%h"
      Default.Notification.MaxEmailSize=1000
      Current.Deploy.MinDiskFree=0
      Default.Deploy.MinDiskFree=0
      APPSERVER_HOST=localhost
      Default.Deploy.BackupDirectory="/backup"
      Default.Deploy.StageDir="/tmp/stage"
      Current.Deploy.BlockSize=0
      Current.Verify.Options=0
      Current.Deploy.ParallelProcs=1
      max.model.cache.size=1000
      Default.Deploy.BlockSize=0
      java.security.auth.login.config=C\:\\Program Files/BladeLogic/OM/br/blclient_login.conf
      java.security.krb5.conf=C\:\\Program Files/BladeLogic/OM/br/blclient_krb5.conf
      javax.security.auth.useSubjectCredsOnly=false
      Available.Languages=en,fr,ja
      Language=en
      Deploy.RegisterCOMComponents=true



      Error messages of the AppServer:


      ==> console.log <==
      Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/blapp/nsh/br/blauthsvc.keytab refreshKrb5Config is false principal is blauthsvc/appserver1@DOMAIN tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      principal's key obtained from the keytab
      Acquire TGT using AS Exchange
                      [Krb5LoginModule] authentication failed
      Cannot get kdc for realm DOMAIN
      [09 Dec 2010 18:34:35,392] [Authentication-Service-Thread-0] [WARN] [::CLIENT_IP] [Appserver] No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
      [09 Dec 2010 18:34:35,408] [Authentication-Service-Thread-0] [WARN] [::CLIENT_IP] [Appserver] java.io.EOFException
      com.bladelogic.mfw.util.BlException: java.io.EOFException
              at com.bladelogic.auth.service.AuthSvcConnection.handleAuthRequest(AuthSvcConnection.java:218)
              at com.bladelogic.auth.service.AuthSvcWorkerThread.execute(AuthSvcWorkerThread.java:62)
              at com.bladelogic.auth.service.AuthSvcWorkerThread.execute(AuthSvcWorkerThread.java:16)
              at com.bladelogic.app.service.thread.BlBlockingThread.run(BlBlockingThread.java:92)
      Caused by: java.io.EOFException
              at com.bladelogic.session.common.SimpleMessaging.receiveMessage(SimpleMessaging.java:116)
              at com.bladelogic.session.common.SimpleMessaging.receiveToken(SimpleMessaging.java:173)
              at com.bladelogic.auth.service.AuthSvcConnection.handleAuthRequest(AuthSvcConnection.java:164)
              ... 3 more
      [09 Dec 2010 18:34:35,410] [Authentication-Service-Thread-0] [INFO] [::CLIENT_IP] [Appserver] Authentication Connection closed

      ==> appserver.log <==
      [09 Dec 2010 18:34:35,392] [Authentication-Service-Thread-0] [WARN] [::CLIENT_IP] [Appserver] No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
      [09 Dec 2010 18:34:35,408] [Authentication-Service-Thread-0] [WARN] [::CLIENT_IP] [Appserver] java.io.EOFException
      com.bladelogic.mfw.util.BlException: java.io.EOFException
              at com.bladelogic.auth.service.AuthSvcConnection.handleAuthRequest(AuthSvcConnection.java:218)
              at com.bladelogic.auth.service.AuthSvcWorkerThread.execute(AuthSvcWorkerThread.java:62)
              at com.bladelogic.auth.service.AuthSvcWorkerThread.execute(AuthSvcWorkerThread.java:16)
              at com.bladelogic.app.service.thread.BlBlockingThread.run(BlBlockingThread.java:92)
      Caused by: java.io.EOFException
              at com.bladelogic.session.common.SimpleMessaging.receiveMessage(SimpleMessaging.java:116)
              at com.bladelogic.session.common.SimpleMessaging.receiveToken(SimpleMessaging.java:173)
              at com.bladelogic.auth.service.AuthSvcConnection.handleAuthRequest(AuthSvcConnection.java:164)
              ... 3 more
      [09 Dec 2010 18:34:35,410] [Authentication-Service-Thread-0] [INFO] [::CLIENT_IP] [Appserver] Authentication Connection closed



      A "USER@DOMAIN" user is added to RBAC and starting the Configuration Manager correctly shows USER@DOMAIN, so the TGT seems to apply.


      I tried with the above <SPN>...</SPN> added to the *.xml file, but this did not change anything.

      Any idea?
        • 1. Re: Problem with AD / Kerberos integration on a 7.6.x AppServer

          Some additional facts that I forgot to mention:

          The keytab file lists the correct SPN:

          [root@si1184p br]# klist -k blauthsvc.keytab
          Keytab name: FILE:blauthsvc.keytab
          KVNO Principal
          ---- --------------------------------------------------------------------------
             4 blauthsvc/appserver1@DOMAIN


          bladmin>show authserver all
          [AuthServer]
          ActiveDirectoryLdapUrl:
          ActiveDirectorySearchBase:
          AppServiceURLs:
          AuthSvcKrb5Config:/opt/blapp/nsh/br/blappserv_krb5.conf
          AuthSvcKrb5LoginConfig:/opt/blapp/nsh/br/blappserv_login.conf
          AuthSvcPort:9840
          AuthSvcSocketTimeout:75
          AuthSvcSocketsBindAddress:all
          IsADKAuthEnabled:true
          IsActiveDirectoryLdapCheckEnabled:
          IsDomainAuthEnabled:true
          IsLdapAuthEnabled:
          IsSRPAuthEnabled:true
          IsSSOCredRefreshEnabled:true
          IsSecurIdAuthEnabled:
          IsSsoRefreshHostnameCheckEnabled:
          LdapUserDnTemplate:
          LdapUserValidationFilter:
          MaxAuthSvcContexts:20
          MaxAuthSvcThreads:3
          MaximumSessionCredentialLifetime:
          ProxyServiceURLs:
          ReportServiceURLs:
          SessionCredentialLifetime:

          I also tried with:

          AuthSvcKrb5Config:blappserv_krb5.conf
          AuthSvcKrb5LoginConfig:blappserv_login.conf

          And yes, AD is checked for the BladeLogic user in RBAC ...

          BTW, the BladeLogic Administration guide speaks about

          set AuthServer Krb5Config <file_name>

          and

          set AuthServer Krb5LoginConfig <file_name>

          while "blasadmin" only shows

          AuthSvcKrb5Config
          and
          AuthSvcKrb5LoginConfig

          So, the variable name is different?!?

          Added part about the different naming of blasadmin variables ...

          • 2. Problem with AD / Kerberos integration on a 7.6.x AppServer

            And something more:

            In the AD configuration (Windows 2003) the settings are:

            User Logon Name: "blauthsvc/appserver1" and "@domain" (yes, setspn made that lowercase! Is that OK?)
            User Logon Name (pre-Windows 2000): "DOMAIN\" and "blauthsvc"
            Use DES is checked.
            Account never expires.
            First Name: "blauthsvc"
            Display name: "blauthsvc"

            • 3. Re: Problem with AD / Kerberos integration on a 7.6.x AppServer
              Bill Robinson

              I think your problem is here:

              Cannot get kdc for realm DOMAIN

              Can you telnet to port 88 on the kdc(s) from your appserver?  Can the appserver read the blappserv_* files?

              • 4. Re: Problem with AD / Kerberos integration on a 7.6.x AppServer

                Hello Bill!

                I tested those things already, but did it again (I stopped telnet with Ctrl-C):

                [root@appserver br]# telnet kdc1.DOMAIN 88
                Trying 172.28.112.72...
                Connected to kdc1.intitoper.local (172.28.112.72).
                Escape character is '^]'.
                Connection closed by foreign host.

                [root@appserver br]# telnet kdc2.DOMAIN 88
                Trying 172.28.112.73...
                Connected to kdc2.intitoper.local (172.28.112.73).
                Escape character is '^]'.
                Connection closed by foreign host.

                The AppServer is running as "bladmin":

                [root@appserver br]# ls -al blappserv_* blauthsvc.keytab /etc/krb5.conf
                -rw-r--r-- 1 bladmin bladmin 234 Dec  8 16:52 blappserv_login.conf_FINAL
                -rw-r--r-- 1 bladmin bladmin 222 Dec  9 16:20 blappserv_krb5.conf
                -rw-r--r-- 1 root    root    222 Dec  9 16:20 /etc/krb5.conf
                -rw-r----- 1 bladmin bladmin  69 Dec  9 17:35 blauthsvc.keytab
                -rw-r--r-- 1 bladmin bladmin 228 Dec 10 12:49 blappserv_login.conf

                [root@appserver br]# pwd
                /opt/blapp/nsh/br

                I copied blappserv_krb5.conf to /etc/krb5.conf, so that the Kerberos "kinit" could be used to test the keytab file.

                The BMC "kinit" cannot find the KDC as it does not know where to find it, I suppose - while the AppServer should know from the blasadmin configuration for AuthServer.

                I tested both full paths and only the filenames for the two config files.

                • 5. Re: Problem with AD / Kerberos integration on a 7.6.x AppServer

                  I have the impression that the AppServer never contacts one of the KDCs ...
                  At least, tcpdump does not show anything.

                  That would mean the AppServer is not able to contact the AD because it either does not know them, or it does not reach that step because of earlier problems ...

                  Just brainstorming.

                  • 6. Re: Problem with AD / Kerberos integration on a 7.6.x AppServer
                    Bill Robinson

                    From the command line you could do, I think:

                    Export KRB5_CONFG= /opt/blapp/nsh/br/blappserv_krb5.conf

                    Then your ‘java/bin/kinit -k -t blauthsvc.keytab…’ command – I think that will force it to use the right krb5 config

                    Can you paste a ‘blasadmin –s  show auth all’ ?

                    • 7. Re: Problem with AD / Kerberos integration on a 7.6.x AppServer

                      The variable does not seem to work:

                      [root@si1184p br]# export KRB5_CONFG=/opt/blapp/nsh/br/blappserv_krb5.conf
                      [root@si1184p br]# java/bin/kinit -k -t blauthsvc.keytab
                      Exception: krb_error 0 Cannot get kdc for realm INTITOPER.LOCAL No error
                      KrbException: Cannot get kdc for realm INTITOPER.LOCAL
                              at sun.security.krb5.KrbKdcReq.send(Unknown Source)
                              at sun.security.krb5.KrbKdcReq.send(Unknown Source)
                              at sun.security.krb5.internal.tools.Kinit.sendASRequest(Unknown Source)
                              at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
                              at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)

                      I tried both a regular bash and an nsh.

                      It does not find the blappserv_login.conf, it seems ...

                      I tried

                      export KRB5_CONFG=/opt/blapp/nsh/br/blappserv_login.conf

                      instead, but to no avail.

                      • 8. Re: Problem with AD / Kerberos integration on a 7.6.x AppServer
                        Bill Robinson

                        KRB5_CONFIG (I think you are missing an ‘I’) but that’s for testing - if kinit works w/ the same file in /etc/krb5.conf, I think the file is ok.

                        What’s in the blasadmin output for the authsvc of your appserver instance?
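The checks behind Bill's questions in replies 3, 6 and 8, worked through as an added example; this is my own Python, not BMC code and not something the thread posted. It assumes the JDK 6-era lookup rules for the Kerberos config (the java.security.krb5.conf system property, then ${java.home}/lib/security/krb5.conf, then /etc/krb5.conf on Linux; Java never reads the KRB5_CONFIG environment variable, which is why exporting it in reply 7 could not change anything), and it uses the [realms] section from the first post with DOMAIN, kdc1.DOMAIN and kdc2.DOMAIN kept as the thread's placeholders. It parses that krb5.conf, reports whether the principal's realm has a [realms] stanza with a kdc line (realm names are case-sensitive, which matters once setspn has lowercased the suffix as in reply 2), and flags the single-DES enctypes the file and the "Use DES" account setting rely on.

```python
# Added example (not BMC's code): which krb5.conf a JVM loads, and whether it names a KDC.
import os


def java_krb5_conf_search_order(java_home, krb5_conf_property=None):
    """Files the JDK 6-era sun.security.krb5.Config tries in order on Linux. A set
    java.security.krb5.conf property is used exclusively; KRB5_CONFIG is never read."""
    if krb5_conf_property:
        return [krb5_conf_property]
    return [os.path.join(java_home, "lib", "security", "krb5.conf"), "/etc/krb5.conf"]


def resolve_java_krb5_conf(java_home, krb5_conf_property=None, exists=os.path.exists):
    """First candidate that exists, or None (no realm data -> 'Cannot get kdc for realm')."""
    candidates = java_krb5_conf_search_order(java_home, krb5_conf_property)
    return next((p for p in candidates if exists(p)), None)


def parse_krb5_conf(text):
    """Parse the krb5.conf subset seen in the thread: [section] headers, key = value lines
    and REALM = { ... } groups, with or without spaces around '='. Repeated keys
    (several kdc lines) are collected into a list."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1].strip(), {})]
            continue
        if line == "}" and len(stack) > 1:
            stack.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not stack or not sep:
            raise ValueError("cannot parse line: %r" % raw)
        if value == "{":
            stack[-1][key] = group = {}
            stack.append(group)
        elif key in stack[-1]:
            seen = stack[-1][key]
            stack[-1][key] = (seen if isinstance(seen, list) else [seen]) + [value]
        else:
            stack[-1][key] = value
    return conf


def kdc_endpoints(conf, realm, default_port=88):
    """(host, port) pairs from the realm's kdc lines; [] when the realm lists none."""
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    kdcs = [kdcs] if isinstance(kdcs, str) else kdcs
    return [(h, int(p) if p else default_port) for h, _, p in (k.partition(":") for k in kdcs)]


def check_realm(conf, principal):
    """Findings that explain 'Cannot get kdc for realm' for this principal's realm;
    an empty list means the config file itself is not the cause."""
    realm = principal.rpartition("@")[2]
    realms, findings = conf.get("realms", {}), []
    if realm not in realms:
        # Realm names are case-sensitive: a stanza differing only in case does not match.
        near = [r for r in realms if r.lower() == realm.lower()]
        findings.append("no [realms] stanza for %s%s"
                        % (realm, " (found %s: case differs)" % near if near else ""))
    elif not kdc_endpoints(conf, realm):
        findings.append("[realms] stanza for %s lists no kdc" % realm)
    if conf.get("libdefaults", {}).get("default_realm") != realm:
        findings.append("default_realm does not match principal realm %s" % realm)
    return findings


def weak_enctypes(conf):
    """Single-DES enctypes set in [libdefaults]; DES is deprecated for Kerberos (RFC 6649)."""
    return sorted({v for k, v in conf.get("libdefaults", {}).items()
                   if k.endswith("_enctypes") and isinstance(v, str) and v.startswith("des-")})


# Constructed sample: the [realms] section from the first post (DOMAIN is its placeholder).
SAMPLE_KRB5_CONF = """\
[libdefaults]
ticket_lifetime=6000
default_realm=DOMAIN
default_tkt_enctypes=des-cbc-md5
default_tgs_enctypes=des-cbc-md5
[realms]
DOMAIN={
kdc=kdc1.DOMAIN:88
kdc=kdc2.DOMAIN:88
}
"""

if __name__ == "__main__":
    # In the thread java/bin/kinit was run from /opt/blapp/nsh/br, so that is java.home here.
    print("JVM would load:", resolve_java_krb5_conf("/opt/blapp/nsh/br/java"))
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("KDCs:", kdc_endpoints(conf, "DOMAIN"))
    print("findings:", check_realm(conf, "blauthsvc/appserver1@DOMAIN") or "none")
    print("weak enctypes:", weak_enctypes(conf))
```

To make the BMC java/bin/kinit read blappserv_krb5.conf for a test, the switch Java honours is the system property rather than KRB5_CONFIG; for a launcher that takes no -D argument, the JVM also picks up JAVA_TOOL_OPTIONS="-Djava.security.krb5.conf=/opt/blapp/nsh/br/blappserv_krb5.conf" from the environment (my suggestion, not from the thread). A "no [realms] stanza" or "lists no kdc" finding is the condition under which Java reports "Cannot get kdc for realm"; an empty finding list for the file the JVM actually loaded points at the AppServer's own settings or at the network instead, which is consistent with tcpdump showing no KDC traffic in reply 5.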

                        • 9. Re: Problem with AD / Kerberos integration on a 7.6.x AppServer

                          I tried 3 blasadmin calls:

                          blasadmin -s _template
                          blasadmin -s default
                          blasadmin -a

                          The _template has

                          IsDomainAuthEnabled:false

                          while both other outputs are:

                          [AuthServer]
                          ActiveDirectoryLdapUrl:
                          ActiveDirectorySearchBase:
                          AppServiceURLs:
                          AuthSvcKrb5Config:blappserv_krb5.conf
                          AuthSvcKrb5LoginConfig:blappserv_login.conf
                          AuthSvcPort:9840
                          AuthSvcSocketTimeout:75
                          AuthSvcSocketsBindAddress:all
                          IsADKAuthEnabled:true
                          IsActiveDirectoryLdapCheckEnabled:
                          IsDomainAuthEnabled:true
                          IsLdapAuthEnabled:
                          IsSRPAuthEnabled:true
                          IsSSOCredRefreshEnabled:true
                          IsSecurIdAuthEnabled:
                          IsSsoRefreshHostnameCheckEnabled:
                          LdapUserDnTemplate:
                          LdapUserValidationFilter:
                          MaxAuthSvcContexts:20
                          MaxAuthSvcThreads:3
                          MaximumSessionCredentialLifetime:
                          ProxyServiceURLs:
                          ReportServiceURLs:
                          SessionCredentialLifetime:

                          So, currently without the full path to the config files.

                          I am going to change that (again) for a new test!

                          There are more deployments:

                          _install and two jobservers ...

                          Shall I post them too?

                          • 10. Re: Problem with AD / Kerberos integration on a 7.6.x AppServer

                            I changed all deployments so that all have

                            IsADKauthEnabled:true
                            and
                            IsDomainAuthEnabled:false

                            just to be sure.

                            Beside that, all configs were the same with the exception of a 0 AuthSvcPort for the JobServers ...

                            • 11. Re: Problem with AD / Kerberos integration on a 7.6.x AppServer
                              Bill Robinson

                              The ‘default’ deployment is what you want to look at (if there are no other instances handling CONFIG duties).  That looks ok.

                              You are restarting the appserver service after making these changes to test, right?

                              • 13. Re: Problem with AD / Kerberos integration on a 7.6.x AppServer

                                The latest output, after the changes:

                                Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/blapp/nsh/br/blauthsvc.keytab refreshKrb5Config is false principal is blauthsvc/appserver1@DOMAIN tryFirstPass is false useFirstPass is false storePass is false clearPass is false
                                principal's key obtained from the keytab
                                Acquire TGT using AS Exchange
                                                [Krb5LoginModule] authentication failed
                                Cannot get kdc for realm DOMAIN
                                [10 Dec 2010 14:50:29,629] [Authentication-Service-Thread-0] [WARN] [::172.28.112.76] [Appserver] No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
                                [10 Dec 2010 14:50:29,649] [Authentication-Service-Thread-0] [WARN] [::172.28.112.76] [Appserver] java.io.EOFException
                                com.bladelogic.mfw.util.BlException: java.io.EOFException
                                        at com.bladelogic.auth.service.AuthSvcConnection.handleAuthRequest(AuthSvcConnection.java:218)
                                        at com.bladelogic.auth.service.AuthSvcWorkerThread.execute(AuthSvcWorkerThread.java:62)
                                        at com.bladelogic.auth.service.AuthSvcWorkerThread.execute(AuthSvcWorkerThread.java:16)
                                        at com.bladelogic.app.service.thread.BlBlockingThread.run(BlBlockingThread.java:92)
                                Caused by: java.io.EOFException
                                        at com.bladelogic.session.common.SimpleMessaging.receiveMessage(SimpleMessaging.java:116)
                                        at com.bladelogic.session.common.SimpleMessaging.receiveToken(SimpleMessaging.java:173)
                                        at com.bladelogic.auth.service.AuthSvcConnection.handleAuthRequest(AuthSvcConnection.java:164)
                                        ... 3 more
                                [10 Dec 2010 14:50:29,651] [Authentication-Service-Thread-0] [INFO] [::172.28.112.76] [Appserver] Authentication Connection closed
                                • 14. Re: Problem with AD / Kerberos integration on a 7.6.x AppServer

                                  I made the debug output a little more readable:

                                  Debug is true
                                  storeKey true
                                  useTicketCache false
                                  useKeyTab true
                                  doNotPrompt true
                                  ticketCache is null
                                  isInitiator true
                                  KeyTab is /opt/blapp/nsh/br/blauthsvc.keytab
                                  refreshKrb5Config is false
                                  principal is blauthsvc/appserver1@DOMAIN
                                  tryFirstPass is false
                                  useFirstPass is false
                                  storePass is false
                                  clearPass is false

                                  Currently, I use the full path to the blasadmin entry for AuthServ: /opt/blapp/nsh/br/blappserv_login.conf

                                  (BTW, this forum does not use widescreens very well - the text sadly neither wraps around nor uses the full width of the screen :-(
