Kerberos user principals in Keytab and KDC with JAAS

I'm building a simple JAAS login module. This uses the following code:

import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.callback.TextCallbackHandler;

public class Jaas {
    private static String name;
    private static final boolean verbose = false;

    public static void main(String[] args) throws Exception {
        if (args.length > 0) {
            name = args[0];
        } else {
            name = "client";
        }

        // Create action to perform
        PrivilegedExceptionAction action = new MyAction();

        loginAndAction(name, action);
    }

    static void loginAndAction(String name, PrivilegedExceptionAction action)
        throws LoginException, PrivilegedActionException {

        // Create a callback handler
        CallbackHandler callbackHandler = new TextCallbackHandler();

        LoginContext context = null;

        try {
            // Create a LoginContext with a callback handler
            context = new LoginContext(name, callbackHandler);

            // Perform authentication
            context.login();
        } catch (LoginException e) {
            System.err.println("Login failed");
            e.printStackTrace();
            System.exit(-1);
        }

        // Perform action as authenticated user
        Subject subject = context.getSubject();
        if (verbose) {
            System.out.println(subject.toString());
        } else {
            System.out.println("Authenticated principal: " +
                subject.getPrincipals());
        }

        Subject.doAs(subject, action);

        context.logout();
    }

    // Action to perform
    static class MyAction implements PrivilegedExceptionAction {
        MyAction() {
        }

        public Object run() throws Exception {
            // Replace the following with an action to be performed
            // by authenticated user
            System.out.println("Performing secure action ...");
            return null;
        }
    }
}

This is run using:

java -Djava.security.auth.login.config=jaas-krb5.conf Jaas client

jaas-krb5.conf:

client{
    com.sun.security.auth.module.Krb5LoginModule required
    principal="name@Host.COM";
};
server{
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab=myKeyTab.keytab
    principal="host.name.com";
};

and within the myKeyTab we have the following principal:

slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    4        name@Host.COM

So I've compiled and run it, but when logging in I always get an error:

Kerberos password for name@Host.COM: //I enter the password
Login failed

with the stack trace:

javax.security.auth.login.LoginException: Cannot get kdc for realm Host.COM
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
        at Jaas.loginAndAction(Jaas.java:77)
        at Jaas.main(Jaas.java:61)
Caused by: KrbException: Cannot get kdc for realm Host.COM
        at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:195)
        at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:174)
        at sun.security.krb5.KrbAsReq.send(KrbAsReq.java:431)
        at sun.security.krb5.Credentials.sendASRequest(Credentials.java:400)
        at sun.security.krb5.Credentials.acquireTGT(Credentials.java:350)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)

My Question is:

I think I've got a fundamental misunderstanding of what's occurring between the KDC/keytab and the user entry. My understanding is that the principal is what is validated against; if so, how do I enter new principals and assign passwords?

My aim is simply to add a test principal to the keytab and use that for running this login script.

It looks like you made one incorrect assumption.

Principals are username + Kerberos realm (or Active Directory domain). This might or might not be the same value as the DNS domain. But fundamentally they are completely different things. In your particular case it looks like your Kerberos realm is intranet.barcapint.com. However, your keytab contains a key for name@host.com. Because of this the JAAS Kerberos client ignores what's in the keytab and falls back to the default realm resolution. And it seems your realm-to-domain mapping is broken, so it cannot find the KDC and fails with the error above. Hence you get the inner exception.

To fix all the above, first you need to fix your domain-to-realm mapping. How to do it depends on the operating system. On Unix systems you should check /etc/krb5.conf; on Windows it is c:\windows\krb5.ini. But it might be somewhere else. Check this for more info.

Another thing is, you only need keytabs for unattended servers. It is just a convenient way to store Kerberos keys. I suggest you first get the server and client working using the text callback like you have above. Once you've got this, you can proceed to using the keytab for the server.
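As an added illustration (not part of the question or the answer above), the following Python script parses a constructed krb5.conf, applies the [domain_realm] mapping the answer refers to, and reports the same "Cannot get kdc for realm" condition the JDK raised when a principal's realm has no KDC configured. The sample config, host names and KDC address are assumptions for the demo.

```python
# Constructed sample krb5.conf (not from the post): realm HOST.COM gets a KDC and
# the DNS domain host.com is mapped onto it. Realm names are case-sensitive and
# conventionally upper-case, so "Host.COM" from the question would not match.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = HOST.COM
[realms]
    HOST.COM = {
        kdc = kdc.host.com:88
    }
[domain_realm]
    .host.com = HOST.COM
"""

def parse_krb5_conf(text):
    """Minimal parser: {section: {key: value}}; [realms] entries are nested dicts."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line == '}':
            realm = None
        elif line.startswith('['):
            section, realm = line.strip('[]'), None
            conf.setdefault(section, {})
        elif line.endswith('{'):
            realm = line.split('=', 1)[0].strip()
            conf[section][realm] = {}
        elif '=' in line:
            k, v = (s.strip() for s in line.split('=', 1))
            (conf[section][realm] if realm else conf[section])[k] = v
    return conf

def realm_for_host(conf, host):
    """Apply [domain_realm]: exact host first, then each parent domain, else default."""
    mapping = conf.get('domain_realm', {})
    parts = host.split('.')
    candidates = [host] + ['.' + '.'.join(parts[i:]) for i in range(1, len(parts))]
    for c in candidates:
        if c in mapping:
            return mapping[c]
    return conf.get('libdefaults', {}).get('default_realm')

def check_principal(conf, principal):
    """Return 'ok: <kdc>' or the JDK-style complaint when the realm has no kdc line."""
    realm = principal.rsplit('@', 1)[1] if '@' in principal else conf.get('libdefaults', {}).get('default_realm')
    kdc = conf.get('realms', {}).get(realm, {}).get('kdc')
    return ('ok: ' + kdc) if kdc else 'Cannot get kdc for realm ' + str(realm)
```

Running check_principal on name@HOST.COM succeeds against this config, while name@Host.COM reproduces the error from the question because the realm lookup is case-sensitive.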
