Hi Gordon,
I bring up this topic again because I am already struggling to enable Kerberos
security in Qpid.
Just to summarize, I am on CentOS 6.3 with Qpid 0.14. Nothing has been
installed from sources, so it should be pretty much like RHEL.
I have disabled SELinux on this box and I am using QPID as realm.
The file attached is what I am using to connect to/test the broker.
Calling my tool gives me this:
2013-03-11 10:32:44 warning Closing connection due to internal-error: Sasl
error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor
code may provide more information (Credentials cache file '/tmp/krb5cc_526' not
found) (qpid/SaslFactory.cpp:280)
qpid::messaging::ConnectionError
Error: internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information (Credentials
cache file '/tmp/krb5cc_526' not found) (qpid/SaslFactory.cpp:280)
Of course, I can do kinit:
-bash-4.1$ kinit
Password for davide@QPID:
-bash-4.1$
...which seems to work!
If I call my tool again, I get a slightly different error:
2013-03-11 10:34:25 warning Closing connection due to internal-error: Sasl
error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor
code may provide more information (Server krbtgt/LOCALDOMAIN@QPID not found in
Kerberos database) (qpid/SaslFactory.cpp:280)
qpid::messaging::ConnectionError
Error: internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information (Server
krbtgt/LOCALDOMAIN@QPID not found in Kerberos database)
(qpid/SaslFactory.cpp:280)
I am not sure what I should blame (my tool, the broker configuration, Kerberos
configuration?), so I am a bit stuck with this problem and I am not sure what I
should look for on the internet.
I look forward to hearing from you. Any hint will be of great help.
Thanks,
Davide
-----Original Message-----
From: Gordon Sim [mailto:[email protected]]
Sent: 14 August 2012 17:16
To: [email protected]
Subject: Re: Setting up Kerberos security
On 08/14/2012 03:03 PM, Davide Anastasia wrote:
> I've created the keytab file as specified in the Qpid user manual [1]
> and I have set the environment variable as well.
What about the realm? Have you set that? (Previous error message looked like
you were using EXAMPLE.COM?)
> However, I haven't figured out a way to understand where the broker is
> actually looking for this file.
The krb5.conf file points to various logs that may help (the kdc may actually
be another box of course, but the log there is very useful).
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
// Minimal Qpid messaging client used to test GSSAPI (Kerberos) authentication
// against a local broker.
#include <iostream>
#include <cassert>
#include <string>
#include <qpid/messaging/Connection.h>

using namespace std;
using namespace qpid::messaging;

// Broker address (host:port).
const string broker = "localhost:5672";

int main(int argc, char** argv)
{
    if ( argc < 3 ) {
        cerr << "Not enough parameters!\n";
        cerr << argv[0] << " [username] [password]\n";
        return 1;
    }

    try {
        qpid::messaging::Connection conn(broker);

        // Restrict SASL negotiation to the GSSAPI (Kerberos) mechanism.
        conn.setOption("sasl-mechanisms", "GSSAPI");
        conn.setOption("username", argv[1]); // "guest");
        conn.setOption("password", argv[2]); // "guest");

        // open() performs the SASL exchange and throws on failure.
        conn.open();

        assert( conn.isOpen() );
        assert( conn.isValid() );

        conn.close();
    }
    catch ( qpid::messaging::ConnectionError& err )
    {
        // Authentication failures reported by the SASL layer end up here.
        cerr << "qpid::messaging::ConnectionError\n";
        cerr << "Error: " << err.what() << "\n";
        cerr << "Detail: " << err.detail << "\n";
        return -1;
    }
    catch ( qpid::messaging::TransportFailure& err )
    {
        cerr << "qpid::messaging::TransportFailure\n";
        cerr << "Error: " << err.what() << "\n";
        cerr << "Detail: " << err.detail << "\n";
        return -1;
    }

    cout << "All fine!\n";
    return 0;
}