Kerberos Join Active Directory Domain Failure (Ubuntu) - active-directory

I am trying to join Active Directory with Samba 4 on Ubuntu 12.04.05.
When I run host -t SRV _kerberos._udp.test.sg I get the error:
Host _kerberos._udp.test.sg not found: 3(NXDOMAIN)
Meanwhile:
$# host -t SRV _ldap._tcp.test.sg
_ldap._tcp.test.sg has SRV record 0 0 389 4ecapsvsg6.test.sg.
$# host -t A 4ECAPSVSG6.test.sg
4ECAPSVSG6.test.sg has address 10.153.64.5
My /etc/samba/smb.conf:
# Global parameters
[global]
workgroup = TEST
realm = TEST.SG
netbios name = 4ECAPSVSG6
server role = active directory domain controller
dns forwarder = 10.153.64.5
security = ads
use kerberos keytab = true
password server = 4ecapsvsg6.test.sg
allow dns updates = nonsecure and secure
bind interfaces only = no
server services = +smb -s3fs
dcerpc endpoint servers = +winreg +srvsvc
passdb backend = samba4
server services = smb, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
My /etc/krb5.conf:
[libdefaults]
default_realm = TEST.SG
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
4ECAP.SG = {
kdc = 4ecapsvsg6.test.sg:88
admin_server = 4ecapsvsg6.test.sg:749
default_domain = test.sg
}
[domain_realm]
.test.sg = TEST.SG
test.sg = TEST.SG
[login]
krb4_convert = true
krb4_get_tickets = false
My /etc/hosts:
127.0.0.1 localhost
127.0.1.1 4ecapsvsg6
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.153.64.5 4ecapsvsg6.test.sg 4ecapsvsg6
What is the solution? Without it I cannot join the domain with the command:
sudo net ads join
which gives an error like:
Failed to join domain: failed to lookup DC info for domain 'TEST' over rpc: Logon failure
I ran kinit administrator and klist; the result:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TEST.SG
Valid starting Expires Service principal
26/03/2015 14:29:04 27/03/2015 00:29:04 krbtgt/TEST.SG@TEST.SG
renew until 27/03/2015 14:29:00
Meanwhile, I also include my /etc/resolv.conf:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.153.64.5
search test.sg
domain test.sg

After googling this for the past week, I was lucky to find this site: http://edoceo.com/howto/samba4
It turns out I need to edit my dnsmasq config (/etc/dnsmasq.conf)
and add these lines:
srv-host=_kerberos._tcp.test.sg,4ecapsvsg6.test.sg,88
srv-host=_kerberos._tcp.dc._msdcs.test.sg,4ecapsvsg6.test.sg,88
srv-host=_kerberos._udp.test.sg,4ecapsvsg6.test.sg,88
srv-host=_kpasswd._tcp.test.sg,4ecapsvsg6.test.sg,464
srv-host=_kpasswd._udp.test.sg,4ecapsvsg6.test.sg,464
and disable Bind9 (which is installed along with Samba4 by default).
Now the problem is gone :)
Only one problem remains: how to connect to AD (I'll open another thread for that).
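A pre-join check for the SRV records the post ended up adding by hand, written as an added example (not code from the post, from Samba or from dnsmasq). It takes the domain and DC name as arguments; the test.sg names are only the ones from the question, and the `host` output format it parses is the one shown above.

```shell
#!/bin/sh
# Added example: verify the DNS SRV records an AD member needs before running
# `net ads join`, and print the dnsmasq srv-host lines that would provide the
# Kerberos/kpasswd ones for a single DC.

# SRV names that the join, kinit and password-change paths look up.
ad_srv_names() {
  domain="$1"
  printf '%s\n' \
    "_ldap._tcp.$domain" \
    "_kerberos._tcp.$domain" \
    "_kerberos._udp.$domain" \
    "_kpasswd._tcp.$domain" \
    "_kpasswd._udp.$domain" \
    "_ldap._tcp.dc._msdcs.$domain" \
    "_kerberos._tcp.dc._msdcs.$domain"
}

# Turn one `host -t SRV` answer line into "priority weight port target".
# An NXDOMAIN line ("Host ... not found: 3(NXDOMAIN)") yields no output.
parse_srv_line() {
  sed -n 's/^.* has SRV record \([0-9][0-9]*\) \([0-9][0-9]*\) \([0-9][0-9]*\) \(.*\)\.$/\1 \2 \3 \4/p'
}

# Query every expected name; print OK/MISSING per record, return 1 if any is missing.
check_ad_srv() {
  domain="$1"; missing=0
  command -v host >/dev/null 2>&1 || { echo "host(1) not installed" >&2; return 2; }
  for name in $(ad_srv_names "$domain"); do
    rec=$(host -t SRV "$name" 2>/dev/null | parse_srv_line)
    if [ -z "$rec" ]; then
      echo "MISSING $name"; missing=$((missing + 1))
    else
      echo "OK      $name -> $rec"
    fi
  done
  [ "$missing" -eq 0 ]
}

# dnsmasq srv-host lines for one DC: the same set the post added manually.
dnsmasq_srv_lines() {
  domain="$1"; dc="$2"
  printf 'srv-host=%s,%s,%s\n' \
    "_kerberos._tcp.$domain" "$dc" 88 \
    "_kerberos._udp.$domain" "$dc" 88 \
    "_kerberos._tcp.dc._msdcs.$domain" "$dc" 88 \
    "_kpasswd._tcp.$domain" "$dc" 464 \
    "_kpasswd._udp.$domain" "$dc" 464
}

# Usage: sh check_ad_dns.sh test.sg 4ecapsvsg6.test.sg
if [ $# -ge 1 ]; then
  check_ad_srv "$1"
  [ $# -ge 2 ] && { echo "dnsmasq lines for $2:"; dnsmasq_srv_lines "$1" "$2"; }
fi
```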

Related

Samba 4 AD SmartCard Login Your credentials could not be verified

I have built an AD with Samba 4.17.4 under Debian 11. So far everything works. I wanted to test smartcard login and encountered the following problem when logging in on a Windows client:
‘Your credentials could not be verified’
Eventlog ID 4625
status 0xC000006D
substatus 0x0
FailReason %%2304
The PKI infrastructure consists of a root CA and an intermediate CA. My Kerberos config on the DC:
/etc/krb5.conf
[libdefaults]
default_realm = SUB.TEST.DE
dns_lookup_realm = false
dns_lookup_kdc = true
pkinit_anchors = FILE:/var/lib/samba/private/tls/cacert.pem
pkinit_pool= FILE:/var/lib/samba/private/tls/interca.pem
[appdefaults]
pkinit_anchors = FILE:/var/lib/samba/private/tls/cacert.pem
pkinit_pool = FILE:/var/lib/samba/private/tls/interca.pem
[realms]
SUB.TEST.DE = {
default_domain = sub.test.de
pkinit_require_eku = true
}
[domain_realm]
dc0 = SUB.TEST.DE
[kdc]
enable-pkinit = yes
pkinit_identity = FILE:/var/lib/samba/private/tls/dc-cert.pem,/var/lib/samba/private/tls/secure/dc-privkey.pem
pkinit_anchors = FILE:/var/lib/samba/private/tls/cacert.pem
pkinit_pool = FILE:/var/lib/samba/private/tls/interca.pem
pkinit_revoke = FILE:/var/lib/samba/private/tls/sub.crl,/var/lib/samba/private/tls/rootca.crl
pkinit_principal_in_certificate = yes
pkinit_win2k = no
pkinit_win2k_require_binding = yes
my smb.conf:
# Global parameters
[global]
dns forwarder = 10.0.0.10
netbios name = DC
realm = SUB.TEST.DE
server role = active directory domain controller
dns forwarder = 10.0.0.1
workgroup = SUB
idmap_ldb:use rfc2307 = yes
log level = 1 auth_audit:3 auth_json_audit:3
tls enabled = yes
tls certfile = /var/lib/samba/private/tls/dc-cert.pem
tls keyfile = /var/lib/samba/private/tls/secure/dc-privkey.pem
tls cafile = /var/lib/samba/private/tls/cacert.pem
tls crlfile = /var/lib/samba/private/tls/sub.crl
tls dhparams file = /var/lib/samba/private/tls/dc-dhparams.pem
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/sub.test.de/scripts
read only = No
A GPO with the Root CA (Trusted Root Certificates) and the Intermediate CA (Intermediate Certificates) under Computer Configuration > Windows Settings > Security Settings > Public Key Policies is set. Works perfectly.
Root and intermediate CA certificates are imported with certutil and work without problems. Time between DC and client is synchronized.
The certificates were created like this:
openssl req -new -addext 'subjectAltName = otherName:msUPN;UTF8:m.mustermann@sub.contoso.de,email:copy' -newkey rsa:2048 -keyout private/mmustermann-key.pem -out mmustermann-req.pem -config openssl.cnf
openssl ca -config openssl.cnf -extensions usr_cert_scarduser -in mmustermann-req.pem -out mmustermann-cert.pem
cat mmustermann-cert.pem chain.pem > mmustermann-chain.pem
openssl pkcs12 -in mmustermann-chain.pem -inkey private/mmustermann-key.pem -export -out mmustermann.p12
The p12 is imported to a YubiKey and bundled with a PIN.
The auth log says the following:
[2023/02/09 13:46:29.247497, 2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
Auth: [Kerberos KDC,PK-INIT(ietf) Pre-authentication] user [(null)]\[m.mustermann\\@sub.test.de@SUB.TEST.DE] at [Thu, 09 Feb 2023 13:46:29.247487 CET] with [(null)] status [NT_STATUS_PKINIT_FAILURE] workstation [(null)] remote host [ipv4:10.0.0.100:61127] mapped to [SUB]\[m.mustermann]. local host [NULL]
{"timestamp": "2023-02-09T13:46:29.247547+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "51cf6b969999c23e", "logonType": 3, "status": "NT_STATUS_PKINIT_FAILURE", "localAddress": null, "remoteAddress": "ipv4:10.0.0.100:61127", "serviceDescription": "Kerberos KDC", "authDescription": "PK-INIT(ietf) Pre-authentication", "clientDomain": null, "clientAccount": "m.mustermann\\@sub.test.de@SUB.TEST.DE", "workstation": null, "becameAccount": "m.mustermann", "becameDomain": "SUB", "becameSid": "S-1-5-21-3437283345-98153231-3800821964-1119", "mappedAccount": "m.mustermann", "mappedDomain": "SUB", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": null, "duration": 4175}}
Does anyone have any ideas what else I could check? I need a direction.
Regards
I tried different forms of user certificates: with chain, without, CRLs included. At certificate creation I tried different UPN types, like "SUB\m.mustermann", "m.mustermann@sub.test.de" or "m.mustermann".
I rebuilt the whole structure based on this:
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Set_up_the_CRL_Distribution_Point
The only difference is that there was only a root CA in use. On another system I tried this, and it works. But with an intermediate CA I have the problem described above. There must be a trick somewhere. I can't see it.
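Two checks that follow directly from the krb5.conf settings above (pkinit_anchors and pkinit_pool, pkinit_require_eku = true, pkinit_principal_in_certificate = yes), written as an added example and not taken from the post or the Samba wiki: the user certificate must validate through the intermediate CA to the anchor, and its text must carry a PKINIT-usable EKU plus the UPN in subjectAltName. The file paths are the ones from the post; the `openssl x509 -text` layout the second check parses is an assumption about the OpenSSL version in use.

```shell
#!/bin/sh
# Added example: sanity-check a PKINIT user certificate against the KDC settings.
ANCHORS=/var/lib/samba/private/tls/cacert.pem    # pkinit_anchors (root CA)
POOL=/var/lib/samba/private/tls/interca.pem      # pkinit_pool   (intermediate CA)

# 1. Chain check. The intermediate is passed as -untrusted, which is the same
#    role pkinit_pool plays for the KDC: it may complete the chain but is not
#    itself a trust anchor.
pkinit_verify_chain() {
  openssl verify -CAfile "$ANCHORS" -untrusted "$POOL" "$1"
}

# 2. Content check over `openssl x509 -noout -text` output read from stdin.
#    pkinit_require_eku = true needs Client Authentication or Smart Card Logon
#    in the EKU; pkinit_principal_in_certificate = yes needs the UPN otherName
#    in subjectAltName, and that UPN must match the account's userPrincipalName.
#    Prints one line per requirement; returns 1 if anything is missing.
pkinit_check_text() {
  text=$(cat)
  rc=0
  # The value of each extension is printed on the line after its header.
  eku=$(printf '%s\n' "$text" | sed -n '/Extended Key Usage/{n;p;}')
  san=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;}')
  case "$eku" in
    *"Client Authentication"*|*Smartcardlogin*|*"Smart Card Logon"*)
      echo "OK  EKU:$eku" ;;
    *)
      echo "BAD EKU missing or not usable for PKINIT:$eku"; rc=1 ;;
  esac
  case "$san" in
    *UPN*|*1.3.6.1.4.1.311.20.2.3*)
      echo "OK  SAN carries a UPN:$san" ;;
    *)
      echo "BAD no UPN otherName in subjectAltName:$san"; rc=1 ;;
  esac
  return $rc
}

# Run both checks on a PEM file: pkinit_check_cert mmustermann-cert.pem
pkinit_check_cert() {
  pkinit_verify_chain "$1" && openssl x509 -in "$1" -noout -text | pkinit_check_text
}
```

Older OpenSSL builds print the msUPN otherName as "othername:<unsupported>"; in that case the SAN check has to fall back to `openssl asn1parse` rather than the text output.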

JupyterHub AD Integration Error: No entry found for user when looking up attribute 'sAMAccountName'

I am facing an issue configuring LDAP authentication with AD integration, and I get an error while logging in. Below is my config file.
c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.server_address = '<ip>'
c.LDAPAuthenticator.server_port = 389
c.LDAPAuthenticator.use_ssl = False
c.LDAPAuthenticator.allowed_groups = []
# Template used to bind the user from the LDAP directory (unused with lookup_dn)
#c.LDAPAuthenticator.bind_dn_template = ["uid={username},ou=Admin,ou=Groups,dc=example,dc=com"]
# Active Directory integration: bind as a service account and search for the user's DN
c.LDAPAuthenticator.lookup_dn = True
c.LDAPAuthenticator.lookup_dn_search_filter = '({login_attr}={login})'
c.LDAPAuthenticator.lookup_dn_search_user = 'user@example.com'
c.LDAPAuthenticator.lookup_dn_search_password = 'redact'
c.LDAPAuthenticator.user_search_base = 'ou=Admin,ou=Groups,dc=example,dc=com'
c.LDAPAuthenticator.user_attribute = 'sAMAccountName'
c.LDAPAuthenticator.lookup_dn_user_dn_attribute = 'cn'
c.LDAPAuthenticator.escape_userdn = False
c.LDAPAuthenticator.bind_dn_template = '{username}'
While logging in to JupyterHub with my user I get the error below.
[W 2021-03-18 05:02:18.675 JupyterHub ldapauthenticator:275] No entry found for user 'testuser' when looking up attribute 'sAMAccountName'
[W 2021-03-18 05:02:18.675 JupyterHub base:713] Failed login for testuser
Versions:
python==3.8.5
jupyterhub==1.1.0
jupyterhub-ldapauthenticator==1.3.2
I tried different combinations of the parameters, but the error remains the same.
c.LDAPAuthenticator.lookup_dn_search_user is the LDAP account that I have mentioned. Is this the correct way?
Any suggestions please.
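To see what the lookup in the config above is actually asking the directory, the same bind-then-search can be reproduced with ldapsearch. This is an added example, not part of the question or of the jupyterhub-ldapauthenticator project; the URI, bind DN and search base are lifted from the config, the password is read from a BIND_PW environment variable, and the filter escaping follows RFC 4515 (something the config turns off for the DN with escape_userdn = False).

```shell
#!/bin/sh
# Added example: reproduce ldapauthenticator's user lookup outside JupyterHub.
LDAP_URI="ldap://<ip>:389"                          # server_address / server_port
BIND_DN="user@example.com"                          # lookup_dn_search_user
SEARCH_BASE="ou=Admin,ou=Groups,dc=example,dc=com"  # user_search_base

# Escape a value for use inside an LDAP filter (RFC 4515): \ ( ) *
# Backslash must be handled first so the escapes it produces are not re-escaped.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/(/\\28/g' -e 's/)/\\29/g' -e 's/\*/\\2a/g'
}

# Build the filter the config produces: '({login_attr}={login})' with
# user_attribute = sAMAccountName.
ad_user_filter() {
  printf '(sAMAccountName=%s)' "$(ldap_filter_escape "$1")"
}

# Look the user up under a given base; prints the DN(s) found, nothing on no match.
# The bind is a simple bind in the clear (use_ssl = False), as in the config.
ad_user_dn() {
  base="$1"; login="$2"
  ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -w "${BIND_PW:?set BIND_PW}" \
    -b "$base" "$(ad_user_filter "$login")" dn | sed -n 's/^dn: //p'
}

# Usage:
#   ad_user_dn "$SEARCH_BASE" testuser       # what ldapauthenticator searches
#   ad_user_dn "dc=example,dc=com" testuser  # same filter from the domain root
```

If the first call returns nothing but the second returns a DN, the account lives outside user_search_base, which is exactly the "No entry found for user" case.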

Ubuntu 18.04 sssd not creating keytab file but works fine in 20.04

I am trying to bind an Ubuntu 18.04 machine (because of compatibility issues with another app, I need to use this specific version). I use a mod script:
#!/bin/bash
# Install the realmd/sssd tooling, join the domain, then write sssd.conf and restart sssd
apt install -y realmd sssd oddjob oddjob-mkhomedir adcli samba-common
realm leave
realm discover xxxx.local
realm join -U xxxx vgmtl.local
echo -e "[sssd]
domains = xxxx.local
config_file_version = 2
services = nss, pam, pac
[domain/xxxx.local]
ad_domain = xxxx.local
krb5_realm = xxxx.LOCAL
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
override_homedir = /home/xxxx/%u
enumerate = true
ad_enable_dns_sites = False
ad_enabled_domains = xxxx.local
ad_gpo_ignore_unreadable = True
" > /etc/sssd/sssd.conf
# sssd requires its config to be owned by root and unreadable by other users
chown root:root /etc/sssd/sssd.conf
chmod 700 /etc/sssd/sssd.conf
# Drop the cached identity database so the new domain config takes effect
rm -rf /var/lib/sss/db/*
service sssd restart
When doing the realm join it gets stuck on:
Using GSS-SPNEGO for SASL bind
and just hangs there. The other thing I noticed is that no xxxx.keytab seems to be created....
If I run it on Ubuntu 20.04 it runs perfectly!?
Any help appreciated.

How to perform EJB DB RBAC with WildFly?

I'm trying to create a rich client that performs EJB RMI to interact with a server/DB. Previously, I had communications working with the remoting system to authenticate a user. Then I tacked on HTTPS communications using a keystore and clustering to the environment. Everything worked at that point.
The file-based authentication was an interim step in moving towards database authentication & authorization. I may still have configurations from that lingering and affecting this new step; I'm not certain.
Below is the failure message when trying to authenticate via the client:
Jan 19, 2017 12:51:52 PM org.jboss.ejb.client.EJBClient <clinit>
INFO: JBoss EJB Client version 2.1.4.Final
Jan 19, 2017 12:51:52 PM org.xnio.Xnio <clinit>
INFO: XNIO version 3.4.0.Final
Jan 19, 2017 12:51:52 PM org.xnio.nio.NioXnio <clinit>
INFO: XNIO NIO Implementation Version 3.4.0.Final
Jan 19, 2017 12:51:52 PM org.jboss.remoting3.EndpointImpl <clinit>
INFO: JBoss Remoting version 4.0.21.Final
Jan 19, 2017 12:51:53 PM org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector setupEJBReceivers
WARN: Could not register a EJB receiver for connection to 10.0.0.1:8443
javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
JBOSS-LOCAL-USER: javax.security.sasl.SaslException: Failed to read server challenge [Caused by java.io.FileNotFoundException: /home/appsrv/wildfly-10.1.0.Final/domain/tmp/auth/local4807198060994958453.challenge (No such file or directory)]
DIGEST-MD5: Server rejected authentication
at org.jboss.remoting3.remote.ClientConnectionOpenListener.allMechanismsFailed(ClientConnectionOpenListener.java:114)
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:389)
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:241)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:198)
at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:112)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
at org.xnio.ssl.JsseStreamConduit.run(JsseStreamConduit.java:446)
at org.xnio.ssl.JsseStreamConduit.readReady(JsseStreamConduit.java:547)
at org.xnio.ssl.JsseStreamConduit$2.readReady(JsseStreamConduit.java:319)
at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
at ...asynchronous invocation...(Unknown Source)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:294)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:430)
at org.jboss.ejb.client.remoting.EndpointPool$PooledEndpoint.connect(EndpointPool.java:192)
at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:153)
at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:133)
at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:78)
at org.jboss.ejb.client.remoting.RemotingConnectionManager.getConnection(RemotingConnectionManager.java:51)
at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.setupEJBReceivers(ConfigBasedEJBClientContextSelector.java:161)
at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.getCurrent(ConfigBasedEJBClientContextSelector.java:118)
at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.getCurrent(ConfigBasedEJBClientContextSelector.java:47)
at org.jboss.ejb.client.EJBClientContext.getCurrent(EJBClientContext.java:281)
at org.jboss.ejb.client.EJBClientContext.requireCurrent(EJBClientContext.java:291)
at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:178)
at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:146)
at com.sun.proxy.$Proxy6.getVer(Unknown Source)
at com.test.clientapp.TestClient.authenticate(TestClient.java:208)
at com.test.clientapp.BackgroundServiceEngine.run(BackgroundServiceEngine.java:136)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
In my WildFly domain configuration, I added the following authentication module to the "ha" profile (the one assigned to my host controllers) in -> Security -> MySecurityDomain via the GUI:
name: testds01
code: Database
flag: required
module options:
dsJndiName = java:/TestDS01
principalsQuery = SELECT password FROM users WHERE username=?
password-stacking = useFirstPass
hashAlgorithm = MD5
hashEncoding = BASE64
hashCharset = utf-8
I also added the following authorization module to the same area:
name: testds01
code: Delegating
flag: required
module options:
dsJndiName = java:/TestDS01
rolesQuery = SELECT role, 'Roles' FROM roles INNER JOIN users ON users.role_id = roles.role_id WHERE users.username =?
Honestly, I don't know what the flag "required" means, nor the code "Delegating". I just found these in a book I read.
My WildFly setup includes: 1x Domain Controller, 2x Host Controllers w/1 server each, 2x SQL databases. All 5 of these are separate VMs. So, in addition to the testds01 modules added above, I have testds02 modules added pointing to "java:/TestDS02".
Let me know if additional information is needed. I'm not sure I covered everything.
Update: It's probably useful to have the client properties I'm using to set up & perform RMI:
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import org.jboss.ejb.client.ContextSelector;
import org.jboss.ejb.client.EJBClientConfiguration;
import org.jboss.ejb.client.EJBClientContext;
import org.jboss.ejb.client.PropertiesBasedEJBClientConfiguration;
import org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector;

// Set TLS Properties
System.setProperty("javax.net.ssl.keyStore", "test.keystore");
System.setProperty("javax.net.ssl.trustStore", "test.truststore");
System.setProperty("javax.net.ssl.keyStorePassword", "testpass1");
System.setProperty("javax.net.ssl.trustStorePassword", "testpass2");
// Set Application Server Properties
Properties properties = new Properties();
properties.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "true");
properties.put("remote.connections", "hcl01,hcl02");
// Host Controller (the key prefix must match the connection name listed in
// remote.connections, otherwise the option is silently ignored)
properties.put("remote.connection.hcl01.port", "8443");
properties.put("remote.connection.hcl01.host", "10.0.0.1");
properties.put("remote.connection.hcl01.protocol", "https-remoting");
properties.put("remote.connection.hcl01.connect.options.org.xnio.Options.SSL_STARTTLS", "true");
properties.put("remote.connection.hcl01.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
properties.put("remote.connection.hcl01.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "true");
properties.put("remote.connection.hcl01.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
properties.put("remote.connection.hcl02.port", "8443");
properties.put("remote.connection.hcl02.host", "10.0.0.2");
properties.put("remote.connection.hcl02.protocol", "https-remoting");
properties.put("remote.connection.hcl02.connect.options.org.xnio.Options.SSL_STARTTLS", "true");
properties.put("remote.connection.hcl02.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
properties.put("remote.connection.hcl02.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "true");
properties.put("remote.connection.hcl02.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
// Build SLSB Lookup String
String appName = "/"; // name of the ear containing the ejb
String moduleName = "testapp/"; // name of the ejb jar w/o extension
String distinctName = "/"; // any distinct name set within jboss for this deployment
String beanName = Login.class.getSimpleName(); // name of the bean we're looking up
String viewClassName = LoginRemote.class.getName(); // name of the bean interface
System.out.println("beanName=" + beanName + " viewClassName=" + viewClassName);
String lookupSLSB = "ejb:" + appName + moduleName + distinctName + beanName + "!" + viewClassName;
// Configure EJB Lookup
Properties props = new Properties();
props.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
Context context = new InitialContext(props);
// au holds the credentials entered by the user
properties.put("remote.connection.hcl01.username", au.getUsername());
properties.put("remote.connection.hcl01.password", au.getPassword());
properties.put("remote.connection.hcl02.username", au.getUsername());
properties.put("remote.connection.hcl02.password", au.getPassword());
// JBoss Cluster Setup (using properties above)
EJBClientConfiguration cc = new PropertiesBasedEJBClientConfiguration(properties);
ContextSelector<EJBClientContext> selector = new ConfigBasedEJBClientContextSelector(cc);
EJBClientContext.setSelector(selector);
LoginRemote bean = (LoginRemote) context.lookup(lookupSLSB);
System.out.println("NIC [From bean]: Class=\"" + bean.getStr() + "\"");
I resolved this issue. After dumping traffic it appeared that the queries were being sent to the database. I enabled query logging on the database and found that they were being received, but there was a permission issue with the database user. After granting privileges to the tables being queried, the communication was successful.

JBoss Fuse JMX not working

I tried to connect to the JMX RMI URL in the JBoss Fuse container to monitor the queues.
The URL does not connect in JConsole:
service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi/camel
I want to implement this in my bundle. How do I connect to the MBean server in JBoss Fuse?
Thanks in advance.
IMHO it's just the wrong URL.
You can see the current settings of your server in org.apache.karaf.management.cfg.
For example:
#
# Port number for RMI registry connection
#
rmiRegistryPort = 1099
#
# Host for RMI registry
#
rmiRegistryHost = 0.0.0.0
#
# Port number for RMI server connection
#
rmiServerPort = 44444
#
# Host for RMI server
#
rmiServerHost = 0.0.0.0
#
# Name of the JAAS realm used for authentication
#
jmxRealm = karaf
#
# The service URL for the JMXConnectorServer
#
serviceUrl = service:jmx:rmi://${rmiServerHost}:${rmiServerPort}/jndi/rmi://${rmiRegistryHost}:${rmiRegistryPort}/karaf-${karaf.name}
#
# Whether any threads started for the JMXConnectorServer should be started as daemon threads
#
daemon = true
#
# Whether the JMXConnectorServer should be started in a separate thread
#
threaded = true
#
# The ObjectName used to register the JMXConnectorServer
#
objectName = connector:name=rmi
In my case the URL looks like service:jmx:rmi://0.0.0.0:44444/jndi/rmi://0.0.0.0:1099/karaf-root
P.S. And don't forget to specify a user name and password.
Finally solved the issue with the Karaf username and password.
Check the username and password in the users.properties file.
service:jmx:rmi:///jndi/rmi://localhost:1099/karaf-root
It should work.
import java.util.HashMap;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
// serviceURL is the connector URL from org.apache.karaf.management.cfg shown above
JMXServiceURL url = new JMXServiceURL(serviceURL);
HashMap<String, String[]> environment = new HashMap<String, String[]>();
String username = "admin";
String password = "admin";
String[] credentials = new String[] { username, password };
environment.put(JMXConnector.CREDENTIALS, credentials); // "jmx.remote.credentials"
JMXConnector connector = JMXConnectorFactory.connect(url, environment);
MBeanServerConnection mbsc = connector.getMBeanServerConnection();
