Posted to dev@directory.apache.org by Sidda Eraiah <si...@kaazing.com> on 2010/10/07 19:05:56 UTC

ApacheDS does not recognize RC4-HMAC encryption type

All,

I am resending this mail with the hope that some of you have a
solution for this.

I have Apache-DS (1.5.7) with  Kerberos Domain Controller starting up
correctly and generating tickets using the default encryption type.

Due to a customer requirement, I have to use encryption type of RC4-HMAC.
Based on what I could find this needs me to add an <encryptionTypes> property
to the kdcServer like this:

  <kdcServer id="kdcServer"  searchBaseDn="ou=Users,dc=example,dc=com">
    <transports>
      <tcpTransport port="60088" nbThreads="4" backLog="50"/>
      <udpTransport port="60088" nbThreads="4" backLog="50"/>
    </transports>
    <directoryService>#directoryService</directoryService>
    <encryptionTypes>rc4-hmac</encryptionTypes>
  </kdcServer>

with this change to the server.xml the server comes up fine. But trying to
get a ticket out of KDC fails with the following error:

$~/share/apacheds_1.5.7$ kinit hnelson@EXAMPLE.COM
hnelson@EXAMPLE.COM's Password:
kinit: krb5_get_init_creds: KDC has no support for encryption type

I see a warning in the ApacheDS like this:

[14:12:49] WARN
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
KDC has no support for encryption type (14)

One of the ApacheDS developers suggested the following in the IRC channel:

  <spring:bean id="enc" class="java.util.HashSet">
    <spring:constructor-arg>
      <spring:list>
        <spring:value type="org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType">RC4_HMAC</spring:value>
      </spring:list>
    </spring:constructor-arg>
  </spring:bean>
  <kdcServer id="kdcServer">
    <transports>
      <tcpTransport port="60088" nbThreads="4" backLog="50"/>
      <udpTransport port="60088" nbThreads="4" backLog="50"/>
    </transports>
    <directoryService>#directoryService</directoryService>
    <encryptionTypes>#enc</encryptionTypes>
  </kdcServer>

This also gives the same error.

Have any of you got the encryption type of RC4-HMAC to work with ApacheDS
KDC?

Your thoughts and suggestions on how to get this to work are really
appreciated.

Thanks in advance.


-- 
Best Regards,
Sidda

Director of Management Services
Kaazing Corporation <http://kaazing.com>
444 Castro St., Suite 1100, Mountain View, CA 94041

Re: ApacheDS does not recognize RC4-HMAC encryption type

Posted by Kiran Ayyagari <ka...@apache.org>.
On Thu, Oct 7, 2010 at 11:19 PM, Emmanuel Lecharny <el...@gmail.com> wrote:
>  On 10/7/10 7:05 PM, Sidda Eraiah wrote:
>>
>> All,
>>
>> I am resending this mail with the hope that some of you have a
>> solution for this.
>>
>> I have Apache-DS (1.5.7) with  Kerberos Domain Controller starting up
>> correctly and generating tickets using the default encryption type.
>>
>> Due to a customer requirement, I have to use encryption type of RC4-HMAC.
>> Based on what I could find this needs me to add an <encryptionTypes> property
>> to the kdcServer like this:
>>
>>   <kdcServer id="kdcServer"  searchBaseDn="ou=Users,dc=example,dc=com">
>>     <transports>
>>       <tcpTransport port="60088" nbThreads="4" backLog="50"/>
>>       <udpTransport port="60088" nbThreads="4" backLog="50"/>
>>     </transports>
>>     <directoryService>#directoryService</directoryService>
>>     <encryptionTypes>rc4-hmac</encryptionTypes>
>>   </kdcServer>
>>
>> with this change to the server.xml the server comes up fine. But trying to
>> get a ticket out of KDC fails with the following error:
>>
>> $~/share/apacheds_1.5.7$ kinit hnelson@EXAMPLE.COM
>> hnelson@EXAMPLE.COM's Password:
>> kinit: krb5_get_init_creds: KDC has no support for encryption type
>>
>> I see a warning in the ApacheDS like this:
>>
>> [14:12:49] WARN
>> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
>> KDC has no support for encryption type (14)
>>
>> One of the ApacheDS developers suggested the following in the IRC channel:
>>
>> <spring:bean id="enc" class="java.util.HashSet">
>>    <spring:constructor-arg>
>>     <spring:list>
>>       <spring:value type="org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType">RC4_HMAC</spring:value>
>>     </spring:list>
>>    </spring:constructor-arg>
>>   </spring:bean>
>>   <kdcServer id="kdcServer">
>>     <transports>
>>       <tcpTransport port="60088" nbThreads="4" backLog="50"/>
>>       <udpTransport port="60088" nbThreads="4" backLog="50"/>
>>     </transports>
>>     <directoryService>#directoryService</directoryService>
>>     <encryptionTypes>#enc</encryptionTypes>
>>   </kdcServer>
>>
>> This also gives the same error.
>
> What about :
>
>  <kdcServer id="kdcServer">
>    <transports>
>      <tcpTransport port="60088" nbThreads="4" backLog="50"/>
>      <udpTransport port="60088" nbThreads="4" backLog="50"/>
>    </transports>
>    <directoryService>#directoryService</directoryService>
>    <property name="encryptionTypes">
>      <set>
>        <value
> type="org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType">RC4_HMAC</value>
>      </set>
>    </property>
>    <encryptionTypes>#enc</encryptionTypes>
>  </kdcServer>
>
>
> ?
Great, Emmanuel, this works; however, a small fix though: it has to be like

   <spring:property name="encryptionTypes">
     <spring:set>
       <spring:value type="org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType">RC4_HMAC</spring:value>
     </spring:set>
   </spring:property>

Note that "<encryptionTypes>#enc</encryptionTypes>" is not required.


Kiran Ayyagari
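
An added example, not part of the thread and not ApacheDS code: a small Python check over a server.xml that separates the encryptionTypes form reported above as working (a prefixed spring:property holding a set) from the forms the thread shows being accepted at startup without taking effect. The sample documents and their namespace URIs are constructed placeholders, and the function and label names are hypothetical.

```python
import xml.etree.ElementTree as ET

def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def kdc_encryption_types(server_xml):
    """Return (effective, flagged) for the first kdcServer element.

    effective: values from a spring-namespaced <property name="encryptionTypes">,
               the form the thread reports as working.
    flagged:   forms the thread reports as not taking effect or needing a fix.
    """
    root = ET.fromstring(server_xml)
    kdc = next((e for e in root.iter() if split_tag(e.tag)[1] == "kdcServer"), None)
    effective, flagged = [], []
    if kdc is None:
        return effective, flagged
    kdc_ns = split_tag(kdc.tag)[0]
    for child in kdc:
        ns, name = split_tag(child.tag)
        if name == "encryptionTypes":
            flagged.append("element:" + (child.text or "").strip())
        elif name == "property" and child.get("name") == "encryptionTypes":
            if ns == kdc_ns:  # unprefixed <property>, not <spring:property>
                flagged.append("unprefixed-property")
            else:
                effective += [(v.text or "").strip() for v in child.iter()
                              if split_tag(v.tag)[1] == "value"]
    return effective, flagged

# Constructed samples; the namespace URIs are placeholders, not ApacheDS's real ones.
WRAP = ('<spring:beans xmlns:spring="urn:example:spring" '
        'xmlns="urn:example:apacheds">{}</spring:beans>')
ETYPE = "org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType"
FIRST_ATTEMPT = WRAP.format(
    '<kdcServer id="kdcServer"><encryptionTypes>rc4-hmac</encryptionTypes></kdcServer>')
WORKING = WRAP.format(
    '<kdcServer id="kdcServer"><spring:property name="encryptionTypes"><spring:set>'
    '<spring:value type="' + ETYPE + '">RC4_HMAC</spring:value>'
    '</spring:set></spring:property></kdcServer>')

if __name__ == "__main__":
    for label, doc in (("first attempt", FIRST_ATTEMPT), ("working", WORKING)):
        print(label, kdc_encryption_types(doc))
```
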

Re: ApacheDS does not recognize RC4-HMAC encryption type

Posted by Emmanuel Lecharny <el...@gmail.com>.
  On 10/7/10 7:05 PM, Sidda Eraiah wrote:
> All,
>
> I am resending this mail with the hope that some of you have a
> solution for this.
>
> I have Apache-DS (1.5.7) with  Kerberos Domain Controller starting up
> correctly and generating tickets using the default encryption type.
>
> Due to a customer requirement, I have to use encryption type of RC4-HMAC.
> Based on what I could find this needs me to add an <encryptionTypes> property
> to the kdcServer like this:
>
>    <kdcServer id="kdcServer"  searchBaseDn="ou=Users,dc=example,dc=com">
>      <transports>
>        <tcpTransport port="60088" nbThreads="4" backLog="50"/>
>        <udpTransport port="60088" nbThreads="4" backLog="50"/>
>      </transports>
>      <directoryService>#directoryService</directoryService>
>      <encryptionTypes>rc4-hmac</encryptionTypes>
>    </kdcServer>
>
> with this change to the server.xml the server comes up fine. But trying to
> get a ticket out of KDC fails with the following error:
>
> $~/share/apacheds_1.5.7$ kinit hnelson@EXAMPLE.COM
> hnelson@EXAMPLE.COM's Password:
> kinit: krb5_get_init_creds: KDC has no support for encryption type
>
> I see a warning in the ApacheDS like this:
>
> [14:12:49] WARN
> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
> KDC has no support for encryption type (14)
>
> One of the ApacheDS developers suggested the following in the IRC channel:
>
> <spring:bean id="enc" class="java.util.HashSet">
>     <spring:constructor-arg>
>      <spring:list>
>        <spring:value
> type="org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType">RC4_HMAC</spring:value>
>      </spring:list>
>     </spring:constructor-arg>
>    </spring:bean>
>    <kdcServer id="kdcServer">
>      <transports>
>        <tcpTransport port="60088" nbThreads="4" backLog="50"/>
>        <udpTransport port="60088" nbThreads="4" backLog="50"/>
>      </transports>
>      <directoryService>#directoryService</directoryService>
>      <encryptionTypes>#enc</encryptionTypes>
>    </kdcServer>
>
> This also gives the same error.

What about :

   <kdcServer id="kdcServer">
     <transports>
       <tcpTransport port="60088" nbThreads="4" backLog="50"/>
       <udpTransport port="60088" nbThreads="4" backLog="50"/>
     </transports>
     <directoryService>#directoryService</directoryService>
     <property name="encryptionTypes">
       <set>
         <value type="org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType">RC4_HMAC</value>
       </set>
     </property>
     <encryptionTypes>#enc</encryptionTypes>
   </kdcServer>


?


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com