Posted to users@directory.apache.org by Robert Winch <bo...@yahoo.com> on 2012/04/01 01:12:35 UTC
Kerberos
I'm trying to follow the guide for setting up Kerberos [1] and while I am able to verify the credentials using ApacheDS, I am unable to validate my credentials with kinit or k5start or kinit. I get the following error log from ApacheDS when running k5start (kinit does not send the correct encryption types) with the exact krb5.conf. I am running Ubuntu 11.10 32bit. Any ideas what I can do to fix this issue?
[18:00:49] INFO [org.apache.directory.server.Service] - Cannot find any reference to the HTTP Server in the server.xml file : the server won't be started
[18:00:58] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:57312 CREATED: datagram
[18:00:58] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:57312 OPENED
[18:00:58] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:57312 RCVD: org.apache.directory.server.kerberos.shared.messages.KdcRequest@1cee792
[18:00:58] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Received Authentication Service (AS) request:
messageType: AS_REQ
protocolVersionNumber: 5
clientAddress: 127.0.0.1
nonce: 288257937
kdcOptions: FORWARDABLE RENEWABLE_OK
clientPrincipal: hnelson@EXAMPLE.COM
serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
encryptionType: des3-cbc-sha1-kd (16), des-cbc-crc (1), des-cbc-md5 (3)
realm: EXAMPLE.COM
from time: 20120331230058Z
till time: 20120401090058Z
renew-till time: null
hostAddresses: null
[18:00:58] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Session will use encryption type des-cbc-md5 (3).
[18:00:58] DEBUG [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - Found entry ServerEntry
dn[n]: uid=hnelson,ou=Users,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: krb5Principal
objectClass: inetOrgPerson
objectClass: krb5KDCEntry
objectClass: top
uid: hnelson
sn: Nelson
krb5PrincipalName: hnelson@EXAMPLE.COM
userPassword: '0x73 0x65 0x63 0x72 0x65 0x74 '
krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x87 0x8D 0x80 0x14 0x60 ...'
krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xF4 0xA7 0x13 0x64 0x8A ...'
krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x57 0x07 0xCE 0x29 0x52 ...'
krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0xAD 0x21 0x4B 0x38 0xB6 ...'
krb5KeyVersionNumber: 0
cn: Horatio Nelson
for kerberos principal name hnelson@EXAMPLE.COM
[18:00:58] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using SAM subsystem.
[18:00:58] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using encrypted timestamp.
[18:00:58] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Entry for client principal hnelson@EXAMPLE.COM has no SAM type. Proceeding with standard pre-authentication.
[18:00:58] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - KDC has no support for padata type (16)
org.apache.directory.server.kerberos.shared.exceptions.KerberosException: KDC has no support for padata type
at org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.verifyEncryptedTimestamp(AuthenticationService.java:301)
at org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.execute(AuthenticationService.java:107)
at org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:145)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:713)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:793)
at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:375)
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:229)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:793)
at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426)
at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.readHandle(AbstractPollingConnectionlessIoAcceptor.java:436)
at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.processReadySessions(AbstractPollingConnectionlessIoAcceptor.java:407)
at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.access$600(AbstractPollingConnectionlessIoAcceptor.java:56)
at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor$Acceptor.run(AbstractPollingConnectionlessIoAcceptor.java:360)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
[18:00:58] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Responding to request with error:
explanatory text: KDC has no support for padata type
error code: 16
clientPrincipal: null
client time: null
serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
server time: 20120331230058Z
[18:00:58] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:57312 SENT: org.apache.directory.server.kerberos.shared.messages.ErrorMessage@12c4768
[18:01:58] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:57312 CLOSED
[1] http://directory.apache.org/apacheds/1.5/543-kerberos-in-apacheds-155.html
Thanks,
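Reading that log the way a defender would, as an added example (not ApacheDS code and not from the thread): the client offered only DES and 3DES enctypes, the entry's krb5Key values are DER-encoded RFC 4120 EncryptionKey structures whose headers show which enctypes the KDC holds keys for, the KDC picked des-cbc-md5, and the exchange ended with error code 16 (KDC_ERR_PADATA_TYPE_NOSUPP in RFC 4120). The script below decodes those facts from the lines quoted above; the sample is copied from the log with the key material cut where the page cuts it, and the only assumption is the log layout shown.

```python
import re

# Kerberos enctype numbers from the IANA registry (RFC 3961 / RFC 4120).
# Single DES is retired by RFC 6649; des3-cbc-sha1 and rc4-hmac are
# deprecated by RFC 8429, so anything in WEAK_ETYPES should not survive
# in a production KDC.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1-kd",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}
WEAK_ETYPES = {1, 2, 3, 16, 23}
# KRB-ERROR codes (RFC 4120 section 7.5.9) that matter when pre-auth fails.
KRB_ERRORS = {14: "KDC_ERR_ETYPE_NOSUPP", 16: "KDC_ERR_PADATA_TYPE_NOSUPP",
              24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED"}

# Constructed sample: the relevant lines of the log quoted in the thread,
# with the key bytes cut exactly where the page cuts them ("...").
SAMPLE_LOG = """\
encryptionType: des3-cbc-sha1-kd (16), des-cbc-crc (1), des-cbc-md5 (3)
[18:00:58] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Session will use encryption type des-cbc-md5 (3).
userPassword: '0x73 0x65 0x63 0x72 0x65 0x74 '
krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x87 0x8D 0x80 0x14 0x60 ...'
krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xF4 0xA7 0x13 0x64 0x8A ...'
krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x57 0x07 0xCE 0x29 0x52 ...'
krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0xAD 0x21 0x4B 0x38 0xB6 ...'
[18:00:58] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - KDC has no support for padata type (16)
error code: 16
"""


def hex_dump_bytes(value):
    """ApacheDS renders binary attributes as "'0x30 0x19 ...'"; turn that into
    bytes and report whether the rendering was truncated with '...'."""
    raw = bytes(int(tok, 16) for tok in re.findall(r"0x([0-9A-Fa-f]{2})", value))
    return raw, "..." in value


def parse_krb5_key(value):
    """Decode the header of an RFC 4120 EncryptionKey, which is what ApacheDS
    stores in krb5Key:
        EncryptionKey ::= SEQUENCE { keytype [0] Int32, keyvalue [1] OCTET STRING }
    Only the header is read (keytype and declared key length); the key bytes
    themselves are never needed for triage. Short-form DER lengths (< 128
    bytes) are assumed, which holds for every Kerberos key size."""
    raw, truncated = hex_dump_bytes(value)
    if len(raw) < 11 or raw[0] != 0x30 or raw[2] != 0xA0 or raw[4] != 0x02:
        raise ValueError("not a DER EncryptionKey: %s" % value[:30])
    int_len = raw[5]
    keytype = int.from_bytes(raw[6:6 + int_len], "big", signed=True)
    pos = 6 + int_len                      # start of [1] keyvalue
    if raw[pos] != 0xA1 or raw[pos + 2] != 0x04:
        raise ValueError("missing [1] keyvalue OCTET STRING")
    key_len = raw[pos + 3]
    # The nested lengths must agree: [1] wraps 2 + key_len bytes and the outer
    # SEQUENCE wraps everything after its own two header bytes.
    if raw[pos + 1] != 2 + key_len or raw[1] != pos + 2 + key_len:
        raise ValueError("inconsistent DER lengths")
    present = len(raw) - (pos + 4)
    return {"keytype": keytype,
            "name": ETYPE_NAMES.get(keytype, "etype %d" % keytype),
            "key_len": key_len,
            "truncated": truncated or present < key_len}


def _ints_in_parens(text):
    return [int(n) for n in re.findall(r"\((\d+)\)", text)]


def triage(log):
    """Correlate what the client offered, which keys the KDC holds, what it
    picked, and how the AS exchange ended. Returns plain data so the checks
    can be asserted on."""
    m = re.search(r"encryptionType: (.*)", log)
    offered = _ints_in_parens(m.group(1)) if m else []
    m = re.search(r"Session will use encryption type \S+ \((\d+)\)", log)
    chosen = int(m.group(1)) if m else None
    keys = [parse_krb5_key(v) for v in re.findall(r"krb5Key: ('[^']*')", log)]
    stored = [k["keytype"] for k in keys]
    m = re.search(r"userPassword: ('[^']*')", log)
    pw_bytes = hex_dump_bytes(m.group(1))[0] if m else b""
    m = re.search(r"error code: (\d+)", log)
    err = int(m.group(1)) if m else None
    return {
        "offered": offered,
        "stored": stored,
        # The KDC must pick from this set; order is the client's preference.
        "common": [e for e in offered if e in stored],
        "chosen": chosen,
        "chosen_ok": chosen in offered and chosen in stored,
        "only_weak_offered": bool(offered) and all(e in WEAK_ETYPES for e in offered),
        "weak_keys_stored": sorted(e for e in stored if e in WEAK_ETYPES),
        # A KDC entry that keeps the password itself, not only derived keys.
        "password_plain": bool(pw_bytes) and all(32 <= b < 127 for b in pw_bytes),
        "error": KRB_ERRORS.get(err, "code %s" % err) if err is not None else "none",
        "preauth_rejected": err in (16, 24),
        "truncated_keys": sum(k["truncated"] for k in keys),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print("%-18s %s" % (k, v))
```

Run against the sample, the summary shows the chosen enctype (3) sitting in the client/KDC intersection [16, 3], every offered enctype in the weak set, and the request rejected with KDC_ERR_PADATA_TYPE_NOSUPP rather than KDC_ERR_PREAUTH_REQUIRED.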
Re: Kerberos
Posted by Robert Winch <bo...@yahoo.com>.
I got a tip on the IRC that got this working: "require pre-authentication by encrypted timestamp"; "somehow what ApacheDS uses is incompatible with what the rest of the world uses". Note to others (also provided by the IRC) that normally you want pre-authentication to be enabled.
Re: Kerberos
Posted by Robert Winch <bo...@yahoo.com> on Sunday, April 1, 2012 1:27 PM.
I probably should have included this earlier, but here are my logs for running against 2.0.0.M6 [1]. I have gone through a number of krb5.conf files, but this is the one I am using now [2].
Let me know if there is anything else I can provide that will help figure out this issue.
Thanks again for your replies.
[1] http://pastebin.com/T8yL9XU8
[2] http://pastebin.com/mjXpQhwg
Re: Kerberos
Posted by Robert Winch <bo...@yahoo.com> on Sunday, April 1, 2012 1:07 PM.
Thank you for your reply. I have tried with a few versions and all with the same problem 2.0.0-M3, 2.0.0-M6, 1.5.7. I believe I had found a discussion about this issue, but I have not found anything describing that it got fixed or a way to work around it [1]. Any help or guidance would be appreciated.
[1] http://mail-archives.apache.org/mod_mbox/directory-dev/201202.mbox/%3Cloom.20120202T000513-791@post.gmane.org%3E
Re: Kerberos
Posted by Kiran Ayyagari <ka...@apache.org> on Sunday, April 1, 2012 2:48 AM.
Which version of ApacheDS are you running? Can you try with version 2.0.0-M6? (I assume you are running an earlier version, because there was a bug related to the error below that you are encountering, which I fixed in January.)
> krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0xAD 0x21 0x4B 0x38 0xB6 ...'
> krb5KeyVersionNumber: 0
> cn: Horatio Nelson
> for kerberos principal name hnelson@EXAMPLE.COM
> [18:00:58] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using SAM subsystem.
> [18:00:58] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using encrypted timestamp.
> [18:00:58] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Entry for client principal hnelson@EXAMPLE.COM has no SAM type. Proceeding with standard pre-authentication.
> [18:00:58] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - KDC has no support for padata type (16)
> org.apache.directory.server.kerberos.shared.exceptions.KerberosException: KDC has no support for padata type
> at org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.verifyEncryptedTimestamp(AuthenticationService.java:301)
> at org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.execute(AuthenticationService.java:107)
> at org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:145)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:713)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:793)
> at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:375)
> at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:229)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:793)
> at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426)
> at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.readHandle(AbstractPollingConnectionlessIoAcceptor.java:436)
> at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.processReadySessions(AbstractPollingConnectionlessIoAcceptor.java:407)
> at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.access$600(AbstractPollingConnectionlessIoAcceptor.java:56)
> at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor$Acceptor.run(AbstractPollingConnectionlessIoAcceptor.java:360)
> at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
> at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
> at java.lang.Thread.run(Thread.java:662)
> [18:00:58] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Responding to request with error:
> explanatory text: KDC has no support for padata type
> error code: 16
> clientPrincipal: null
> client time: null
> serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
> server time: 20120331230058Z
> [18:00:58] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:57312 SENT: org.apache.directory.server.kerberos.shared.messages.ErrorMessage@12c4768
> [18:01:58] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:57312 CLOSED
>
>
> [1] http://directory.apache.org/apacheds/1.5/543-kerberos-in-apacheds-155.html
>
> Thanks,
--
Kiran Ayyagari