Posted to dev@directory.apache.org by "Wu, James C." <Ja...@disney.com> on 2013/04/06 02:23:08 UTC

kinit failed on - Integrity check on decrypted field failed

Hi,

I am trying to set up ApacheDS as a KDC. After adding hnelson using the following ldif, I could not get kinit to get the ticket

	dn: uid=hnelson,ou=users,dc=example,dc=com
	objectclass: top
	objectclass: person
	objectclass: inetOrgPerson
	objectclass: krb5Principal
	objectclass: krb5KDCEntry
	cn: Horatio Nelson
	sn: Nelson
	uid: hnelson
	userpassword: secret
	krb5PrincipalName: hnelson@EXAMPLE.COM


The log output of ApacheDS shows the following:

	[cloud-user@n7-z01-0a2a0c3a ~]$ [17:15:57] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
	[17:15:57] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
	[17:15:57] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
	[17:16:00] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
	[17:16:00] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)

Could someone give me a hint?

james

Re: kinit failed on - Integrity check on decrypted field failed

Posted by Alex Karasulu <ak...@apache.org>.
<thinking-out-loud>
When I saw this email I thought to myself - what a great how-to this would
be for the Kerberos documentation on our site. Hadoop is set up nicely to
work with Kerberos and thanks to the efforts of the team here we have
something pure Java that we can use with Hadoop for security.
</thinking-out-loud>


On Thu, Apr 11, 2013 at 1:48 AM, Wu, James C. <Ja...@disney.com> wrote:

> Hi,
>
> Thanks a lot for your help. I also have verified that apacheds works with
> Hadoop too, with a trust relationship set up between an Apacheds Kerberos
> service and an MIT Kerberos service.
>
> Regards,
>
> james
>
> -----Original Message-----
> From: Emmanuel Lécharny [mailto:elecharny@gmail.com]
> Sent: Wednesday, April 10, 2013 3:36 PM
> To: Apache Directory Developers List
> Subject: Re: kinit failed on - Integrity check on decrypted field failed
>
> On 4/10/13 8:10 PM, Wu, James C. wrote:
> > Hi,
> >
> > I re-installed the apacheds 2.0.0 M11 and wiped out all the existing
> stuff and used all default settings. The kinit does work.
> >
> > So I guess my problem is a config error because in my actual config, I
> use a different realm, not the EXAMPLE.COM.
> >
> > I am going to compare the configs to find out what mistake I made
> when changing the realm. I will update in this thread.
>
> Cool !!!
>
> I'm happy that you got it working. Kerberos is not very kind, and
> understanding why it's not working can be a real nightmare. Sadly, due to
> the very nature of the exchanged data, which are encoded most of the time,
> plus the fact that it's not safe to provide too much information when the
> authentication fails, it's difficult to know what can be wrong in the conf.
>
> FYI, we have built a new version which should contain some bug fixes: you
> can get ApacheDS 2.0.0-RC1 here http://people.apache.org/~elecharny/
>
> FYI, this release will not be public, as we detected some more issues that
> need to be fixed, but still, it can be worthwhile to try it.
>
> Thanks for your patience !
>
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>


-- 
Best Regards,
-- Alex

RE: kinit failed on - Integrity check on decrypted field failed

Posted by "Wu, James C." <Ja...@disney.com>.
Hi,

Thanks a lot for your help. I also have verified that apacheds works with Hadoop too, with a trust relationship set up between an Apacheds Kerberos service and an MIT Kerberos service.

Regards,

james

-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com] 
Sent: Wednesday, April 10, 2013 3:36 PM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

On 4/10/13 8:10 PM, Wu, James C. wrote:
> Hi,
>
> I re-installed the apacheds 2.0.0 M11 and wiped out all the existing stuff and used all default settings. The kinit does work.
>
> So I guess my problem is a config error because in my actual config, I use a different realm, not the EXAMPLE.COM.
>
> I am going to compare the configs to find out what mistake I made when changing the realm. I will update in this thread.

Cool !!!

I'm happy that you got it working. Kerberos is not very kind, and understanding why it's not working can be a real nightmare. Sadly, due to the very nature of the exchanged data, which are encoded most of the time, plus the fact that it's not safe to provide too much information when the authentication fails, it's difficult to know what can be wrong in the conf.

FYI, we have built a new version which should contain some bug fixes: you can get ApacheDS 2.0.0-RC1 here http://people.apache.org/~elecharny/

FYI, this release will not be public, as we detected some more issues that need to be fixed, but still, it can be worthwhile to try it.

Thanks for your patience !


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


Re: kinit failed on - Integrity check on decrypted field failed

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 4/10/13 8:10 PM, Wu, James C. wrote:
> Hi,
>
> I re-installed the apacheds 2.0.0 M11 and wiped out all the existing stuff and used all default settings. The kinit does work.
>
> So I guess my problem is a config error because in my actual config, I use a different realm, not the EXAMPLE.COM.
>
> I am going to compare the configs to find out what mistake I made when changing the realm. I will update in this thread.

Cool !!!

I'm happy that you got it working. Kerberos is not very kind, and
understanding why it's not working can be a real nightmare. Sadly, due
to the very nature of the exchanged data, which are encoded most of the
time, plus the fact that it's not safe to provide too much information
when the authentication fails, it's difficult to know what can be wrong
in the conf.

FYI, we have built a new version which should contain some bug fixes: you
can get ApacheDS 2.0.0-RC1 here http://people.apache.org/~elecharny/

FYI, this release will not be public, as we detected some more issues
that need to be fixed, but still, it can be worthwhile to try it.

Thanks for your patience !


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


RE: kinit failed on - Integrity check on decrypted field failed

Posted by "Wu, James C." <Ja...@disney.com>.
Hi,

I re-installed the apacheds 2.0.0 M11 and wiped out all the existing stuff and used all default settings. The kinit does work.

So I guess my problem is a config error because in my actual config, I use a different realm, not the EXAMPLE.COM.

I am going to compare the configs to find out what mistake I made when changing the realm. I will update in this thread.

Thanks.

James

From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
Sent: Tuesday, April 09, 2013 8:52 PM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed



On Wed, Apr 10, 2013 at 2:43 AM, Wu, James C. <Ja...@disney.com> wrote:

> Hi,
>
> I came across this page which describes how Kerberos keys are derived from the password of an entry.
> http://directory.apache.org/apacheds/kerberos-ug/1.1.3-keys.html
>
> It mentions that the Kerberos keys are basically a hashed value of the password with the salt being the realm name. I am wondering how the kinit program knows the salt for the Kerberos key. Is it passed from apacheds? I did not see something like that mentioned in the log output.

just like you mentioned above, realm name is used as salt and kinit knows the realm name

> I guess the kinit has to know both the encryption type and the salt in order to reproduce the Kerberos encryption key so that it can decrypt messages from apacheds. Am I right?
>
> Regards,
>
> James

-----Original Message-----
From: dev-return-42835-James.C.Wu=disney.com@directory.apache.org [mailto:dev-return-42835-James.C.Wu=disney.com@directory.apache.org] On Behalf Of Wu, James C.
Sent: Tuesday, April 09, 2013 9:49 AM
To: Apache Directory Developers List
Subject: RE: kinit failed on - Integrity check on decrypted field failed

I am very sure of that. I just deleted the hnelson entry and recreated it using the ldapadd command. The hnelson.ldif file is as follows:

  dn: uid=hnelson,ou=users,dc=example,dc=com
  objectclass: top
  objectclass: person
  objectclass: inetOrgPerson
  objectclass: krb5Principal
  objectclass: krb5KDCEntry
  cn: Horatio Nelson
  sn: Nelson
  uid: hnelson
  userpassword: secret01
  krb5PrincipalName: hnelson@EXAMPLE.COM


The ldap command I used to add the entry is

  ldapadd -x -W -D "uid=admin,ou=system" -f hnelson.ldif -H ldap://localhost:10389

When I do an ldapsearch, I see the hnelson entry as follows

  # hnelson, users, example.com
  dn: uid=hnelson,ou=users,dc=example,dc=com
  uid: hnelson
  userpassword:: e1NTSEF9WlBoT0RueU1sL3FmSVZ1K0tIaHloQU5XN2Z5RWF5cGZSeFMvZ1E9PQ=
   =
  objectclass: organizationalPerson
  objectclass: krb5Principal
  objectclass: person
  objectclass: krb5KDCEntry
  objectclass: inetOrgPerson
  objectclass: top
  cn: Horatio Nelson
  sn: Nelson
  krb5KeyVersionNumber: 0
  krb5Key:: MBmgAwIBEaESBBBEoHCxETKoK5EHlTW1kdUP
  krb5Key:: MBGgAwIBA6EKBAhFVAF2buW19A==
  krb5Key:: MCGgAwIBEKEaBBiDZDj0L9XH7BrCJfJYHBBzJTHHUdaFdSk=
  krb5Key:: MBmgAwIBF6ESBBCIi91Z4Xn3gVQeWmSirA7o
  krb5Key:: MCmgAwIBEqEiBCDY8jXKWlxWMGCcyKRIIVOQgjde+LItumdkwKUy/PXPKw==
  krb5PrincipalName: hnelson@EXAMPLE.COM



-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com]
Sent: Tuesday, April 09, 2013 9:34 AM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

On 4/9/13 6:24 PM, Wu, James C. wrote:
> I will do it.  The log output is also attached below in this email.  If anyone can take a quick look at it, I would really appreciate it.      --  james

Just looked at the logs, so far, it seems that everything goes fine, up to a point you get the error.

Are you *sure* that the password is the one stored in the entry ?


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com



--
Kiran Ayyagari
http://keydap.com

Re: kinit failed on - Integrity check on decrypted field failed

Posted by Kiran Ayyagari <ka...@apache.org>.
On Wed, Apr 10, 2013 at 2:43 AM, Wu, James C. <Ja...@disney.com> wrote:

> Hi,
>
> I came across this page which describes how Kerberos keys are derived from
> the password of an entry.
> http://directory.apache.org/apacheds/kerberos-ug/1.1.3-keys.html
>
> It mentions that the Kerberos keys are basically a hashed value of the
> password with the salt being the realm name. I am wondering how the
> kinit program knows the salt for the Kerberos key. Is it passed from
> apacheds? I did not see

just like you mentioned above, realm name is used as salt and kinit knows
the realm name

> something like that mentioned in the log output.
>
> I guess the kinit has to know both the encryption type and the salt in
> order to reproduce the Kerberos encryption key so that it can decrypt
> messages from apacheds. Am I right?
>
> Regards,
>
> James
>
> -----Original Message-----
> From: dev-return-42835-James.C.Wu=disney.com@directory.apache.org [mailto:
> dev-return-42835-James.C.Wu=disney.com@directory.apache.org] On Behalf Of
> Wu, James C.
> Sent: Tuesday, April 09, 2013 9:49 AM
> To: Apache Directory Developers List
> Subject: RE: kinit failed on - Integrity check on decrypted field failed
>
> I am very sure of that. I just deleted the hnelson entry and recreated it
> using the ldapadd command. The hnelson.ldif file is as follows:
>
>   dn: uid=hnelson,ou=users,dc=example,dc=com
>   objectclass: top
>   objectclass: person
>   objectclass: inetOrgPerson
>   objectclass: krb5Principal
>   objectclass: krb5KDCEntry
>   cn: Horatio Nelson
>   sn: Nelson
>   uid: hnelson
>   userpassword: secret01
>   krb5PrincipalName: hnelson@EXAMPLE.COM
>
>
> The ldap command I used to add the entry is
>
>   ldapadd -x -W -D "uid=admin,ou=system" -f hnelson.ldif -H
> ldap://localhost:10389
>
> When I do an ldapsearch, I see the hnelson entry as follows
>
>   # hnelson, users, example.com
>   dn: uid=hnelson,ou=users,dc=example,dc=com
>   uid: hnelson
>   userpassword::
> e1NTSEF9WlBoT0RueU1sL3FmSVZ1K0tIaHloQU5XN2Z5RWF5cGZSeFMvZ1E9PQ=
>    =
>   objectclass: organizationalPerson
>   objectclass: krb5Principal
>   objectclass: person
>   objectclass: krb5KDCEntry
>   objectclass: inetOrgPerson
>   objectclass: top
>   cn: Horatio Nelson
>   sn: Nelson
>   krb5KeyVersionNumber: 0
>   krb5Key:: MBmgAwIBEaESBBBEoHCxETKoK5EHlTW1kdUP
>   krb5Key:: MBGgAwIBA6EKBAhFVAF2buW19A==
>   krb5Key:: MCGgAwIBEKEaBBiDZDj0L9XH7BrCJfJYHBBzJTHHUdaFdSk=
>   krb5Key:: MBmgAwIBF6ESBBCIi91Z4Xn3gVQeWmSirA7o
>   krb5Key:: MCmgAwIBEqEiBCDY8jXKWlxWMGCcyKRIIVOQgjde+LItumdkwKUy/PXPKw==
>   krb5PrincipalName: hnelson@EXAMPLE.COM
>
>
>
> -----Original Message-----
> From: Emmanuel Lécharny [mailto:elecharny@gmail.com]
> Sent: Tuesday, April 09, 2013 9:34 AM
> To: Apache Directory Developers List
> Subject: Re: kinit failed on - Integrity check on decrypted field failed
>
> On 4/9/13 6:24 PM, Wu, James C. wrote:
> > I will do it.  The log output is also attached below in this email.  If
> anyone can take a quick look at it, I would really appreciate it.      --
>  james
>
> Just looked at the logs, so far, it seems that everything goes fine, up to
> a point you get the error.
>
> Are you *sure* that the password is the one stored in the entry ?
>
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>


-- 
Kiran Ayyagari
http://keydap.com

RE: kinit failed on - Integrity check on decrypted field failed

Posted by "Wu, James C." <Ja...@disney.com>.
Hi Emmanuel,

If you can test the full kinit sequence tomorrow, that would be great! Please keep me updated. 

James


-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com] 
Sent: Tuesday, April 09, 2013 3:52 PM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

On 4/9/13 11:13 PM, Wu, James C. wrote:
> Hi,
>
> I came across this page which describes how Kerberos keys are derived from the password of an entry. 
> http://directory.apache.org/apacheds/kerberos-ug/1.1.3-keys.html
>
> It mentions that the Kerberos keys are basically a hashed value of the password with the salt being the realm name. I am wondering how the kinit program knows the salt for the Kerberos key. Is it passed from apacheds? I did not see something like that mentioned in the log output.
Kinit will not create the hashed values of the password. It's computed on the fly when the password is added, on the server. The salt is not used by kinit.
>
> I guess the kinit has to know both the encryption type and the salt in order to reproduce the Kerberos encryption key so that it can decrypt messages from apacheds. Am I right?
No, it's not what happens. The encryption key is negotiated by the server and the client during the very first steps of the kerberos exchange. In your case, the AES 256 algorithm is being selected.

I'm sorry, I'm in the middle of a release atm, but I'll try to test the full kinit sequence asap (ie, probably tomorrow my time)

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


Re: kinit failed on - Integrity check on decrypted field failed

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 4/9/13 11:13 PM, Wu, James C. wrote:
> Hi,
>
> I came across this page which describes how Kerberos keys are derived from the password of an entry. 
> http://directory.apache.org/apacheds/kerberos-ug/1.1.3-keys.html
>
> It mentions that the Kerberos keys are basically a hashed value of the password with the salt being the realm name. I am wondering how the kinit program knows the salt for the Kerberos key. Is it passed from apacheds? I did not see something like that mentioned in the log output.
Kinit will not create the hashed values of the password. It's computed on
the fly when the password is added, on the server. The salt is not used
by kinit.
>
> I guess the kinit has to know both the encryption type and the salt in order to reproduce the Kerberos encryption key so that it can decrypt messages from apacheds. Am I right?
No, it's not what happens. The encryption key is negotiated by the
server and the client during the very first steps of the kerberos
exchange. In your case, the AES 256 algorithm is being selected.

I'm sorry, I'm in the middle of a release atm, but I'll try to test the
full kinit sequence asap (ie, probably tomorrow my time)

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


RE: kinit failed on - Integrity check on decrypted field failed

Posted by "Wu, James C." <Ja...@disney.com>.
Hi,

I came across this page which describes how Kerberos keys are derived from the password of an entry. 
http://directory.apache.org/apacheds/kerberos-ug/1.1.3-keys.html

It mentions that the Kerberos keys are basically a hashed value of the password with the salt being the realm name. I am wondering how the kinit program knows the salt for the Kerberos key. Is it passed from apacheds? I did not see something like that mentioned in the log output.

I guess the kinit has to know both the encryption type and the salt in order to reproduce the Kerberos encryption key so that it can decrypt messages from apacheds. Am I right?

Regards,

James

-----Original Message-----
From: dev-return-42835-James.C.Wu=disney.com@directory.apache.org [mailto:dev-return-42835-James.C.Wu=disney.com@directory.apache.org] On Behalf Of Wu, James C.
Sent: Tuesday, April 09, 2013 9:49 AM
To: Apache Directory Developers List
Subject: RE: kinit failed on - Integrity check on decrypted field failed

I am very sure of that. I just deleted the hnelson entry and recreated it using the ldapadd command. The hnelson.ldif file is as follows:

  dn: uid=hnelson,ou=users,dc=example,dc=com
  objectclass: top
  objectclass: person
  objectclass: inetOrgPerson
  objectclass: krb5Principal
  objectclass: krb5KDCEntry
  cn: Horatio Nelson
  sn: Nelson
  uid: hnelson
  userpassword: secret01
  krb5PrincipalName: hnelson@EXAMPLE.COM


The ldap command I used to add the entry is 

  ldapadd -x -W -D "uid=admin,ou=system" -f hnelson.ldif -H ldap://localhost:10389

When I do an ldapsearch, I see the hnelson entry as follows

  # hnelson, users, example.com
  dn: uid=hnelson,ou=users,dc=example,dc=com
  uid: hnelson
  userpassword:: e1NTSEF9WlBoT0RueU1sL3FmSVZ1K0tIaHloQU5XN2Z5RWF5cGZSeFMvZ1E9PQ=
   =
  objectclass: organizationalPerson
  objectclass: krb5Principal
  objectclass: person
  objectclass: krb5KDCEntry
  objectclass: inetOrgPerson
  objectclass: top
  cn: Horatio Nelson
  sn: Nelson
  krb5KeyVersionNumber: 0
  krb5Key:: MBmgAwIBEaESBBBEoHCxETKoK5EHlTW1kdUP
  krb5Key:: MBGgAwIBA6EKBAhFVAF2buW19A==
  krb5Key:: MCGgAwIBEKEaBBiDZDj0L9XH7BrCJfJYHBBzJTHHUdaFdSk=
  krb5Key:: MBmgAwIBF6ESBBCIi91Z4Xn3gVQeWmSirA7o
  krb5Key:: MCmgAwIBEqEiBCDY8jXKWlxWMGCcyKRIIVOQgjde+LItumdkwKUy/PXPKw==
  krb5PrincipalName: hnelson@EXAMPLE.COM



-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com] 
Sent: Tuesday, April 09, 2013 9:34 AM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

On 4/9/13 6:24 PM, Wu, James C. wrote:
> I will do it.  The log output is also attached below in this email.  If anyone can take a quick look at it, I would really appreciate it.      --  james

Just looked at the logs, so far, it seems that everything goes fine, up to a point you get the error.

Are you *sure* that the password is the one stored in the entry ?


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


RE: kinit failed on - Integrity check on decrypted field failed

Posted by "Wu, James C." <Ja...@disney.com>.
I am very sure of that. I just deleted the hnelson entry and recreated it using the ldapadd command. The hnelson.ldif file is as follows:

  dn: uid=hnelson,ou=users,dc=example,dc=com
  objectclass: top
  objectclass: person
  objectclass: inetOrgPerson
  objectclass: krb5Principal
  objectclass: krb5KDCEntry
  cn: Horatio Nelson
  sn: Nelson
  uid: hnelson
  userpassword: secret01
  krb5PrincipalName: hnelson@EXAMPLE.COM


The ldap command I used to add the entry is 

  ldapadd -x -W -D "uid=admin,ou=system" -f hnelson.ldif -H ldap://localhost:10389

When I do an ldapsearch, I see the hnelson entry as follows

  # hnelson, users, example.com
  dn: uid=hnelson,ou=users,dc=example,dc=com
  uid: hnelson
  userpassword:: e1NTSEF9WlBoT0RueU1sL3FmSVZ1K0tIaHloQU5XN2Z5RWF5cGZSeFMvZ1E9PQ=
   =
  objectclass: organizationalPerson
  objectclass: krb5Principal
  objectclass: person
  objectclass: krb5KDCEntry
  objectclass: inetOrgPerson
  objectclass: top
  cn: Horatio Nelson
  sn: Nelson
  krb5KeyVersionNumber: 0
  krb5Key:: MBmgAwIBEaESBBBEoHCxETKoK5EHlTW1kdUP
  krb5Key:: MBGgAwIBA6EKBAhFVAF2buW19A==
  krb5Key:: MCGgAwIBEKEaBBiDZDj0L9XH7BrCJfJYHBBzJTHHUdaFdSk=
  krb5Key:: MBmgAwIBF6ESBBCIi91Z4Xn3gVQeWmSirA7o
  krb5Key:: MCmgAwIBEqEiBCDY8jXKWlxWMGCcyKRIIVOQgjde+LItumdkwKUy/PXPKw==
  krb5PrincipalName: hnelson@EXAMPLE.COM



-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com] 
Sent: Tuesday, April 09, 2013 9:34 AM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

On 4/9/13 6:24 PM, Wu, James C. wrote:
> I will do it.  The log output is also attached below in this email.  If anyone can take a quick look at it, I would really appreciate it.      --  james

Just looked at the logs, so far, it seems that everything goes fine, up to a point you get the error.

Are you *sure* that the password is the one stored in the entry ?


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


Re: kinit failed on - Integrity check on decrypted field failed

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 4/9/13 6:24 PM, Wu, James C. wrote:
> I will do it.  The log output is also attached below in this email.  If anyone can take a quick look at it, I would really appreciate it.      --  james

Just looked at the logs, so far, it seems that everything goes fine, up
to a point you get the error.

Are you *sure* that the password is the one stored in the entry ?


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


Re: kinit failed on - Integrity check on decrypted field failed

Posted by Kiran Ayyagari <ka...@apache.org>.
can you try injecting a new entry or deleting and re-injecting the entry
you are using for testing


On Tue, Apr 9, 2013 at 9:54 PM, Wu, James C. <Ja...@disney.com> wrote:

> I will do it.  The log output is also attached below in this email.  If
> anyone can take a quick look at it, I would really appreciate it.      --  jam
>
> </snip>



-- 
Kiran Ayyagari
http://keydap.com

RE: kinit failed on - Integrity check on decrypted field failed

Posted by "Wu, James C." <Ja...@disney.com>.
I will do it.  The log output is also attached below in this email.  If anyone can take a quick look at it, I would really appreciate it.      --  james



[10:44:15] DEBUG [org.apache.directory.shared.kerberos.components.PaData] - PreAuthenticationData encoding : 0x30 0x1F 0x30 0x09 0xA1 0x03 0x02 0x01 0x02 0xA2 0x02 0x04 0x00 0x30 0x12 0xA1 0x03 0x02 0x01 0x13 0xA2 0x0B 0x04 0x09 0x30 0x07 0x30 0x05 0xA0 0x03 0x02 0x01 0x12
[10:44:15] DEBUG [org.apache.directory.shared.kerberos.components.PaData] - PreAuthenticationData initial value : PreAuthenticationData :
    padata-type: Encryption info.(19)
    padata-value:0x30 0x07 0x30 0x05 0xA0 0x03 0x02 0x01 0x12

[10:44:15] DEBUG [org.apache.directory.shared.kerberos.components.MethodData] - METHOD-DATA encoding : 0x30 0x1F
0x30 0x09 0xA1 0x03 0x02 0x01 0x02 0xA2 0x02 0x04 0x00 0x30 0x12 0xA1 0x03 0x02 0x01 0x13 0xA2 0x0B 0x04 0x09 0x30 0x07 0x30 0x05 0xA0 0x03 0x02 0x01 0x12
[10:44:15] DEBUG [org.apache.directory.shared.kerberos.components.MethodData] - METHOD-DATA initial value : METHOD-DATA : PreAuthenticationData :
    padata-type: Encrypted timestamp.(2)
, PreAuthenticationData :
    padata-type: Encryption info.(19)
    padata-value:0x30 0x07 0x30 0x05 0xA0 0x03 0x02 0x01 0x12

[10:44:15] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
[10:44:15] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
[10:44:15] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Responding to request
with error:
        explanatory text:      Additional pre-authentication required
        error code:            Additional pre-authentication required
        clientPrincipal:       null@null
        client time:           null
        serverPrincipal:       { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }@EXAMPLE.COM
        server time:           20130408174415Z
[10:44:15] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Responding to request with error:
        explanatory text:      Additional pre-authentication required
        error code:            Additional pre-authentication required
        clientPrincipal:       null@null
        client time:           null
        serverPrincipal:       { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }@EXAMPLE.COM
        server time:           20130408174415Z
[10:44:15] DEBUG [org.apache.directory.shared.kerberos.components.PrincipalName] - PrinipalName encoding : 0x7E 0x81 0xA8 0x30 0x81 0xA5 0xA0 0x03 0x02 0x01 0x05 0xA1 0x03 0x02 0x01 0x1E 0xA4 0x11 0x18 0x0F 0x32 0x30 0x31 0x33 0x30 0x34 0x30 0x38 0x31 0x37 0x34 0x34 0x31 0x35 0x5A 0xA5 0x03 0x02 0x01 0x00 0xA6 0x03 0x02 0x01 0x19 0xA9 0x0C 0x1B 0x0A 0x44 0x49 0x53 0x4E 0x45 0x59 0x2E 0x43 0x4F 0x4D 0xAA 0x1F 0x30 0x1D 0xA0 0x03 0x02 0x01 0x02 0xA1
0x16 0x30 0x14 0x1B 0x06 0x6B 0x72 0x62 0x74 0x67 0x74 0x1B 0x0A 0x44 0x49 0x53 0x4E 0x45 0x59 0x2E 0x43 0x4F 0x4D 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
[10:44:15] DEBUG [org.apache.directory.shared.kerberos.components.PrincipalName] - PrinipalName initial value : { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
[10:44:15] DEBUG [org.apache.directory.shared.kerberos.messages.KrbError] - KrbError encoding : 0x7E 0x81 0xA8 0x30 0x81 0xA5 0xA0 0x03 0x02 0x01 0x05 0xA1 0x03 0x02 0x01 0x1E 0xA4 0x11 0x18 0x0F 0x32 0x30 0x31 0x33 0x30 0x34
0x30 0x38 0x31 0x37 0x34 0x34 0x31 0x35 0x5A 0xA5 0x03 0x02 0x01 0x00 0xA6 0x03 0x02 0x01 0x19 0xA9 0x0C 0x1B 0x0A 0x44 0x49 0x53 0x4E 0x45 0x59 0x2E 0x43 0x4F 0x4D 0xAA 0x1F 0x30 0x1D 0xA0 0x03 0x02 0x01 0x02 0xA1 0x16 0x30 0x14 0x1B 0x06 0x6B 0x72 0x62 0x74 0x67 0x74 0x1B 0x0A 0x44 0x49 0x53 0x4E 0x45 0x59 0x2E 0x43 0x4F 0x4D 0xAB 0x28 0x1B 0x26 0x41 0x64 0x64 0x69 0x74 0x69 0x6F 0x6E 0x61 0x6C 0x20 0x70 0x72 0x65 0x2D 0x61 0x75 0x74 0x68 0x65 0x6E 0x74 0x69 0x63 0x61 0x74 0x69 0x6F 0x6E 0x20 0x72 0x65 0x71 0x75 0x69 0x72 0x65 0x64 0xAC 0x23 0x04 0x21 0x30
0x1F 0x30 0x09 0xA1 0x03 0x02 0x01 0x02 0xA2 0x02 0x04 0x00 0x30 0x12 0xA1 0x03 0x02 0x01 0x13 0xA2 0x0B 0x04 0x09 0x30 0x07 0x30 0x05 0xA0 0x03 0x02 0x01 0x12
[10:44:15] DEBUG [org.apache.directory.shared.kerberos.messages.KrbError] - KrbError initial value :
KRB-ERROR : {
    pvno: 5
    msgType: KRB_ERROR
    sTime: 20130408174415Z
    susec: 0
    errorCode: Additional pre-authentication required
    realm: EXAMPLE.COM
    sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
    eText: Additional pre-authentication required
    eData: 0x30 0x1F 0x30 0x09 0xA1 0x03 0x02 0x01 0x02 0xA2 0x02 0x04 0x00 0x30 0x12 0xA1 0x03 0x02 0x01 0x13 0xA2 0x0B 0x04 0x09 0x30 0x07 0x30 0x05 0xA0 0x03 0x02 0x01 0x12
}

[10:44:15] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /10.42.12.54:55923 SENT:
KRB-ERROR : {
    pvno: 5
    msgType: KRB_ERROR
    sTime: 20130408174415Z
    susec: 0
    errorCode: Additional pre-authentication required
    realm: EXAMPLE.COM
    sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
    eText: Additional pre-authentication required
    eData: 0x30 0x1F 0x30 0x09 0xA1 0x03 0x02 0x01 0x02 0xA2 0x02 0x04 0x00 0x30 0x12 0xA1 0x03 0x02 0x01 0x13 0xA2 0x0B 0x04 0x09 0x30 0x07 0x30 0x05 0xA0 0x03 0x02 0x01 0x12
}

[10:44:15] DEBUG [org.apache.directory.server.KERBEROS_LOG] - /10.42.12.54:55923 SENT:
KRB-ERROR : {
    pvno: 5
    msgType: KRB_ERROR
    sTime: 20130408174415Z
    susec: 0
    errorCode: Additional pre-authentication required
    realm: EXAMPLE.COM
    sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
    eText: Additional pre-authentication required
    eData: 0x30 0x1F 0x30 0x09 0xA1 0x03 0x02 0x01 0x02 0xA2 0x02 0x04 0x00 0x30 0x12 0xA1 0x03 0x02 0x01 0x13 0xA2 0x0B 0x04 0x09 0x30 0x07 0x30 0x05 0xA0 0x03 0x02 0x01 0x12
}

[10:44:17] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /10.42.12.54:41991 CREATED:  datagram
[10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - /10.42.12.54:41991 CREATED:  datagram
[10:44:17] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /10.42.12.54:41991 OPENED
[10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - /10.42.12.54:41991 OPENED
[10:44:17] DEBUG [org.apache.mina.filter.codec.ProtocolCodecFilter] - Processing a MESSAGE_RECEIVED for session 9
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.actions.AbstractReadPvno] - pvno : 5
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.padata.actions.PaDataInit] - PaData created
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.padata.actions.StoreDataType] - padata-type : 2
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.kdcReq.actions.AddPaData] - Added PA-DATA:  PreAuthenticationData :
    padata-type: Encrypted timestamp.(2)
    padata-value:0x30 0x41 0xA0 0x03 0x02 0x01 0x12 0xA2 0x3A 0x04 0x38 0xA1 0x9A 0x25 0xE5 0x77 0x8A 0x30 0x12 0xE3 0x82 0x97 0xEF 0x8E 0xDF 0x1A 0x36 0x39 0xAE 0xF1 0x6C 0x64 0x89 0x9F 0x89 0x31 0xB3 0xFD 0x01 0xB1 0x68 0x25 0xAA 0xAE 0xAF 0x05 0xDD 0x33 0xD3 0xFE 0x57 0xD0 0x74 0x6C 0x08 0x64 0xA2 0xF3 0x8C 0x23 0x1F 0xAE 0xB6 0xA9 0x24 0xB5 0x38

[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.padata.actions.PaDataInit] - PaData created
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.padata.actions.StoreDataType] - padata-type : 149
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.kdcReq.actions.AddPaData] - Added PA-DATA:  PreAuthenticationData :
    padata-type: null(0)

[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.KdcReqBodyInit] - KdcReqBody created
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.StoreKdcOptions] - KDCOptions : FORWARDABLE RENEWABLE
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.principalName.actions.PrincipalNameInit] - PrincipalName created
[10:44:17] DEBUG [org.apache.directory.api.asn1.actions.AbstractReadInteger] - read integer value : 1
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.principalName.actions.StoreNameType] - name-type : {}Just the name of the principal as in DCE, or for users(1)
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.principalName.actions.StoreNameString] - PrincipalName String : hnelson
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.actions.AbstractReadPrincipalName] - PrincipalName : { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.actions.AbstractReadRealm] - read realm value : EXAMPLE.COM
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.principalName.actions.PrincipalNameInit] - PrincipalName created
[10:44:17] DEBUG [org.apache.directory.api.asn1.actions.AbstractReadInteger] - read integer value : 2
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.principalName.actions.StoreNameType] - name-type : {}Service and other unique instance (krbtgt)(2)
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.principalName.actions.StoreNameString] - PrincipalName String : krbtgt
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.principalName.actions.StoreNameString] - PrincipalName String : EXAMPLE.COM
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.actions.AbstractReadPrincipalName] - PrincipalName : { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.StoreFrom] - From : 20130408174415Z
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.StoreTill] - Till : 20130409174415Z
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.actions.AbstractReadKerberosTime] - decoded kerberos time is : 20130415174415Z
[10:44:17] DEBUG [org.apache.directory.api.asn1.actions.AbstractReadInteger] - read integer value : 1801102745
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.AddEType] - EncryptionType : aes256-cts-hmac-sha1-96 (18)
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.AddEType] - EncryptionType : aes128-cts-hmac-sha1-96 (17)
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.AddEType] - EncryptionType : des3-cbc-sha1-kd (16)
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.AddEType] - EncryptionType : rc4-hmac (23)
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.kdcReq.actions.StoreKdcReqBody] - KDC-REQ-BODY : KDCOptions : FORWARDABLE RENEWABLE
cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
realm : EXAMPLE.COM
sname : { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
from : 20130408174415Z
till : 20130409174415Z
rtime : 20130415174415Z
nonce : 1801102745
etype : aes256-cts-hmac-sha1-96 (18) aes128-cts-hmac-sha1-96 (17) des3-cbc-sha1-kd (16) rc4-hmac (23)
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.asReq.actions.StoreKdcReq] - AS-REQ :
>-------------------------------------------------------------------------------
AS-REQ
pvno : 5
msg-type : AS_REQ
padata :
    PreAuthenticationData :
        padata-type: Encrypted timestamp.(2)
        padata-value:0x30 0x41 0xA0 0x03 0x02 0x01 0x12 0xA2 0x3A 0x04 0x38 0xA1 0x9A 0x25 0xE5 0x77 0x8A 0x30 0x12 0xE3 0x82 0x97 0xEF 0x8E 0xDF 0x1A 0x36 0x39 0xAE 0xF1 0x6C 0x64 0x89 0x9F 0x89 0x31 0xB3 0xFD 0x01 0xB1 0x68
0x25 0xAA 0xAE 0xAF 0x05 0xDD 0x33 0xD3 0xFE 0x57 0xD0 0x74 0x6C 0x08 0x64 0xA2 0xF3 0x8C 0x23 0x1F 0xAE 0xB6 0xA9 0x24 0xB5 0x38

padata :
    PreAuthenticationData :
        padata-type: null(0)

kdc-req-body :
    KDCOptions : FORWARDABLE RENEWABLE
    cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
    realm : EXAMPLE.COM
    sname : { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
    from : 20130408174415Z
    till : 20130409174415Z
    rtime : 20130415174415Z
    nonce : 1801102745
    etype : aes256-cts-hmac-sha1-96 (18) aes128-cts-hmac-sha1-96 (17) des3-cbc-sha1-kd (16) rc4-hmac (23)

-------------------------------------------------------------------------------<

[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.KerberosMessageGrammar] - Decoded KerberosMessage
>-------------------------------------------------------------------------------
AS-REQ
pvno : 5
msg-type : AS_REQ
padata :
    PreAuthenticationData :
        padata-type: Encrypted timestamp.(2)
        padata-value:0x30 0x41 0xA0 0x03 0x02 0x01 0x12 0xA2 0x3A 0x04 0x38 0xA1 0x9A 0x25 0xE5 0x77 0x8A 0x30 0x12 0xE3 0x82 0x97 0xEF 0x8E 0xDF 0x1A 0x36 0x39 0xAE 0xF1 0x6C 0x64 0x89 0x9F 0x89 0x31 0xB3 0xFD 0x01 0xB1 0x68
0x25 0xAA 0xAE 0xAF 0x05 0xDD 0x33 0xD3 0xFE 0x57 0xD0 0x74 0x6C 0x08 0x64 0xA2 0xF3 0x8C 0x23 0x1F 0xAE 0xB6 0xA9 0x24 0xB5 0x38

padata :
    PreAuthenticationData :
        padata-type: null(0)

kdc-req-body :
    KDCOptions : FORWARDABLE RENEWABLE
    cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
    realm : EXAMPLE.COM
    sname : { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
    from : 20130408174415Z
    till : 20130409174415Z
    rtime : 20130415174415Z
    nonce : 1801102745
    etype : aes256-cts-hmac-sha1-96 (18) aes128-cts-hmac-sha1-96 (17) des3-cbc-sha1-kd (16) rc4-hmac (23)

-------------------------------------------------------------------------------<

[10:44:17] DEBUG [org.apache.directory.server.kerberos.protocol.codec.KerberosDecoder] - Decoded KerberosMessage
:
>-------------------------------------------------------------------------------
AS-REQ
pvno : 5
msg-type : AS_REQ
padata :
    PreAuthenticationData :
        padata-type: Encrypted timestamp.(2)
        padata-value:0x30 0x41 0xA0 0x03 0x02 0x01 0x12 0xA2 0x3A 0x04 0x38 0xA1 0x9A 0x25 0xE5 0x77 0x8A 0x30 0x12 0xE3 0x82 0x97 0xEF 0x8E 0xDF 0x1A 0x36 0x39 0xAE 0xF1 0x6C 0x64 0x89 0x9F 0x89 0x31 0xB3 0xFD 0x01 0xB1 0x68
0x25 0xAA 0xAE 0xAF 0x05 0xDD 0x33 0xD3 0xFE 0x57 0xD0 0x74 0x6C 0x08 0x64 0xA2 0xF3 0x8C 0x23 0x1F 0xAE 0xB6 0xA9 0x24 0xB5 0x38

padata :
    PreAuthenticationData :
        padata-type: null(0)

kdc-req-body :
    KDCOptions : FORWARDABLE RENEWABLE
    cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
    realm : EXAMPLE.COM
    sname : { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
    from : 20130408174415Z
    till : 20130409174415Z
    rtime : 20130415174415Z
    nonce : 1801102745
    etype : aes256-cts-hmac-sha1-96 (18) aes128-cts-hmac-sha1-96 (17) des3-cbc-sha1-kd (16) rc4-hmac (23)

-------------------------------------------------------------------------------<

[10:44:17] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /10.42.12.54:41991 RCVD:
>-------------------------------------------------------------------------------
AS-REQ
pvno : 5
msg-type : AS_REQ
padata :
    PreAuthenticationData :
        padata-type: Encrypted timestamp.(2)
        padata-value:0x30 0x41 0xA0 0x03 0x02 0x01 0x12 0xA2 0x3A 0x04 0x38 0xA1 0x9A 0x25 0xE5 0x77 0x8A 0x30 0x12 0xE3 0x82 0x97 0xEF 0x8E 0xDF 0x1A 0x36 0x39 0xAE 0xF1 0x6C 0x64 0x89 0x9F 0x89 0x31 0xB3 0xFD 0x01 0xB1 0x68
0x25 0xAA 0xAE 0xAF 0x05 0xDD 0x33 0xD3 0xFE 0x57 0xD0 0x74 0x6C 0x08 0x64 0xA2 0xF3 0x8C 0x23 0x1F 0xAE 0xB6 0xA9 0x24 0xB5 0x38

padata :
    PreAuthenticationData :
        padata-type: null(0)

kdc-req-body :
    KDCOptions : FORWARDABLE RENEWABLE
    cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
    realm : EXAMPLE.COM
    sname : { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
    from : 20130408174415Z
    till : 20130409174415Z
    rtime : 20130415174415Z
    nonce : 1801102745
    etype : aes256-cts-hmac-sha1-96 (18) aes128-cts-hmac-sha1-96 (17) des3-cbc-sha1-kd (16) rc4-hmac (23)

-------------------------------------------------------------------------------<

[10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - /10.42.12.54:41991 RCVD:
>-------------------------------------------------------------------------------
AS-REQ
pvno : 5
msg-type : AS_REQ
padata :
    PreAuthenticationData :
        padata-type: Encrypted timestamp.(2)
        padata-value:0x30 0x41 0xA0 0x03 0x02 0x01 0x12 0xA2 0x3A 0x04 0x38 0xA1 0x9A 0x25 0xE5 0x77 0x8A 0x30 0x12 0xE3 0x82 0x97 0xEF 0x8E 0xDF 0x1A 0x36 0x39 0xAE 0xF1 0x6C 0x64 0x89 0x9F 0x89 0x31 0xB3 0xFD 0x01 0xB1 0x68
0x25 0xAA 0xAE 0xAF 0x05 0xDD 0x33 0xD3 0xFE 0x57 0xD0 0x74 0x6C 0x08 0x64 0xA2 0xF3 0x8C 0x23 0x1F 0xAE 0xB6 0xA9 0x24 0xB5 0x38

padata :
    PreAuthenticationData :
        padata-type: null(0)

kdc-req-body :
    KDCOptions : FORWARDABLE RENEWABLE
    cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
    realm : EXAMPLE.COM
    sname : { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
    from : 20130408174415Z
    till : 20130409174415Z
    rtime : 20130415174415Z
    nonce : 1801102745
    etype : aes256-cts-hmac-sha1-96 (18) aes128-cts-hmac-sha1-96 (17) des3-cbc-sha1-kd (16) rc4-hmac (23)

-------------------------------------------------------------------------------<




[10:44:17] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Received Authentication Service (AS) request:
        messageType:           AS_REQ
        protocolVersionNumber: 5
        clientAddress:         10.42.12.54
        nonce:                 1801102745
        kdcOptions:            FORWARDABLE RENEWABLE
        clientPrincipal:       { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
        serverPrincipal:       { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
        encryptionType:        aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23)
        realm:                 EXAMPLE.COM
        from time:             20130408174415Z
        till time:             20130409174415Z
        renew-till time:       20130415174415Z
        hostAddresses:         null
[10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Received Authentication Service (AS) request:
        messageType:           AS_REQ
        protocolVersionNumber: 5
        clientAddress:         10.42.12.54
        nonce:                 1801102745
        kdcOptions:            FORWARDABLE RENEWABLE
        clientPrincipal:       { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
        serverPrincipal:       { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
        encryptionType:        aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23)
        realm:                 EXAMPLE.COM
        from time:             20130408174415Z
        till time:             20130409174415Z
        renew-till time:       20130415174415Z
        hostAddresses:         null
[10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Selecting the EncryptionType
[10:44:17] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Encryption types requested by client [aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23)].
[10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Encryption types requested by client [aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23)].
[10:44:17] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Session will use encryption type aes256-cts-hmac-sha1-96 (18).
[10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Session will use encryption type aes256-cts-hmac-sha1-96 (18).
[10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Getting the client Entry
[10:44:17] DEBUG [org.apache.directory.server.core.DefaultOperationManager] - >> SearchOperation : SearchContext
for Dn 'ou=users,dc=disney,dc=com', filter :'(krb5PrincipalName=hnelson@EXAMPLE.COM)'
[10:44:17] DEBUG [org.apache.directory.server.core.authn.AuthenticationInterceptor] - Operation Context: SearchContext for Dn 'ou=users,dc=disney,dc=com', filter :'(krb5PrincipalName=hnelson@EXAMPLE.COM)'
[10:44:17] DEBUG [org.apache.directory.server.xdbm.search.impl.DefaultSearchEngine] - Nb results : 1 for filter : (&:[1](krb5PrincipalName=hnelson@EXAMPLE.COM:[1])(#{SUBTREE_SCOPE (Estimated), 'ou=users,dc=disney,dc=com', DEREF_ALWAYS}))
[10:44:17] DEBUG [org.apache.directory.server.core.DefaultOperationManager] - << SearchOperation successful
[10:44:17] DEBUG [org.apache.directory.server.protocol.shared.kerberos.StoreUtils] - Found entry uid=hnelson,ou=users,dc=disney,dc=com for kerberos principal name hnelson@EXAMPLE.COM
[10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Found entry uid=hnelson,ou=users,dc=disney,dc=com for kerberos principal name hnelson@EXAMPLE.COM
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
[10:44:17] DEBUG [org.apache.directory.api.asn1.actions.AbstractReadInteger] - read integer value : 3
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : des-cbc-md5 (3)
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
[10:44:17] DEBUG [org.apache.directory.api.asn1.actions.AbstractReadInteger] - read integer value : 23
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : rc4-hmac (23)
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
[10:44:17] DEBUG [org.apache.directory.api.asn1.actions.AbstractReadInteger] - read integer value : 17
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : aes128-cts-hmac-sha1-96 (17)
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
[10:44:17] DEBUG [org.apache.directory.api.asn1.actions.AbstractReadInteger] - read integer value : 16
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : des3-cbc-sha1-kd (16)
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit] - EncryptionKey created
[10:44:17] DEBUG [org.apache.directory.api.asn1.actions.AbstractReadInteger] - read integer value : 18
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType] - keytype : aes256-cts-hmac-sha1-96 (18)
[10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Found entry uid=hnelson,ou=users,dc=disney,dc=com for principal hnelson@EXAMPLE.COM
[10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Verifying the policy
[10:44:17] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using SAM subsystem.
[10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Verifying using SAM subsystem.
[10:44:17] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using encrypted timestamp.
[10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Verifying using encrypted timestamp.
[10:44:17] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Entry for client principal hnelson@EXAMPLE.COM has no SAM type.  Proceeding with standard pre-authentication.
[10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Entry for client principal hnelson@EXAMPLE.COM has no SAM type.  Proceeding with standard pre-authentication.
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptedData.actions.EncryptedDataInit] - EncryptedData created
[10:44:17] DEBUG [org.apache.directory.api.asn1.actions.AbstractReadInteger] - read integer value : 18
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptedData.actions.StoreEType] - e-type : aes256-cts-hmac-sha1-96 (18)
[10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Decrypting data using key aes256-cts-hmac-sha1-96 (18) and usage ERR_603 AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the client key (1)
[10:44:17] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
[10:44:17] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)
[10:44:17] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Responding to request
with error:
        explanatory text:      Integrity check on decrypted field failed
        error code:            Integrity check on decrypted field failed
        clientPrincipal:       null@null
        client time:           null
        serverPrincipal:       { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }@EXAMPLE.COM
        server time:           20130408174417Z
[10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Responding to request with error:
        explanatory text:      Integrity check on decrypted field failed
        error code:            Integrity check on decrypted field failed
        clientPrincipal:       null@null
        client time:           null
        serverPrincipal:       { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }@EXAMPLE.COM
        server time:           20130408174417Z
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.components.PrincipalName] - PrinipalName encoding : 0x7E 0x81 0x86 0x30 0x81 0x83 0xA0 0x03 0x02 0x01 0x05 0xA1 0x03 0x02 0x01 0x1E 0xA4 0x11 0x18 0x0F 0x32 0x30 0x31 0x33 0x30 0x34 0x30 0x38 0x31 0x37 0x34 0x34 0x31 0x37 0x5A 0xA5 0x03 0x02 0x01 0x00 0xA6 0x03 0x02 0x01 0x1F 0xA9 0x0C 0x1B 0x0A 0x44 0x49 0x53 0x4E 0x45 0x59 0x2E 0x43 0x4F 0x4D 0xAA 0x1F 0x30 0x1D 0xA0 0x03 0x02 0x01 0x02 0xA1
0x16 0x30 0x14 0x1B 0x06 0x6B 0x72 0x62 0x74 0x67 0x74 0x1B 0x0A 0x44 0x49 0x53 0x4E 0x45 0x59 0x2E 0x43 0x4F 0x4D 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.components.PrincipalName] - PrinipalName initial value : { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.messages.KrbError] - KrbError encoding : 0x7E 0x81 0x86 0x30 0x81 0x83 0xA0 0x03 0x02 0x01 0x05 0xA1 0x03 0x02 0x01 0x1E 0xA4 0x11 0x18 0x0F 0x32 0x30 0x31 0x33 0x30 0x34
0x30 0x38 0x31 0x37 0x34 0x34 0x31 0x37 0x5A 0xA5 0x03 0x02 0x01 0x00 0xA6 0x03 0x02 0x01 0x1F 0xA9 0x0C 0x1B 0x0A 0x44 0x49 0x53 0x4E 0x45 0x59 0x2E 0x43 0x4F 0x4D 0xAA 0x1F 0x30 0x1D 0xA0 0x03 0x02 0x01 0x02 0xA1 0x16 0x30 0x14 0x1B 0x06 0x6B 0x72 0x62 0x74 0x67 0x74 0x1B 0x0A 0x44 0x49 0x53 0x4E 0x45 0x59 0x2E 0x43 0x4F 0x4D 0xAB 0x2B 0x1B 0x29 0x49 0x6E 0x74 0x65 0x67 0x72 0x69 0x74 0x79 0x20 0x63 0x68 0x65 0x63 0x6B 0x20 0x6F 0x6E 0x20 0x64 0x65 0x63 0x72 0x79 0x70 0x74 0x65 0x64 0x20 0x66 0x69 0x65 0x6C 0x64 0x20 0x66 0x61 0x69 0x6C 0x65 0x64
[10:44:17] DEBUG [org.apache.directory.shared.kerberos.messages.KrbError] - KrbError initial value :
KRB-ERROR : {
    pvno: 5
    msgType: KRB_ERROR
    sTime: 20130408174417Z
    susec: 0
    errorCode: Integrity check on decrypted field failed
    realm: EXAMPLE.COM
    sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
    eText: Integrity check on decrypted field failed
}

[10:44:17] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /10.42.12.54:41991 SENT:
KRB-ERROR : {
    pvno: 5
    msgType: KRB_ERROR
    sTime: 20130408174417Z
    susec: 0
    errorCode: Integrity check on decrypted field failed
    realm: EXAMPLE.COM
    sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
    eText: Integrity check on decrypted field failed
}

[10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - /10.42.12.54:41991 SENT:
KRB-ERROR : {
    pvno: 5
    msgType: KRB_ERROR
    sTime: 20130408174417Z
    susec: 0
    errorCode: Integrity check on decrypted field failed
    realm: EXAMPLE.COM
    sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
    eText: Integrity check on decrypted field failed
}


-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com]
Sent: Monday, April 08, 2013 9:37 PM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

On 4/9/13 12:14 AM, Wu, James C. wrote:
> Hi Guys,
>
> Has anyone taken a look at the log file I attached in my previous email?
Sorry, the logs weren't present. They should have been discarded by the mail server at Apache.

Create a JIRA, and attach the logs to it.


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com

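As an added diagnostic example (not code from this thread or from ApacheDS), the script below decodes the PA-ENC-TIMESTAMP padata-value from the AS-REQ dump above as an RFC 4120 EncryptedData structure, reads the etype the client encrypted with, and checks it against the key types the KDC logged while loading the hnelson entry (the StoreKeyType lines). The padata bytes and the key-type list are copied from the log; the function and constant names are my own.

```python
"""Decode the PA-ENC-TIMESTAMP padata-value from an ApacheDS Kerberos debug log.

EncryptedData ::= SEQUENCE {            -- RFC 4120, section 5.2.9
    etype  [0] Int32,
    kvno   [1] UInt32 OPTIONAL,
    cipher [2] OCTET STRING
}
"""

# padata-value of the "Encrypted timestamp.(2)" PA-DATA, copied from the AS-REQ dump in the log.
PADATA_VALUE_HEX = (
    "0x30 0x41 0xA0 0x03 0x02 0x01 0x12 0xA2 0x3A 0x04 0x38 "
    "0xA1 0x9A 0x25 0xE5 0x77 0x8A 0x30 0x12 0xE3 0x82 0x97 0xEF 0x8E 0xDF 0x1A 0x36 0x39 0xAE 0xF1 0x6C "
    "0x64 0x89 0x9F 0x89 0x31 0xB3 0xFD 0x01 0xB1 0x68 0x25 0xAA 0xAE 0xAF 0x05 0xDD 0x33 0xD3 0xFE 0x57 "
    "0xD0 0x74 0x6C 0x08 0x64 0xA2 0xF3 0x8C 0x23 0x1F 0xAE 0xB6 0xA9 0x24 0xB5 0x38"
)

# keytype values the KDC logged for the hnelson entry (StoreKeyType lines in the log).
KDC_KEY_TYPES = [3, 23, 17, 16, 18]

ETYPE_NAMES = {
    3: "des-cbc-md5",
    16: "des3-cbc-sha1-kd",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}


def log_hex_to_bytes(text: str) -> bytes:
    """Turn the log's '0x30 0x41 ...' notation (or plain hex pairs) into bytes."""
    return bytes.fromhex(text.replace("0x", ""))


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_encrypted_data(der: bytes) -> dict:
    """Parse an RFC 4120 EncryptedData SEQUENCE into {'etype', 'kvno'?, 'cipher'}."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single DER SEQUENCE")
    fields = {}
    pos = 0
    while pos < len(body):
        ctx_tag, inner, pos = _read_tlv(body, pos)
        field_no = ctx_tag & 0x1F                      # context-specific [n] wrapper
        inner_tag, value, inner_end = _read_tlv(inner, 0)
        if inner_end != len(inner):
            raise ValueError(f"trailing bytes inside field [{field_no}]")
        if field_no == 0 and inner_tag == 0x02:        # etype INTEGER
            fields["etype"] = int.from_bytes(value, "big", signed=True)
        elif field_no == 1 and inner_tag == 0x02:      # kvno INTEGER (optional)
            fields["kvno"] = int.from_bytes(value, "big")
        elif field_no == 2 and inner_tag == 0x04:      # cipher OCTET STRING
            fields["cipher"] = value
        else:
            raise ValueError(f"unexpected field [{field_no}] with tag 0x{inner_tag:02X}")
    if "etype" not in fields or "cipher" not in fields:
        raise ValueError("EncryptedData is missing etype or cipher")
    return fields


def diagnose(padata_hex: str, kdc_key_types: list) -> dict:
    """Report the client's etype and whether the KDC holds a key of that type.

    If the etype is absent from kdc_key_types the KDC cannot attempt the decryption at all.
    If it is present and the KDC still reports 'Integrity check on decrypted field failed',
    both sides used the same etype but derived different keys: the truncated HMAC over the
    decrypted timestamp is what did not verify.
    """
    enc = parse_encrypted_data(log_hex_to_bytes(padata_hex))
    etype = enc["etype"]
    report = {
        "client_etype": etype,
        "client_etype_name": ETYPE_NAMES.get(etype, "unknown"),
        "kvno": enc.get("kvno"),
        "cipher_len": len(enc["cipher"]),
        "kdc_has_key_for_etype": etype in kdc_key_types,
    }
    if etype in (17, 18):
        # RFC 3962 AES-CTS: ciphertext = 16-byte confounder || PA-ENC-TS-ENC || 12-byte HMAC-SHA1 tag
        report["plaintext_len"] = len(enc["cipher"]) - 16 - 12
    return report


if __name__ == "__main__":
    for key, val in diagnose(PADATA_VALUE_HEX, KDC_KEY_TYPES).items():
        print(f"{key:>22}: {val}")
```

For this log the client chose etype 18 and the KDC does hold an aes256 key for the entry, so the failure is a key mismatch for a matching etype rather than an unsupported etype; the 28 remaining plaintext bytes are consistent with a PA-ENC-TS-ENC carrying both patimestamp and pausec.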

Re: kinit failed on - Integrity check on decrypted field failed

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 4/9/13 12:14 AM, Wu, James C. wrote:
> Hi Guys,
>
> Has anyone taken a look at the log file I attached in my previous email?
Sorry, the logs weren't present. They should have been discarded by the
mail server at Apache.

Create a JIRA, and attach the logs to it.


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


RE: kinit failed on - Integrity check on decrypted field failed

Posted by "Wu, James C." <Ja...@disney.com>.
Hi Guys,

Has anyone taken a look at the log file I attached in my previous email?

Regards,

james

-----Original Message-----
From: dev-return-42818-James.C.Wu=disney.com@directory.apache.org [mailto:dev-return-42818-James.C.Wu=disney.com@directory.apache.org] On Behalf Of Wu, James C.
Sent: Monday, April 08, 2013 10:56 AM
To: Apache Directory Developers List
Subject: RE: kinit failed on - Integrity check on decrypted field failed

Hi,

I put some debug log output in the attached file.  Hope it will get us to the cause of the problem.

Regards,

james

-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com]
Sent: Monday, April 08, 2013 10:38 AM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

On 4/8/13 7:33 PM, Wu, James C. wrote:
> I removed the allow_weak_crypto = true from krb5.conf and set the ads-krbEncryptionTypes to have only one value aes256-cts-hmac-sha1-96. But I still get the same error. See the log
>
> [10:29:58] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
> [10:29:58] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
> [10:29:58] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
> [10:30:02] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
> [10:30:02] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)
>
> I am wondering about the "No timestamp found" error. Does it have any relation to the "Integrity check on decrypted field failed" error?
No. The 'No Timestamp found' message is just a part of the Kerberos protocol: in order to guarantee that the client is who he/she is pretending to be, a timestamp is sent back to the client, for him/her to encrypt it. The problem is that the algorithm used to encrypt the password on the client side is not the one used to decrypt it on the server side.

I'm pretty sure that it has been fixed in trunk 2 weeks ago.

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


RE: kinit failed on - Integrity check on decrypted field failed

Posted by "Wu, James C." <Ja...@disney.com>.
Hi,

I put some debug log output in the attached file.  Hope it will get us to the cause of the problem.

Regards,

james

-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com] 
Sent: Monday, April 08, 2013 10:38 AM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

On 4/8/13 7:33 PM, Wu, James C. wrote:
> I removed the allow_weak_crypto = true from krb5.conf and set the ads-krbEncryptionTypes to have only one value aes256-cts-hmac-sha1-96. But I still get the same error. See the log
>
> [10:29:58] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
> [10:29:58] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
> [10:29:58] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
> [10:30:02] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
> [10:30:02] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)
>
> I am wondering about the "No timestamp found" error. Does it have any relation to the "Integrity check on decrypted field failed" error?
No. The 'No Timestamp found' message is just a part of the Kerberos protocol: in order to guarantee that the client is who he/she is pretending to be, a timestamp is sent back to the client, for him/her to encrypt it. The problem is that the algorithm used to encrypt the password on the client side is not the one used to decrypt it on the server side.

I'm pretty sure that it has been fixed in trunk 2 weeks ago.

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


Re: kinit failed on - Integrity check on decrypted field failed

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 4/8/13 7:33 PM, Wu, James C. wrote:
> I removed the allow_weak_crypto = true from krb5.conf and set the ads-krbEncryptionTypes to have only one value aes256-cts-hmac-sha1-96. But I still get the same error. See the log
>
> [10:29:58] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
> [10:29:58] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
> [10:29:58] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
> [10:30:02] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
> [10:30:02] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)
>
> I am wondering about the "No timestamp found" error. Does it have any relation to the "Integrity check on decrypted field failed" error?
No. The 'No Timestamp found' message is just a part of the Kerberos
protocol: in order to guarantee that the client is who he/she is
pretending to be, a timestamp is sent back to the client, for him/her to
encrypt it. The problem is that the algorithm used to encrypt the password on
the client side is not the one used to decrypt it on the server side.

I'm pretty sure that it has been fixed in trunk 2 weeks ago.

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


RE: kinit failed on - Integrity check on decrypted field failed

Posted by "Wu, James C." <Ja...@disney.com>.
I removed the allow_weak_crypto = true from krb5.conf and set the ads-krbEncryptionTypes to have only one value aes256-cts-hmac-sha1-96. But I still get the same error. See the log

[10:29:58] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
[10:29:58] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
[10:29:58] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
[10:30:02] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
[10:30:02] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)

I am wondering about the "No timestamp found" error. Does it have any relation to the "Integrity check on decrypted field failed" error?

Regards,

james

From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
Sent: Monday, April 08, 2013 10:16 AM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

very likely that the default weak encryption type set in ApacheDS is the reason.
either you enable the weak encryption support in krb5.conf

[libdefaults]
       allow_weak_crypto = true
or modify the encryption types configured in ApacheDS

 1. go to the entry ads-serverId=kerberosServer,ou=servers,ads-directoryServiceId=default,ou=config
 2. remove des3-cbc-sha1-kd from ads-krbEncryptionTypes attribute (you can add another value like aes256-cts-hmac-sha1-96)
 3. restart the server
let us know if you still have an issue




On Mon, Apr 8, 2013 at 10:24 PM, Wu, James C. <Ja...@disney.com> wrote:
I installed the JCE and am using the JVM from Oracle now. But I am getting the same error as when I used the OpenJDK JVM.

[09:48:32] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
[09:48:32] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)

I tried to use kinit from two machines, both show the same error.  The kinit is part of the krb5-lib/krb5-workstation library.  Do I have to use another implementation of kinit?

Regards,

james


-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com]
Sent: Sunday, April 07, 2013 10:38 PM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed
On 4/8/13 3:35 AM, Wu, James C. wrote:
> The apacheDS version I am using is apacheds-2.0.0-M11-64bit.bin
>
> When I switched the JVM to Oracle JVM by installing the jdk-7u17-linux-x64.rpm from Oracle, I even get NullPointerException. See the following stack trace.

AES256 is not included by default in the standard J2SE installation. You have to install JCE in order to be able to use AES 256.


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com



--
Kiran Ayyagari
http://keydap.com

Re: kinit failed on - Integrity check on decrypted field failed

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 4/8/13 7:16 PM, Kiran Ayyagari wrote:
> very likely that the default weak encryption type set in ApacheDS is the
> reason.
>
> either you enable the weak encryption support in krb5.conf
>
> [libdefaults]
>        allow_weak_crypto = true
>
> or modify the encryption types configured in ApacheDS
>
>  1. go to the entry
> ads-serverId=kerberosServer,ou=servers,ads-directoryServiceId=default,ou=config
>
>  2. remove des3-cbc-sha1-kd from ads-krbEncryptionTypes attribute (you can
> add another value like aes256-cts-hmac-sha1-96)
>
>  3. restart the server
>
> let us know if you still have an issue

I wonder if this is not related to a bug I fixed 2 or 3 weeks ago : the
selection of the encryption mechanism is not correct in M11, and the
encryption type used by the client does not match the one used by the
server?

The workaround on the server would be to remove all the weak
encryptionTypes to only keep AES256.


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


Re: kinit failed on - Integrity check on decrypted field failed

Posted by Kiran Ayyagari <ka...@apache.org>.
very likely that the default weak encryption type set in ApacheDS is the
reason.

either you enable the weak encryption support in krb5.conf

[libdefaults]
       allow_weak_crypto = true

or modify the encryption types configured in ApacheDS

 1. go to the entry
ads-serverId=kerberosServer,ou=servers,ads-directoryServiceId=default,ou=config

 2. remove des3-cbc-sha1-kd from ads-krbEncryptionTypes attribute (you can
add another value like aes256-cts-hmac-sha1-96)

 3. restart the server

let us know if you still have an issue





On Mon, Apr 8, 2013 at 10:24 PM, Wu, James C. <Ja...@disney.com> wrote:

> I installed the JCE and am using the JVM from Oracle now. But I am getting
> the same error as when I used the OpenJDK JVM.
>
> [09:48:32] WARN
> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
> Integrity check on decrypted field failed (31)
> [09:48:32] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity
> check on decrypted field failed (31)
>
> I tried to use kinit from two machines, both show the same error.  The
> kinit is part of the krb5-lib/krb5-workstation library.  Do I have to use
> another implementation of kinit?
>
> Regards,
>
> james
>
>
> -----Original Message-----
> From: Emmanuel Lécharny [mailto:elecharny@gmail.com]
> Sent: Sunday, April 07, 2013 10:38 PM
> To: Apache Directory Developers List
> Subject: Re: kinit failed on - Integrity check on decrypted field failed
>
> On 4/8/13 3:35 AM, Wu, James C. wrote:
> > The apacheDS version I am using is apacheds-2.0.0-M11-64bit.bin
> >
> > When I switched the JVM to the Oracle JVM by installing the
>  jdk-7u17-linux-x64.rpm from Oracle, I even get a NullPointerException. See
> the following stack trace.
>
> AES256 is not included by default in the standard J2SE installation. You
> have to install JCE in order to be able to use AES 256.
>
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>


-- 
Kiran Ayyagari
http://keydap.com
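
The advice in the two replies above comes down to one question: do the encryption types the kinit client is willing to use and the ones listed in the KDC's ads-krbEncryptionTypes overlap at all, and is that overlap made of weak types? The following script, added here as an example and not code from ApacheDS or MIT krb5, reads a krb5.conf and an LDIF dump of the kerberosServer config entry and answers both. The alias table, the set of enctypes it calls "weak", and the client default it assumes when krb5.conf lists no enctypes are assumptions of the example; the sample inputs are constructed to mirror the thread.

```python
import re

# One canonical spelling per enctype (assumption: a small alias table covering
# the MIT krb5 and ApacheDS names that appear in this thread).
ENCTYPE_ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "des3-cbc-sha1": "des3-cbc-sha1-kd",
    "des3-hmac-sha1": "des3-cbc-sha1-kd",
    "rc4-hmac": "arcfour-hmac",
    "arcfour-hmac-md5": "arcfour-hmac",
}
# Treated as weak here: single DES, export RC4 and the des3-cbc-sha1-kd
# default the thread identifies as the culprit (assumption of this example).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "arcfour-hmac-exp", "des3-cbc-sha1-kd"}
# What the client is assumed to offer when krb5.conf lists nothing explicit
# (assumption; check the defaults of your own krb5 build).
ASSUMED_CLIENT_DEFAULT = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
                          "des3-cbc-sha1-kd", "arcfour-hmac"}


def normalise(name):
    name = name.strip().lower()
    return ENCTYPE_ALIASES.get(name, name)


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: [section] headers and key = value lines.
    Lines inside a realm's { ... } block land in the enclosing section,
    which is harmless because only [libdefaults] is consulted."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[([A-Za-z_]+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if value and value != "{":          # "{" opens a realm block, not a value
            sections[current][key.strip()] = value
    return sections


def krb5_bool(value):
    """krb5.conf booleans: yes/true/on/1 (and t/y) count as true."""
    return str(value).strip().lower() in ("true", "yes", "on", "1", "t", "y")


def ldif_values(ldif_text, attribute):
    """All values of one attribute in an LDIF entry (attribute name case-insensitive)."""
    prefix = attribute.lower() + ":"
    return [line.partition(":")[2].strip()
            for line in ldif_text.splitlines() if line.lower().startswith(prefix)]


def check_enctype_compat(krb5_conf_text, kdc_entry_ldif):
    """Return client set, KDC set, their overlap, the weak KDC types and findings."""
    libdefaults = parse_krb5_conf(krb5_conf_text).get("libdefaults", {})
    allow_weak = krb5_bool(libdefaults.get("allow_weak_crypto", "false"))
    explicit = (libdefaults.get("permitted_enctypes")
                or libdefaults.get("default_tkt_enctypes"))
    if explicit:
        client = {normalise(n) for n in re.split(r"[\s,]+", explicit.strip())}
    else:
        client = set(ASSUMED_CLIENT_DEFAULT)
    if not allow_weak:
        client -= WEAK_ENCTYPES             # what kinit would refuse to use
    kdc = {normalise(v) for v in ldif_values(kdc_entry_ldif, "ads-krbEncryptionTypes")}
    overlap, weak_on_kdc = client & kdc, kdc & WEAK_ENCTYPES
    findings = []
    if not overlap:
        findings.append("MISMATCH: client and KDC share no encryption type; kinit cannot succeed")
    if allow_weak:
        findings.append("WARN: allow_weak_crypto is enabled on the client; prefer fixing the KDC side")
    if weak_on_kdc:
        findings.append("WARN: KDC offers weak enctypes " + ", ".join(sorted(weak_on_kdc))
                        + "; remove them from ads-krbEncryptionTypes and keep aes256-cts-hmac-sha1-96")
    if "aes256-cts-hmac-sha1-96" in kdc:
        findings.append("NOTE: AES-256 on the KDC needs the JCE policy files installed in its JVM")
    return {"client": client, "kdc": kdc, "overlap": overlap,
            "weak_on_kdc": weak_on_kdc, "findings": findings}


# Constructed inputs modelled on the thread: the poster's krb5.conf and an
# ApacheDS config entry still carrying the des3-cbc-sha1-kd default.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.COM
 allow_weak_crypto = yes

[realms]
 EXAMPLE.COM = {
  kdc = 127.0.0.1:60088
 }
"""
SAMPLE_KDC_ENTRY = """\
dn: ads-serverId=kerberosServer,ou=servers,ads-directoryServiceId=default,ou=config
ads-krbEncryptionTypes: des3-cbc-sha1-kd
"""

if __name__ == "__main__":
    for finding in check_enctype_compat(SAMPLE_KRB5_CONF, SAMPLE_KDC_ENTRY)["findings"]:
        print(finding)
```

Run against the thread's configuration it reports that the only common enctype is des3-cbc-sha1-kd and that it is only usable because the client has allow_weak_crypto on; flip that to false and the overlap is empty, which is the "kinit cannot succeed" state the original poster is in. Swapping the KDC attribute to aes256-cts-hmac-sha1-96 gives a strong overlap and leaves only the JCE reminder from Emmanuel's reply.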

RE: kinit failed on - Integrity check on decrypted field failed

Posted by "Wu, James C." <Ja...@disney.com>.
I installed the JCE and am using the JVM from Oracle now. But I am getting the same error as when I used the OpenJDK JVM.

[09:48:32] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
[09:48:32] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)

I tried to use kinit from two machines, both show the same error.  The kinit is part of the krb5-lib/krb5-workstation library.  Do I have to use another implementation of kinit?

Regards,

james


-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com] 
Sent: Sunday, April 07, 2013 10:38 PM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

On 4/8/13 3:35 AM, Wu, James C. wrote:
> The apacheDS version I am using is apacheds-2.0.0-M11-64bit.bin
>
> When I switched the JVM to the Oracle JVM by installing the jdk-7u17-linux-x64.rpm from Oracle, I even get a NullPointerException. See the following stack trace.

AES256 is not included by default in the standard J2SE installation. You have to install JCE in order to be able to use AES 256.


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


Re: kinit failed on - Integrity check on decrypted field failed

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 4/8/13 3:35 AM, Wu, James C. wrote:
> The apacheDS version I am using is apacheds-2.0.0-M11-64bit.bin
>
> When I switched the JVM to the Oracle JVM by installing the jdk-7u17-linux-x64.rpm from Oracle, I even get a NullPointerException. See the following stack trace.

AES256 is not included by default in the standard J2SE installation. You
have to install JCE in order to be able to use AES 256.


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


RE: kinit failed on - Integrity check on decrypted field failed

Posted by "Wu, James C." <Ja...@disney.com>.
The apacheDS version I am using is apacheds-2.0.0-M11-64bit.bin

When I switched the JVM to the Oracle JVM by installing the jdk-7u17-linux-x64.rpm from Oracle, I even get a NullPointerException. See the following stack trace.


[cloud-user@host ~]$ sudo tail -f  /var/lib/apacheds-2.0.0-M11/default/log/apacheds.log
 [18:30:44] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
[18:30:44] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
[18:30:44] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
[18:30:47] ERROR [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - ERR_152 Unexpected exception: null
java.lang.NullPointerException
        at org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionEngine.deriveRandom(EncryptionEngine.java:77)
        at org.apache.directory.server.kerberos.shared.crypto.encryption.AesCtsSha1Encryption.deriveKey(AesCtsSha1Encryption.java:148)
        at org.apache.directory.server.kerberos.shared.crypto.encryption.AesCtsSha1Encryption.getDecryptedData(AesCtsSha1Encryption.java:86)
        at org.apache.directory.server.kerberos.shared.crypto.encryption.Aes256CtsSha1Encryption.getDecryptedData(Aes256CtsSha1Encryption.java:30)
        at org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.decrypt(CipherTextHandler.java:121)
        at org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.verifyEncryptedTimestamp(AuthenticationService.java:335)
        at org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.execute(AuthenticationService.java:126)
        at org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:206)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:690)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
        at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:407)
        at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:236)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
        at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:109)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:410)
        at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.readHandle(AbstractPollingConnectionlessIoAcceptor.java:701)
        at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.processReadySessions(AbstractPollingConnectionlessIoAcceptor.java:670)
        at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.access$800(AbstractPollingConnectionlessIoAcceptor.java:61)
        at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor$Acceptor.run(AbstractPollingConnectionlessIoAcceptor.java:607)
        at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:722)

regards,


james


-----Original Message-----
From: dev-return-42802-James.C.Wu=disney.com@directory.apache.org [mailto:dev-return-42802-James.C.Wu=disney.com@directory.apache.org] On Behalf Of Wu, James C.
Sent: Sunday, April 07, 2013 6:15 PM
To: Apache Directory Developers List
Subject: RE: kinit failed on - Integrity check on decrypted field failed

Here is the content of the krb5.conf file. 


 [logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 debug = true
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 rdns = false
 forwardable = true
 allow_weak_crypto = yes

[realms]
 EXAMPLE.COM = {
  kdc = 127.0.0.1:60088
  admin_server = 127.0.0.1:60464
  default_domain = EXAMPLE.COM
 }


[domain_realm]
 .EXAMPLE.COM = EXAMPLE.COM
 EXAMPLE.COM = EXAMPLE.COM

-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com]
Sent: Friday, April 05, 2013 10:33 PM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

On 4/6/13 2:23 AM, Wu, James C. wrote:
> Hi,

Hi,
>
> I am trying to set up ApacheDS as a KDC. After adding hnelson using 
> the following ldif, I could not get kinit to get the ticket
>
> 	 dn: uid=hnelson,ou=users,dc=example,dc=com
> 	objectclass: top
> 	objectclass: person
> 	objectclass: inetOrgPerson
> 	objectclass: krb5Principal
> 	objectclass: krb5KDCEntry
> 	cn: Horatio Nelson
> 	sn: Nelson
> 	uid: hnelson
> 	userpassword: secret
> 	krb5PrincipalName: hnelson@EXAMPLE.COM
>
>
> The log output of ApacheDS shows the following:
>
> 	[cloud-user@n7-z01-0a2a0c3a ~]$ [17:15:57] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
> 	[17:15:57] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
> 	[17:15:57] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
> 	[17:16:00] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
> 	[17:16:00] WARN [org.apache.directory.server.KERBEROS_LOG] - 
> Integrity check on decrypted field failed (31)
>
> Could someone give me some hint?

First, can you give us the version you are using?

Can you also provide the krb5.conf file you are using?

It's very likely that the encryptionType you are using on the client is not correctly recognized by the server.

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 
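
The two failure shapes in this post are easy to confuse when reading apacheds.log by hand: the KDC_ERR_PREAUTH_REQUIRED (25) followed three seconds later by KRB_AP_ERR_BAD_INTEGRITY (31) means the client did answer the pre-auth challenge but the KDC could not verify the encrypted timestamp (the key or encryption-type mismatch the replies point at), whereas the NullPointerException in the AES engine is the separate "no AES-256 in this JVM" problem. The script below, added as an example and not part of ApacheDS, parses such log lines, names the RFC 4120 error codes, and applies those two heuristics; the log samples are constructed from the lines quoted in this thread, and the diagnoses are the thread's, not something read out of the ApacheDS source.

```python
import re

# RFC 4120 error codes relevant to this diagnosis (names per the RFC).
KRB_ERROR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    31: "KRB_AP_ERR_BAD_INTEGRITY",
}

# ApacheDS line shape: "[HH:MM:SS] LEVEL [logger] - message". Searched rather
# than anchored so a shell prompt glued to the front (as in the thread) is ignored.
LOG_RE = re.compile(r"\[(\d\d:\d\d:\d\d)\]\s+(ERROR|WARN|INFO|DEBUG)\s+\[([^\]]+)\]\s+-\s+(.*)$")
CODE_RE = re.compile(r"\((\d+)\)\s*$")                      # trailing "(31)"
FRAME_RE = re.compile(r"^(at\s+\S+|[\w.$]+(?:Exception|Error)\b.*)$")  # Java trace lines


def error_name(code):
    return KRB_ERROR_NAMES.get(code, "UNKNOWN(%d)" % code)


def to_seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_kdc_log(text):
    """Group log lines into events; stack-trace lines attach to the preceding event."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = LOG_RE.search(line)
        if m:
            ts, level, logger, msg = m.groups()
            code = CODE_RE.search(msg)
            current = {"time": ts, "level": level, "logger": logger, "message": msg,
                       "code": int(code.group(1)) if code else None, "frames": []}
            events.append(current)
        elif current is not None and FRAME_RE.match(line):
            current["frames"].append(line)
    return events


def diagnose(events, window_s=10):
    """Heuristics taken from the thread's replies; returns a list of findings."""
    findings, seen, codes = [], set(), []
    for e in events:
        key = (e["time"], e["message"])   # ApacheDS emits each warning on two loggers
        if key in seen:
            continue
        seen.add(key)
        if e["code"] is not None:
            codes.append((to_seconds(e["time"]), e["code"]))
        if (any(f.startswith("java.lang.NullPointerException") for f in e["frames"])
                and any("crypto.encryption.Aes" in f for f in e["frames"])):
            findings.append("JCE: NullPointerException in the AES engine while deriving a key; "
                            "the JVM lacks AES-256 support until the JCE policy files are installed")
    # A 25 answered within the window by a 31: the client sent an encrypted
    # timestamp that the KDC could not decrypt and verify.
    for (t1, c1), (t2, c2) in zip(codes, codes[1:]):
        if c1 == 25 and c2 == 31 and 0 <= t2 - t1 <= window_s:
            findings.append("KEY MISMATCH: client answered %s but the KDC could not verify the "
                            "encrypted timestamp (%s); the client's encryption type or key does "
                            "not match the KDC's" % (error_name(25), error_name(31)))
            break
    return findings


# Constructed samples modelled on the log excerpts quoted in this thread.
SAMPLE_MISMATCH_LOG = """\
[cloud-user@host ~]$ [17:15:57] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
[17:15:57] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
[17:15:57] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
[17:16:00] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
[17:16:00] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)
"""
SAMPLE_JCE_LOG = """\
[18:30:47] ERROR [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - ERR_152 Unexpected exception: null
java.lang.NullPointerException
        at org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionEngine.deriveRandom(EncryptionEngine.java:77)
        at org.apache.directory.server.kerberos.shared.crypto.encryption.AesCtsSha1Encryption.deriveKey(AesCtsSha1Encryption.java:148)
"""

if __name__ == "__main__":
    for sample in (SAMPLE_MISMATCH_LOG, SAMPLE_JCE_LOG):
        for finding in diagnose(parse_kdc_log(sample)):
            print(finding)
```

A lone 25 with no 31 after it is deliberately not reported: that is the normal first round trip of pre-authentication (the client's first AS-REQ carries no timestamp, hence the "No timestamp found" line), and only the failed second round is worth a finding.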


RE: kinit failed on - Integrity check on decrypted field failed

Posted by "Wu, James C." <Ja...@disney.com>.
Here is the content of the krb5.conf file. 


 [logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 debug = true
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 rdns = false
 forwardable = true
 allow_weak_crypto = yes

[realms]
 EXAMPLE.COM = {
  kdc = 127.0.0.1:60088
  admin_server = 127.0.0.1:60464
  default_domain = EXAMPLE.COM
 }


[domain_realm]
 .EXAMPLE.COM = EXAMPLE.COM
 EXAMPLE.COM = EXAMPLE.COM

-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com] 
Sent: Friday, April 05, 2013 10:33 PM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

On 4/6/13 2:23 AM, Wu, James C. wrote:
> Hi,

Hi,
>
> I am trying to set up ApacheDS as a KDC. After adding hnelson using 
> the following ldif, I could not get kinit to get the ticket
>
> 	 dn: uid=hnelson,ou=users,dc=example,dc=com
> 	objectclass: top
> 	objectclass: person
> 	objectclass: inetOrgPerson
> 	objectclass: krb5Principal
> 	objectclass: krb5KDCEntry
> 	cn: Horatio Nelson
> 	sn: Nelson
> 	uid: hnelson
> 	userpassword: secret
> 	krb5PrincipalName: hnelson@EXAMPLE.COM
>
>
> The log output of ApacheDS shows the following:
>
> 	[cloud-user@n7-z01-0a2a0c3a ~]$ [17:15:57] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
> 	[17:15:57] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
> 	[17:15:57] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
> 	[17:16:00] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
> 	[17:16:00] WARN [org.apache.directory.server.KERBEROS_LOG] - 
> Integrity check on decrypted field failed (31)
>
> Could someone give me some hint?

First, can you give us the version you are using?

Can you also provide the krb5.conf file you are using?

It's very likely that the encryptionType you are using on the client is not correctly recognized by the server.

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


Re: kinit failed on - Integrity check on decrypted field failed

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 4/6/13 2:23 AM, Wu, James C. wrote:
> Hi,

Hi,
>
> I am trying to set up ApacheDS as a KDC. After adding hnelson using the following ldif, I could not get kinit to get the ticket
>
> 	 dn: uid=hnelson,ou=users,dc=example,dc=com
> 	objectclass: top
> 	objectclass: person
> 	objectclass: inetOrgPerson
> 	objectclass: krb5Principal
> 	objectclass: krb5KDCEntry
> 	cn: Horatio Nelson
> 	sn: Nelson
> 	uid: hnelson
> 	userpassword: secret
> 	krb5PrincipalName: hnelson@EXAMPLE.COM
>
>
> The log output of ApacheDS shows the following:
>
> 	[cloud-user@n7-z01-0a2a0c3a ~]$ [17:15:57] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
> 	[17:15:57] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
> 	[17:15:57] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
> 	[17:16:00] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
> 	[17:16:00] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)
>
> Could someone give me some hint?

First, can you give us the version you are using?

Can you also provide the krb5.conf file you are using?

It's very likely that the encryptionType you are using on the client is
not correctly recognized by the server.

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com