Posted to users@directory.apache.org by Ivan Frain <iv...@gmail.com> on 2012/08/30 10:31:48 UTC
apacheds 1.5.7 kdc server problem on Mac OS X
Hi all,
I am having trouble with the configuration of apacheDS kdcServer
configuration.
I am using apacheDS 1.5.7 from tar.gz archive and running on Mac OS X.
My java version "1.7.0_05" 64 bits
I have successfully started the server and kdcServer is up and running.
I have configured the partition and set up one user. The krb5key was
generated since I enabled the keyDerivation interceptor.
The problem comes when I use kinit:
$ kinit ifrain@HADOOP.LAN
ifrain@HADOOP.LAN's Password:
kinit: krb5_get_init_creds: KDC has no support for encryption type
Any help would be much appreciated.
Thanks in advance
Ivan
I switched on DEBUG LOG LEVEL for kdc server and here is the log:
[10:24:29] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /192.168.198.1:59026 CREATED: datagram
[10:24:29] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /192.168.198.1:59026 OPENED
[10:24:29] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /192.168.198.1:59026 RCVD: org.apache.directory.server.kerberos.shared.messages.KdcRequest@2a48a09f
[10:24:29] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Received Authentication Service (AS) request:
    messageType: AS_REQ
    protocolVersionNumber: 5
    clientAddress: 192.168.198.1
    nonce: 850330990
    kdcOptions: FORWARDABLE
    clientPrincipal: ifrain@HADOOP.LAN
    serverPrincipal: krbtgt/HADOOP.LAN@HADOOP.LAN
    encryptionType: aes256-cts-hmac-sha1-96 (18), rc4-hmac (23), aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16)
    realm: HADOOP.LAN
    from time: null
    till time: 20120830182417Z
    renew-till time: null
    hostAddresses: null
[10:24:29] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Session will use encryption type null.
[10:24:29] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - KDC has no support for encryption type (14)
org.apache.directory.server.kerberos.shared.exceptions.KerberosException: KDC has no support for encryption type
    at org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.selectEncryptionType(AuthenticationService.java:141)
    at org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.execute(AuthenticationService.java:103)
    at org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:145)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:713)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:793)
    at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:375)
    at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:229)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:793)
    at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426)
    at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.readHandle(AbstractPollingConnectionlessIoAcceptor.java:436)
    at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.processReadySessions(AbstractPollingConnectionlessIoAcceptor.java:407)
    at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.access$600(AbstractPollingConnectionlessIoAcceptor.java:56)
    at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor$Acceptor.run(AbstractPollingConnectionlessIoAcceptor.java:360)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    at java.lang.Thread.run(Thread.java:722)
[10:24:29] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Responding to request with error:
    explanatory text: KDC has no support for encryption type
    error code: 14
    clientPrincipal: null
    client time: null
    serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    server time: 20120830082429Z
[10:24:29] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /192.168.198.1:59026 SENT: org.apache.directory.server.kerberos.shared.messages.ErrorMessage@4fa7b2bf
[10:25:29] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /192.168.198.1:59026 CLOSED
--
Ivan Frain
11, route de Grenade
31530 Saint-Paul-sur-Save
mobile: +33 (0)6 52 52 47 07
Re: apacheds 1.5.7 kdc server problem on Mac OS X
Posted by Kiran Ayyagari <ka...@apache.org>.
Try after including the unlimited strength policy files [1]
[1] http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
On Thu, Aug 30, 2012 at 3:26 PM, Ivan Frain <iv...@gmail.com> wrote:
> Thanks for your quick answer!
>
> I switched to ApacheDS 2.0.0.M7.
> My first try also gave me the same answer on my kinit request.
> But I have changed my krb5.conf (see below) to allow a weak type
> (des-cbc-md5), thus the encryption type is supported now.
>
> And finally I was able to authenticate. Great!
>
> However, I still have the problem for strong types like aes256. Do you have
> any idea?
> It is not mandatory for me at the moment but it would be great if I
> could understand what's happening in that case.
>
> Thanks for your support.
>
> BR,
> Ivan
>
>
> ---- krb5.conf ----
> [libdefaults]
> default_realm = HADOOP.LAN
> allow_weak_crypto = true
> default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
> default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
> permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
>
> [realms]
> HADOOP.LAN = {
> kdc = mac.hadoop.lan:60088
> }
>
> [domain_realm]
> .hadoop.lan = HADOOP.LAN
> hadoop.lan = HADOOP.LAN
>
>
>
>
> 2012/8/30 Emmanuel Lécharny <el...@gmail.com>
>
>> On 8/30/12 10:31 AM, Ivan Frain wrote:
>>
>> Hi all,
>>>
>>> I am having trouble with the configuration of apacheDS kdcServer
>>> configuration.
>>> I am using apacheDS 1.5.7 from tar.gz archive and running on Mac OS X.
>>> My java version "1.7.0_05" 64 bits
>>>
>>> I have successfully started the server and kdcServer is up and running.
>>> I have configured the partition and set up one user. The krb5key was
>>> generated since I enabled the keyDerivation interceptor.
>>>
>>> The problem comes when I use kinit:
>>>
>>> $ kinit ifrain@HADOOP.LAN
>>> ifrain@HADOOP.LAN's Password:
>>> kinit: krb5_get_init_creds: KDC has no support for encryption type
>>>
>>>
>>> Any help would be much appreciated.
>>>
>>
>> Have you tried with the latest version, 2.0.0-M7 ?
>>
>> We have fixed *many* issues since 1.5.7, including kerberos bugs...
>>
>>
>> --
>> Regards,
>> Cordialement,
>> Emmanuel Lécharny
>> www.iktek.com
>>
>>
>
>
> --
> Ivan Frain
> 11, route de Grenade
> 31530 Saint-Paul-sur-Save
> mobile: +33 (0)6 52 52 47 07
--
Kiran Ayyagari
http://keydap.com
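Added example (not part of the original thread and not ApacheDS code): a simplified model of the enctype selection seen in the DEBUG log, combined with the JCE policy check that the unlimited strength suggestion is about. The class name EtypeCheck, the enctype-to-JCE mapping and the fallback KDC list are assumptions of this example; pass the KDC's configured encryption types as arguments.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;

public class EtypeCheck {
    // {Kerberos enctype name, JCE algorithm, key bits}. The names are those in the
    // thread; the JCE mapping is an assumption of this example.
    static final String[][] ETYPES = {
        {"aes256-cts-hmac-sha1-96", "AES", "256"},
        {"rc4-hmac", "RC4", "128"},
        {"aes128-cts-hmac-sha1-96", "AES", "128"},
        {"des3-cbc-sha1-kd", "DESede", "168"},
        {"des-cbc-md5", "DES", "56"},
    };

    // True when the installed JCE policy permits keys of this size.
    static boolean jvmAllows(String[] e) throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength(e[1]) >= Integer.parseInt(e[2]);
    }

    // First client-offered enctype that the KDC lists and the JVM can key.
    // Returns null when nothing matches: the "encryption type null" / error 14 case.
    static String select(List<String> offer, List<String> kdc)
            throws NoSuchAlgorithmException {
        for (String name : offer) {
            if (!kdc.contains(name)) continue;
            for (String[] e : ETYPES)
                if (e[0].equals(name) && jvmAllows(e)) return name;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Client offer copied from the AS_REQ in the DEBUG log.
        List<String> offer = Arrays.asList("aes256-cts-hmac-sha1-96", "rc4-hmac",
                "aes128-cts-hmac-sha1-96", "des3-cbc-sha1-kd");
        // KDC enctypes come from the command line; the fallback is a placeholder.
        List<String> kdc = args.length > 0 ? Arrays.asList(args)
                : Arrays.asList("des-cbc-md5");
        for (String[] e : ETYPES)
            System.out.printf("%-26s JVM policy allows: %b%n", e[0], jvmAllows(e));
        String chosen = select(offer, kdc);
        System.out.println("KDC enctypes: " + kdc);
        System.out.println(chosen != null ? "selected: " + chosen
                : "no common enctype -> KDC_ERR_ETYPE_NOSUPP (14)");
    }
}
```

On a JVM with the default limited-strength policy the aes256 line reports false; run it again after installing the policy files to confirm the change took effect.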
Re: apacheds 1.5.7 kdc server problem on Mac OS X
Posted by Ivan Frain <iv...@gmail.com>.
Thanks for your quick answer!
I switched to ApacheDS 2.0.0.M7.
My first try also gave me the same answer on my kinit request.
But I have changed my krb5.conf (see below) to allow a weak type
(des-cbc-md5), thus the encryption type is supported now.
And finally I was able to authenticate. Great!
However, I still have the problem for strong types like aes256. Do you have
any idea?
It is not mandatory for me at the moment but it would be great if I
could understand what's happening in that case.
Thanks for your support.
BR,
Ivan
---- krb5.conf ----
[libdefaults]
    default_realm = HADOOP.LAN
    allow_weak_crypto = true
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1

[realms]
    HADOOP.LAN = {
        kdc = mac.hadoop.lan:60088
    }

[domain_realm]
    .hadoop.lan = HADOOP.LAN
    hadoop.lan = HADOOP.LAN
2012/8/30 Emmanuel Lécharny <el...@gmail.com>
> On 8/30/12 10:31 AM, Ivan Frain wrote:
>
> Hi all,
>>
>> I am having trouble with the configuration of apacheDS kdcServer
>> configuration.
>> I am using apacheDS 1.5.7 from tar.gz archive and running on Mac OS X.
>> My java version "1.7.0_05" 64 bits
>>
>> I have successfully started the server and kdcServer is up and running.
>> I have configured the partition and set up one user. The krb5key was
>> generated since I enabled the keyDerivation interceptor.
>>
>> The problem comes when I use kinit:
>>
>> $ kinit ifrain@HADOOP.LAN
>> ifrain@HADOOP.LAN's Password:
>> kinit: krb5_get_init_creds: KDC has no support for encryption type
>>
>>
>> Any help would be much appreciated.
>>
>
> Have you tried with the latest version, 2.0.0-M7 ?
>
> We have fixed *many* issues since 1.5.7, including kerberos bugs...
>
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>
--
Ivan Frain
11, route de Grenade
31530 Saint-Paul-sur-Save
mobile: +33 (0)6 52 52 47 07
Re: apacheds 1.5.7 kdc server problem on Mac OS X
Posted by Emmanuel Lécharny <el...@gmail.com>.
On 8/30/12 10:31 AM, Ivan Frain wrote:
> Hi all,
>
> I am having trouble with the configuration of apacheDS kdcServer
> configuration.
> I am using apacheDS 1.5.7 from tar.gz archive and running on Mac OS X.
> My java version "1.7.0_05" 64 bits
>
> I have successfully started the server and kdcServer is up and running.
> I have configured the partition and set up one user. The krb5key was
> generated since I enabled the keyDerivation interceptor.
>
> The problem comes when I use kinit:
>
> $ kinit ifrain@HADOOP.LAN
> ifrain@HADOOP.LAN's Password:
> kinit: krb5_get_init_creds: KDC has no support for encryption type
>
>
> Any help would be much appreciated.
Have you tried with the latest version, 2.0.0-M7 ?
We have fixed *many* issues since 1.5.7, including kerberos bugs...
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com