Posted to dev@directory.apache.org by Leo Li <li...@gmail.com> on 2007/10/23 10:57:29 UTC

[kerberos client]Problem to obtain TGT from KDC.

Hi, all

   I am trying to connect to KDC to get a TGT by:
   String hostname = "wks107904wss.cn.ibm.com";
   int port = 88;
   KdcConnection con = new KdcConnection( hostname + ":" + port );
   KerberosTicket tgt = con.getTicketGrantingTicket( clientPrincipal, password );

   But it fails with this stack trace:
   Exception in thread "main" org.apache.directory.client.kerberos.KdcConnectionException: BAD_ENCRYPTION_TYPE
at org.apache.directory.client.kerberos.GetTicketGrantingTicket.processError(GetTicketGrantingTicket.java:167)
at org.apache.directory.client.kerberos.GetTicketGrantingTicket.execute(GetTicketGrantingTicket.java:153)
at org.apache.directory.client.kerberos.KdcConnection.getTicketGrantingTicket(KdcConnection.java:118)
at org.apache.directory.client.kerberos.KdcConnection.getTicketGrantingTicket(KdcConnection.java:101)
at org.apache.directory.client.kerberos.Main.go(Main.java:62)
at org.apache.directory.client.kerberos.Main.main(Main.java:55)


  And on the KDC side, the server has this log:
  Oct 23 16:12:28 wks107904wss.cn.ibm.com krb5kdc[2304](info) : AS_REQ(1 etypes{3}) 9.181.106.61:BAD_ENCRYPTION_TYPE:leo@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, KDC has no support for encryption type

  The KDC is provided by Red Hat Enterprise 5 with the default setup configuration.

  And if I try the same program on the machine where the KDC resides and
run it with "localhost" as the host parameter, it gets a null TGT, and
the KDC log shows no further entries, as if no Kerberos request had been
sent to the KDC.

  Can somebody help?

  Thanks,

-- 
Leo Li
China Software Development Lab, IBM

Re: [kerberos client]Problem to obtain TGT from KDC.

Posted by Enrique Rodriguez <en...@gmail.com>.
On 10/30/07, Leo Li <li...@gmail.com> wrote:
> ...
>    Thanks, Enrique.
>    I found it is not the problem with ApacheDS's Kerberos client but
> in fact the KDC I used: all other encrypt types can work except
> des-cbc-md5. :)
>    So could you tell me what is the "long form of the ApacheDS Kerberos
> client component" which can specify the encrypt type?

Long form is described here:

http://cwiki.apache.org/confluence/display/DIRxSBOX/Draft+-+Kerberos+client+components

There is a controls object (modeled after JNDI controls) that allows
you to set less commonly used parameters.  I thought this might help
keep the API simple for the common cases.  Feedback about the API is
appreciated.

Enrique

Re: [kerberos client]Problem to obtain TGT from KDC.

Posted by Leo Li <li...@gmail.com>.
On 10/29/07, Enrique Rodriguez <en...@gmail.com> wrote:
> On 10/25/07, Leo Li <li...@gmail.com> wrote:
> > ...
> >          Besides, the successful kinit has such log for REQ:
> >          AS_REQ (7 etypes {18 17 16 23 1 3 2}). It has the "7" type
> > for REQ rather than the "1" type. Does it make some difference?
> >          Can somebody help?
>
> Hi, Leo,
>
> I need to fire up MIT Kerberos to try to reproduce this.  The ApacheDS
> Kerberos client component has only been tested against ApacheDS
> itself, so it's entirely possible we have an interop problem.  Our
> client is pre-alpha.  Let me get back to you.
>
   Thanks, Enrique.
   I found it is not the problem with ApacheDS's Kerberos client but
in fact the KDC I used: all other encrypt types can work except
des-cbc-md5. :)
   So could you tell me what is the "long form of the ApacheDS Kerberos
client component" which can specify the encrypt type?

   Thanks,
   Leo.


> Enrique
>


-- 
Leo Li
China Software Development Lab, IBM

Re: [kerberos client]Problem to obtain TGT from KDC.

Posted by Enrique Rodriguez <en...@gmail.com>.
On 10/25/07, Leo Li <li...@gmail.com> wrote:
> ...
>          Besides, the successful kinit has such log for REQ:
>          AS_REQ (7 etypes {18 17 16 23 1 3 2}). It has the "7" type
> for REQ rather than the "1" type. Does it make some difference?
>          Can somebody help?

Hi, Leo,

I need to fire up MIT Kerberos to try to reproduce this.  The ApacheDS
Kerberos client component has only been tested against ApacheDS
itself, so it's entirely possible we have an interop problem.  Our
client is pre-alpha.  Let me get back to you.

Enrique

Re: [kerberos client]Problem to obtain TGT from KDC.

Posted by Leo Li <li...@gmail.com>.
On 10/25/07, Leo Li <li...@gmail.com> wrote:
> On 10/25/07, Enrique Rodriguez <en...@gmail.com> wrote:
> > Hi, Leo,
> >
> > This looks like an MIT Kerberos configuration issue.  The MIT KDC is
> > responding that it is not configured to use encryption type 3
> > (DES-CBC-MD5).  The client is simply reporting the error returned by
> > the KDC.  I recommend reviewing MIT Kerberos server documentation.
> > Alternatively, you can use the "long form" of the ApacheDS Kerberos
> > client component to try to use an enc type that is supported by
> > default by MIT Kerberos KDC.
> >
>    Hi, Enrique,
>
>         Thank you for your help.
>         But after I looked at the kdc.conf, it has
>
>         [kdcdefaults]
>         acl_file = /var/kerberos/krb5kdc/kadm5.acl
>         dict_file = /usr/share/dict/words
>         admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>         v4_mode = nopreauth
>
>        [realms]
>        EXAMPLE.COM = {
>        #master_key_type = des3-hmac-sha1
>        supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
>        des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
>        des-cbc-crc:v4 des-cbc-crc:afs3
>        }
>
>       So from the configuration, des-cbc-md5 seems to have been acknowledged.

         Besides, the successful kinit has such log for REQ:
         AS_REQ (7 etypes {18 17 16 23 1 3 2}). It has the "7" type
for REQ rather than the "1" type. Does it make some difference?
         Can somebody help?
         Thanks in advance.



-- 
Leo Li
China Software Development Lab, IBM
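As an added illustration (not code from this thread, from ApacheDS or from MIT krb5), here is a Python parser for the krb5kdc AS_REQ lines quoted above, paired with a simplified model of the KDC's etype choice that shows why an offer of only etype 3 can end in BAD_ENCRYPTION_TYPE while kinit's seven-etype offer is served. The KDC etype set and the ISSUE-style line are assumptions constructed for the example.

```python
import re

# Etype numbers from the Kerberos registry (RFC 3961/3962/4757); the names
# are the MIT krb5 spellings used in the kdc.conf on this page.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
SINGLE_DES = {1, 2, 3}  # 56-bit DES etypes, long deprecated

# Matches both spellings seen in the thread: "AS_REQ(1 etypes{3}) 9.181.106.61:
# BAD_ENCRYPTION_TYPE:..." and "AS_REQ (7 etypes {18 17 16 23 1 3 2}) ...".
AS_REQ_RE = re.compile(
    r"AS_REQ\s*\(\s*(\d+)\s+etypes\s*\{([\d ]+)\}\)(?:\s+(\S+?):\s*([A-Z_]+):)?"
)

def parse_as_req(line):
    """Etype list, client address and KDC status of one krb5kdc AS_REQ line."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    etypes = [int(x) for x in m.group(2).split()]
    return {
        "count": int(m.group(1)),
        "etypes": etypes,
        "names": [ETYPE_NAMES.get(e, "etype-%d" % e) for e in etypes],
        "client": m.group(3),
        "status": m.group(4),
        # a request offering nothing but single DES is worth flagging on its own
        "des_only": all(e in SINGLE_DES for e in etypes),
    }

def select_etype(offered, kdc_can_serve):
    """KDC side of AS_REQ etype negotiation, simplified: the first etype the
    client offered that the KDC can serve wins; with no overlap the KDC answers
    KDC_ERR_ETYPE_NOSUPP, which krb5kdc logs as BAD_ENCRYPTION_TYPE."""
    for e in offered:
        if e in kdc_can_serve:
            return e
    return None

# Constructed samples: the failing line from the thread plus a kinit-style ISSUE
# line; the assumed KDC etype set (no single DES) is an illustration only.
FAILING = ("Oct 23 16:12:28 wks107904wss.cn.ibm.com krb5kdc[2304](info) : "
           "AS_REQ(1 etypes{3}) 9.181.106.61:BAD_ENCRYPTION_TYPE:leo@EXAMPLE.COM "
           "for krbtgt/EXAMPLE.COM@EXAMPLE.COM, KDC has no support for encryption type")
KINIT = ("krb5kdc[2304](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) "
         "9.181.106.61: ISSUE: leo@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM")
ASSUMED_KDC_ETYPES = {18, 17, 16, 23}
```

Running `select_etype(parse_as_req(FAILING)["etypes"], ASSUMED_KDC_ETYPES)` yields None (the error case), while the kinit offer resolves to etype 18.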

Re: [kerberos client]Problem to obtain TGT from KDC.

Posted by Leo Li <li...@gmail.com>.
On 10/25/07, Enrique Rodriguez <en...@gmail.com> wrote:
> Hi, Leo,
>
> This looks like an MIT Kerberos configuration issue.  The MIT KDC is
> responding that it is not configured to use encryption type 3
> (DES-CBC-MD5).  The client is simply reporting the error returned by
> the KDC.  I recommend reviewing MIT Kerberos server documentation.
> Alternatively, you can use the "long form" of the ApacheDS Kerberos
> client component to try to use an enc type that is supported by
> default by MIT Kerberos KDC.
>
   Hi, Enrique,

        Thank you for your help.
        But after I looked at the kdc.conf, it has

        [kdcdefaults]
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        dict_file = /usr/share/dict/words
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
        v4_mode = nopreauth

       [realms]
       EXAMPLE.COM = {
       #master_key_type = des3-hmac-sha1
       supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
       des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
       des-cbc-crc:v4 des-cbc-crc:afs3
       }

      So from the configuration, des-cbc-md5 seems to have been acknowledged.

> Enrique


-- 
Leo Li
China Software Development Lab, IBM

Re: [kerberos client]Problem to obtain TGT from KDC.

Posted by Enrique Rodriguez <en...@gmail.com>.
Hi, Leo,

This looks like an MIT Kerberos configuration issue.  The MIT KDC is
responding that it is not configured to use encryption type 3
(DES-CBC-MD5).  The client is simply reporting the error returned by
the KDC.  I recommend reviewing MIT Kerberos server documentation.
Alternatively, you can use the "long form" of the ApacheDS Kerberos
client component to try to use an enc type that is supported by
default by MIT Kerberos KDC.

Enrique
