Posted to api@directory.apache.org by Vamsi Kondadasula <va...@apple.com> on 2012/03/30 15:06:56 UTC

Issue : Creating KDC principals using Apache DS API

Hi,

We have a project requirement in which the Apache DS Java API is used to communicate with a Heimdal KDC to create the principals.
We are using heimdal-1.5.2 and OpenLDAP as the back end for storing the principals.
We are able to add principals using add (of kadmin) and authenticate using kinit from the Terminal.

Please find the attached krb5.conf and source code.

Using the attached Java client code we are able to create the Heimdal Kerberos principals in OpenLDAP. Even the krb5Keys are generated.
But when I kinit (from the terminal) I get the error mentioned below.

Kindly provide us with a solution for the problem.

sh-3.2# /usr/heimdal/bin/kinit sample@HELLO.COM
sample@HELLO.COM's Password:  <= apple
kinit: krb5_get_init_creds: KDC has no support for encryption type

The Heimdal log during the kinit for the above principal (created using the Java code) is as follows:

2012-03-30T18:01:58 AS-REQ sample@HELLO.COM from IPv4:127.0.0.1 for krbtgt/HELLO.COM@HELLO.COM
2012-03-30T18:01:58 AS-REQ sample@HELLO.COM from IPv4:127.0.0.1 for krbtgt/HELLO.COM@HELLO.COM
2012-03-30T18:01:58 Client (sample@HELLO.COM) from IPv4:127.0.0.1 has no common enctypes with KDC to use for the session key
2012-03-30T18:01:58 Client (sample@HELLO.COM) from IPv4:127.0.0.1 has no common enctypes with KDC to use for the session key
2012-03-30T18:01:58 sending 124 bytes to IPv4:127.0.0.1
2012-03-30T18:01:58 sending 124 bytes to IPv4:127.0.0.1

The Heimdal log during the kinit for the above principal (created using the kadmin terminal) is as follows:

2012-03-30T18:04:55 AS-REQ me100@HELLO.COM from IPv4:127.0.0.1 for krbtgt/HELLO.COM@HELLO.COM
2012-03-30T18:04:55 AS-REQ me100@HELLO.COM from IPv4:127.0.0.1 for krbtgt/HELLO.COM@HELLO.COM
2012-03-30T18:04:55 No preauth found, returning PREAUTH-REQUIRED -- me100@HELLO.COM
2012-03-30T18:04:55 No preauth found, returning PREAUTH-REQUIRED -- me100@HELLO.COM
2012-03-30T18:04:55 sending 255 bytes to IPv4:127.0.0.1
2012-03-30T18:04:55 sending 255 bytes to IPv4:127.0.0.1
2012-03-30T18:04:55 AS-REQ me100@HELLO.COM from IPv4:127.0.0.1 for krbtgt/HELLO.COM@HELLO.COM
2012-03-30T18:04:55 AS-REQ me100@HELLO.COM from IPv4:127.0.0.1 for krbtgt/HELLO.COM@HELLO.COM
2012-03-30T18:04:55 Client sent patypes: encrypted-timestamp
2012-03-30T18:04:55 Client sent patypes: encrypted-timestamp
2012-03-30T18:04:55 Looking for PKINIT pa-data -- me100@HELLO.COM
2012-03-30T18:04:55 Looking for PKINIT pa-data -- me100@HELLO.COM
2012-03-30T18:04:55 Looking for ENC-TS pa-data -- me100@HELLO.COM
2012-03-30T18:04:55 Looking for ENC-TS pa-data -- me100@HELLO.COM
2012-03-30T18:04:55 ENC-TS Pre-authentication succeeded -- me100@HELLO.COM using aes256-cts-hmac-sha1-96
2012-03-30T18:04:55 ENC-TS Pre-authentication succeeded -- me100@HELLO.COM using aes256-cts-hmac-sha1-96
2012-03-30T18:04:55 AS-REQ authtime: 2012-03-30T18:04:55 starttime: unset endtime: 2012-03-31T04:04:55 renew till: unset
2012-03-30T18:04:55 AS-REQ authtime: 2012-03-30T18:04:55 starttime: unset endtime: 2012-03-31T04:04:55 renew till: unset
2012-03-30T18:04:55 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2012-03-30T18:04:55 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2012-03-30T18:04:55 Requested flags: forwardable
2012-03-30T18:04:55 Requested flags: forwardable
2012-03-30T18:04:55 sending 628 bytes to IPv4:127.0.0.1
2012-03-30T18:04:55 sending 628 bytes to IPv4:127.0.0.1

Environment Details:
Operating System: Mac OS X - Snow Leopard.
Kerberos: heimdal-1.5.2
Back End for Kerberos: OpenLDAP 2.4.30
Apache DS API: apacheds-all-2.0.0-M6.jar

Info: the principal that was created using Heimdal (add of kadmin) is able to get tickets with kinit, and below are the details:
sh-3.2# /usr/heimdal/bin/kinit me100@HELLO.COM
me100@HELLO.COM's Password: 
sh-3.2# /usr/heimdal/bin/klist -5Afv
Credentials cache: API:0
       Principal: me100@HELLO.COM
   Cache version: 0
Server: krbtgt/HELLO.COM@HELLO.COM
Client: me100@HELLO.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 313
Auth time:  Mar 30 18:04:55 2012
End time:   Mar 31 04:04:55 2012
Ticket flags: pre-authent, initial, forwardable
Addresses: addressless


Below are the contents of the Java console log when creating principals using the attached code:
Started the process
Schema Process Done
entryEntry
   dn: krb5PrincipalName=sample@HELLO.COM,ou=KerberosPrincipals,dc=example,dc=com
   objectClass: top
   objectClass: account
   objectClass: krb5Principal
   objectClass: krb5KDCEntry
   uid: sample
   krb5MaxRenew: 604800
   krb5KeyVersionNumber: 1
   krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x18 0x72 0xBF 0x9A 0xE2 ...'
   krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0xF2 0xFB 0x13 0xD9 0x91 ...'
   krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x5E 0xBE 0x7D 0xFA 0x07 ...'
   krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0x46 0xAE 0xA1 0xD5 0x97 ...'
   krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0xCF 0x89 0xBB 0xC2 0xFC ...'
   krb5MaxLife: 86400
   krb5PrincipalName: sample@HELLO.COM

Entry has been created
org.apache.directory.ldap.client.api.LdapNetworkConnection@75d709a5

Thanks,
Vamsi
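
A structural decoder for the krb5Key values in the console dump above, added here as an example; it is not part of the original thread, nor code from the Apache DS or Heimdal projects. Heimdal's LDAP backend stores each krb5Key value as the DER encoding of the hdb `Key` type from hdb.asn1, `SEQUENCE { mkvno[0] INTEGER OPTIONAL, key[1] EncryptionKey, salt[2] Salt OPTIONAL }`, where `EncryptionKey` is itself `SEQUENCE { keytype[0] INTEGER, keyvalue[1] OCTET STRING }`. The decoder reads only the DER headers that survive the truncated dump, so it can say which of the two layouts a value uses, which enctype number it carries and whether the declared key length fits that enctype. When a KDC answers "no common enctypes" for a principal whose entry visibly holds five keys, confirming that the stored values are in the layout the KDC parses is a cheap first check. The five values are embedded exactly as the dump prints them; the aes256 key built with `encode_encryption_key` at the end is constructed for illustration, and the function names are this example's own.

```python
import re

# Enctype numbers from RFC 3961 / RFC 3962 / RFC 4757 with the raw key size in bytes.
ENCTYPES = {
    1: ("des-cbc-crc", 8),
    2: ("des-cbc-md4", 8),
    3: ("des-cbc-md5", 8),
    16: ("des3-cbc-sha1", 24),
    17: ("aes128-cts-hmac-sha1-96", 16),
    18: ("aes256-cts-hmac-sha1-96", 32),
    23: ("arcfour-hmac-md5", 16),
}

# The five krb5Key values exactly as the Apache DS console dump in the post prints
# them; each is truncated with "..." so only the DER headers are usable.
LOGGED_KEYS = [
    "0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x18 0x72 0xBF 0x9A 0xE2 ...",
    "0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0xF2 0xFB 0x13 0xD9 0x91 ...",
    "0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x5E 0xBE 0x7D 0xFA 0x07 ...",
    "0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0x46 0xAE 0xA1 0xD5 0x97 ...",
    "0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0xCF 0x89 0xBB 0xC2 0xFC ...",
]


def to_bytes(value):
    """Accept raw DER bytes or a '0x30 0x19 ...' dump (a trailing '...' is ignored)."""
    if isinstance(value, (bytes, bytearray)):
        return bytes(value)
    return bytes(int(tok, 16) for tok in re.findall(r"0x[0-9A-Fa-f]{2}", value))


def read_tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, length, offset of the value)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                       # long form: n length bytes follow
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def parse_encryption_key_body(data, pos):
    """Parse 'keytype[0] INTEGER, keyvalue[1] OCTET STRING' starting at pos and
    return (keytype, declared key length); the key bytes themselves are not read,
    so a truncated dump is enough."""
    ctx, _, pos = read_tlv(data, pos)
    if ctx != 0xA0:
        raise ValueError("expected [0] keytype")
    itag, ilen, pos = read_tlv(data, pos)
    if itag != 0x02:
        raise ValueError("keytype is not an INTEGER")
    keytype = int.from_bytes(data[pos:pos + ilen], "big", signed=True)
    ctx, _, pos = read_tlv(data, pos + ilen)
    if ctx != 0xA1:
        raise ValueError("expected [1] keyvalue")
    otag, olen, _ = read_tlv(data, pos)
    if otag != 0x04:
        raise ValueError("keyvalue is not an OCTET STRING")
    return keytype, olen


def decode_krb5key_prefix(value):
    """Classify a krb5Key value as a Heimdal hdb Key or a bare EncryptionKey and
    report the enctype it carries and whether the key length fits that enctype."""
    data = to_bytes(value)
    tag, _, body = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("krb5Key must be a SEQUENCE")
    # Step past an optional leading [0] INTEGER (keytype or mkvno) to the [1] element.
    ctx, _, pos = read_tlv(data, body)
    if ctx == 0xA0:
        _, ilen, pos = read_tlv(data, pos)
        ctx, _, pos = read_tlv(data, pos + ilen)
    if ctx != 0xA1:
        raise ValueError("expected [1] element")
    inner_tag, _, inner = read_tlv(data, pos)
    if inner_tag == 0x30:
        # [1] wraps a SEQUENCE: hdb Key { mkvno[0], key[1] EncryptionKey, salt[2] }
        layout, (keytype, keylen) = "hdb Key", parse_encryption_key_body(data, inner)
    elif inner_tag == 0x04:
        # [1] wraps an OCTET STRING: the whole value is a bare EncryptionKey
        layout, (keytype, keylen) = "EncryptionKey", parse_encryption_key_body(data, body)
    else:
        raise ValueError("unrecognised krb5Key layout")
    name, expected = ENCTYPES.get(keytype, ("unknown", None))
    return {"layout": layout, "keytype": keytype, "enctype": name,
            "key_len": keylen, "key_len_ok": keylen == expected}


def audit_logged_keys():
    """Decode every krb5Key value from the console dump in the post."""
    return [decode_krb5key_prefix(k) for k in LOGGED_KEYS]


# Minimal DER writer, used only to construct an hdb Key for comparison.
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_int(v):
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def encode_encryption_key(keytype, keyvalue):
    """EncryptionKey ::= SEQUENCE { keytype[0] INTEGER, keyvalue[1] OCTET STRING }"""
    return der(0x30, der(0xA0, der_int(keytype)) + der(0xA1, der(0x04, keyvalue)))


def wrap_as_hdb_key(enc_key_der, mkvno=None):
    """hdb Key ::= SEQUENCE { mkvno[0] INTEGER OPTIONAL, key[1] EncryptionKey }
    (the optional salt[2] is left out here)."""
    body = der(0xA0, der_int(mkvno)) if mkvno is not None else b""
    return der(0x30, body + der(0xA1, enc_key_der))


if __name__ == "__main__":
    for entry in audit_logged_keys():
        print(entry)
    # Constructed aes256 entry with an all-zero key, for illustration only.
    print(decode_krb5key_prefix(wrap_as_hdb_key(encode_encryption_key(18, bytes(32)), mkvno=1)))
```

Run as-is, the five dumped values decode as keytypes 17, 16, 23, 3 and 18 with key lengths that match those enctypes, and each has an OCTET STRING directly under its [1] element, which is the shape of a bare EncryptionKey rather than of the hdb Key wrapper the decoder recognises for the constructed value. Whether that is what makes this KDC reject every key is an assumption to verify against the Heimdal version in use; the decoder only makes the difference visible.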

Re: Issue : Creating KDC principals using Apache DS API

Posted by Emmanuel Lécharny <el...@gmail.com>.
Hi,

Can you please avoid spreading the same mail to all the possible mailing
lists?

Thanks !



-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com