Posted to dev@directory.apache.org by kumar r <ra...@gmail.com> on 2015/03/06 12:01:48 UTC

Kerberos issue - reg

Hi,
   I have installed ApacheDS 2.0.0-M19, and I could successfully create users
and groups using LDAP. When I enable Kerberos, it couldn't authenticate from
Apache Studio or the kinit command. When trying to get a ticket using the kinit
command, I am getting an "Integrity check on decrypted field failed" exception.
When I use an invalid principal, it shows "client not found". It seems that
it could contact the KDC server in ApacheDS, but it might be an encryption
problem. I checked these on Windows 8. I referred to many links but was unable
to find the solution. I found two Jira issues related to this problem:
https://issues.apache.org/jira/browse/DIRSERVER-1821
https://issues.apache.org/jira/browse/DIRSTUDIO-992
  I have created the krbtgt and ldap services as described in
https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html.
  Can you please tell me how to solve this problem?

Thanks,
R.Kumar

Re: Kerberos issue - reg

Posted by "R.Kumar" <ra...@gmail.com>.
Zheng, Kai <ka...@...> writes:

>
> Did you run kinit on Linux with the MIT Kerberos client package installed? Or
> are you running a Java-provided kinit command?
>
> The issue might be related to this issue:
> http://bugs.java.com/bugdatabase/view_bug.do?bug_id=7067974
>
> This is possible because ApacheDS currently relies on the JRE for its
> encryption support. Similar issues like this have been complained about quite
> a lot, if you’d like to google it. Unfortunately, no plain solution is clear
> to me. One stupid way to work around this would be to disable preauth, if the
> ApacheDS server allows that via configuration.
>
> By the way, we will check compatibility between Kerby and MIT Kerberos/MS AD
> and keep such issues in mind. With such aspects resolved, we would enhance
> ApacheDS by leveraging the Kerby library if the server still desires to embed
> a KDC server. But this won’t happen so soon, so it may not help you at this
> time.
>
> Regards,
> Kai
>
> From: kumar r [mailto:rajkumar9880 <at> gmail.com]
> Sent: Friday, March 06, 2015 7:02 PM
> To: dev <at> directory.apache.org; users <at> directory.apache.org
> Subject: Kerberos issue - reg
>
> Hi,
>    I have installed ApacheDS 2.0.0-M19, and I could successfully create users
> and groups using LDAP. When I enable Kerberos, it couldn't authenticate from
> Apache Studio or the kinit command. When trying to get a ticket using the
> kinit command, I am getting an "Integrity check on decrypted field failed"
> exception. When I use an invalid principal, it shows "client not found". It
> seems that it could contact the KDC server in ApacheDS, but it might be an
> encryption problem. I checked these on Windows 8. I referred to many links
> but was unable to find the solution. I found two Jira issues related to this
> problem:
> https://issues.apache.org/jira/browse/DIRSERVER-1821
> https://issues.apache.org/jira/browse/DIRSTUDIO-992
>   I have created the krbtgt and ldap services as described in
> https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html.
>   Can you please tell me how to solve this problem?
> Thanks,
> R.Kumar
>


Thanks, Kai. I run the kinit command provided by Java on a Windows 8 machine.
But I could successfully get a ticket and authenticate with Kerberos when using
Windows Server Active Directory. Is there any way to use ApacheDS as the KDC on
Windows successfully instead of Active Directory?

Thanks,
R.Kumar

RE: Kerberos issue - reg

Posted by "Zheng, Kai" <ka...@intel.com>.
Did you run kinit on Linux with the MIT Kerberos client package installed? Or are you running a Java-provided kinit command?

The issue might be related to this issue:
http://bugs.java.com/bugdatabase/view_bug.do?bug_id=7067974

This is possible because ApacheDS currently relies on the JRE for its encryption support. Similar issues like this have been complained about quite a lot, if you’d like to google it. Unfortunately, no plain solution is clear to me. One stupid way to work around this would be to disable preauth, if the ApacheDS server allows that via configuration.

By the way, we will check compatibility between Kerby and MIT Kerberos/MS AD and keep such issues in mind. With such aspects resolved, we would enhance ApacheDS by leveraging the Kerby library if the server still desires to embed a KDC server. But this won’t happen so soon, so it may not help you at this time.

Regards,
Kai

From: kumar r [mailto:rajkumar9880@gmail.com]
Sent: Friday, March 06, 2015 7:02 PM
To: dev@directory.apache.org; users@directory.apache.org
Subject: Kerberos issue - reg

Hi,
   I have installed ApacheDS 2.0.0-M19, and I could successfully create users and groups using LDAP. When I enable Kerberos, it couldn't authenticate from Apache Studio or the kinit command. When trying to get a ticket using the kinit command, I am getting an "Integrity check on decrypted field failed" exception. When I use an invalid principal, it shows "client not found". It seems that it could contact the KDC server in ApacheDS, but it might be an encryption problem. I checked these on Windows 8. I referred to many links but was unable to find the solution. I found two Jira issues related to this problem:
https://issues.apache.org/jira/browse/DIRSERVER-1821
https://issues.apache.org/jira/browse/DIRSTUDIO-992
  I have created the krbtgt and ldap services as described in https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html.
  Can you please tell me how to solve this problem?
Thanks,
R.Kumar
