Posted to kerby@directory.apache.org by Yu Wei <yu...@hotmail.com> on 2017/01/17 08:13:27 UTC

Failed to setup kerberos with Apache DS

Hi Guys,

I tried to set up Apache DS with the Kerberos server enabled.

After creating the entry by following the Apache DS document "Kerberos User guide", I got the following exception when trying to create a connection with Apache Directory Studio.

The authentication failed
 - javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31) - Integrity check on decrypted field failed
  org.apache.directory.api.ldap.model.exception.LdapException: javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31) - Integrity check on decrypted field failed
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1671)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1557)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:436)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1163)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:449)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:295)
    at org.apache.directory.studio.connection.core.jobs.CheckBindRunnable.run(CheckBindRunnable.java:79)
    at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:127)
    at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:119)
Caused by: javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31) - Integrity check on decrypted field failed
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1658)
    ... 8 more
Caused by: KrbException: Integrity check on decrypted field failed (31) - Integrity check on decrypted field failed
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:82)
    at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
    at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:766)
    ... 21 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
    at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
    at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
    ... 24 more

  javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31) - Integrity check on decrypted field failed



Then I tried again with kinit and got another error, as below:

[dcos@mesos-ds apacheds-2.0.0-M23]$ sudo kinit krbtest
Password for krbtest@ISTUARY.COM:
kinit: Password incorrect while getting initial credentials


How could I fix this problem?


Another question is about krb5Key. I created the entry and set the password with Apache Directory Studio, and the krb5Key was generated successfully. Where are the krb5Key values stored?



Thanks,

Jared, (韦煜)
Software developer
Interested in open source software, big data, Linux

Re: Failed to setup kerberos with Apache DS

Posted by Yu Wei <yu...@hotmail.com>.
Stefan,


My problem was fixed with your advice.


Thanks very much for the information.



Thanks,

Jared, (韦煜)
Software developer
Interested in open source software, big data, Linux

________________________________
From: Stefan Seelmann <ma...@stefan-seelmann.de>
Sent: Wednesday, January 18, 2017 3:41:46 AM
To: users@directory.apache.org
Subject: Re: Failed to setup kerberos with Apache DS

On 01/17/2017 09:13 AM, Yu Wei wrote:
> Hi Guys,
>
> I tried to set up Apache DS with the Kerberos server enabled.
>
> After creating the entry by following the Apache DS document "Kerberos User guide", I got the following exception when trying to create a connection with Apache Directory Studio.
>
>   javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31) - Integrity check on decrypted field failed
>
> Then I tried again with kinit and got another error, as below:
>
> [dcos@mesos-ds apacheds-2.0.0-M23]$ sudo kinit krbtest
> Password for krbtest@ISTUARY.COM:
> kinit: Password incorrect while getting initial credentials

Sounds like a password problem:

Please verify that the password you use for authentication is the same
you used when you created the entry.

For entry creation the password must be plain text (but password hash
interceptor will SSHA hash it by default)

Please make sure that the key derivation interceptor is enabled. If it
is enabled then the entry you imported has 5 krb5Key attributes that
were derived from the password. When you configured ApacheDS via the
Studio configuration editor (as described on [1]) the interceptor is
enabled by default. You can verify by checking entry [2], ads-enabled
must not be "false" (either true or absent).

Kind Regards,
Stefan


[1]
https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html
[2]
ads-interceptorId=keyDerivationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config






Re: Failed to setup kerberos with Apache DS

Posted by Stefan Seelmann <ma...@stefan-seelmann.de>.
On 01/17/2017 09:13 AM, Yu Wei wrote:
> Hi Guys,
> 
> I tried to set up Apache DS with the Kerberos server enabled.
> 
> After creating the entry by following the Apache DS document "Kerberos User guide", I got the following exception when trying to create a connection with Apache Directory Studio.
> 
>   javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31) - Integrity check on decrypted field failed
> 
> Then I tried again with kinit and got another error, as below:
> 
> [dcos@mesos-ds apacheds-2.0.0-M23]$ sudo kinit krbtest
> Password for krbtest@ISTUARY.COM:
> kinit: Password incorrect while getting initial credentials

Sounds like a password problem:

Please verify that the password you use for authentication is the same
you used when you created the entry.

For entry creation the password must be plain text (but password hash
interceptor will SSHA hash it by default)

Please make sure that the key derivation interceptor is enabled. If it
is enabled then the entry you imported has 5 krb5Key attributes that
were derived from the password. When you configured ApacheDS via the
Studio configuration editor (as described on [1]) the interceptor is
enabled by default. You can verify by checking entry [2], ads-enabled
must not be "false" (either true or absent).

Kind Regards,
Stefan


[1]
https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html
[2]
ads-interceptorId=keyDerivationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
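To make Stefan's two checks repeatable, here is an added example (not code from the thread or from ApacheDS) that parses LDIF, such as unfolded ldapsearch output, for the interceptor entry [2] and the imported principal entry, applying the rule that ads-enabled must not be "false" (true or absent is fine) and the expectation of 5 krb5Key attributes. The sample LDIF, the user DN and the krb5Key values are constructed; only the interceptor DN comes from the reply above.

```python
import re
from collections import defaultdict

# DN of the key derivation interceptor entry, as given in reference [2].
INTERCEPTOR_DN = ("ads-interceptorId=keyDerivationInterceptor,ou=interceptors,"
                  "ads-directoryServiceId=default,ou=config")
# Constructed DN of the test principal (placeholder, not from the thread).
USER_DN = "uid=krbtest,ou=users,dc=example,dc=com"

# Constructed LDIF standing in for what ldapsearch would return for both entries.
# The interceptor entry has no ads-enabled attribute, i.e. it is enabled; the
# krb5Key values are placeholder base64, not real Kerberos keys.
SAMPLE_LDIF = f"""\
dn: {INTERCEPTOR_DN}
objectClass: ads-interceptor
ads-interceptorId: keyDerivationInterceptor

dn: {USER_DN}
objectClass: krb5KDCEntry
uid: krbtest
krb5PrincipalName: krbtest@EXAMPLE.COM
krb5Key:: MCAwAA==
krb5Key:: MCAwAQ==
krb5Key:: MCAwAg==
krb5Key:: MCAwAw==
krb5Key:: MCAwBA==
"""

def parse_ldif(text):
    """Map each entry's DN to {lowercased attribute: [values]}; handles 'attr: v' and 'attr:: b64'."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, _, rest = line.partition(":")
            attrs[name.strip().lower()].append(rest.lstrip(": "))
        entries[attrs["dn"][0]] = attrs
    return entries

def interceptor_enabled(entry):
    """ads-enabled must not be 'false'; 'true' or an absent attribute both count as enabled."""
    return not any(v.strip().lower() == "false" for v in entry.get("ads-enabled", []))

def check(ldif_text, interceptor_dn=INTERCEPTOR_DN, user_dn=USER_DN, expected_keys=5):
    """Return a list of problems; an empty list means both of Stefan's checks pass."""
    entries, problems = parse_ldif(ldif_text), []
    inter = entries.get(interceptor_dn)
    if inter is None:
        problems.append("interceptor entry not found")
    elif not interceptor_enabled(inter):
        problems.append("keyDerivationInterceptor is disabled (ads-enabled: false)")
    user = entries.get(user_dn)
    if user is None:
        problems.append("user entry not found")
    elif len(user.get("krb5key", [])) != expected_keys:
        problems.append(f"expected {expected_keys} krb5Key values, found {len(user['krb5key'])}")
    return problems

if __name__ == "__main__":
    print(check(SAMPLE_LDIF) or "ok: interceptor enabled and 5 krb5Key values present")
```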






Re: Failed to setup kerberos with Apache DS

Posted by Yu Wei <yu...@hotmail.com>.
I only created the connection via Apache Directory Studio after the LDAP server and Kerberos server were started.

However, this step failed.


Thanks,


________________________________
From: Emmanuel Lécharny <el...@gmail.com>
Sent: Tuesday, January 17, 2017 5:55:07 PM
To: users@directory.apache.org
Subject: Re: Failed to setup kerberos with Apache DS



On 17/01/2017 at 10:19, Yu Wei wrote:
> I used openjdk-1.8.0 and installed jce.
>
> [dcos@mesos-ds security]$ pwd
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.111-2.b15.el7_3.x86_64/jre/lib/security
> [dcos@mesos-ds security]$ ls -al
> total 64
> drwxr-xr-x. 2 root root  4096 1月  17 17:00 .
> drwxr-xr-x. 9 root root  4096 12月 21 13:55 ..
> -rw-r--r--. 1 root root  1273 11月 22 04:46 blacklisted.certs
> lrwxrwxrwx. 1 root root    41 12月 21 13:55 cacerts -> ../../../../../../../etc/pki/java/cacerts
> -rw-r--r--. 1 root root  2466 11月 22 04:46 java.policy
> -rw-r--r--. 1 root root 26712 1月   1 2014 java.security
> -rw-rw-r--. 1 root root  3035 12月 21 2013 local_policy.jar
> -rw-r--r--. 1 root root   556 1月   1 2014 local_policy.jar.bak
> -rw-r--r--. 1 root root   141 11月 22 04:54 nss.cfg
> -rw-rw-r--. 1 root root  3023 12月 21 2013 US_export_policy.jar
> -rw-r--r--. 1 root root   538 1月   1 2014 US_export_policy.jar.bak
>
>
> Then I still got the same error when running the test.
>
>
> Do I need to reinstall LDAP/Kerberos server? Or other advice?

Ok. What tool do you use to test the service ?

--
Emmanuel Lecharny

Symas.com
directory.apache.org


Re: Failed to setup kerberos with Apache DS

Posted by Emmanuel Lécharny <el...@gmail.com>.

On 17/01/2017 at 10:19, Yu Wei wrote:
> I used openjdk-1.8.0 and installed jce.
>
> [dcos@mesos-ds security]$ pwd
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.111-2.b15.el7_3.x86_64/jre/lib/security
> [dcos@mesos-ds security]$ ls -al
> total 64
> drwxr-xr-x. 2 root root  4096 1月  17 17:00 .
> drwxr-xr-x. 9 root root  4096 12月 21 13:55 ..
> -rw-r--r--. 1 root root  1273 11月 22 04:46 blacklisted.certs
> lrwxrwxrwx. 1 root root    41 12月 21 13:55 cacerts -> ../../../../../../../etc/pki/java/cacerts
> -rw-r--r--. 1 root root  2466 11月 22 04:46 java.policy
> -rw-r--r--. 1 root root 26712 1月   1 2014 java.security
> -rw-rw-r--. 1 root root  3035 12月 21 2013 local_policy.jar
> -rw-r--r--. 1 root root   556 1月   1 2014 local_policy.jar.bak
> -rw-r--r--. 1 root root   141 11月 22 04:54 nss.cfg
> -rw-rw-r--. 1 root root  3023 12月 21 2013 US_export_policy.jar
> -rw-r--r--. 1 root root   538 1月   1 2014 US_export_policy.jar.bak
>
>
> Then I still got the same error when running the test.
>
>
> Do I need to reinstall LDAP/Kerberos server? Or other advice?

Ok. What tool do you use to test the service ?

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org


Re: Failed to setup kerberos with Apache DS

Posted by Yu Wei <yu...@hotmail.com>.
I used openjdk-1.8.0 and installed jce.

[dcos@mesos-ds security]$ pwd
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.111-2.b15.el7_3.x86_64/jre/lib/security
[dcos@mesos-ds security]$ ls -al
total 64
drwxr-xr-x. 2 root root  4096 1月  17 17:00 .
drwxr-xr-x. 9 root root  4096 12月 21 13:55 ..
-rw-r--r--. 1 root root  1273 11月 22 04:46 blacklisted.certs
lrwxrwxrwx. 1 root root    41 12月 21 13:55 cacerts -> ../../../../../../../etc/pki/java/cacerts
-rw-r--r--. 1 root root  2466 11月 22 04:46 java.policy
-rw-r--r--. 1 root root 26712 1月   1 2014 java.security
-rw-rw-r--. 1 root root  3035 12月 21 2013 local_policy.jar
-rw-r--r--. 1 root root   556 1月   1 2014 local_policy.jar.bak
-rw-r--r--. 1 root root   141 11月 22 04:54 nss.cfg
-rw-rw-r--. 1 root root  3023 12月 21 2013 US_export_policy.jar
-rw-r--r--. 1 root root   538 1月   1 2014 US_export_policy.jar.bak


Then I still got the same error when running the test.


Do I need to reinstall LDAP/Kerberos server? Or other advice?


Thanks,

Jared

________________________________
From: Emmanuel Lécharny <el...@gmail.com>
Sent: Tuesday, January 17, 2017 4:30:36 PM
To: kerby@directory.apache.org
Subject: Re: Failed to setup kerberos with Apache DS



On 17/01/2017 at 09:13, Yu Wei wrote:
> KrbException: Identifier doesn't match expected value (906)

Most certainly the cipher in use is not accepted, or not supported. It
may depend on the JVM you are using, or you also have to install the JCE
extension, that brings AES 256, which is not installed in the default JDK.

--
Emmanuel Lecharny

Symas.com
directory.apache.org


Re: Failed to setup kerberos with Apache DS

Posted by Emmanuel Lécharny <el...@gmail.com>.

On 17/01/2017 at 09:13, Yu Wei wrote:
> KrbException: Identifier doesn't match expected value (906)

Most certainly the cipher in use is not accepted, or not supported. It
may depend on the JVM you are using, or you also have to install the JCE
extension, that brings AES 256, which is not installed in the default JDK.

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org