Posted to dev@directory.apache.org by Amila Jayasekara <am...@wso2.com> on 2010/09/06 05:02:01 UTC
Requesting TGT using Kinit when principle's password type is MD 5
Hi All,
I am using the Kerberos server which comes with apacheds. Currently I am
facing a strange problem with that. Let me explain the scenario in detail.
I am requesting a TGT using the "kinit" program. For this I am executing the
following command,
> kinit hnelson@EXAMPLE.COM
I was able to successfully retrieve a ticket when hnelson@EXAMPLE.COM's
password is plain text. But when I convert the principal's
(hnelson@EXAMPLE.COM) password type to MD5, I was not able to get the
ticket. I am getting an error saying "kinit: Password incorrect while
getting initial credentials".
aj@wso2:~/development/Tools/LDAP/apacheds-1.5.5$ kinit hnelson@EXAMPLE.COM
Password for hnelson@EXAMPLE.COM:
kinit: Password incorrect while getting initial credentials
Following, I have pasted the log output of the apacheds server for the above
request. According to the log output, the server has not encountered any
error and has successfully authenticated the principal. The response AS_REPLY
has also been sent back to the client. Now I am a bit confused about what has
gone wrong. Note that, for this particular case, I have disabled
pre-authentication on the server. I believe this has something to do with
the way the kinit program works. But I couldn't get more information from
kinit. Therefore I am not able to find any cause for this error.
I would be really grateful if someone could help me understand what has gone
wrong here.
Thanks
AmilaJ
==============================================================================================================================================================================================================
[07:44:26] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- /0:0:0:0:0:0:0:1:57572 CREATED: datagram
[07:44:26] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- /0:0:0:0:0:0:0:1:57572 OPENED
[07:44:26] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- /0:0:0:0:0:0:0:1:57572 RCVD:
org.apache.directory.server.kerberos.shared.messages.KdcRequest@2c3299f6
[07:44:26] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Received Authentication Service (AS) request:
messageType: AS_REQ
protocolVersionNumber: 5
clientAddress: 0:0:0:0:0:0:0:1
nonce: 1457316737
kdcOptions: FORWARDABLE PROXIABLE RENEWABLE_OK
clientPrincipal: hnelson@EXAMPLE.COM
serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
encryptionType: des-cbc-md5 (3), rc4-hmac (23),
aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), des-cbc-crc (1),
aes256-cts-hmac-sha1-96 (18), des-cbc-md4 (2)
realm: EXAMPLE.COM
from time: 20100906024426Z
till time: 20100907024426Z
renew-till time: null
hostAddresses: null
[07:44:26] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Session will use encryption type des-cbc-md5 (3).
[07:44:26] DEBUG
[org.apache.directory.server.kerberos.shared.store.operations.StoreUtils]
- Found entry ServerEntry
dn[n]: uid=hnelson,ou=Users,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: krb5Principal
objectClass: inetOrgPerson
objectClass: krb5KDCEntry
objectClass: top
uid: hnelson
sn: Nelson
krb5PrincipalName: hnelson@EXAMPLE.COM
krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08
0xC7 0x86 0x58 0x23 0x98 ...'
krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10
0xC6 0x4B 0xD6 0xFE 0x30 ...'
krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18
0x7A 0xB6 0x43 0x9D 0xF7 ...'
krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10
0x27 0xD9 0xE6 0xA4 0x66 ...'
krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20
0x4A 0xCE 0xDE 0xEC 0x20 ...'
krb5KeyVersionNumber: 7
cn: Horatio Nelson
userPassword: '0x7B 0x4D 0x44 0x35 0x7D 0x58 0x72 0x34 0x69 0x6C
0x4F 0x7A 0x51 0x34 0x50 0x43 ...'
for kerberos principal name hnelson@EXAMPLE.COM
[07:44:26] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Verifying using SAM subsystem.
[07:44:26] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Verifying using encrypted timestamp.
[07:44:26] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Entry for client principal hnelson@EXAMPLE.COM has no SAM type.
Proceeding with standard pre-authentication.
[07:44:26] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Pre-authentication by encrypted timestamp successful for
hnelson@EXAMPLE.COM.
[07:44:26] DEBUG
[org.apache.directory.server.kerberos.shared.store.operations.StoreUtils]
- Found entry ServerEntry
dn[n]: uid=krbtgt,ou=Users,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: krb5Principal
objectClass: inetOrgPerson
objectClass: krb5KDCEntry
objectClass: top
uid: krbtgt
sn: Service
userPassword: '0x73 0x65 0x63 0x72 0x65 0x74 '
krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20
0x25 0x07 0x25 0x68 0x76 ...'
krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10
0x87 0x8D 0x80 0x14 0x60 ...'
krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08
0x98 0x07 0x37 0x31 0xD9 ...'
krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18
0x0D 0x79 0x98 0x29 0x20 ...'
krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10
0x64 0xEB 0x5E 0xDE 0x49 ...'
krb5KeyVersionNumber: 0
cn: KDC Service
for kerberos principal name krbtgt/EXAMPLE.COM@EXAMPLE.COM
[07:44:27] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
[07:44:27] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Monitoring Authentication Service (AS) context:
clockSkew 300000
clientAddress /0:0:0:0:0:0:0:1
principal hnelson@EXAMPLE.COM
cn null
realm null
principal hnelson@EXAMPLE.COM
SAM type null
principal krbtgt/EXAMPLE.COM@EXAMPLE.COM
cn null
realm null
principal krbtgt/EXAMPLE.COM@EXAMPLE.COM
SAM type null
Request key type des-cbc-md5 (3)
Client key version 0
Server key version 0
[07:44:27] DEBUG
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Responding with Authentication Service (AS) reply:
messageType: AS_REP
protocolVersionNumber: 5
nonce: 1457316737
clientPrincipal: hnelson@EXAMPLE.COM
client realm: EXAMPLE.COM
serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
server realm: EXAMPLE.COM
auth time: 20100906024427Z
start time: null
end time: 20100907024426Z
renew-till time: null
hostAddresses: null
[07:44:27] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- /0:0:0:0:0:0:0:1:57572 SENT:
org.apache.directory.server.kerberos.shared.messages.AuthenticationReply@1a87ad67
Re: Requesting TGT using Kinit when principle's password type is MD 5
Posted by Amila Jayasekara <am...@wso2.com>.
Also, is it possible to achieve this (Kerberos authentication against
hashed passwords) by some other mechanism? Maybe by enabling
pre-authentication?
Thanks
AmilaJ
Amila Jayasekara wrote:
> Hi Stefan,
> Thank you very much for the reply.
> Will there be a new release with the support for hashed passwords in the
> near future?
> Thanks
> AmilaJ
>
> Stefan Seelmann wrote:
>>
>> Hi Amila,
>>
>> The current implementation requires a plain text password, because
>> the krb5 keys are derived from the password.
>>
>> Kind regards,
>> Stefan
>>
>> On Sep 6, 2010 5:02 AM, "Amila Jayasekara" <amilaj@wso2.com> wrote:
>> > Hi All,
>> > I am using the Kerberos server which comes with apacheds. Currently I am
>> > facing a strange problem with that. Let me explain the scenario in
>> > detail.
>> > I am requesting a TGT using the "kinit" program. For this I am executing
>> > the following command,
>> >
>> > > kinit hnelson@EXAMPLE.COM
>> >
>> > I was able to successfully retrieve a ticket when hnelson@EXAMPLE.COM's
>> > password is plain text. But when I convert the principal's
>> > (hnelson@EXAMPLE.COM) password type to MD5, I was not able to get the
>> > ticket. I am getting an error saying "kinit: Password incorrect while
>> > getting initial credentials".
>> >
>> > aj@wso2:~/development/Tools/LDAP/apacheds-1.5.5$ kinit hnelson@EXAMPLE.COM
>> > Password for hnelson@EXAMPLE.COM:
>> > kinit: Password incorrect while getting initial credentials
>> >
>> > Following, I have pasted the log output of the apacheds server for the
>> > above request. According to the log output, the server has not
>> > encountered any error and has successfully authenticated the principal.
>> > The response AS_REPLY has also been sent back to the client. Now I am a
>> > bit confused about what has gone wrong. Note that, for this particular
>> > case, I have disabled pre-authentication on the server. I believe this
>> > has something to do with the way the kinit program works. But I couldn't
>> > get more information from kinit. Therefore I am not able to find any
>> > cause for this error.
>> >
>> > I would be really grateful if someone could help me understand what has
>> > gone wrong here.
>> >
>> > Thanks
>> > AmilaJ
>> >
>> >
>
>
Re: Requesting TGT using Kinit when principle's password type is MD 5
Posted by Amila Jayasekara <am...@wso2.com>.
Hi Stefan,
Thank you. I will look into this. But first, I need to do some
stuff related to Kerberos with my current assignment. (For the moment a
plain text password is OK.) Once that is finished I will dig into this.
Thanks
AmilaJ
Stefan Seelmann wrote:
> Hi Amila,
>
> On Mon, Sep 6, 2010 at 9:33 AM, Amila Jayasekara <am...@wso2.com> wrote:
>
>> Hi Stefan,
>> Thank you very much for the reply.
>> Will there be a new release with the support for hashed passwords in the near
>> future?
>>
>
> The current plan is to release ApacheDS 2.0 first. After that we may
> work on Kerberos. However, that is only the plan of the current
> developers. If you are interested you are invited to jump in and
> contribute patches :-)
>
> Kind Regards,
> Stefan
>
>
Re: Requesting TGT using Kinit when principle's password type is MD 5
Posted by Stefan Seelmann <se...@apache.org>.
Hi Amila,
On Mon, Sep 6, 2010 at 9:33 AM, Amila Jayasekara <am...@wso2.com> wrote:
> Hi Stefan,
> Thank you very much for the reply.
> Will there be a new release with the support for hashed passwords in the near
> future?
The current plan is to release ApacheDS 2.0 first. After that we may
work on Kerberos. However, that is only the plan of the current
developers. If you are interested you are invited to jump in and
contribute patches :-)
Kind Regards,
Stefan
Re: Requesting TGT using Kinit when principle's password type is MD 5
Posted by Amila Jayasekara <am...@wso2.com>.
Hi Stefan,
Thank you very much for the reply.
Will there be a new release with the support for hashed passwords in the
near future?
Thanks
AmilaJ
Stefan Seelmann wrote:
>
> Hi Amila,
>
> The current implementation requires a plain text password, because the
> krb5 keys are derived from the password.
>
> Kind regards,
> Stefan
>
> On Sep 6, 2010 5:02 AM, "Amila Jayasekara" <amilaj@wso2.com> wrote:
> > Hi All,
> > I am using the Kerberos server which comes with apacheds. Currently I am
> > facing a strange problem with that. Let me explain the scenario in
> > detail.
> > I am requesting a TGT using the "kinit" program. For this I am executing
> > the following command,
> >
> > > kinit hnelson@EXAMPLE.COM
> >
> > I was able to successfully retrieve a ticket when hnelson@EXAMPLE.COM's
> > password is plain text. But when I convert the principal's
> > (hnelson@EXAMPLE.COM) password type to MD5, I was not able to get the
> > ticket. I am getting an error saying "kinit: Password incorrect while
> > getting initial credentials".
> >
> > aj@wso2:~/development/Tools/LDAP/apacheds-1.5.5$ kinit hnelson@EXAMPLE.COM
> > Password for hnelson@EXAMPLE.COM:
> > kinit: Password incorrect while getting initial credentials
> >
> > Following, I have pasted the log output of the apacheds server for the
> > above request. According to the log output, the server has not
> > encountered any error and has successfully authenticated the principal.
> > The response AS_REPLY has also been sent back to the client. Now I am a
> > bit confused about what has gone wrong. Note that, for this particular
> > case, I have disabled pre-authentication on the server. I believe this
> > has something to do with the way the kinit program works. But I couldn't
> > get more information from kinit. Therefore I am not able to find any
> > cause for this error.
> >
> > I would be really grateful if someone could help me understand what has
> > gone wrong here.
> >
> > Thanks
> > AmilaJ
> >
> >
>
Re: Requesting TGT using Kinit when principle's password type is MD 5
Posted by Stefan Seelmann <ma...@stefan-seelmann.de>.
Hi Amila,
The current implementation requires a plain text password, because the krb5
keys are derived from the password.
Kind regards,
Stefan
On Sep 6, 2010 5:02 AM, "Amila Jayasekara" <am...@wso2.com> wrote:
> Hi All,
> I am using the Kerberos server which comes with apacheds. Currently I am
> facing a strange problem with that. Let me explain the scenario in detail.
> I am requesting a TGT using the "kinit" program. For this I am executing
> the following command,
>
> > kinit hnelson@EXAMPLE.COM
>
> I was able to successfully retrieve a ticket when hnelson@EXAMPLE.COM's
> password is plain text. But when I convert the principal's
> (hnelson@EXAMPLE.COM) password type to MD5, I was not able to get the
> ticket. I am getting an error saying "kinit: Password incorrect while
> getting initial credentials".
>
> aj@wso2:~/development/Tools/LDAP/apacheds-1.5.5$ kinit hnelson@EXAMPLE.COM
> Password for hnelson@EXAMPLE.COM:
> kinit: Password incorrect while getting initial credentials
>
> Following, I have pasted the log output of the apacheds server for the
> above request. According to the log output, the server has not encountered
> any error and has successfully authenticated the principal. The response
> AS_REPLY has also been sent back to the client. Now I am a bit confused
> about what has gone wrong. Note that, for this particular case, I have
> disabled pre-authentication on the server. I believe this has something to
> do with the way the kinit program works. But I couldn't get more
> information from kinit. Therefore I am not able to find any cause for this
> error.
>
> I would be really grateful if someone could help me understand what has
> gone wrong here.
>
> Thanks
> AmilaJ
>
>
>
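Stefan's answer (the krb5 keys are derived from the password, so the KDC needs the plaintext) is easiest to see in code. The Go program below is an added example written for this page; it is not ApacheDS or MIT Kerberos code. It implements the RFC 3962 string-to-key for aes128-cts-hmac-sha1-96, one of the etypes the AS_REQ in the log offers, together with the RFC 3961 n-fold it depends on, and next to it builds the RFC 2307 `{MD5}` form of userPassword, which is what the hnelson entry in the log holds (the first bytes of its userPassword, 7B 4D 44 35 7D, spell "{MD5}"). kinit derives its key from the typed password exactly this way; a KDC that stores only an MD5 digest has no input for string2key, and an AS_REP encrypted under any other key fails to decrypt on the client, which MIT kinit reports as "Password incorrect while getting initial credentials". The password "changeit", the use of the RFC 4120 default salt (realm followed by the principal components) and the RFC 3962 default iteration count of 4096 are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha1"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"math/big"
)

// rotateRight rotates a big-endian bit string right by nbits (RFC 3961 n-fold helper).
// byte() keeps the low 8 bits, so with bitShift 0 the prev term contributes nothing.
func rotateRight(in []byte, nbits int) []byte {
	n := len(in)
	byteShift, bitShift := (nbits/8)%n, uint(nbits%8)
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		src := ((i-byteShift)%n + n) % n
		prev := (src + n - 1) % n
		out[i] = byte(uint16(in[src])>>bitShift | uint16(in[prev])<<(8-bitShift))
	}
	return out
}

// onesComplementAdd adds two n-byte strings with end-around carry, as n-fold requires.
func onesComplementAdd(a, b []byte) []byte {
	n := len(a)
	mod := new(big.Int).Lsh(big.NewInt(1), uint(8*n))
	sum := new(big.Int).Add(new(big.Int).SetBytes(a), new(big.Int).SetBytes(b))
	if sum.Cmp(mod) >= 0 { // the carry out of the top bit wraps around into bit 0
		sum.Sub(sum, mod).Add(sum, big.NewInt(1))
	}
	return sum.FillBytes(make([]byte, n))
}

// nfold is the RFC 3961 n-fold: concatenate successive 13-bit right rotations up to
// lcm(len, nbytes) bytes, then one's-complement-add the nbytes-sized chunks.
func nfold(in []byte, nbytes int) []byte {
	lcm := nbytes
	for lcm%len(in) != 0 {
		lcm += nbytes
	}
	buf := make([]byte, 0, lcm)
	for i := 0; i < lcm/len(in); i++ {
		buf = append(buf, rotateRight(in, 13*i)...)
	}
	out := buf[:nbytes]
	for p := nbytes; p < lcm; p += nbytes {
		out = onesComplementAdd(out, buf[p:p+nbytes])
	}
	return out
}

// pbkdf2SHA1 is PBKDF2 (RFC 2898) with HMAC-SHA1, the PRF RFC 3962 specifies.
func pbkdf2SHA1(password, salt []byte, iterations, dklen int) []byte {
	var out []byte
	for b := 1; len(out) < dklen; b++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(b >> 24), byte(b >> 16), byte(b >> 8), byte(b)}) // INT(b)
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			mac = hmac.New(sha1.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t { t[j] ^= u[j] }
		}
		out = append(out, t...)
	}
	return out[:dklen]
}

// aes128String2Key is the RFC 3962 string-to-key for aes128-cts-hmac-sha1-96 (etype 17):
// key = DK(PBKDF2(password, salt, iterations, 16), "kerberos"); for a 16-byte key DK is
// a single AES block encryption of 128-fold("kerberos").
func aes128String2Key(password, salt string, iterations int) []byte {
	tkey := pbkdf2SHA1([]byte(password), []byte(salt), iterations, 16)
	block, _ := aes.NewCipher(tkey) // tkey is always 16 bytes, so this cannot fail
	key := make([]byte, 16)
	block.Encrypt(key, nfold([]byte("kerberos"), 16))
	return key
}

// ldapMD5 builds an RFC 2307 style "{MD5}<base64>" userPassword value, the form whose
// leading bytes 7B 4D 44 35 7D appear in the log's hnelson entry.
func ldapMD5(password string) string {
	sum := md5.Sum([]byte(password))
	return "{MD5}" + base64.StdEncoding.EncodeToString(sum[:])
}

func main() {
	const password = "changeit"       // constructed sample, not a password from the thread
	salt := "EXAMPLE.COM" + "hnelson" // RFC 4120 default salt: realm, then principal components
	key := aes128String2Key(password, salt, 4096) // 4096 iterations is the RFC 3962 default
	fmt.Printf("etype 17 key kinit derives for hnelson@EXAMPLE.COM: %s\n", hex.EncodeToString(key))
	fmt.Printf("what a hashed userPassword gives the KDC instead:  %s\n", ldapMD5(password))
}
```

Two caveats on scope: the session in the log actually negotiated des-cbc-md5 (3), whose string-to-key is the older DES algorithm of RFC 3961 section 6.2 and is not implemented here, and the one-block DK shortcut is only valid for the 128-bit key; aes256-cts-hmac-sha1-96 (18) needs two CBC-chained blocks. The ASN.1 krb5Key values in the log are exactly such derived keys stored per etype (the byte after `0x02 0x01` in each is the etype number), which is why a directory that keeps only an MD5 digest cannot produce or refresh them.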