Posted to users@directory.apache.org by Alexandre Beaupre <be...@hotmail.com> on 2014/02/02 22:16:30 UTC

Kerberos keys generation

Hi all,


I have recently downloaded ApacheDS 2.0.0-M15 to test Kerberos authentication and GSS-API.


I have tried following the Kerberos user guide, but I am unable to authenticate myself using kinit, I get

"krb_error 9 The client or server has a null key (9) - The client or server has a null key"




I exported the corresponding LDAP entry, and I got


dn: uid=hnelson,ou=Users,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: krb5KDCEntry
objectClass: person
objectClass: krb5Principal
objectClass: organizationalPerson
cn: Horatio Nelson
krb5KeyVersionNumber: 0
krb5PrincipalName: hnelson@EXAMPLE.COM
sn: Nelson
uid: hnelson




I’m guessing that my problem is that the krb5keys attributes are missing? However, the documentation states that they should be generated automatically… Is there a configuration I need to activate?


I’m using Apache Directory Studio and I have made sure that the "Enable Kerberos" box was checked and that all Encryption Types were checked under the Kerberos tab.


From older posts, I have seen references to configuring a keyDerivationInterceptor in a server.xml file, but I’m not sure if this applies to version 2.0.0 of ApacheDS, as I cannot find any server.xml file.


Can anybody give me a pointer as to why my krb5keys attributes are not generated?


Thank you very much!

Alexandre Beaupré

Re: Kerberos keys generation

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 2/4/14 2:45 AM, Alexandre Beaupre wrote:
> Thank you very much for the quick response!
>
> It turns out that for some reason KDC was not properly started.
> I have turned it off/on and restarted ApacheDS.
>
> Now I see the ApacheKDC logo on startup and the keys are properly generated.

Cool, so it works as expected :-)


-- 
Regards,
Emmanuel Lécharny
www.iktek.com 


RE: Kerberos keys generation

Posted by Alexandre Beaupre <be...@hotmail.com>.
Thank you very much for the quick response!

It turns out that for some reason KDC was not properly started.
I have turned it off/on and restarted ApacheDS.

Now I see the ApacheKDC logo on startup and the keys are properly generated.

Thank you very much!
Alexandre Beaupré

> Date: Mon, 3 Feb 2014 01:01:15 +0100
> From: elecharny@gmail.com
> To: users@directory.apache.org
> Subject: Re: Kerberos keys generation
> 
> Hi Alexandre,
> 
> Yes, the KeyDerivationInterceptor must be enabled. It should be done
> when you activate the Kerberos server (and if it's not the case, then
> it's a bug). You can activate it by changing the ads-enabled attribute
> from FALSE to TRUE in the
> ads-interceptorId=keyDerivationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> entry and restarting the server.

Re: Kerberos keys generation

Posted by Emmanuel Lécharny <el...@gmail.com>.
Hi Alexandre,

Yes, the KeyDerivationInterceptor must be enabled. It should be done
when you activate the Kerberos server (and if it's not the case, then
it's a bug). You can activate it by changing the ads-enabled attribute
from FALSE to TRUE in the
ads-interceptorId=keyDerivationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
entry and restarting the server.




-- 
Regards,
Emmanuel Lécharny
www.iktek.com
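
Added example, not part of the original thread and not ApacheDS code: a check over an LDIF export that lists Kerberos principals with no key material (the cause of the "null key" error above) and reports whether the keyDerivationInterceptor entry named in the reply is enabled. It assumes the export covers both the user entries and ou=config, that keys are stored in an attribute named krb5Key (the post calls it "krb5keys"), and it uses a hypothetical second user, jdoe, with a placeholder key value.

```python
import base64

# Constructed sample export. "krb5Key" is the assumed stored name of the key
# attribute (the post calls it "krb5keys"); the jdoe value is a placeholder.
SAMPLE_LDIF = """\
dn: uid=hnelson,ou=Users,dc=example,dc=com
objectClass: krb5KDCEntry
objectClass: krb5Principal
krb5KeyVersionNumber: 0
krb5PrincipalName: hnelson@EXAMPLE.COM

dn: uid=jdoe,ou=Users,dc=example,dc=com
objectClass: krb5Principal
krb5PrincipalName: jdoe@EXAMPLE.COM
krb5Key:: Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=

dn: ads-interceptorId=keyDerivationInterceptor,ou=interceptors,ads-directory
 ServiceId=default,ou=config
ads-enabled: FALSE
"""

def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per LDIF entry."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # undo line folding
    entries = []
    for block in text.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            binary = value.startswith(":")  # "attr:: <base64>" carries binary data
            value = base64.b64decode(value[1:].strip()) if binary else value.strip()
            entry.setdefault(name.lower(), []).append(value)
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit(text):
    """Return (principals without keys, interceptor enabled or None if absent)."""
    missing, enabled = [], None
    for e in parse_ldif(text):
        classes = {str(c).lower() for c in e.get("objectclass", [])}
        if "krb5principal" in classes and not e.get("krb5key"):
            missing.append(e.get("krb5principalname", e["dn"])[0])
        if str(e["dn"][0]).lower().startswith("ads-interceptorid=keyderivationinterceptor,"):
            enabled = str(e.get("ads-enabled", [""])[0]).upper() == "TRUE"
    return missing, enabled
```

On the constructed sample, audit(SAMPLE_LDIF) flags hnelson@EXAMPLE.COM and reports the interceptor as disabled. As the thread shows, keys only appear once the interceptor and the KDC are actually running.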