From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: Issue : Creating KDC principals using Apache DS API
Date Fri, 30 Mar 2012 13:12:43 GMT
Hi,

can you please avoid spreading the same mail to all the possible mailing
lists?

Thanks!


On 3/30/12 3:06 PM, Vamsi Kondadasula wrote:
> Hi,
>
> We have a project requirement in which the Apache DS Java API is used to
> communicate with a Heimdal KDC to create the principals.
> We are using heimdal-1.5.2 and Open LDAP as the back end for storing the principals.
> We are able to add principals using *add* (of kadmin) and authenticate using
> kinit from Terminal.
>
> Please find the attached krb5.conf and source code.
>
>
> Using the attached Java client code we are able to create the Heimdal Kerberos
> principals in Open LDAP. Even the Krb5Keys are generated.
> But when I run *kinit* (from terminal) I get the error mentioned below.
>
> Kindly provide us any solution for the problem.
>
> sh-3.2# /usr/heimdal/bin/kinit sample@HELLO.COM
> sample@HELLO.COM's Password: <= apple
> kinit: krb5_get_init_creds: KDC has no support for encryption type
>
> *The heimdal log during the kinit for the above principal (created using java
> code) is as follows:*
>
> 2012-03-30T18:01:58 AS-REQ sample@HELLO.COM from IPv4:127.0.0.1 for krbtgt/HELLO.COM@HELLO.COM
> 2012-03-30T18:01:58 AS-REQ sample@HELLO.COM from IPv4:127.0.0.1 for krbtgt/HELLO.COM@HELLO.COM
> 2012-03-30T18:01:58 Client (sample@HELLO.COM) from IPv4:127.0.0.1 has no common enctypes with KDC to use for the session key
> 2012-03-30T18:01:58 Client (sample@HELLO.COM) from IPv4:127.0.0.1 has no common enctypes with KDC to use for the session key
> 2012-03-30T18:01:58 sending 124 bytes to IPv4:127.0.0.1
> 2012-03-30T18:01:58 sending 124 bytes to IPv4:127.0.0.1
>
> *The heimdal log during the kinit for the above principal (created using kadmin
> terminal) is as follows:*
> 2012-03-30T18:04:55 AS-REQ me100@HELLO.COM from IPv4:127.0.0.1 for krbtgt/HELLO.COM@HELLO.COM
> 2012-03-30T18:04:55 AS-REQ me100@HELLO.COM from IPv4:127.0.0.1 for krbtgt/HELLO.COM@HELLO.COM
> 2012-03-30T18:04:55 No preauth found, returning PREAUTH-REQUIRED -- me100@HELLO.COM
> 2012-03-30T18:04:55 No preauth found, returning PREAUTH-REQUIRED -- me100@HELLO.COM
> 2012-03-30T18:04:55 sending 255 bytes to IPv4:127.0.0.1
> 2012-03-30T18:04:55 sending 255 bytes to IPv4:127.0.0.1
> 2012-03-30T18:04:55 AS-REQ me100@HELLO.COM from IPv4:127.0.0.1 for krbtgt/HELLO.COM@HELLO.COM
> 2012-03-30T18:04:55 AS-REQ me100@HELLO.COM from IPv4:127.0.0.1 for krbtgt/HELLO.COM@HELLO.COM
> 2012-03-30T18:04:55 Client sent patypes: encrypted-timestamp
> 2012-03-30T18:04:55 Client sent patypes: encrypted-timestamp
> 2012-03-30T18:04:55 Looking for PKINIT pa-data -- me100@HELLO.COM
> 2012-03-30T18:04:55 Looking for PKINIT pa-data -- me100@HELLO.COM
> 2012-03-30T18:04:55 Looking for ENC-TS pa-data -- me100@HELLO.COM
> 2012-03-30T18:04:55 Looking for ENC-TS pa-data -- me100@HELLO.COM
> 2012-03-30T18:04:55 ENC-TS Pre-authentication succeeded -- me100@HELLO.COM using aes256-cts-hmac-sha1-96
> 2012-03-30T18:04:55 ENC-TS Pre-authentication succeeded -- me100@HELLO.COM using aes256-cts-hmac-sha1-96
> 2012-03-30T18:04:55 AS-REQ authtime: 2012-03-30T18:04:55 starttime: unset endtime: 2012-03-31T04:04:55 renew till: unset
> 2012-03-30T18:04:55 AS-REQ authtime: 2012-03-30T18:04:55 starttime: unset endtime: 2012-03-31T04:04:55 renew till: unset
> 2012-03-30T18:04:55 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> 2012-03-30T18:04:55 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> 2012-03-30T18:04:55 Requested flags: forwardable
> 2012-03-30T18:04:55 Requested flags: forwardable
> 2012-03-30T18:04:55 sending 628 bytes to IPv4:127.0.0.1
> 2012-03-30T18:04:55 sending 628 bytes to IPv4:127.0.0.1
>
> *Environment Details:*
> Operating System: Mac OS X - Snow Leopard.
> Kerberos: heimdal-1.5.2
> Back End for Kerberos: Open LDAP 2.4.30
> Apache DS API: apacheds-all-2.0.0-M6.jar
>
> Info: the principal created using Heimdal (*add* of kadmin) is able to get
> tickets with *kinit*; the details are below:
> sh-3.2# /usr/heimdal/bin/*kinit* me100@HELLO.COM
> me100@HELLO.COM's Password:
> sh-3.2# /usr/heimdal/bin/*klist* -5Afv
> Credentials cache: API:0
> Principal: me100@HELLO.COM
> Cache version: 0
> Server: krbtgt/HELLO.COM@HELLO.COM
> Client: me100@HELLO.COM
> Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
> Ticket length: 313
> Auth time: Mar 30 18:04:55 2012
> End time: Mar 31 04:04:55 2012
> Ticket flags: pre-authent, initial, forwardable
> Addresses: addressless
>
>
> Below are the contents of the Java console log when the principals were created
> using the attached code:
> Started the process
> Schema Process Done
> entryEntry
> dn: krb5PrincipalName=sample@HELLO.COM,ou=KerberosPrincipals,dc=example,dc=com
> objectClass: top
> objectClass: account
> objectClass: krb5Principal
> objectClass: krb5KDCEntry
> uid: sample
> krb5MaxRenew: 604800
> krb5KeyVersionNumber: 1
> krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x18 0x72 0xBF
> 0x9A 0xE2 ...'
> krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0xF2 0xFB 0x13
> 0xD9 0x91 ...'
> krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x5E 0xBE 0x7D
> 0xFA 0x07 ...'
> krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0x46 0xAE 0xA1
> 0xD5 0x97 ...'
> krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0xCF 0x89 0xBB
> 0xC2 0xFC ...'
> krb5MaxLife: 86400
> krb5PrincipalName: sample@HELLO.COM
>
> Entry has been created
> org.apache.directory.ldap.client.api.LdapNetworkConnection@75d709a5
>
> Thanks,
> Vamsi


-- 
Regards,
Kind regards,
Emmanuel Lécharny
www.iktek.com
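Added example, not from this thread and not code from ApacheDS or Heimdal. The krb5Key values in the quoted console log all begin with 0x30 len 0xA0 0x03 0x02 0x01 <enctype> 0xA1 len 0x04 len, which is a bare RFC 4120 EncryptionKey (SEQUENCE { keytype[0] INTEGER, keyvalue[1] OCTET STRING }); the enctype bytes 0x11, 0x10, 0x17, 0x03 and 0x12 are aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-md5 and aes256-cts-hmac-sha1-96. Heimdal's hdb.asn1 defines the krb5Key attribute as Key ::= SEQUENCE { mkvno[0] INTEGER OPTIONAL, key[1] EncryptionKey, salt[2] Salt OPTIONAL }, so the EncryptionKey sits one level deeper there. That this layout difference is what makes the KDC log "no common enctypes" for the ApacheDS-created principal is my reading of the log, not something the thread establishes; the script decodes both layouts so the entry written by the Java client and the entry written by kadmin can be compared byte for byte. Every key byte beyond the five the log shows is constructed filler, and all function names are my own.

```python
# Added example (not from the thread): decode the DER bytes ApacheDS prints
# for krb5Key and compare their layout with Heimdal's hdb `Key` type.

# Enctype numbers (RFC 3961/4120 registry) for the key types seen in the
# thread's console log and kinit output.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}

def der_encode_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, value):
    """Build one DER TLV (tag, length, value)."""
    return bytes([tag]) + der_encode_len(len(value)) + value

def der_read_tlv(buf, pos=0):
    """Read the TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end

def der_children(value):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read_tlv(value, pos)
        yield tag, inner

def build_encryption_key(keytype, keyvalue):
    """EncryptionKey ::= SEQUENCE { keytype[0] INTEGER, keyvalue[1] OCTET STRING }
    (RFC 4120); this is the layout the ApacheDS console log shows."""
    kt = der_tlv(0x02, keytype.to_bytes(1, "big"))   # enctypes here are < 128
    return der_tlv(0x30, der_tlv(0xA0, kt) + der_tlv(0xA1, der_tlv(0x04, keyvalue)))

def wrap_as_heimdal_key(enc_key_der):
    """Key ::= SEQUENCE { mkvno[0] INTEGER OPTIONAL, key[1] EncryptionKey,
    salt[2] Salt OPTIONAL } (Heimdal hdb.asn1); mkvno and salt omitted here."""
    return der_tlv(0x30, der_tlv(0xA1, enc_key_der))

def inspect_krb5key(der):
    """Return {'layout', 'keytype', 'enctype'} for a krb5Key value in either layout."""
    tag, body, end = der_read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("krb5Key is not a single DER SEQUENCE")
    fields = dict(der_children(body))
    if 0xA1 not in fields:
        raise ValueError("krb5Key has no [1] field")
    inner_tag, inner = next(der_children(fields[0xA1]))
    if inner_tag == 0x30:                   # [1] is a nested SEQUENCE: Heimdal Key
        layout, enc_fields = "heimdal-key", dict(der_children(inner))
    elif inner_tag == 0x04:                 # [1] is the raw OCTET STRING: bare EncryptionKey
        layout, enc_fields = "bare-encryptionkey", fields
    else:
        raise ValueError("unrecognised krb5Key layout")
    t, kt_bytes = next(der_children(enc_fields[0xA0]))
    if t != 0x02:
        raise ValueError("keytype is not an INTEGER")
    keytype = int.from_bytes(kt_bytes, "big", signed=True)
    return {"layout": layout, "keytype": keytype,
            "enctype": ENCTYPE_NAMES.get(keytype, "unknown(%d)" % keytype)}

def enctypes_of(krb5keys):
    """Enctype names carried by a list of krb5Key values, in order."""
    return [inspect_krb5key(k)["enctype"] for k in krb5keys]

# Constructed sample: the console log shows only the first five key bytes of the
# aes128 key (0x18 0x72 0xBF 0x9A 0xE2); the remaining bytes are filler, as are
# the key bytes of the other four entries.  Key lengths follow the enctypes.
SAMPLE_AES128 = build_encryption_key(17, bytes.fromhex("1872bf9ae2") + b"\x00" * 11)
SAMPLE_KEYS = [SAMPLE_AES128] + [build_encryption_key(kt, b"\x11" * n)
                                 for kt, n in ((16, 24), (23, 16), (3, 8), (18, 32))]

if __name__ == "__main__":
    for k in SAMPLE_KEYS:
        print(k[:11].hex(" "), inspect_krb5key(k))
    print(inspect_krb5key(wrap_as_heimdal_key(SAMPLE_AES128)))
```

To apply it to the real entries, read the krb5Key attribute back from OpenLDAP for both sample@HELLO.COM and me100@HELLO.COM (ldapsearch returns binary values base64-encoded) and pass the decoded bytes to inspect_krb5key; if the ApacheDS-created entry decodes as bare-encryptionkey while the kadmin-created one decodes as heimdal-key, the keys written by the Java client are not in the structure the Heimdal KDC reads, and the rewrap shown by wrap_as_heimdal_key (plus whatever salt the kadmin entry carries) is the shape to aim for.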

