directory-api mailing list archives

From Vamsi Kondadasula <vamsikondadas...@apple.com>
Subject Issue : Creating KDC principals using Apache DS API
Date Fri, 30 Mar 2012 13:06:56 GMT
Hi,

We have a project requirement in which the Apache DS Java API is used to communicate
with a Heimdal KDC to create the principals.
We are using heimdal-1.5.2 and OpenLDAP as the back end for storing the principals.
We are able to add principals using add (of kadmin) and authenticate using kinit from the Terminal.

Please find the attached krb5.conf and source code.

Using the attached Java client code, I am able to create the Heimdal Kerberos principals in
OpenLDAP. The Krb5Keys are also generated.
But when I kinit (from the terminal) I get the error mentioned below.

Kindly provide us any solution for the problem.

sh-3.2# /usr/heimdal/bin/kinit sample@HELLO.COM
sample@HELLO.COM's Password:  <= apple
kinit: krb5_get_init_creds: KDC has no support for encryption type

The heimdal log during the kinit for the above principal (created using java code) is as follows:

2012-03-30T18:01:58 AS-REQ sample@HELLO.COM from IPv4:127.0.0.1 for krbtgt/HELLO.COM@HELLO.COM
2012-03-30T18:01:58 AS-REQ sample@HELLO.COM from IPv4:127.0.0.1 for krbtgt/HELLO.COM@HELLO.COM
2012-03-30T18:01:58 Client (sample@HELLO.COM) from IPv4:127.0.0.1 has no common enctypes with
KDC to use for the session key
2012-03-30T18:01:58 Client (sample@HELLO.COM) from IPv4:127.0.0.1 has no common enctypes with
KDC to use for the session key
2012-03-30T18:01:58 sending 124 bytes to IPv4:127.0.0.1
2012-03-30T18:01:58 sending 124 bytes to IPv4:127.0.0.1

The heimdal log during the kinit for the above principal (created using kadmin terminal) is
as follows:

2012-03-30T18:04:55 AS-REQ me100@HELLO.COM from IPv4:127.0.0.1 for krbtgt/HELLO.COM@HELLO.COM
2012-03-30T18:04:55 AS-REQ me100@HELLO.COM from IPv4:127.0.0.1 for krbtgt/HELLO.COM@HELLO.COM
2012-03-30T18:04:55 No preauth found, returning PREAUTH-REQUIRED -- me100@HELLO.COM
2012-03-30T18:04:55 No preauth found, returning PREAUTH-REQUIRED -- me100@HELLO.COM
2012-03-30T18:04:55 sending 255 bytes to IPv4:127.0.0.1
2012-03-30T18:04:55 sending 255 bytes to IPv4:127.0.0.1
2012-03-30T18:04:55 AS-REQ me100@HELLO.COM from IPv4:127.0.0.1 for krbtgt/HELLO.COM@HELLO.COM
2012-03-30T18:04:55 AS-REQ me100@HELLO.COM from IPv4:127.0.0.1 for krbtgt/HELLO.COM@HELLO.COM
2012-03-30T18:04:55 Client sent patypes: encrypted-timestamp
2012-03-30T18:04:55 Client sent patypes: encrypted-timestamp
2012-03-30T18:04:55 Looking for PKINIT pa-data -- me100@HELLO.COM
2012-03-30T18:04:55 Looking for PKINIT pa-data -- me100@HELLO.COM
2012-03-30T18:04:55 Looking for ENC-TS pa-data -- me100@HELLO.COM
2012-03-30T18:04:55 Looking for ENC-TS pa-data -- me100@HELLO.COM
2012-03-30T18:04:55 ENC-TS Pre-authentication succeeded -- me100@HELLO.COM using aes256-cts-hmac-sha1-96
2012-03-30T18:04:55 ENC-TS Pre-authentication succeeded -- me100@HELLO.COM using aes256-cts-hmac-sha1-96
2012-03-30T18:04:55 AS-REQ authtime: 2012-03-30T18:04:55 starttime: unset endtime: 2012-03-31T04:04:55
renew till: unset
2012-03-30T18:04:55 AS-REQ authtime: 2012-03-30T18:04:55 starttime: unset endtime: 2012-03-31T04:04:55
renew till: unset
2012-03-30T18:04:55 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96,
des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc, using
aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2012-03-30T18:04:55 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96,
des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc, using
aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2012-03-30T18:04:55 Requested flags: forwardable
2012-03-30T18:04:55 Requested flags: forwardable
2012-03-30T18:04:55 sending 628 bytes to IPv4:127.0.0.1
2012-03-30T18:04:55 sending 628 bytes to IPv4:127.0.0.1

Environment Details:
Operating System: Mac OS X - Snow Leopard.
Kerberos: heimdal-1.5.2
Back End for Kerberos: OpenLDAP 2.4.30
Apache DS API: apacheds-all-2.0.0-M6.jar

Info: The principal that was created using Heimdal (add of kadmin) is able to get tickets
with kinit; below are the details:
sh-3.2# /usr/heimdal/bin/kinit me100@HELLO.COM
me100@HELLO.COM's Password: 
sh-3.2# /usr/heimdal/bin/klist -5Afv
Credentials cache: API:0
       Principal: me100@HELLO.COM
   Cache version: 0
Server: krbtgt/HELLO.COM@HELLO.COM
Client: me100@HELLO.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 313
Auth time:  Mar 30 18:04:55 2012
End time:   Mar 31 04:04:55 2012
Ticket flags: pre-authent, initial, forwardable
Addresses: addressless


Below are the contents of the Java console log when the principals were created using the attached code:
Started the process
Schema Process Done
entryEntry
   dn: krb5PrincipalName=sample@HELLO.COM,ou=KerberosPrincipals,dc=example,dc=com
   objectClass: top
   objectClass: account
   objectClass: krb5Principal
   objectClass: krb5KDCEntry
   uid: sample
   krb5MaxRenew: 604800
   krb5KeyVersionNumber: 1
   krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x18 0x72 0xBF 0x9A 0xE2
...'
   krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0xF2 0xFB 0x13 0xD9 0x91
...'
   krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x5E 0xBE 0x7D 0xFA 0x07
...'
   krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0x46 0xAE 0xA1 0xD5 0x97
...'
   krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0xCF 0x89 0xBB 0xC2 0xFC
...'
   krb5MaxLife: 86400
   krb5PrincipalName: sample@HELLO.COM

Entry has been created
org.apache.directory.ldap.client.api.LdapNetworkConnection@75d709a5

Thanks,
Vamsi
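Added diagnostic example, not code from the original post, Apache DS or Heimdal: it decodes a krb5Key value of the shape printed in the console log above and reports whether it is a bare EncryptionKey or the hdb Key wrapper, then shows what the wrapped form looks like. It assumes the RFC 3961 definition EncryptionKey ::= SEQUENCE { keytype[0] INTEGER, keyvalue[1] OCTET STRING } and the Heimdal hdb.asn1 definition Key ::= SEQUENCE { mkvno[0] INTEGER OPTIONAL, key[1] EncryptionKey, salt[2] Salt OPTIONAL }; the 11 header bytes of SAMPLE_KEY are the ones logged for the first krb5Key (30 19 A0 03 02 01 11 A1 12 04 10), while the 16 key bytes are constructed placeholders, and the enctype names are the standard RFC 3961/3962/4757 assignments.

```python
# Added example (not Apache DS or Heimdal code): decode a krb5Key value and report its ASN.1 shape.
# Assumes EncryptionKey ::= SEQUENCE { keytype[0] INTEGER, keyvalue[1] OCTET STRING } and
# hdb Key ::= SEQUENCE { mkvno[0] INTEGER OPTIONAL, key[1] EncryptionKey, salt[2] Salt OPTIONAL }.

# ASN.1 header bytes as logged above for the aes128 key; the 16 key bytes are constructed placeholders.
SAMPLE_KEY = bytes.fromhex("3019a003020111a1120410") + bytes(range(16))
ENCTYPE_NAMES = {3: "des-cbc-md5", 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def sequence_items(data):
    """Split one DER SEQUENCE into its (tag, value) members."""
    tag, body, end = read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single DER SEQUENCE")
    items, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        items.append((t, v))
    return items

def classify_krb5key(data):
    """Return (shape, keytype, keylen): "EncryptionKey" when [1] holds an OCTET STRING
    (a bare key), "Key" when [1] holds a SEQUENCE (the hdb wrapper the KDC reads)."""
    items = dict(sequence_items(data))
    tag, value, _ = read_tlv(items[0xA1], 0)
    if tag == 0x04:  # keyvalue[1] OCTET STRING -> bare EncryptionKey
        _, keytype, _ = read_tlv(items[0xA0], 0)  # keytype[0] INTEGER
        return "EncryptionKey", int.from_bytes(keytype, "big"), len(value)
    if tag == 0x30:  # key[1] EncryptionKey -> hdb Key
        return ("Key",) + classify_krb5key(items[0xA1])[1:]
    raise ValueError(f"unexpected tag 0x{tag:02x} inside [1]")

def wrap_as_hdb_key(enc_key_der):
    """Wrap a bare EncryptionKey in the hdb Key SEQUENCE (no mkvno, no salt; short lengths only)."""
    if len(enc_key_der) > 125:
        raise ValueError("long-form DER lengths are not handled here")
    ctx1 = bytes([0xA1, len(enc_key_der)]) + enc_key_der
    return bytes([0x30, len(ctx1)]) + ctx1

def describe(data):
    shape, keytype, keylen = classify_krb5key(data)
    return f"{shape}: enctype {keytype} ({ENCTYPE_NAMES.get(keytype, '?')}), {keylen}-byte key"
```

Read under the hdb Key definition, a value that starts 30 19 A0 03 02 01 11 A1 12 04 10 parses as mkvno=17 followed by an OCTET STRING where a key[1] SEQUENCE is expected, so comparing the stored attribute against a kadmin-created entry's krb5Key is one concrete check when the KDC reports no common enctypes.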
