directory-dev mailing list archives

From "Leo Li" <liyilei1...@gmail.com>
Subject Re: [kerberos client]Problem to obtain TGT from KDC.
Date Thu, 25 Oct 2007 03:56:19 GMT
On 10/25/07, Enrique Rodriguez <enriquer9@gmail.com> wrote:
> Hi, Leo,
>
> This looks like an MIT Kerberos configuration issue.  The MIT KDC is
> responding that it is not configured to use encryption type 3
> (DES-CBC-MD5).  The client is simply reporting the error returned by
> the KDC.  I recommend reviewing MIT Kerberos server documentation.
> Alternatively, you can use the "long form" of the ApacheDS Kerberos
> client component to try to use an enc type that is supported by
> default by MIT Kerberos KDC.
>
   Hi, Enrique,

        Thank you for your help.
        But when I look at kdc.conf, it has:

        [kdcdefaults]
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        dict_file = /usr/share/dict/words
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
        v4_mode = nopreauth

        [realms]
        EXAMPLE.COM = {
        #master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
        }

        So from the configuration, des-cbc-md5 seems to have been acknowledged.

> Enrique
>
>
> On 10/23/07, Leo Li <liyilei1979@gmail.com> wrote:
> > Hi, all
> >
> >    I am trying to connect to KDC to get a TGT by:
> >    String hostname = "wks107904wss.cn.ibm.com";
> >    int port = 88;
> >    KdcConnection con = new KdcConnection( hostname + ":" + port );
> >    KerberosTicket tgt = con.getTicketGrantingTicket( clientPrincipal,
> > password );
> >
> >    But it fails with this stack trace:
> >    Exception in thread "main"
> > org.apache.directory.client.kerberos.KdcConnectionException:
> > BAD_ENCRYPTION_TYPE
> > at org.apache.directory.client.kerberos.GetTicketGrantingTicket.processError(GetTicketGrantingTicket.java:167)
> > at org.apache.directory.client.kerberos.GetTicketGrantingTicket.execute(GetTicketGrantingTicket.java:153)
> > at org.apache.directory.client.kerberos.KdcConnection.getTicketGrantingTicket(KdcConnection.java:118)
> > at org.apache.directory.client.kerberos.KdcConnection.getTicketGrantingTicket(KdcConnection.java:101)
> > at org.apache.directory.client.kerberos.Main.go(Main.java:62)
> > at org.apache.directory.client.kerberos.Main.main(Main.java:55)
> >
> >
> >   And on the KDC side, the server has this log entry:
> >   Oct 23 16:12:28 wks107904wss.cn.ibm.com krb5kdc[2304](info) :
> > AS_REQ(1 etypes{3}) 9.181.106.61:BAD_ENCRYPTION_TYPE:leo@EXAMPLE.COM
> > for krbtgt/EXAMPLE.COM@EXAMPLE.COM, KDC has no support for encryption
> > type
> >
> >   The KDC is provided by Red Hat Enterprise 5 with the default setup configuration.
> >
> >   And if I try the same program on the machine where the KDC resides and
> > run it with "localhost" as the host parameter, it gets a null TGT, and
> > the KDC log shows no further entries, as if no Kerberos request
> > had been sent to the KDC.
> >
> >   Can somebody help?
> >
> >   Thanks,
> >
> > --
> > Leo Li
> > China Software Development Lab, IBM
> >
>


-- 
Leo Li
China Software Development Lab, IBM
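
An added example, not part of the original messages or of ApacheDS: a small Python check that cross-references the etypes offered in the KDC's AS_REQ log line with the realm's `supported_enctypes`, the comparison made by eye in the reply above. The function names are hypothetical, and the sample inputs are constructed from the log line and kdc.conf quoted in the thread.

```python
import re

# Enctype numbers for the names MIT kdc.conf accepts (values from MIT krb5.h).
ETYPE_BY_NAME = {
    "des-cbc-crc": 1, "des-cbc-md4": 2, "des-cbc-md5": 3, "des-hmac-sha1": 8,
    "des3-hmac-sha1": 16, "des3-cbc-sha1": 16, "aes128-cts": 17,
    "aes256-cts": 18, "arcfour-hmac": 23, "rc4-hmac": 23,
}
RFC6649_DEPRECATED = {1, 2, 3}  # single-DES enctypes retired by RFC 6649

# Constructed samples, copied from the log line and kdc.conf quoted in the thread.
SAMPLE_LOG = ("Oct 23 16:12:28 wks107904wss.cn.ibm.com krb5kdc[2304](info) : "
              "AS_REQ(1 etypes{3}) 9.181.106.61:BAD_ENCRYPTION_TYPE:"
              "leo@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, "
              "KDC has no support for encryption type")
SAMPLE_CONF = """
[realms]
EXAMPLE.COM = {
#master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
des-cbc-crc:v4 des-cbc-crc:afs3
}
"""

def requested_etypes(log_line):
    """Return the etype numbers the client offered in an AS_REQ log line."""
    m = re.search(r"AS_REQ\s*\(\d+ etypes\s*\{([\d ]+)\}\)", log_line)
    return [int(n) for n in m.group(1).split()] if m else []

def configured_etypes(conf_text, realm):
    """Map etype number -> salt types from a realm's supported_enctypes.
    Tolerates a value wrapped over several lines, as e-mail quoting produces."""
    block = re.search(re.escape(realm) + r"\s*=\s*\{(.*?)\}", conf_text, re.S)
    if not block:
        return {}
    body = "\n".join(l for l in block.group(1).splitlines()
                     if not l.lstrip().startswith("#"))
    val = re.search(r"supported_enctypes\s*=\s*((?:[\w-]+:\w+\s*)+)", body)
    result = {}
    for name, salt in re.findall(r"([\w-]+):(\w+)", val.group(1) if val else ""):
        if name in ETYPE_BY_NAME:  # names outside the table are ignored
            result.setdefault(ETYPE_BY_NAME[name], []).append(salt)
    return result

def diagnose(log_line, conf_text, realm):
    """For each requested etype: is it configured, and is it deprecated?"""
    configured = configured_etypes(conf_text, realm)
    return [{"etype": e, "configured": e in configured,
             "deprecated": e in RFC6649_DEPRECATED}
            for e in requested_etypes(log_line)]
```

On the thread's data this reports etype 3 as present in `supported_enctypes` and as a deprecated single-DES type. In MIT Kerberos `supported_enctypes` sets the default key/salt combinations for newly created principals, so the keys a principal actually holds are the ones listed by kadmin's `getprinc`.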
