directory-dev mailing list archives

From "Leo Li" <liyilei1...@gmail.com>
Subject Re: [kerberos client]Problem to obtain TGT from KDC.
Date Fri, 26 Oct 2007 01:12:48 GMT
On 10/25/07, Leo Li <liyilei1979@gmail.com> wrote:
> On 10/25/07, Enrique Rodriguez <enriquer9@gmail.com> wrote:
> > Hi, Leo,
> >
> > This looks like an MIT Kerberos configuration issue.  The MIT KDC is
> > responding that it is not configured to use encryption type 3
> > (DES-CBC-MD5).  The client is simply reporting the error returned by
> > the KDC.  I recommend reviewing MIT Kerberos server documentation.
> > Alternatively, you can use the "long form" of the ApacheDS Kerberos
> > client component to try to use an enc type that is supported by
> > default by MIT Kerberos KDC.
> >
>    Hi, Enrique,
>
>         Thank you for your help.
>         But after I look at the kdc.conf, it has
>
>         [kdcdefaults]
>         acl_file = /var/kerberos/krb5kdc/kadm5.acl
>         dict_file = /usr/share/dict/words
>         admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>         v4_mode = nopreauth
>
>        [realms]
>        EXAMPLE.COM = {
>        #master_key_type = des3-hmac-sha1
>        supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
>        des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
>        des-cbc-crc:v4 des-cbc-crc:afs3
>        }
>
>       So from the configuration, des-cbc-md5 seems to have been acknowledged.

         Besides, the successful kinit has this log for REQ:
         AS_REQ (7 etypes {18 17 16 23 1 3 2}). It has the "7" type
for REQ rather than the "1" type. Does it make some difference?
         Can somebody help?
         Thanks in advance.

>
> > Enrique
> >
> >
> > On 10/23/07, Leo Li <liyilei1979@gmail.com> wrote:
> > > Hi, all
> > >
> > >    I am trying to connect to KDC to get a TGT by:
> > >    String hostname = "wks107904wss.cn.ibm.com";
> > >    int port = 88;
> > >    KdcConnection con = new KdcConnection( hostname + ":" + port );
> > >    KerberosTicket tgt = con.getTicketGrantingTicket( clientPrincipal,
> > > password );
> > >
> > >    But it fails with such stacktrace:
> > >    Exception in thread "main"
> > > org.apache.directory.client.kerberos.KdcConnectionException:
> > > BAD_ENCRYPTION_TYPE
> > > at org.apache.directory.client.kerberos.GetTicketGrantingTicket.processError(GetTicketGrantingTicket.java:167)
> > > at org.apache.directory.client.kerberos.GetTicketGrantingTicket.execute(GetTicketGrantingTicket.java:153)
> > > at org.apache.directory.client.kerberos.KdcConnection.getTicketGrantingTicket(KdcConnection.java:118)
> > > at org.apache.directory.client.kerberos.KdcConnection.getTicketGrantingTicket(KdcConnection.java:101)
> > > at org.apache.directory.client.kerberos.Main.go(Main.java:62)
> > > at org.apache.directory.client.kerberos.Main.main(Main.java:55)
> > >
> > >
> > >   And on the kdc side, the server has such log:
> > >   Oct 23 16:12:28 wks107904wss.cn.ibm.com krb5kdc[2304](info) :
> > > AS_REQ(1 etypes{3}) 9.181.106.61:BAD_ENCRYPTION_TYPE:leo@EXAMPLE.COM
> > > for krbtgt/EXAMPLE.COM@EXAMPLE.COM, KDC has no support for encryption
> > > type
> > >
> > >   The KDC is provided by redhat enterprise 5 with default setup configuration.
> > >
> > >   And if I try the same program in the machine where KDC resides and
> > > run it with "localhost" as host parameter, it will get null TGT and
> > > from the KDC log there seems no further log as if no Kerberos Request
> > > had been sent to KDC.
> > >
> > >   Can somebody help?
> > >
> > >   Thanks,
> > >
> > > --
> > > Leo Li
> > > China Software Development Lab, IBM
> > >
> >
>
>
> --
> Leo Li
> China Software Development Lab, IBM
>


-- 
Leo Li
China Software Development Lab, IBM
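
An added example, not part of the original message and not ApacheDS or MIT Kerberos code: a small parser for the two krb5kdc AS_REQ log forms quoted in this thread, which names each offered etype and checks it against the supported_enctypes line of the quoted kdc.conf. The number before "etypes" in the log is the count of etypes the client offered; the function names are this example's own.

```python
import re

# Etype numbers with the names MIT krb5 uses for them.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 8: "des-hmac-sha1",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
# Alternative spellings MIT krb5 accepts in kdc.conf.
ALIASES = {"des3-hmac-sha1": "des3-cbc-sha1", "rc4-hmac": "arcfour-hmac"}
AS_REQ_RE = re.compile(r"AS_REQ\s*\((\d+) etypes\s*\{([\d ]+)\}\)")
# enctype:salttype tokens; \s* also spans the line wraps seen in the e-mail.
SUPPORTED_RE = re.compile(r"supported_enctypes\s*=\s*((?:[\w-]+:\w+\s*)+)")

# Sample input copied from the message (log line rejoined, config unindented).
KDC_CONF = """[realms]
EXAMPLE.COM = {
#master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
des-cbc-crc:v4 des-cbc-crc:afs3
}
"""
LOG_FAIL = ("Oct 23 16:12:28 wks107904wss.cn.ibm.com krb5kdc[2304](info) : "
            "AS_REQ(1 etypes{3}) 9.181.106.61:BAD_ENCRYPTION_TYPE:"
            "leo@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, "
            "KDC has no support for encryption type")
LOG_OK = "AS_REQ (7 etypes {18 17 16 23 1 3 2})"  # fragment quoted for kinit

def parse_as_req(line):
    """Return the etype numbers offered in a krb5kdc AS_REQ log line."""
    m = AS_REQ_RE.search(line)
    if m is None:
        return None
    etypes = [int(n) for n in m.group(2).split()]
    if int(m.group(1)) != len(etypes):  # leading number is the list length
        raise ValueError("etype count does not match list: " + m.group(0))
    return etypes

def supported_enctypes(conf):
    """Return canonical enctype names listed in supported_enctypes."""
    m = SUPPORTED_RE.search(conf)
    names = {tok.split(":")[0] for tok in m.group(1).split()} if m else set()
    return {ALIASES.get(n, n) for n in names}

def check(line, conf):
    """Map each offered etype to (name, listed in supported_enctypes?)."""
    listed = supported_enctypes(conf)
    return {e: (ETYPE_NAMES.get(e, "unknown"), ETYPE_NAMES.get(e) in listed)
            for e in parse_as_req(line)}
```

For the failing request, check(LOG_FAIL, KDC_CONF) returns {3: ('des-cbc-md5', True)}.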
