directory-dev mailing list archives

From: Amila Jayasekara <ami...@wso2.com>
Subject: Requesting TGT using kinit when principal's password type is MD5
Date: Mon, 06 Sep 2010 03:02:01 GMT
Hi All,
    I am using the Kerberos server which comes with apacheds. Currently I am 
facing a strange problem with that. Let me explain the scenario in detail.
I am requesting a TGT using the "kinit" program. For this I am executing the 
following command,

 > kinit hnelson@EXAMPLE.COM

I was able to successfully retrieve a ticket when hnelson@EXAMPLE.COM's 
password is plain text. But when I convert the principal's 
(hnelson@EXAMPLE.COM) password type to MD5, I was not able to get the 
ticket. I am getting an error saying "kinit: Password incorrect while 
getting initial credentials".

aj@wso2:~/development/Tools/LDAP/apacheds-1.5.5$ kinit hnelson@EXAMPLE.COM
Password for hnelson@EXAMPLE.COM:
kinit: Password incorrect while getting initial credentials

Below I have pasted the log output of the apacheds server for the above 
request. According to the log output, the server has not encountered any 
error and has successfully authenticated the principal. The 
AS_REPLY response has also been sent back to the client. Now I am a bit confused 
about what has gone wrong. Note that, for this particular case, I have disabled 
pre-authentication on the server. I believe this has something to do with 
the way the kinit program works. But I couldn't get more information from 
kinit. Therefore I am not able to find any cause for this error.

I would be really grateful if someone can help me to understand what has gone 
wrong here.

Thanks
AmilaJ

==============================================================================================================================================================================================================



[07:44:26] DEBUG 
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] 
- /0:0:0:0:0:0:0:1:57572 CREATED:  datagram
[07:44:26] DEBUG 
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] 
- /0:0:0:0:0:0:0:1:57572 OPENED
[07:44:26] DEBUG 
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] 
- /0:0:0:0:0:0:0:1:57572 RCVD:  
org.apache.directory.server.kerberos.shared.messages.KdcRequest@2c3299f6
[07:44:26] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Received Authentication Service (AS) request:
    messageType:           AS_REQ
    protocolVersionNumber: 5
    clientAddress:         0:0:0:0:0:0:0:1
    nonce:                 1457316737
    kdcOptions:            FORWARDABLE PROXIABLE RENEWABLE_OK
    clientPrincipal:       hnelson@EXAMPLE.COM
    serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
    encryptionType:        des-cbc-md5 (3), rc4-hmac (23), 
aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), des-cbc-crc (1), 
aes256-cts-hmac-sha1-96 (18), des-cbc-md4 (2)
    realm:                 EXAMPLE.COM
    from time:             20100906024426Z
    till time:             20100907024426Z
    renew-till time:       null
    hostAddresses:         null
[07:44:26] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Session will use encryption type des-cbc-md5 (3).
[07:44:26] DEBUG 
[org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] 
- Found entry ServerEntry
    dn[n]: uid=hnelson,ou=Users,dc=example,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: krb5Principal
    objectClass: inetOrgPerson
    objectClass: krb5KDCEntry
    objectClass: top
    uid: hnelson
    sn: Nelson
    krb5PrincipalName: hnelson@EXAMPLE.COM
    krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 
0xC7 0x86 0x58 0x23 0x98 ...'
    krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 
0xC6 0x4B 0xD6 0xFE 0x30 ...'
    krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 
0x7A 0xB6 0x43 0x9D 0xF7 ...'
    krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 
0x27 0xD9 0xE6 0xA4 0x66 ...'
    krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 
0x4A 0xCE 0xDE 0xEC 0x20 ...'
    krb5KeyVersionNumber: 7
    cn: Horatio Nelson
    userPassword: '0x7B 0x4D 0x44 0x35 0x7D 0x58 0x72 0x34 0x69 0x6C 
0x4F 0x7A 0x51 0x34 0x50 0x43 ...'
 for kerberos principal name hnelson@EXAMPLE.COM
[07:44:26] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Verifying using SAM subsystem.
[07:44:26] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Verifying using encrypted timestamp.
[07:44:26] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Entry for client principal hnelson@EXAMPLE.COM has no SAM type.  
Proceeding with standard pre-authentication.
[07:44:26] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Pre-authentication by encrypted timestamp successful for 
hnelson@EXAMPLE.COM.
[07:44:26] DEBUG 
[org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] 
- Found entry ServerEntry
    dn[n]: uid=krbtgt,ou=Users,dc=example,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: krb5Principal
    objectClass: inetOrgPerson
    objectClass: krb5KDCEntry
    objectClass: top
    uid: krbtgt
    sn: Service
    userPassword: '0x73 0x65 0x63 0x72 0x65 0x74 '
    krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 
0x25 0x07 0x25 0x68 0x76 ...'
    krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 
0x87 0x8D 0x80 0x14 0x60 ...'
    krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 
0x98 0x07 0x37 0x31 0xD9 ...'
    krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 
0x0D 0x79 0x98 0x29 0x20 ...'
    krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 
0x64 0xEB 0x5E 0xDE 0x49 ...'
    krb5KeyVersionNumber: 0
    cn: KDC Service
 for kerberos principal name krbtgt/EXAMPLE.COM@EXAMPLE.COM
[07:44:27] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
[07:44:27] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Monitoring Authentication Service (AS) context:
    clockSkew              300000
    clientAddress          /0:0:0:0:0:0:0:1
    principal              hnelson@EXAMPLE.COM
    cn                     null
    realm                  null
    principal              hnelson@EXAMPLE.COM
    SAM type               null
    principal              krbtgt/EXAMPLE.COM@EXAMPLE.COM
    cn                     null
    realm                  null
    principal              krbtgt/EXAMPLE.COM@EXAMPLE.COM
    SAM type               null
    Request key type       des-cbc-md5 (3)
    Client key version     0
    Server key version     0
[07:44:27] DEBUG 
[org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] 
- Responding with Authentication Service (AS) reply:
    messageType:           AS_REP
    protocolVersionNumber: 5
    nonce:                 1457316737
    clientPrincipal:       hnelson@EXAMPLE.COM
    client realm:          EXAMPLE.COM
    serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
    server realm:          EXAMPLE.COM
    auth time:             20100906024427Z
    start time:            null
    end time:              20100907024426Z
    renew-till time:       null
    hostAddresses:         null
[07:44:27] DEBUG 
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] 
- /0:0:0:0:0:0:0:1:57572 SENT:  
org.apache.directory.server.kerberos.shared.messages.AuthenticationReply@1a87ad67
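When reading a KDC entry dump like the one above, two things are worth checking: which enctypes the entry actually holds `krb5Key` values for (each is a DER EncryptionKey whose first bytes encode the keytype) and whether `userPassword` is stored hashed (the `0x7B 0x4D 0x44 0x35 0x7D` prefix on hnelson's entry is the LDAP `{MD5}` scheme tag, while krbtgt's is plain text). The decoder below is an added example, not code from the post or from ApacheDS; the DER headers are taken from the log, but the key bytes and the password body are constructed filler because the log truncates them.

```python
# Decoder for the krb5Key and userPassword values the ApacheDS KDC prints in
# the log above. A krb5Key is a DER EncryptionKey (RFC 4120):
#   SEQUENCE { keytype [0] INTEGER, keyvalue [1] OCTET STRING }
# The log truncates key bytes with "...", so the samples are constructed: the
# DER headers are the ones from the log, the key bytes are filler.
import re

# Enctype numbers as named in the log (RFC 3961/3962/4757)
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
               16: "des3-cbc-sha1-kd", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def parse_hex_dump(dump):
    """Turn the "'0x30 0x11 ...'" notation used in the log into bytes."""
    return bytes(int(t, 16) for t in re.findall(r"0x([0-9A-Fa-f]{2})", dump))

def _tlv(buf, pos):
    """Read one DER tag/length/value; short-form lengths suffice for these keys."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("unexpected long-form DER length in krb5Key")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def decode_krb5key(raw):
    """Return (keytype, enctype name, key bytes) from a DER EncryptionKey."""
    tag, body, end = _tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("krb5Key is not a single DER SEQUENCE")
    tag0, ctx0, pos = _tlv(body, 0)
    tag1, ctx1, pos = _tlv(body, pos)
    if (tag0, tag1) != (0xA0, 0xA1) or pos != len(body):
        raise ValueError("expected [0] keytype then [1] keyvalue")
    itag, ival, _ = _tlv(ctx0, 0)
    otag, oval, _ = _tlv(ctx1, 0)
    if itag != 0x02 or otag != 0x04:
        raise ValueError("keytype must be INTEGER, keyvalue an OCTET STRING")
    etype = int.from_bytes(ival, "big", signed=True)
    return etype, ETYPE_NAMES.get(etype, "etype-%d" % etype), oval

def password_scheme(raw):
    """LDAP '{SCHEME}' prefix of a stored userPassword, or None if plain text."""
    m = re.match(rb"\{([A-Za-z0-9-]+)\}", raw)
    return m.group(1).decode() if m else None

# Constructed samples: DER headers from the log's hnelson entry, filler key bytes
HNELSON_DES_KEY = "0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 " + "0xC7 " * 8
HNELSON_RC4_KEY = "0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 " + "0xC6 " * 16
HNELSON_PASSWORD = b"{MD5}" + b"A" * 24  # hashed: '{MD5}' is 0x7B 0x4D 0x44 0x35 0x7D in the log
KRBTGT_PASSWORD = b"secret"              # plain text, as in the log's krbtgt entry
```

Running `decode_krb5key` over every `krb5Key` of an entry tells you which of the enctypes offered in the AS_REQ the KDC can actually pick, and `password_scheme` shows whether the KDC still has a plain-text password to derive keys from or only a hash.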

