directory-dev mailing list archives

From Amila Jayasekara <ami...@wso2.com>
Subject Re: Requesting TGT using Kinit when principle's password type is MD 5
Date Mon, 06 Sep 2010 07:33:54 GMT
Hi Stefan,
    Thank you very much for the reply.
    Will there be a new release with support for hashed passwords in the
near future?
Thanks
AmilaJ

Stefan Seelmann wrote:
>
> Hi Amila,
>
> The current implementation requires a plain text password, because the 
> krb5 keys are derived from the password.
>
> Kind regards,
> Stefan
>
> On Sep 6, 2010 5:02 AM, "Amila Jayasekara" <amilaj@wso2.com> wrote:
> > Hi All,
> > I am using the Kerberos server which comes with apacheds. Currently I am
> > facing a strange problem with that. Let me explain the scenario in detail.
> > I am requesting a TGT using the "kinit" program. For this I am executing
> > the following command,
> >
> > > kinit hnelson@EXAMPLE.COM
> >
> > I was able to successfully retrieve a ticket when hnelson@EXAMPLE.COM's
> > password is plain text. But when I convert the principal's
> > (hnelson@EXAMPLE.COM) password type to MD5, I was not able to get the
> > ticket. I am getting an error saying "kinit: Password incorrect while
> > getting initial credentials".
> >
> > aj@wso2:~/development/Tools/LDAP/apacheds-1.5.5$ kinit hnelson@EXAMPLE.COM
> > Password for hnelson@EXAMPLE.COM:
> > kinit: Password incorrect while getting initial credentials
> >
> > Below I have pasted the log output of the apacheds server for the above
> > request. According to the log output, the server has not encountered any
> > error and has successfully authenticated the principal. The
> > response AS_REPLY has also been sent back to the client. Now I am a bit
> > confused what has gone wrong. Note that, for this particular case, I have
> > disabled pre-authentication on the server. I believe this has something to
> > do with the way the kinit program works. But I couldn't get more information
> > from kinit. Therefore I am not able to find any cause for this error.
> >
> > I am really grateful if someone can help me to understand what has gone
> > wrong here.
> >
> > Thanks
> > AmilaJ
> > 
> > [07:44:26] DEBUG
> > [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
> > - /0:0:0:0:0:0:0:1:57572 CREATED: datagram
> > [07:44:26] DEBUG
> > [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
> > - /0:0:0:0:0:0:0:1:57572 OPENED
> > [07:44:26] DEBUG
> > [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
> > - /0:0:0:0:0:0:0:1:57572 RCVD:
> > org.apache.directory.server.kerberos.shared.messages.KdcRequest@2c3299f6
> > [07:44:26] DEBUG
> > [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> > - Received Authentication Service (AS) request:
> > messageType: AS_REQ
> > protocolVersionNumber: 5
> > clientAddress: 0:0:0:0:0:0:0:1
> > nonce: 1457316737
> > kdcOptions: FORWARDABLE PROXIABLE RENEWABLE_OK
> > clientPrincipal: hnelson@EXAMPLE.COM
> > serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
> > encryptionType: des-cbc-md5 (3), rc4-hmac (23),
> > aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), des-cbc-crc (1),
> > aes256-cts-hmac-sha1-96 (18), des-cbc-md4 (2)
> > realm: EXAMPLE.COM
> > from time: 20100906024426Z
> > till time: 20100907024426Z
> > renew-till time: null
> > hostAddresses: null
> > [07:44:26] DEBUG
> > [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> > - Session will use encryption type des-cbc-md5 (3).
> > [07:44:26] DEBUG
> > [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils]
> > - Found entry ServerEntry
> > dn[n]: uid=hnelson,ou=Users,dc=example,dc=com
> > objectClass: organizationalPerson
> > objectClass: person
> > objectClass: krb5Principal
> > objectClass: inetOrgPerson
> > objectClass: krb5KDCEntry
> > objectClass: top
> > uid: hnelson
> > sn: Nelson
> > krb5PrincipalName: hnelson@EXAMPLE.COM
> > krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08
> > 0xC7 0x86 0x58 0x23 0x98 ...'
> > krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10
> > 0xC6 0x4B 0xD6 0xFE 0x30 ...'
> > krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18
> > 0x7A 0xB6 0x43 0x9D 0xF7 ...'
> > krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10
> > 0x27 0xD9 0xE6 0xA4 0x66 ...'
> > krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20
> > 0x4A 0xCE 0xDE 0xEC 0x20 ...'
> > krb5KeyVersionNumber: 7
> > cn: Horatio Nelson
> > userPassword: '0x7B 0x4D 0x44 0x35 0x7D 0x58 0x72 0x34 0x69 0x6C
> > 0x4F 0x7A 0x51 0x34 0x50 0x43 ...'
> > for kerberos principal name hnelson@EXAMPLE.COM
> > [07:44:26] DEBUG
> > [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> > - Verifying using SAM subsystem.
> > [07:44:26] DEBUG
> > [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> > - Verifying using encrypted timestamp.
> > [07:44:26] DEBUG
> > [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> > - Entry for client principal hnelson@EXAMPLE.COM has no SAM type.
> > Proceeding with standard pre-authentication.
> > [07:44:26] DEBUG
> > [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> > - Pre-authentication by encrypted timestamp successful for
> > hnelson@EXAMPLE.COM.
> > [07:44:26] DEBUG
> > [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils]
> > - Found entry ServerEntry
> > dn[n]: uid=krbtgt,ou=Users,dc=example,dc=com
> > objectClass: organizationalPerson
> > objectClass: person
> > objectClass: krb5Principal
> > objectClass: inetOrgPerson
> > objectClass: krb5KDCEntry
> > objectClass: top
> > uid: krbtgt
> > sn: Service
> > userPassword: '0x73 0x65 0x63 0x72 0x65 0x74 '
> > krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
> > krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20
> > 0x25 0x07 0x25 0x68 0x76 ...'
> > krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10
> > 0x87 0x8D 0x80 0x14 0x60 ...'
> > krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08
> > 0x98 0x07 0x37 0x31 0xD9 ...'
> > krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18
> > 0x0D 0x79 0x98 0x29 0x20 ...'
> > krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10
> > 0x64 0xEB 0x5E 0xDE 0x49 ...'
> > krb5KeyVersionNumber: 0
> > cn: KDC Service
> > for kerberos principal name krbtgt/EXAMPLE.COM@EXAMPLE.COM
> > [07:44:27] DEBUG
> > [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> > - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
> > [07:44:27] DEBUG
> > [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> > - Monitoring Authentication Service (AS) context:
> > clockSkew 300000
> > clientAddress /0:0:0:0:0:0:0:1
> > principal hnelson@EXAMPLE.COM
> > cn null
> > realm null
> > principal hnelson@EXAMPLE.COM
> > SAM type null
> > principal krbtgt/EXAMPLE.COM@EXAMPLE.COM
> > cn null
> > realm null
> > principal krbtgt/EXAMPLE.COM@EXAMPLE.COM
> > SAM type null
> > Request key type des-cbc-md5 (3)
> > Client key version 0
> > Server key version 0
> > [07:44:27] DEBUG
> > [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> > - Responding with Authentication Service (AS) reply:
> > messageType: AS_REP
> > protocolVersionNumber: 5
> > nonce: 1457316737
> > clientPrincipal: hnelson@EXAMPLE.COM
> > client realm: EXAMPLE.COM
> > serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
> > server realm: EXAMPLE.COM
> > auth time: 20100906024427Z
> > start time: null
> > end time: 20100907024426Z
> > renew-till time: null
> > hostAddresses: null
> > [07:44:27] DEBUG
> > [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
> > - /0:0:0:0:0:0:0:1:57572 SENT:
> > org.apache.directory.server.kerberos.shared.messages.AuthenticationReply@1a87ad67
> >
>
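The point Stefan makes, that the KDC derives the krb5 keys from the password itself, can be seen directly in the entry dumped in the log above. As an added example (Python written for this archive page, not ApacheDS code), the script below decodes the attribute values copied from the log: each krb5Key is a DER EncryptionKey (keytype, keyvalue) holding a derived key for one enctype, and the hnelson userPassword begins with the bytes "{MD5}", i.e. an RFC 2307 style one-way hash, while the krbtgt entry still holds a plain value. The ENCTYPES table, the KeyInfo type and the helper names are this example's own; it assumes single-byte keytype integers and short-form DER lengths, which every value in the log satisfies, and it only inspects the DER headers because the log truncates the key bytes.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757) and raw key length in bytes.
ENCTYPES: Dict[int, Tuple[str, int]] = {
    1: ("des-cbc-crc", 8),
    2: ("des-cbc-md4", 8),
    3: ("des-cbc-md5", 8),
    16: ("des3-cbc-sha1-kd", 24),
    17: ("aes128-cts-hmac-sha1-96", 16),
    18: ("aes256-cts-hmac-sha1-96", 32),
    23: ("rc4-hmac", 16),
}

# Attribute values copied from the ApacheDS log in the thread (key material truncated there).
HNELSON_ENTRY = """
krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xC7 0x86 0x58 0x23 0x98 ...'
krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0xC6 0x4B 0xD6 0xFE 0x30 ...'
krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x7A 0xB6 0x43 0x9D 0xF7 ...'
krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x27 0xD9 0xE6 0xA4 0x66 ...'
krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0x4A 0xCE 0xDE 0xEC 0x20 ...'
userPassword: '0x7B 0x4D 0x44 0x35 0x7D 0x58 0x72 0x34 0x69 0x6C 0x4F 0x7A 0x51 0x34 0x50 0x43 ...'
"""
KRBTGT_ENTRY = "userPassword: '0x73 0x65 0x63 0x72 0x65 0x74 '"


class KeyInfo(NamedTuple):
    enctype: int
    name: str
    declared_len: int   # OCTET STRING length from the DER header
    consistent: bool    # header lengths agree with each other and with the enctype


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn the log's '0xAB 0xCD ...' notation into bytes."""
    return bytes(int(tok, 16) for tok in re.findall(r"0x([0-9A-Fa-f]{2})", dump))


def parse_krb5key_header(data: bytes) -> KeyInfo:
    """Decode the DER header of EncryptionKey ::= SEQUENCE {
         keytype [0] Int32, keyvalue [1] OCTET STRING }   (RFC 4120).
    Assumed layout: 30 len | A0 03 02 01 <type> | A1 len 04 len <key...>
    (single-byte keytype and short-form lengths, as in every logged value)."""
    if len(data) < 11 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    seq_len = data[1]
    if data[2:6] != bytes([0xA0, 0x03, 0x02, 0x01]):
        raise ValueError("unexpected [0] keytype encoding")
    enctype = data[6]
    if data[7] != 0xA1 or data[9] != 0x04:
        raise ValueError("unexpected [1] keyvalue encoding")
    ctx_len, key_len = data[8], data[10]
    name, expected_len = ENCTYPES.get(enctype, ("unknown", -1))
    consistent = (ctx_len == key_len + 2          # [1] wraps 04 len + key bytes
                  and seq_len == 7 + ctx_len      # 5 bytes of [0] + 2 bytes of [1] tag/len
                  and key_len == expected_len)    # key size matches the enctype
    return KeyInfo(enctype, name, key_len, consistent)


def stored_keys(entry: str) -> List[KeyInfo]:
    """One KeyInfo per krb5Key attribute value, in the order the entry lists them."""
    return [parse_krb5key_header(hexdump_to_bytes(v))
            for v in re.findall(r"krb5Key: '([^']*)'", entry)]


def password_scheme(entry: str) -> Optional[str]:
    """RFC 2307 style scheme tag of userPassword ('MD5', 'SSHA', ...), 'plaintext'
    when there is no {SCHEME} prefix, None when the attribute is absent."""
    m = re.search(r"userPassword: '([^']*)'", entry)
    if not m:
        return None
    raw = hexdump_to_bytes(m.group(1))
    tag = re.match(rb"\{([A-Za-z0-9-]+)\}", raw)
    return tag.group(1).decode() if tag else "plaintext"


def can_derive_keys(entry: str) -> bool:
    """string-to-key (RFC 3961 section 6.1) takes the password itself as input;
    a one-way hash such as {MD5} gives the KDC nothing it can derive keys from."""
    return password_scheme(entry) == "plaintext"


if __name__ == "__main__":
    for k in stored_keys(HNELSON_ENTRY):
        print(f"enctype {k.enctype:2d} {k.name:25s} key bytes {k.declared_len:2d} consistent={k.consistent}")
    for label, entry in (("hnelson", HNELSON_ENTRY), ("krbtgt", KRBTGT_ENTRY)):
        print(f"{label}: userPassword scheme={password_scheme(entry)} keys derivable={can_derive_keys(entry)}")
```

Run against the logged entries, the five hnelson krb5Key values decode to enctypes 3, 23, 16, 17 and 18 with key lengths 8, 16, 24, 16 and 32 bytes, all internally consistent, and the userPassword reports scheme MD5 (krbtgt reports plaintext). Whether a stored krb5Key matches the key kinit derives from the typed password therefore depends on the password those keys were derived from; the hash stored afterwards plays no part in that derivation.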

