directory-dev mailing list archives

From Stefan Seelmann <m...@stefan-seelmann.de>
Subject Re: Requesting TGT using kinit when principal's password type is MD5
Date Mon, 06 Sep 2010 06:47:23 GMT
Hi Amila,

The current implementation requires a plain text password, because the krb5
keys are derived from the password.

Kind regards,
Stefan

On Sep 6, 2010 5:02 AM, "Amila Jayasekara" <amilaj@wso2.com> wrote:
> Hi All,
> I am using the Kerberos server which comes with ApacheDS. Currently I am
> facing a strange problem with that. Let me explain the scenario in detail.
> I am requesting a TGT using the "kinit" program. For this I am executing the
> following command,
>
> > kinit hnelson@EXAMPLE.COM
>
> I was able to successfully retrieve a ticket when hnelson@EXAMPLE.COM's
> password is plain text. But when I convert the principal's
> (hnelson@EXAMPLE.COM) password type to MD5, I was not able to get the
> ticket. I am getting an error saying "kinit: Password incorrect while
> getting initial credentials".
>
> aj@wso2:~/development/Tools/LDAP/apacheds-1.5.5$ kinit hnelson@EXAMPLE.COM
> Password for hnelson@EXAMPLE.COM:
> kinit: Password incorrect while getting initial credentials
>
> Below I have pasted the log output of the ApacheDS server for the above
> request. According to the log output, the server has not encountered any
> error and has successfully authenticated the principal. The
> AS_REPLY response has also been sent back to the client. Now I am a bit
> confused about what has gone wrong. Note that for this particular case I have
> disabled pre-authentication on the server. I believe this has something to do
> with the way the kinit program works. But I couldn't get more information from
> kinit. Therefore I am not able to find any cause for this error.
>
> I would be really grateful if someone could help me understand what has gone
> wrong here.
>
> Thanks
> AmilaJ
>
> [07:44:26] DEBUG
> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
> - /0:0:0:0:0:0:0:1:57572 CREATED: datagram
> [07:44:26] DEBUG
> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
> - /0:0:0:0:0:0:0:1:57572 OPENED
> [07:44:26] DEBUG
> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
> - /0:0:0:0:0:0:0:1:57572 RCVD:
> org.apache.directory.server.kerberos.shared.messages.KdcRequest@2c3299f6
> [07:44:26] DEBUG
> [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> - Received Authentication Service (AS) request:
> messageType: AS_REQ
> protocolVersionNumber: 5
> clientAddress: 0:0:0:0:0:0:0:1
> nonce: 1457316737
> kdcOptions: FORWARDABLE PROXIABLE RENEWABLE_OK
> clientPrincipal: hnelson@EXAMPLE.COM
> serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
> encryptionType: des-cbc-md5 (3), rc4-hmac (23),
> aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), des-cbc-crc (1),
> aes256-cts-hmac-sha1-96 (18), des-cbc-md4 (2)
> realm: EXAMPLE.COM
> from time: 20100906024426Z
> till time: 20100907024426Z
> renew-till time: null
> hostAddresses: null
> [07:44:26] DEBUG
> [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> - Session will use encryption type des-cbc-md5 (3).
> [07:44:26] DEBUG
> [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils]
> - Found entry ServerEntry
> dn[n]: uid=hnelson,ou=Users,dc=example,dc=com
> objectClass: organizationalPerson
> objectClass: person
> objectClass: krb5Principal
> objectClass: inetOrgPerson
> objectClass: krb5KDCEntry
> objectClass: top
> uid: hnelson
> sn: Nelson
> krb5PrincipalName: hnelson@EXAMPLE.COM
> krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08
> 0xC7 0x86 0x58 0x23 0x98 ...'
> krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10
> 0xC6 0x4B 0xD6 0xFE 0x30 ...'
> krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18
> 0x7A 0xB6 0x43 0x9D 0xF7 ...'
> krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10
> 0x27 0xD9 0xE6 0xA4 0x66 ...'
> krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20
> 0x4A 0xCE 0xDE 0xEC 0x20 ...'
> krb5KeyVersionNumber: 7
> cn: Horatio Nelson
> userPassword: '0x7B 0x4D 0x44 0x35 0x7D 0x58 0x72 0x34 0x69 0x6C
> 0x4F 0x7A 0x51 0x34 0x50 0x43 ...'
> for kerberos principal name hnelson@EXAMPLE.COM
> [07:44:26] DEBUG
> [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> - Verifying using SAM subsystem.
> [07:44:26] DEBUG
> [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> - Verifying using encrypted timestamp.
> [07:44:26] DEBUG
> [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> - Entry for client principal hnelson@EXAMPLE.COM has no SAM type.
> Proceeding with standard pre-authentication.
> [07:44:26] DEBUG
> [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> - Pre-authentication by encrypted timestamp successful for
> hnelson@EXAMPLE.COM.
> [07:44:26] DEBUG
> [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils]
> - Found entry ServerEntry
> dn[n]: uid=krbtgt,ou=Users,dc=example,dc=com
> objectClass: organizationalPerson
> objectClass: person
> objectClass: krb5Principal
> objectClass: inetOrgPerson
> objectClass: krb5KDCEntry
> objectClass: top
> uid: krbtgt
> sn: Service
> userPassword: '0x73 0x65 0x63 0x72 0x65 0x74 '
> krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
> krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20
> 0x25 0x07 0x25 0x68 0x76 ...'
> krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10
> 0x87 0x8D 0x80 0x14 0x60 ...'
> krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08
> 0x98 0x07 0x37 0x31 0xD9 ...'
> krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18
> 0x0D 0x79 0x98 0x29 0x20 ...'
> krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10
> 0x64 0xEB 0x5E 0xDE 0x49 ...'
> krb5KeyVersionNumber: 0
> cn: KDC Service
> for kerberos principal name krbtgt/EXAMPLE.COM@EXAMPLE.COM
> [07:44:27] DEBUG
> [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
> [07:44:27] DEBUG
> [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> - Monitoring Authentication Service (AS) context:
> clockSkew 300000
> clientAddress /0:0:0:0:0:0:0:1
> principal hnelson@EXAMPLE.COM
> cn null
> realm null
> principal hnelson@EXAMPLE.COM
> SAM type null
> principal krbtgt/EXAMPLE.COM@EXAMPLE.COM
> cn null
> realm null
> principal krbtgt/EXAMPLE.COM@EXAMPLE.COM
> SAM type null
> Request key type des-cbc-md5 (3)
> Client key version 0
> Server key version 0
> [07:44:27] DEBUG
> [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> - Responding with Authentication Service (AS) reply:
> messageType: AS_REP
> protocolVersionNumber: 5
> nonce: 1457316737
> clientPrincipal: hnelson@EXAMPLE.COM
> client realm: EXAMPLE.COM
> serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
> server realm: EXAMPLE.COM
> auth time: 20100906024427Z
> start time: null
> end time: 20100907024426Z
> renew-till time: null
> hostAddresses: null
> [07:44:27] DEBUG
> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
> - /0:0:0:0:0:0:0:1:57572 SENT:
> org.apache.directory.server.kerberos.shared.messages.AuthenticationReply@1a87ad67
>
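Stefan's answer turns on Kerberos string-to-key: a principal's long-term keys are derived from the password text plus a salt, so a one-way {MD5} hash stored in userPassword cannot stand in for the password. The following Python is an added example, not ApacheDS or kinit code. It decodes the hex-dumped userPassword from the log above to show its {MD5} scheme prefix, builds the RFC 3961 default salt for the principals named in the log, and runs the PBKDF2 stage of the RFC 3962 string-to-key (aes128-cts-hmac-sha1-96) both on a constructed password and on its {MD5} form, showing that the two produce different key material, which is exactly the mismatch behind "Password incorrect". The final DK() step of RFC 3962 (an AES encryption of the n-folded constant "kerberos") is left out because it needs an AES implementation and does not change the conclusion: different PBKDF2 output already means different keys. The password "Pa55word-demo" is constructed for the demo, and rfc3962_vector_ok checks the PBKDF2 stage against the first test vector in RFC 3962 Appendix B.

```python
import base64
import hashlib


def default_salt(principal: str) -> bytes:
    """RFC 3961 default salt: the realm followed by the name components,
    concatenated with no separators (hnelson@EXAMPLE.COM -> EXAMPLE.COMhnelson)."""
    name, realm = principal.rsplit("@", 1)
    return (realm + "".join(name.split("/"))).encode("utf-8")


def pbkdf2_stage(password: str, salt: bytes, iterations: int = 4096,
                 key_len: int = 16) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key for
    aes128-cts-hmac-sha1-96 (default iteration count 4096, 16-byte key).
    The DK(tkey, "kerberos") step that follows needs AES and is not shown."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, key_len)


def ldap_md5_userpassword(password: str) -> str:
    """LDAP '{MD5}' userPassword form: '{MD5}' followed by base64(md5(password)).
    This is a one-way hash; the KDC cannot get the password back from it."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def decode_log_hex(dump: str) -> bytes:
    """Turn an ApacheDS attribute dump such as '0x7B 0x4D ...' back into bytes."""
    return bytes(int(tok, 16) for tok in dump.replace("...", "").split())


# First 16 bytes of hnelson's userPassword exactly as the log above prints them.
LOGGED_USERPASSWORD = ("0x7B 0x4D 0x44 0x35 0x7D 0x58 0x72 0x34 0x69 0x6C "
                       "0x4F 0x7A 0x51 0x34 0x50 0x43 ...")


def password_scheme(dump: str) -> str:
    """Return the '{SCHEME}' prefix of a hex-dumped userPassword ('' if plain)."""
    text = decode_log_hex(dump).decode("ascii", errors="replace")
    if text.startswith("{") and "}" in text:
        return text[: text.index("}") + 1]
    return ""


def key_material(principal: str, stored_value: str) -> bytes:
    """Key material a KDC gets when it runs string-to-key on whatever string
    is stored for the principal (plaintext or a '{MD5}...' hash)."""
    return pbkdf2_stage(stored_value, default_salt(principal))


def keys_match(principal: str, typed_password: str, stored_value: str) -> bool:
    """True only if kinit (deriving from the typed password) and the KDC
    (deriving from the stored string) end up with the same key material."""
    return key_material(principal, typed_password) == key_material(principal, stored_value)


def rfc3962_vector_ok() -> bool:
    """Check the PBKDF2 stage against the first test vector in RFC 3962 Appendix B."""
    out = pbkdf2_stage("password", b"ATHENA.MIT.EDUraeburn", iterations=1)
    return out.hex() == "cdedb5281bb2f801565a1122b2563515"


if __name__ == "__main__":
    principal = "hnelson@EXAMPLE.COM"
    typed = "Pa55word-demo"  # constructed demo password, not a value from the thread
    print("logged userPassword scheme:", password_scheme(LOGGED_USERPASSWORD))
    print("RFC 3962 vector ok:", rfc3962_vector_ok())
    print("stored plaintext, keys match:", keys_match(principal, typed, typed))
    print("stored {MD5} hash, keys match:",
          keys_match(principal, typed, ldap_md5_userpassword(typed)))
```

The log's session type is des-cbc-md5 (3), whose string-to-key (the RFC 3961 DES fan-fold) differs from the AES one shown here, but the dependency on the plaintext is the same: whatever string the server side feeds into string-to-key has to be the same string the user types into kinit. Storing a hash in userPassword breaks that equality, so the AS_REP the KDC sends is encrypted under a key kinit cannot reproduce, and kinit reports it as a wrong password.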
