From: Sidda Eraiah
To: users@directory.apache.org, dev@directory.apache.org
Date: Thu, 7 Oct 2010 10:05:56 -0700
Subject: ApacheDS does not recognize RC4-HMAC encryption type

All,

I am resending this mail with the hope that some of you have a solution for this.
I have Apache-DS (1.5.7) with Kerberos Domain Controller starting up
correctly and generating tickets using the default encryption type.

Due to a customer requirement, I have to use encryption type of RC4-HMAC.
Based on what I could find this needs me to add a <encryptionsType> property
to the kdcServer like this:

  <kdcServer id="kdcServer" searchBaseDn="ou=Users,dc=example,dc=com">
    <transports>
      <tcpTransport port="60088" nbThreads="4" backLog="50"/>
      <udpTransport port="60088" nbThreads="4" backLog="50"/>
    </transports>
    <directoryService>#directoryService</directoryService>
    <encryptionTypes>rc4-hmac</encryptionTypes>
  </kdcServer>

with this change to the server.xml the server comes up fine. But trying to
get a ticket out of KDC fails with the following error:

$~/share/apacheds_1.5.7$ kinit hnelson@EXAMPLE.COM
hnelson@EXAMPLE.COM's Password:
kinit: krb5_get_init_creds: KDC has no support for encryption type

I see a warning in the ApacheDS like this:

[14:12:49] WARN
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
KDC has no support for encryption type (14)

One of the ApacheDS developers suggested the following in the IRC channel:

  <spring:bean id="enc" class="java.util.HashSet">
    <spring:constructor-arg>
      <spring:list>
        <spring:value type="org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType">RC4_HMAC</spring:value>
      </spring:list>
    </spring:constructor-arg>
  </spring:bean>
  <kdcServer id="kdcServer">
    <transports>
      <tcpTransport port="60088" nbThreads="4" backLog="50"/>
      <udpTransport port="60088" nbThreads="4" backLog="50"/>
    </transports>
    <directoryService>#directoryService</directoryService>
    <encryptionTypes>#enc</encryptionTypes>
  </kdcServer>

This also gives the same error.

Have any of you got the encryption type of RC4-HMAC to work with ApacheDS
KDC?

Your thoughts and suggestions on how to get this to work are really
appreciated.

Thanks in advance.

--
Best Regards,
Sidda

Director of Management Services
>|< Kaazing Corporation >|<
444 Castro St., Suite 1100, Mountain View, CA 94041