directory-dev mailing list archives

From Pierre-Arnaud Marcelot ...@marcelot.net>
Subject Re: [ApacheDS] [Kerberos] Any idea on how we solve this issue with the missing encryption types?
Date Tue, 22 Nov 2011 14:12:50 GMT
On 22 nov. 2011, at 14:56, Alex Karasulu wrote:

> On Tue, Nov 22, 2011 at 3:14 PM, Pierre-Arnaud Marcelot <pa@marcelot.net> wrote:
>> On 22 nov. 2011, at 14:11, Alex Karasulu wrote:
>> 
>> On Tue, Nov 22, 2011 at 3:04 PM, Pierre-Arnaud Marcelot <pa@marcelot.net>
>> wrote:
>>> 
>>> Hi Alex,
>>> 
>>> I remember having dealt with something similar recently with a user on
>>> IRC.
>>> 
>>> Turns out its /etc/krb5.conf file contained wrong values, if I recall
>>> correctly.
>>> 
>>> You might also make sure you have the 'krb5-user' package installed via
>>> apt-get.
>>> 
>> 
>> Hey thanks for the heads up and I did this installing all the packages
>> needed yet got the same error in the end. :/
>> I even restarted my session just in case something was getting cached in the
>> env.
>> Any other ideas?
>> 
>> What's the content of your krb5.conf file?
>> Regards,
>> Pierre-Arnaud
> 
> Seems I have some commented out encryption types here:
> 
> # The only time when you might need to uncomment these lines and change
> # the enctypes is if you have local software that will break on ticket
> # caches containing ticket encryption types it doesn't know about (such as
> # old versions of Sun Java).
> 
> #	default_tgs_enctypes = des3-hmac-sha1
> #	default_tkt_enctypes = des3-hmac-sha1
> #	permitted_enctypes = des3-hmac-sha1
> 
> Did you add any to the default enc types to get this working?

ApacheDS's default (and maybe only supported?) encryption types are 'des-cbc-md5'.
Maybe it has something to do with that.

I don't know which one is used on Mac OS X… I don't have any file under '/etc/krb5.conf'.
Yet again, some OS X specific things here...

> Even if this fixes this issue shouldn't we really leave this test for
> runs in controlled environments so users don't see things blow up
> without the proper configuration?
> 
> Maybe we should have a profile specifically for tests run in our CI
> environment versus when users run the tests?

Probably, as it seems to commonly fail on the latest version of Ubuntu (since you're not the
only one to report this).

Regards,
Pierre-Arnaud


> Thanks,
> Alex
> 
>> Thanks,
>> Alex
>> 
>>> 
>>> On 22 nov. 2011, at 13:54, Alex Karasulu wrote:
>>> 
>>>> Hi all,
>>>> 
>>>> Seems I'm getting the following failure with the kerberos-test module in
>>>> the apacheds trunk due to a lack of supported encryption types when using
>>>> the JDK Krb5 login module. The build is on an Ubuntu machine:
>>>> 
>>>> akarasulu@stein:~$ cat /etc/lsb-release
>>>> DISTRIB_ID=Ubuntu
>>>> DISTRIB_RELEASE=11.10
>>>> DISTRIB_CODENAME=oneiric
>>>> DISTRIB_DESCRIPTION="Ubuntu 11.10"
>>>> 
>>>> with the following Maven + Java setup:
>>>> 
>>>> akarasulu@stein:~$ mvn -v
>>>> Apache Maven 3.0.3 (r1075438; 2011-02-28 19:31:09+0200)
>>>> Maven home: /opt/tools/maven/default
>>>> Java version: 1.6.0_26, vendor: Sun Microsystems Inc.
>>>> Java home: /usr/lib/jvm/java-6-sun-1.6.0.26/jre
>>>> Default locale: en_US, platform encoding: UTF-8
>>>> OS name: "linux", version: "3.0.0-12-generic", arch: "amd64", family:
>>>> "unix"
>>>> 
>>>> Here's the failing test:
>>>> 
>>>> 
>>>> org.apache.directory.server.kerberos.kdc.KerberosTcpITest.testObtainTickets_AES256()
>>>> 
>>>>  ... and the stack trace ...
>>>> 
>>>>   <testcase time="0.05"
>>>> classname="org.apache.directory.server.kerberos.kdc.KerberosTcpITest"
>>>> name="testObtainTickets_AES256">
>>>>     <error message="No supported encryption types listed in
>>>> default_tkt_enctypes"
>>>> type="javax.security.auth.login.LoginException">javax.security.auth.login.LoginException:
>>>> No supported encryption types listed in default_tkt_enctypes
>>>>         at
>>>> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
>>>>         at
>>>> com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>         at
>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>         at
>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>         at java.lang.reflect.Method.invoke(Method.java:597)
>>>>         at
>>>> javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
>>>>         at
>>>> javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
>>>>         at
>>>> javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
>>>>         at java.security.AccessController.doPrivileged(Native Method)
>>>>         at
>>>> javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
>>>>         at
>>>> javax.security.auth.login.LoginContext.login(LoginContext.java:579)
>>>>         at
>>>> org.apache.directory.server.kerberos.kdc.KerberosTestUtils.obtainTGT(KerberosTestUtils.java:295)
>>>>         at
>>>> org.apache.directory.server.kerberos.kdc.AbstractKerberosITest.testObtainTickets(AbstractKerberosITest.java:121)
>>>>         at
>>>> org.apache.directory.server.kerberos.kdc.KerberosTcpITest.testObtainTickets_AES256(KerberosTcpITest.java:130)
>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>> 
>>>>  SNIP ...
>>>> 
>>>> Caused by: KrbException: No supported encryption types listed in
>>>> default_tkt_enctypes
>>>>         at
>>>> sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:221)
>>>>         at sun.security.krb5.KrbAsReq.init(KrbAsReq.java:335)
>>>>         at sun.security.krb5.KrbAsReq.&lt;init&gt;(KrbAsReq.java:259)
>>>>         at sun.security.krb5.KrbAsReq.&lt;init&gt;(KrbAsReq.java:61)
>>>>         at
>>>> sun.security.krb5.Credentials.sendASRequest(Credentials.java:391)
>>>>         at
>>>> sun.security.krb5.Credentials.acquireTGT(Credentials.java:350)
>>>>         at
>>>> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
>>>>         ... 49 more
>>>> 
>>>> So what should we do because this test will always fail on this Jvm?
>>>> Should I just ignore it until a reliable test is created?
>>>> 
>>>> --
>>>> Best Regards,
>>>> -- Alex
>>>> 
>>> 
>> 
>> 
>> 
>> --
>> Best Regards,
>> -- Alex
>> 
>> 
> 
> 
> 
> -- 
> Best Regards,
> -- Alex
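
An added diagnostic for the error discussed in this thread (not part of the original message, and not ApacheDS or JDK code): it reads the enctype settings from the [libdefaults] section of a krb5.conf and checks each name against what the running JVM can use, including whether the crypto policy permits the 256-bit AES keys an AES256 ticket needs. It assumes the error means that no listed name is usable by the JVM; the enctype name table and the sample configuration are constructed for illustration.

```java
import javax.crypto.Cipher;
import java.nio.file.*;
import java.util.*;

// Added diagnostic example; not ApacheDS or JDK code.
public class EnctypeCheck {
    // Constructed sample: one commented-out line, one active AES256 line.
    static final String SAMPLE = "[libdefaults]\n#  default_tkt_enctypes = des3-hmac-sha1\n"
        + "   default_tkt_enctypes = aes256-cts-hmac-sha1-96\n";
    // Assumed table: enctype name -> AES key bits it needs (0 = none).
    static final Map<String, Integer> KNOWN = new HashMap<String, Integer>();
    static {
        for (String n : "des-cbc-crc des-cbc-md5 des3-cbc-sha1 des3-hmac-sha1 rc4-hmac".split(" "))
            KNOWN.put(n, 0);
        KNOWN.put("aes128-cts-hmac-sha1-96", 128);
        KNOWN.put("aes256-cts-hmac-sha1-96", 256);
    }

    // Values of `key` in [libdefaults], skipping comments and other sections.
    static List<String> enctypes(String conf, String key) {
        List<String> out = new ArrayList<String>();
        String section = "";
        for (String raw : conf.split("\r?\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#") || line.startsWith(";")) continue;
            if (line.startsWith("[")) { section = line; continue; }
            int eq = line.indexOf('=');
            if (eq < 0 || !section.equals("[libdefaults]")) continue;
            String value = line.substring(eq + 1).trim().toLowerCase();
            if (line.substring(0, eq).trim().equals(key) && !value.isEmpty())
                out.addAll(Arrays.asList(value.split("[\\s,]+")));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        String conf = args.length > 0 ? new String(Files.readAllBytes(Paths.get(args[0])), "UTF-8") : SAMPLE;
        int maxAes = Cipher.getMaxAllowedKeyLength("AES"); // 128 under a limited policy
        System.out.println("JVM max AES key bits: " + maxAes);
        for (String key : "default_tkt_enctypes default_tgs_enctypes permitted_enctypes".split(" ")) {
            List<String> names = enctypes(conf, key);
            int usable = 0;
            for (String n : names) {
                boolean ok = KNOWN.containsKey(n) && maxAes >= KNOWN.get(n);
                if (ok) usable++;
                System.out.println(key + ": " + n + (ok ? " usable" : " NOT usable"));
            }
            if (usable == 0) System.out.println(key + (names.isEmpty() ? ": not set" : ": no usable enctype listed"));
        }
    }
}
```

Run it with the path to a krb5.conf as its only argument; with no argument it checks the embedded sample.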

