directory-dev mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: kinit failed on - Integrity check on decrypted field failed
Date Mon, 08 Apr 2013 17:37:41 GMT
On 4/8/13 7:33 PM, Wu, James C. wrote:
> I removed the allow_weak_crypto = true from krb5.conf and set the ads-krbEncryptionTypes to have only one value aes256-cts-hmac-sha1-96. But I still get the same error. See the log
>
> [10:29:58] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
> [10:29:58] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
> [10:29:58] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
> [10:30:02] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
> [10:30:02] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)
>
> I am wondering about the "No timestamp found" error. Does it have any relation to the "Integrity check on decrypted field failed" error?

No. The 'No Timestamp found' message is just a part of the Kerberos
protocol: in order to guarantee that the client is who he/she is
pretending to be, a timestamp is sent back to the client, for him/her to
encrypt it. The problem is that the algorithm used to encrypt the password on
the client side is not the one used to decrypt it on the server side.

I'm pretty sure that it has been fixed in trunk 2 weeks ago.

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 
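
The log sequence discussed in this thread can be triaged mechanically. The following Python sketch is an added example, not part of the original message or of ApacheDS: it parses log lines in the format quoted above, collapses the duplicate entry written by the second logger, and separates the routine pre-authentication challenge (25) from an integrity failure (31) that follows it. The sample log is constructed from the quoted lines, and the function names, labels and 30-second correlation window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the log lines quoted in the message above.
SAMPLE_LOG = """\
[10:29:58] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
[10:29:58] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
[10:29:58] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
[10:30:02] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
[10:30:02] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)
"""

LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] (\w+)\s+\[([^\]]+)\] - (.*?)(?: \((\d+)\))?$")
# RFC 4120 error codes that appear in the quoted log:
# 25 = KDC_ERR_PREAUTH_REQUIRED, 31 = KRB_AP_ERR_BAD_INTEGRITY.
PREAUTH_REQUIRED, BAD_INTEGRITY = 25, 31

def parse(log_text):
    """Return (time, code) events, collapsing the duplicate written by the second logger."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(5) is None:
            continue  # e.g. "No timestamp found" carries no error code
        event = (datetime.strptime(m.group(1), "%H:%M:%S"), int(m.group(5)))
        if not events or events[-1] != event:
            events.append(event)
    return events

def triage(log_text, window_seconds=30):
    """Label each coded event; window_seconds is an assumed correlation window."""
    findings, last_challenge = [], None
    for when, code in parse(log_text):
        if code == PREAUTH_REQUIRED:
            last_challenge = when
            findings.append((when.strftime("%H:%M:%S"), "preauth-challenge"))
        elif code == BAD_INTEGRITY:
            paired = (last_challenge is not None
                      and 0 <= (when - last_challenge).total_seconds() <= window_seconds)
            # Heuristic: a 31 right after a 25 means the pre-auth data did not decrypt.
            label = "key-mismatch-after-challenge" if paired else "integrity-failure-unpaired"
            findings.append((when.strftime("%H:%M:%S"), label))
            last_challenge = None
    return findings

if __name__ == "__main__":
    for stamp, label in triage(SAMPLE_LOG):
        print(stamp, label)
```

A `key-mismatch-after-challenge` finding points at the client and server keys (password, encryption type, salt) rather than at the challenge itself.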

