directory-dev mailing list archives

From "Wu, James C." <James.C...@disney.com>
Subject RE: kinit failed on - Integrity check on decrypted field failed
Date Mon, 08 Apr 2013 17:33:20 GMT
I removed the allow_weak_crypto = true from krb5.conf and set the ads-krbEncryptionTypes to
have only one value aes256-cts-hmac-sha1-96. But I still get the same error. See the log

[10:29:58] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
[10:29:58] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
[10:29:58] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
[10:30:02] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
[10:30:02] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)

I am wondering about the "No timestamp found" error. Does it have any relation to the "Integrity
check on decrypted field failed" error?

Regards,

james

From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
Sent: Monday, April 08, 2013 10:16 AM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

very likely that the default weak encryption type set in ApacheDS is the reason.
either you enable the weak encryption support in krb5.conf

[libdefaults]
       allow_weak_crypto = true
or modify the encryption types configured in ApacheDS

 1. go to the entry ads-serverId=kerberosServer,ou=servers,ads-directoryServiceId=default,ou=config
 2. remove des3-cbc-sha1-kd from ads-krbEncryptionTypes attribute (you can add another value
like aes256-cts-hmac-sha1-96)
 3. restart the server
let us know if you still have an issue




On Mon, Apr 8, 2013 at 10:24 PM, Wu, James C. <James.C.Wu@disney.com> wrote:
I installed the JCE and am using the JVM from Oracle now. But I am getting the same error as
when I used the OpenJDK JVM.

[09:48:32] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
[09:48:32] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)

I tried to use kinit from two machines; both show the same error. The kinit is part of the
krb5-lib/krb5-workstation library. Do I have to use another implementation of kinit?

Regards,

james


-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com]
Sent: Sunday, April 07, 2013 10:38 PM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed
Le 4/8/13 3:35 AM, Wu, James C. a écrit :
> The apacheDS version I am using is apacheds-2.0.0-M11-64bit.bin
>
> When I switched the JVM to Oracle JVM by installing the jdk-7u17-linux-x64.rpm from Oracle, I even get a NullPointerException. See the following stack trace.

AES256 is not included by default in the standard J2SE installation. You have to install JCE
in order to be able to use AES 256.


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com



--
Kiran Ayyagari
http://keydap.com
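
Added example, not part of the original thread or the ApacheDS code base: a small Python triage of the log excerpt quoted above. It pairs error code 25 (KDC_ERR_PREAUTH_REQUIRED in RFC 4120) with a following code 31 (KRB_AP_ERR_BAD_INTEGRITY) to show that the second request reached the KDC and its pre-authentication data failed to decrypt; the 60-second window, the label strings and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the log excerpt from the thread with wrapped lines rejoined.
SAMPLE_LOG = """\
[10:29:58] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
[10:29:58] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
[10:29:58] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
[10:30:02] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
[10:30:02] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)
"""

LINE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] +(\w+) +\[([^\]]+)\] - (.*?)(?: \((\d+)\))?$")
PREAUTH_REQUIRED, BAD_INTEGRITY = 25, 31   # RFC 4120 error codes
WINDOW = timedelta(seconds=60)             # assumed max gap between the two AS-REQs


def parse(log):
    """Return (time, message, code) per KERBEROS_LOG line; the handler logger repeats them."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m.group(3).endswith("KERBEROS_LOG"):
            continue
        when = datetime.strptime(m.group(1), "%H:%M:%S")
        code = int(m.group(5)) if m.group(5) else None
        events.append((when, m.group(4), code))
    return events


def classify(events):
    """Label each AS exchange by how far pre-authentication got."""
    findings, challenge = [], None
    for when, _msg, code in events:
        if code == PREAUTH_REQUIRED:
            if challenge is not None:
                findings.append((challenge, "challenge-unanswered"))
            challenge = when
        elif code == BAD_INTEGRITY:
            if challenge is not None and when - challenge <= WINDOW:
                # The client answered the challenge, but the key stored in the KDC
                # did not decrypt its data: password, enctype or salt differ.
                findings.append((when, "preauth-key-mismatch"))
            else:
                findings.append((when, "integrity-failure-unpaired"))
            challenge = None
    if challenge is not None:
        findings.append((challenge, "challenge-unanswered"))
    return [(t.strftime("%H:%M:%S"), label) for t, label in findings]
```

Calling `classify(parse(SAMPLE_LOG))` on the excerpt yields a single `preauth-key-mismatch` finding at 10:30:02.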
