directory-dev mailing list archives

From "Wu, James C." <James.C...@disney.com>
Subject RE: kinit failed on - Integrity check on decrypted field failed
Date Mon, 08 Apr 2013 17:56:27 GMT
Hi,

I put some debug log output in the attached file.  Hope it will get us to the cause of the
problem.

Regards,

jame

-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com] 
Sent: Monday, April 08, 2013 10:38 AM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

Le 4/8/13 7:33 PM, Wu, James C. a écrit :
> I removed the allow_weak_crypto = true from krb5.conf and set the 
> ads-krbEncryptionTypes to have only one value aes256-cts-hmac-sha1-96. 
> But I still get the same error. See the log
>
> [10:29:58] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
> [10:29:58] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
> [10:29:58] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
> [10:30:02] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
> [10:30:02] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)
>
> I am wondering about the "No timestamp found" error. Does it have any relation to the
> "Integrity check on decrypted field failed" error?

No. The 'No Timestamp found' message is just a part of the Kerberos protocol: in order to
guarantee that the client is who he/she is pretending to be, a timestamp is sent back to the
client, for him/her to encrypt it. The problem is that the algorithm used to encrypt the password
on the client side is not the one used to decrypt it on the server side.

I'm pretty sure that it has been fixed in trunk 2 weeks ago.

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 
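
The log sequence quoted in this thread can be triaged mechanically. The following is an added example, not part of the original messages or of ApacheDS: it separates a bare pre-authentication challenge (25) from a challenge followed by an integrity failure (31), which is the signature of the client and server disagreeing on the key. Assumptions: the log lines carry no client identity, so events are correlated by time only, and the function names and the 30-second window are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Log lines as quoted in the thread above, one entry per line.
SAMPLE_LOG = """\
[10:29:58] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
[10:29:58] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
[10:29:58] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
[10:30:02] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
[10:30:02] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)
"""

LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] (\w+) \[([\w.]+)\] - (.*?)(?: \((\d+)\))?$")
PREAUTH_REQUIRED, BAD_INTEGRITY = 25, 31  # Kerberos error codes (RFC 4120)

def parse(log_text):
    """Yield (time, code) once per event; both loggers report the same event.

    Assumption: identical codes within the same second are one event."""
    seen = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(5) is None:
            continue  # e.g. "No timestamp found" carries no error code
        key = (m.group(1), int(m.group(5)))
        if key not in seen:
            seen.add(key)
            yield datetime.strptime(m.group(1), "%H:%M:%S"), int(m.group(5))

def triage(log_text, window=timedelta(seconds=30)):
    """Classify each pre-auth challenge by what followed it within `window`."""
    events = list(parse(log_text))
    findings = []
    for i, (t, code) in enumerate(events):
        if code != PREAUTH_REQUIRED:
            continue
        followup = [c for (t2, c) in events[i + 1:] if t2 - t <= window]
        # 31 after 25: pre-auth data arrived but did not decrypt with the
        # server's key (wrong password, or enctype/salt disagreement).
        verdict = "key-mismatch" if BAD_INTEGRITY in followup else "challenge-only"
        findings.append((t.strftime("%H:%M:%S"), verdict))
    return findings

if __name__ == "__main__":
    for when, verdict in triage(SAMPLE_LOG):
        print(when, verdict)
```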
