directory-dev mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: kinit failed on - Integrity check on decrypted field failed
Date Wed, 10 Apr 2013 03:52:02 GMT
On Wed, Apr 10, 2013 at 2:43 AM, Wu, James C. <James.C.Wu@disney.com> wrote:

> Hi,
>
> I came across this page which describes how Kerberos keys are derived from
> the passwords of an entry.
> http://directory.apache.org/apacheds/kerberos-ug/1.1.3-keys.html
>
> It mentioned that the Kerberos keys are basically a hashed value of the
> passwords with the salt being the realm name. I am wondering how the
> kinit program knows the salt for the Kerberos key. Is it passed from
> apacheds? I did not see

Just like you mentioned above, the realm name is used as the salt, and kinit
knows the realm name.

> something like that mentioned in the log output.
>
> I guess the kinit has to know both the encryption type and the salt in
> order to reproduce the Kerberos encryption key so that it can decrypt
> message from apacheds. Am I right?
>
> Regards,
>
> James
>
> -----Original Message-----
> From: dev-return-42835-James.C.Wu=disney.com@directory.apache.org [mailto:
> dev-return-42835-James.C.Wu=disney.com@directory.apache.org] On Behalf Of
> Wu, James C.
> Sent: Tuesday, April 09, 2013 9:49 AM
> To: Apache Directory Developers List
> Subject: RE: kinit failed on - Integrity check on decrypted field failed
>
> I am very sure of that. I just deleted the hnelson entry and recreated it
> using the ldapadd command. The hnelson.ldif file is as follows:
>
>   dn: uid=hnelson,ou=users,dc=example,dc=com
>   objectclass: top
>   objectclass: person
>   objectclass: inetOrgPerson
>   objectclass: krb5Principal
>   objectclass: krb5KDCEntry
>   cn: Horatio Nelson
>   sn: Nelson
>   uid: hnelson
>   userpassword: secret01
>   krb5PrincipalName: hnelson@EXAMPLE.COM
>
>
> The ldap command I used to add the entry is
>
>   ldapadd -x -W -D "uid=admin,ou=system" -f hnelson.ldif -H
> ldap://localhost:10389
>
> When I do a ldapsearch, I saw the hnelson entry as follows
>
>   # hnelson, users, example.com
>   dn: uid=hnelson,ou=users,dc=example,dc=com
>   uid: hnelson
>   userpassword:: e1NTSEF9WlBoT0RueU1sL3FmSVZ1K0tIaHloQU5XN2Z5RWF5cGZSeFMvZ1E9PQ==
>   objectclass: organizationalPerson
>   objectclass: krb5Principal
>   objectclass: person
>   objectclass: krb5KDCEntry
>   objectclass: inetOrgPerson
>   objectclass: top
>   cn: Horatio Nelson
>   sn: Nelson
>   krb5KeyVersionNumber: 0
>   krb5Key:: MBmgAwIBEaESBBBEoHCxETKoK5EHlTW1kdUP
>   krb5Key:: MBGgAwIBA6EKBAhFVAF2buW19A==
>   krb5Key:: MCGgAwIBEKEaBBiDZDj0L9XH7BrCJfJYHBBzJTHHUdaFdSk=
>   krb5Key:: MBmgAwIBF6ESBBCIi91Z4Xn3gVQeWmSirA7o
>   krb5Key:: MCmgAwIBEqEiBCDY8jXKWlxWMGCcyKRIIVOQgjde+LItumdkwKUy/PXPKw==
>   krb5PrincipalName: hnelson@EXAMPLE.COM
>
>
>
> -----Original Message-----
> From: Emmanuel Lécharny [mailto:elecharny@gmail.com]
> Sent: Tuesday, April 09, 2013 9:34 AM
> To: Apache Directory Developers List
> Subject: Re: kinit failed on - Integrity check on decrypted field failed
>
> Le 4/9/13 6:24 PM, Wu, James C. a écrit :
> > I will do it. The log output is also attached below in this email. If
> > anyone can take a quick look at it, I would really appreciate it.
> >
> > -- james
>
> Just looked at the logs; so far, it seems that everything goes fine, up to
> the point where you get the error.
>
> Are you *sure* that the password is the one stored in the entry ?
>
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>


-- 
Kiran Ayyagari
http://keydap.com
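As an added example (this is not code from the thread above or from ApacheDS), the script below decodes the krb5Key values shown in the ldapsearch output: each value is a DER-encoded RFC 4120 EncryptionKey carrying the encryption type and the raw key, so the entry stores one key per etype (des-cbc-md5, des3-cbc-sha1-kd, aes128, aes256 and rc4-hmac). It also builds the salt as RFC 4120 section 4 defines the default: the realm followed by the principal name components with no separator, so EXAMPLE.COMhnelson for hnelson@EXAMPLE.COM rather than the realm alone; when a KDC uses a non-default salt it tells the client in PA-ETYPE-INFO2 pre-authentication data, which is how kinit learns it. The etype table and key lengths are from the RFCs; the rc4-hmac key (RFC 4757) is the unsalted NT hash of the password. Only the PBKDF2 stage of the RFC 3962 AES string-to-key is run; the AES-based DK step that produces the final key is left out, so the script checks the stored keys' structure, not their values.

```python
"""Decode krb5Key attribute values and build the RFC 4120 default salt.
Added example; not ApacheDS code.  Key material below is copied from the
ldapsearch output in the thread, the etype table from RFC 3961/3962/4757."""
import base64
import hashlib

# etype number -> (name, raw key length in bytes)
ETYPES = {
    3: ("des-cbc-md5", 8),
    16: ("des3-cbc-sha1-kd", 24),
    17: ("aes128-cts-hmac-sha1-96", 16),
    18: ("aes256-cts-hmac-sha1-96", 32),
    23: ("rc4-hmac", 16),
}


def _tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_encryption_key(der):
    """EncryptionKey ::= SEQUENCE { keytype [0] Int32, keyvalue [1] OCTET STRING }."""
    tag, seq, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
    tag, ctx0, pos = _tlv(seq, 0)
    if tag != 0xA0:
        raise ValueError("expected [0] keytype")
    itag, ival, _ = _tlv(ctx0, 0)
    if itag != 0x02:
        raise ValueError("keytype is not an INTEGER")
    etype = int.from_bytes(ival, "big", signed=True)
    tag, ctx1, _ = _tlv(seq, pos)
    if tag != 0xA1:
        raise ValueError("expected [1] keyvalue")
    otag, key, _ = _tlv(ctx1, 0)
    if otag != 0x04:
        raise ValueError("keyvalue is not an OCTET STRING")
    return etype, key


def des_odd_parity(key):
    """True if every byte of a DES key has odd parity, as RFC 3961 requires."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def audit_krb5_keys(b64_values):
    """Return (etype, name, key_len, ok) per value; ok is False for an unknown
    etype, a wrong key length, or a single-DES key with bad parity."""
    out = []
    for v in b64_values:
        etype, key = parse_encryption_key(base64.b64decode(v))
        name, expected = ETYPES.get(etype, ("unknown", None))
        ok = expected == len(key)
        if etype == 3:
            ok = ok and des_odd_parity(key)
        out.append((etype, name, len(key), ok))
    return out


def default_salt(principal):
    """RFC 4120 section 4 default salt: realm, then name components, no separators."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def aes_pbkdf2_stage(password, salt, key_len, iterations=4096):
    """First stage of RFC 3962 string-to-key (PBKDF2-HMAC-SHA1).  The final key
    is DK(tkey, "kerberos"), which needs AES and is not computed here."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_len)


# The five krb5Key values exactly as they appear in the ldapsearch output above.
HNELSON_KEYS = [
    "MBmgAwIBEaESBBBEoHCxETKoK5EHlTW1kdUP",
    "MBGgAwIBA6EKBAhFVAF2buW19A==",
    "MCGgAwIBEKEaBBiDZDj0L9XH7BrCJfJYHBBzJTHHUdaFdSk=",
    "MBmgAwIBF6ESBBCIi91Z4Xn3gVQeWmSirA7o",
    "MCmgAwIBEqEiBCDY8jXKWlxWMGCcyKRIIVOQgjde+LItumdkwKUy/PXPKw==",
]

if __name__ == "__main__":
    for etype, name, n, ok in audit_krb5_keys(HNELSON_KEYS):
        print("etype %2d %-24s %2d-byte key %s" % (etype, name, n, "ok" if ok else "BAD"))
    print("default salt for hnelson@EXAMPLE.COM:", default_salt("hnelson@EXAMPLE.COM"))
```

Running it against the entry above lists etypes 17, 3, 16, 23 and 18 with key lengths 16, 8, 24, 16 and 32, which is what a KDC entry populated from a password with all five etypes enabled should hold; a mismatch between the etype a client negotiates and the keys actually stored is one of the things to rule out when kinit reports an integrity check failure.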
