directory-dev mailing list archives

From "James C. Wu (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (DIRKRB-88) kinit failed - Integrity check on decrypted field failed
Date Wed, 10 Apr 2013 18:52:15 GMT

     [ https://issues.apache.org/jira/browse/DIRKRB-88?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James C. Wu resolved DIRKRB-88.
-------------------------------

    Resolution: Not A Problem
    
> kinit failed - Integrity check on decrypted field failed
> --------------------------------------------------------
>
>                 Key: DIRKRB-88
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-88
>             Project: Directory Kerberos
>          Issue Type: Bug
>    Affects Versions: 2.0.0-M11
>         Environment: JVM 7.0 from OpenJDK and Oracle.
>            Reporter: James C. Wu
>            Assignee: Emmanuel Lecharny
>
>  The hnelson.ldif file is as follows:
>   dn: uid=hnelson,ou=users,dc=example,dc=com
>   objectclass: top
>   objectclass: person
>   objectclass: inetOrgPerson
>   objectclass: krb5Principal
>   objectclass: krb5KDCEntry
>   cn: Horatio Nelson
>   sn: Nelson
>   uid: hnelson
>   userpassword: secret01
>   krb5PrincipalName: hnelson@EXAMPLE.COM
> The ldap command I used to add the entry is 
>   ldapadd -x -W -D "uid=admin,ou=system" -f hnelson.ldif -H ldap://localhost:10389
> When I do an ldapsearch, I see the hnelson entry as follows:
>   # hnelson, users, example.com
>   dn: uid=hnelson,ou=users,dc=example,dc=com
>   uid: hnelson
>   userpassword:: e1NTSEF9WlBoT0RueU1sL3FmSVZ1K0tIaHloQU5XN2Z5RWF5cGZSeFMvZ1E9PQ=
>    =
>   objectclass: organizationalPerson
>   objectclass: krb5Principal
>   objectclass: person
>   objectclass: krb5KDCEntry
>   objectclass: inetOrgPerson
>   objectclass: top
>   cn: Horatio Nelson
>   sn: Nelson
>   krb5KeyVersionNumber: 0
>   krb5Key:: MBmgAwIBEaESBBBEoHCxETKoK5EHlTW1kdUP
>   krb5Key:: MBGgAwIBA6EKBAhFVAF2buW19A==
>   krb5Key:: MCGgAwIBEKEaBBiDZDj0L9XH7BrCJfJYHBBzJTHHUdaFdSk=
>   krb5Key:: MBmgAwIBF6ESBBCIi91Z4Xn3gVQeWmSirA7o
>   krb5Key:: MCmgAwIBEqEiBCDY8jXKWlxWMGCcyKRIIVOQgjde+LItumdkwKUy/PXPKw==
>   krb5PrincipalName: hnelson@EXAMPLE.COM
> Here is the log output at debug level after running kinit hnelson.
> [10:44:15] DEBUG [org.apache.directory.shared.kerberos.components.PaData] - PreAuthenticationData
encoding : 0x30 0x1F 0x30 0x09 0xA1 0x03 0x02 0x01 0x02 0xA2 0x02 0x04 0x00 0x30 0x12 0xA1
0x03 0x02 0x01 0x13 0xA2 0x0B 0x04 0x09 0x30 0x07 0x30 0x05 0xA0 0x03 0x02 0x01 0x12 [10:44:15]
DEBUG [org.apache.directory.shared.kerberos.components.PaData] - PreAuthenticationData initial
value : PreAuthenticationData :
>     padata-type: Encryption info.(19)
>     padata-value:0x30 0x07 0x30 0x05 0xA0 0x03 0x02 0x01 0x12
> [10:44:15] DEBUG [org.apache.directory.shared.kerberos.components.MethodData] - METHOD-DATA
encoding : 0x30 0x1F
> 0x30 0x09 0xA1 0x03 0x02 0x01 0x02 0xA2 0x02 0x04 0x00 0x30 0x12 0xA1 0x03 0x02 0x01
0x13 0xA2 0x0B 0x04 0x09 0x30 0x07 0x30 0x05 0xA0 0x03 0x02 0x01 0x12 [10:44:15] DEBUG [org.apache.directory.shared.kerberos.components.MethodData]
- METHOD-DATA initial value : METHOD-DATA : PreAuthenticationData :
>     padata-type: Encrypted timestamp.(2) , PreAuthenticationData :
>     padata-type: Encryption info.(19)
>     padata-value:0x30 0x07 0x30 0x05 0xA0 0x03 0x02 0x01 0x12
> [10:44:15] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- Additional pre-authentication required (25) [10:44:15] WARN [org.apache.directory.server.KERBEROS_LOG]
- Additional pre-authentication required (25) [10:44:15] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- Responding to request with error:
>         explanatory text:      Additional pre-authentication required
>         error code:            Additional pre-authentication required
>         clientPrincipal:       null@null
>         client time:           null
>         serverPrincipal:       { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt',
'EXAMPLE.COM'> }@EXAMPLE.COM
>         server time:           20130408174415Z
> [10:44:15] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Responding to request with
error:
>         explanatory text:      Additional pre-authentication required
>         error code:            Additional pre-authentication required
>         clientPrincipal:       null@null
>         client time:           null
>         serverPrincipal:       { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt',
'EXAMPLE.COM'> }@EXAMPLE.COM
>         server time:           20130408174415Z
> [10:44:15] DEBUG [org.apache.directory.shared.kerberos.components.PrincipalName] - PrinipalName
encoding : 0x7E 0x81 0xA8 0x30 0x81 0xA5 0xA0 0x03 0x02 0x01 0x05 0xA1 0x03 0x02 0x01 0x1E
0xA4 0x11 0x18 0x0F 0x32 0x30 0x31 0x33 0x30 0x34 0x30 0x38 0x31 0x37 0x34 0x34 0x31 0x35
0x5A 0xA5 0x03 0x02 0x01 0x00 0xA6 0x03 0x02 0x01 0x19 0xA9 0x0C 0x1B 0x0A 0x44 0x49 0x53
0x4E 0x45 0x59 0x2E 0x43 0x4F 0x4D 0xAA 0x1F 0x30 0x1D 0xA0 0x03 0x02 0x01 0x02 0xA1
> 0x16 0x30 0x14 0x1B 0x06 0x6B 0x72 0x62 0x74 0x67 0x74 0x1B 0x0A 0x44 0x49 0x53 0x4E
0x45 0x59 0x2E 0x43 0x4F 0x4D 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 [10:44:15] DEBUG [org.apache.directory.shared.kerberos.components.PrincipalName]
- PrinipalName initial value : { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>
} [10:44:15] DEBUG [org.apache.directory.shared.kerberos.messages.KrbError] - KrbError encoding
: 0x7E 0x81 0xA8 0x30 0x81 0xA5 0xA0 0x03 0x02 0x01 0x05 0xA1 0x03 0x02 0x01 0x1E 0xA4 0x11
0x18 0x0F 0x32 0x30 0x31 0x33 0x30 0x34
> 0x30 0x38 0x31 0x37 0x34 0x34 0x31 0x35 0x5A 0xA5 0x03 0x02 0x01 0x00 0xA6 0x03 0x02
0x01 0x19 0xA9 0x0C 0x1B 0x0A 0x44 0x49 0x53 0x4E 0x45 0x59 0x2E 0x43 0x4F 0x4D 0xAA 0x1F
0x30 0x1D 0xA0 0x03 0x02 0x01 0x02 0xA1 0x16 0x30 0x14 0x1B 0x06 0x6B 0x72 0x62 0x74 0x67
0x74 0x1B 0x0A 0x44 0x49 0x53 0x4E 0x45 0x59 0x2E 0x43 0x4F 0x4D 0xAB 0x28 0x1B 0x26 0x41
0x64 0x64 0x69 0x74 0x69 0x6F 0x6E 0x61 0x6C 0x20 0x70 0x72 0x65 0x2D 0x61 0x75 0x74 0x68
0x65 0x6E 0x74 0x69 0x63 0x61 0x74 0x69 0x6F 0x6E 0x20 0x72 0x65 0x71 0x75 0x69 0x72 0x65
0x64 0xAC 0x23 0x04 0x21 0x30 0x1F 0x30 0x09 0xA1 0x03 0x02 0x01 0x02 0xA2 0x02 0x04 0x00
0x30 0x12 0xA1 0x03 0x02 0x01 0x13 0xA2 0x0B 0x04 0x09 0x30 0x07 0x30 0x05 0xA0 0x03 0x02
0x01 0x12 [10:44:15] DEBUG [org.apache.directory.shared.kerberos.messages.KrbError] - KrbError
initial value :
> KRB-ERROR : {
>     pvno: 5
>     msgType: KRB_ERROR
>     sTime: 20130408174415Z
>     susec: 0
>     errorCode: Additional pre-authentication required
>     realm: EXAMPLE.COM
>     sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>
}
>     eText: Additional pre-authentication required
>     eData: 0x30 0x1F 0x30 0x09 0xA1 0x03 0x02 0x01 0x02 0xA2 0x02 0x04 0x00 0x30 0x12
0xA1 0x03 0x02 0x01 0x13 0xA2 0x0B 0x04 0x09 0x30 0x07 0x30 0x05 0xA0 0x03 0x02 0x01 0x12
}
> [10:44:15] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- /10.42.12.54:55923 SENT:
> KRB-ERROR : {
>     pvno: 5
>     msgType: KRB_ERROR
>     sTime: 20130408174415Z
>     susec: 0
>     errorCode: Additional pre-authentication required
>     realm: EXAMPLE.COM
>     sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>
}
>     eText: Additional pre-authentication required
>     eData: 0x30 0x1F 0x30 0x09 0xA1 0x03 0x02 0x01 0x02 0xA2 0x02 0x04 0x00 0x30 0x12
0xA1 0x03 0x02 0x01 0x13 0xA2 0x0B 0x04 0x09 0x30 0x07 0x30 0x05 0xA0 0x03 0x02 0x01 0x12
}
> [10:44:15] DEBUG [org.apache.directory.server.KERBEROS_LOG] - /10.42.12.54:55923 SENT:
> KRB-ERROR : {
>     pvno: 5
>     msgType: KRB_ERROR
>     sTime: 20130408174415Z
>     susec: 0
>     errorCode: Additional pre-authentication required
>     realm: EXAMPLE.COM
>     sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>
}
>     eText: Additional pre-authentication required
>     eData: 0x30 0x1F 0x30 0x09 0xA1 0x03 0x02 0x01 0x02 0xA2 0x02 0x04 0x00 0x30 0x12
0xA1 0x03 0x02 0x01 0x13 0xA2 0x0B 0x04 0x09 0x30 0x07 0x30 0x05 0xA0 0x03 0x02 0x01 0x12
}
> [10:44:17] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- /10.42.12.54:41991 CREATED:  datagram [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG]
- /10.42.12.54:41991 CREATED:  datagram [10:44:17] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- /10.42.12.54:41991 OPENED [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] -
/10.42.12.54:41991 OPENED [10:44:17] DEBUG [org.apache.mina.filter.codec.ProtocolCodecFilter]
- Processing a MESSAGE_RECEIVED for session 9 [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.actions.AbstractReadPvno]
- pvno : 5 [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.padata.actions.PaDataInit]
- PaData created [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.padata.actions.StoreDataType]
- padata-type : 2 [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.kdcReq.actions.AddPaData]
- Added PA-DATA:  PreAuthenticationData :
>     padata-type: Encrypted timestamp.(2)
>     padata-value:0x30 0x41 0xA0 0x03 0x02 0x01 0x12 0xA2 0x3A 0x04 0x38 0xA1 0x9A 0x25
0xE5 0x77 0x8A 0x30 0x12 0xE3 0x82 0x97 0xEF 0x8E 0xDF 0x1A 0x36 0x39 0xAE 0xF1 0x6C 0x64
0x89 0x9F 0x89 0x31 0xB3 0xFD 0x01 0xB1 0x68 0x25 0xAA 0xAE 0xAF 0x05 0xDD 0x33 0xD3 0xFE
0x57 0xD0 0x74 0x6C 0x08 0x64 0xA2 0xF3 0x8C 0x23 0x1F 0xAE 0xB6 0xA9 0x24 0xB5 0x38
> [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.padata.actions.PaDataInit]
- PaData created [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.padata.actions.StoreDataType]
- padata-type : 149 [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.kdcReq.actions.AddPaData]
- Added PA-DATA:  PreAuthenticationData :
>     padata-type: null(0)
> [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.KdcReqBodyInit]
- KdcReqBody created [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.StoreKdcOptions]
- KDCOptions : FORWARDABLE RENEWABLE [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.principalName.actions.PrincipalNameInit]
- PrincipalName created [10:44:17] DEBUG [org.apache.directory.api.asn1.actions.AbstractReadInteger]
- read integer value : 1 [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.principalName.actions.StoreNameType]
- name-type : {}Just the name of the principal as in DCE, or for users(1) [10:44:17] DEBUG
[org.apache.directory.shared.kerberos.codec.principalName.actions.StoreNameString] - PrincipalName
String : hnelson [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.actions.AbstractReadPrincipalName]
- PrincipalName : { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> } [10:44:17]
DEBUG [org.apache.directory.shared.kerberos.codec.actions.AbstractReadRealm] - read realm
value : EXAMPLE.COM [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.principalName.actions.PrincipalNameInit]
- PrincipalName created [10:44:17] DEBUG [org.apache.directory.api.asn1.actions.AbstractReadInteger]
- read integer value : 2 [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.principalName.actions.StoreNameType]
- name-type : {}Service and other unique instance (krbtgt)(2) [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.principalName.actions.StoreNameString]
- PrincipalName String : krbtgt [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.principalName.actions.StoreNameString]
- PrincipalName String : EXAMPLE.COM [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.actions.AbstractReadPrincipalName]
- PrincipalName : { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>
} [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.StoreFrom]
- From : 20130408174415Z [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.StoreTill]
- Till : 20130409174415Z [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.actions.AbstractReadKerberosTime]
- decoded kerberos time is : 20130415174415Z [10:44:17] DEBUG [org.apache.directory.api.asn1.actions.AbstractReadInteger]
- read integer value : 1801102745 [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.AddEType]
- EncryptionType : aes256-cts-hmac-sha1-96 (18) [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.AddEType]
- EncryptionType : aes128-cts-hmac-sha1-96 (17) [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.AddEType]
- EncryptionType : des3-cbc-sha1-kd (16) [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.AddEType]
- EncryptionType : rc4-hmac (23) [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.kdcReq.actions.StoreKdcReqBody]
- KDC-REQ-BODY : KDCOptions : FORWARDABLE RENEWABLE cname : { name-type: KRB_NT_PRINCIPAL,
name-string : <'hnelson'> } realm : EXAMPLE.COM sname : { name-type: KRB_NT_SRV_INST,
name-string : <'krbtgt', 'EXAMPLE.COM'> } from : 20130408174415Z till : 20130409174415Z
rtime : 20130415174415Z nonce : 1801102745 etype : aes256-cts-hmac-sha1-96 (18) aes128-cts-hmac-sha1-96
(17) des3-cbc-sha1-kd (16) rc4-hmac (23) [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.asReq.actions.StoreKdcReq]
- AS-REQ :
> >-----------------------------------------------------------------------
> >--------
> AS-REQ
> pvno : 5
> msg-type : AS_REQ
> padata :
>     PreAuthenticationData :
>         padata-type: Encrypted timestamp.(2)
>         padata-value:0x30 0x41 0xA0 0x03 0x02 0x01 0x12 0xA2 0x3A 0x04 0x38 0xA1 0x9A
0x25 0xE5 0x77 0x8A 0x30 0x12 0xE3 0x82 0x97 0xEF 0x8E 0xDF 0x1A 0x36 0x39 0xAE 0xF1 0x6C
0x64 0x89 0x9F 0x89 0x31 0xB3 0xFD 0x01 0xB1 0x68
> 0x25 0xAA 0xAE 0xAF 0x05 0xDD 0x33 0xD3 0xFE 0x57 0xD0 0x74 0x6C 0x08 0x64 0xA2 0xF3
0x8C 0x23 0x1F 0xAE 0xB6 0xA9 0x24 0xB5 0x38
> padata :
>     PreAuthenticationData :
>         padata-type: null(0)
> kdc-req-body :
>     KDCOptions : FORWARDABLE RENEWABLE
>     cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
>     realm : EXAMPLE.COM
>     sname : { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>
}
>     from : 20130408174415Z
>     till : 20130409174415Z
>     rtime : 20130415174415Z
>     nonce : 1801102745
>     etype : aes256-cts-hmac-sha1-96 (18) aes128-cts-hmac-sha1-96 (17) des3-cbc-sha1-kd
(16) rc4-hmac (23)
> -------------------------------------------------------------------------------<
> [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.KerberosMessageGrammar]
- Decoded KerberosMessage
> >-----------------------------------------------------------------------
> >--------
> AS-REQ
> pvno : 5
> msg-type : AS_REQ
> padata :
>     PreAuthenticationData :
>         padata-type: Encrypted timestamp.(2)
>         padata-value:0x30 0x41 0xA0 0x03 0x02 0x01 0x12 0xA2 0x3A 0x04 0x38 0xA1 0x9A
0x25 0xE5 0x77 0x8A 0x30 0x12 0xE3 0x82 0x97 0xEF 0x8E 0xDF 0x1A 0x36 0x39 0xAE 0xF1 0x6C
0x64 0x89 0x9F 0x89 0x31 0xB3 0xFD 0x01 0xB1 0x68
> 0x25 0xAA 0xAE 0xAF 0x05 0xDD 0x33 0xD3 0xFE 0x57 0xD0 0x74 0x6C 0x08 0x64 0xA2 0xF3
0x8C 0x23 0x1F 0xAE 0xB6 0xA9 0x24 0xB5 0x38
> padata :
>     PreAuthenticationData :
>         padata-type: null(0)
> kdc-req-body :
>     KDCOptions : FORWARDABLE RENEWABLE
>     cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
>     realm : EXAMPLE.COM
>     sname : { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>
}
>     from : 20130408174415Z
>     till : 20130409174415Z
>     rtime : 20130415174415Z
>     nonce : 1801102745
>     etype : aes256-cts-hmac-sha1-96 (18) aes128-cts-hmac-sha1-96 (17) des3-cbc-sha1-kd
(16) rc4-hmac (23)
> -------------------------------------------------------------------------------<
> [10:44:17] DEBUG [org.apache.directory.server.kerberos.protocol.codec.KerberosDecoder]
- Decoded KerberosMessage
> :
> >-----------------------------------------------------------------------
> >--------
> AS-REQ
> pvno : 5
> msg-type : AS_REQ
> padata :
>     PreAuthenticationData :
>         padata-type: Encrypted timestamp.(2)
>         padata-value:0x30 0x41 0xA0 0x03 0x02 0x01 0x12 0xA2 0x3A 0x04 0x38 0xA1 0x9A
0x25 0xE5 0x77 0x8A 0x30 0x12 0xE3 0x82 0x97 0xEF 0x8E 0xDF 0x1A 0x36 0x39 0xAE 0xF1 0x6C
0x64 0x89 0x9F 0x89 0x31 0xB3 0xFD 0x01 0xB1 0x68
> 0x25 0xAA 0xAE 0xAF 0x05 0xDD 0x33 0xD3 0xFE 0x57 0xD0 0x74 0x6C 0x08 0x64 0xA2 0xF3
0x8C 0x23 0x1F 0xAE 0xB6 0xA9 0x24 0xB5 0x38
> padata :
>     PreAuthenticationData :
>         padata-type: null(0)
> kdc-req-body :
>     KDCOptions : FORWARDABLE RENEWABLE
>     cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
>     realm : EXAMPLE.COM
>     sname : { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>
}
>     from : 20130408174415Z
>     till : 20130409174415Z
>     rtime : 20130415174415Z
>     nonce : 1801102745
>     etype : aes256-cts-hmac-sha1-96 (18) aes128-cts-hmac-sha1-96 (17) des3-cbc-sha1-kd
(16) rc4-hmac (23)
> -------------------------------------------------------------------------------<
> [10:44:17] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- /10.42.12.54:41991 RCVD:
> >-----------------------------------------------------------------------
> >--------
> AS-REQ
> pvno : 5
> msg-type : AS_REQ
> padata :
>     PreAuthenticationData :
>         padata-type: Encrypted timestamp.(2)
>         padata-value:0x30 0x41 0xA0 0x03 0x02 0x01 0x12 0xA2 0x3A 0x04 0x38 0xA1 0x9A
0x25 0xE5 0x77 0x8A 0x30 0x12 0xE3 0x82 0x97 0xEF 0x8E 0xDF 0x1A 0x36 0x39 0xAE 0xF1 0x6C
0x64 0x89 0x9F 0x89 0x31 0xB3 0xFD 0x01 0xB1 0x68
> 0x25 0xAA 0xAE 0xAF 0x05 0xDD 0x33 0xD3 0xFE 0x57 0xD0 0x74 0x6C 0x08 0x64 0xA2 0xF3
0x8C 0x23 0x1F 0xAE 0xB6 0xA9 0x24 0xB5 0x38
> padata :
>     PreAuthenticationData :
>         padata-type: null(0)
> kdc-req-body :
>     KDCOptions : FORWARDABLE RENEWABLE
>     cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
>     realm : EXAMPLE.COM
>     sname : { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>
}
>     from : 20130408174415Z
>     till : 20130409174415Z
>     rtime : 20130415174415Z
>     nonce : 1801102745
>     etype : aes256-cts-hmac-sha1-96 (18) aes128-cts-hmac-sha1-96 (17) des3-cbc-sha1-kd
(16) rc4-hmac (23)
> -------------------------------------------------------------------------------<
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - /10.42.12.54:41991 RCVD:
> >-----------------------------------------------------------------------
> >--------
> AS-REQ
> pvno : 5
> msg-type : AS_REQ
> padata :
>     PreAuthenticationData :
>         padata-type: Encrypted timestamp.(2)
>         padata-value:0x30 0x41 0xA0 0x03 0x02 0x01 0x12 0xA2 0x3A 0x04 0x38 0xA1 0x9A
0x25 0xE5 0x77 0x8A 0x30 0x12 0xE3 0x82 0x97 0xEF 0x8E 0xDF 0x1A 0x36 0x39 0xAE 0xF1 0x6C
0x64 0x89 0x9F 0x89 0x31 0xB3 0xFD 0x01 0xB1 0x68
> 0x25 0xAA 0xAE 0xAF 0x05 0xDD 0x33 0xD3 0xFE 0x57 0xD0 0x74 0x6C 0x08 0x64 0xA2 0xF3
0x8C 0x23 0x1F 0xAE 0xB6 0xA9 0x24 0xB5 0x38
> padata :
>     PreAuthenticationData :
>         padata-type: null(0)
> kdc-req-body :
>     KDCOptions : FORWARDABLE RENEWABLE
>     cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
>     realm : EXAMPLE.COM
>     sname : { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>
}
>     from : 20130408174415Z
>     till : 20130409174415Z
>     rtime : 20130415174415Z
>     nonce : 1801102745
>     etype : aes256-cts-hmac-sha1-96 (18) aes128-cts-hmac-sha1-96 (17) des3-cbc-sha1-kd
(16) rc4-hmac (23)
> -------------------------------------------------------------------------------<
> [10:44:17] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Received Authentication Service (AS) request:
>         messageType:           AS_REQ
>         protocolVersionNumber: 5
>         clientAddress:         10.42.12.54
>         nonce:                 1801102745
>         kdcOptions:            FORWARDABLE RENEWABLE
>         clientPrincipal:       { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'>
}
>         serverPrincipal:       { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt',
'EXAMPLE.COM'> }
>         encryptionType:        aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96
(17), des3-cbc-sha1-kd (16), rc4-hmac (23)
>         realm:                 EXAMPLE.COM
>         from time:             20130408174415Z
>         till time:             20130409174415Z
>         renew-till time:       20130415174415Z
>         hostAddresses:         null
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Received Authentication
Service (AS) request:
>         messageType:           AS_REQ
>         protocolVersionNumber: 5
>         clientAddress:         10.42.12.54
>         nonce:                 1801102745
>         kdcOptions:            FORWARDABLE RENEWABLE
>         clientPrincipal:       { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'>
}
>         serverPrincipal:       { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt',
'EXAMPLE.COM'> }
>         encryptionType:        aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96
(17), des3-cbc-sha1-kd (16), rc4-hmac (23)
>         realm:                 EXAMPLE.COM
>         from time:             20130408174415Z
>         till time:             20130409174415Z
>         renew-till time:       20130415174415Z
>         hostAddresses:         null
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Selecting the EncryptionType
[10:44:17] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Encryption types requested by client [aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96
(17), des3-cbc-sha1-kd (16), rc4-hmac (23)].
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Encryption types requested
by client [aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16),
rc4-hmac (23)].
> [10:44:17] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Session will use encryption type aes256-cts-hmac-sha1-96 (18).
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Session will use encryption
type aes256-cts-hmac-sha1-96 (18).
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Getting the client
Entry [10:44:17] DEBUG [org.apache.directory.server.core.DefaultOperationManager] - >>
SearchOperation : SearchContext for Dn 'ou=users,dc=disney,dc=com', filter :'(krb5PrincipalName=hnelson@EXAMPLE.COM)'
> [10:44:17] DEBUG [org.apache.directory.server.core.authn.AuthenticationInterceptor] -
Operation Context: SearchContext for Dn 'ou=users,dc=disney,dc=com', filter :'(krb5PrincipalName=hnelson@EXAMPLE.COM)'
> [10:44:17] DEBUG [org.apache.directory.server.xdbm.search.impl.DefaultSearchEngine] -
Nb results : 1 for filter : (&:[1](krb5PrincipalName=hnelson@EXAMPLE.COM:[1])(#{SUBTREE_SCOPE
(Estimated), 'ou=users,dc=disney,dc=com', DEREF_ALWAYS})) [10:44:17] DEBUG [org.apache.directory.server.core.DefaultOperationManager]
- << SearchOperation successful [10:44:17] DEBUG [org.apache.directory.server.protocol.shared.kerberos.StoreUtils]
- Found entry uid=hnelson,ou=users,dc=disney,dc=com for kerberos principal name hnelson@EXAMPLE.COM
[10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Found entry uid=hnelson,ou=users,dc=disney,dc=com
for kerberos principal name hnelson@EXAMPLE.COM [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit]
- EncryptionKey created [10:44:17] DEBUG [org.apache.directory.api.asn1.actions.AbstractReadInteger]
- read integer value : 3 [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType]
- keytype : des-cbc-md5 (3) [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit]
- EncryptionKey created [10:44:17] DEBUG [org.apache.directory.api.asn1.actions.AbstractReadInteger]
- read integer value : 23 [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType]
- keytype : rc4-hmac (23) [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit]
- EncryptionKey created [10:44:17] DEBUG [org.apache.directory.api.asn1.actions.AbstractReadInteger]
- read integer value : 17 [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType]
- keytype : aes128-cts-hmac-sha1-96 (17) [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit]
- EncryptionKey created [10:44:17] DEBUG [org.apache.directory.api.asn1.actions.AbstractReadInteger]
- read integer value : 16 [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType]
- keytype : des3-cbc-sha1-kd (16) [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit]
- EncryptionKey created [10:44:17] DEBUG [org.apache.directory.api.asn1.actions.AbstractReadInteger]
- read integer value : 18 [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType]
- keytype : aes256-cts-hmac-sha1-96 (18) [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG]
- Found entry uid=hnelson,ou=users,dc=disney,dc=com for principal hnelson@EXAMPLE.COM [10:44:17]
DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Verifying the policy [10:44:17]
DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying
using SAM subsystem.
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Verifying using
SAM subsystem.
> [10:44:17] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Verifying using encrypted timestamp.
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Verifying using
encrypted timestamp.
> [10:44:17] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
- Entry for client principal hnelson@EXAMPLE.COM has no SAM type.  Proceeding with standard
pre-authentication.
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Entry for client principal
hnelson@EXAMPLE.COM has no SAM type.  Proceeding with standard pre-authentication.
> [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptedData.actions.EncryptedDataInit]
- EncryptedData created [10:44:17] DEBUG [org.apache.directory.api.asn1.actions.AbstractReadInteger]
- read integer value : 18 [10:44:17] DEBUG [org.apache.directory.shared.kerberos.codec.encryptedData.actions.StoreEType]
- e-type : aes256-cts-hmac-sha1-96 (18) [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG]
- Decrypting data using key aes256-cts-hmac-sha1-96 (18) and usage ERR_603 AS-REQ PA-ENC-TIMESTAMP
padata timestamp, encrypted with the client key (1) [10:44:17] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- Integrity check on decrypted field failed (31) [10:44:17] WARN [org.apache.directory.server.KERBEROS_LOG]
- Integrity check on decrypted field failed (31) [10:44:17] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- Responding to request with error:
>         explanatory text:      Integrity check on decrypted field failed
>         error code:            Integrity check on decrypted field failed
>         clientPrincipal:       null@null
>         client time:           null
>         serverPrincipal:       { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt',
'EXAMPLE.COM'> }@EXAMPLE.COM
>         server time:           20130408174417Z
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Responding to request with
error:
>         explanatory text:      Integrity check on decrypted field failed
>         error code:            Integrity check on decrypted field failed
>         clientPrincipal:       null@null
>         client time:           null
>         serverPrincipal:       { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt',
'EXAMPLE.COM'> }@EXAMPLE.COM
>         server time:           20130408174417Z
> [10:44:17] DEBUG [org.apache.directory.shared.kerberos.components.PrincipalName] - PrinipalName
encoding : 0x7E 0x81 0x86 0x30 0x81 0x83 0xA0 0x03 0x02 0x01 0x05 0xA1 0x03 0x02 0x01 0x1E
0xA4 0x11 0x18 0x0F 0x32 0x30 0x31 0x33 0x30 0x34 0x30 0x38 0x31 0x37 0x34 0x34 0x31 0x37
0x5A 0xA5 0x03 0x02 0x01 0x00 0xA6 0x03 0x02 0x01 0x1F 0xA9 0x0C 0x1B 0x0A 0x44 0x49 0x53
0x4E 0x45 0x59 0x2E 0x43 0x4F 0x4D 0xAA 0x1F 0x30 0x1D 0xA0 0x03 0x02 0x01 0x02 0xA1
> 0x16 0x30 0x14 0x1B 0x06 0x6B 0x72 0x62 0x74 0x67 0x74 0x1B 0x0A 0x44 0x49 0x53 0x4E
0x45 0x59 0x2E 0x43 0x4F 0x4D 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 [10:44:17] DEBUG
[org.apache.directory.shared.kerberos.components.PrincipalName] - PrinipalName initial value
: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> } [10:44:17]
DEBUG [org.apache.directory.shared.kerberos.messages.KrbError] - KrbError encoding : 0x7E
0x81 0x86 0x30 0x81 0x83 0xA0 0x03 0x02 0x01 0x05 0xA1 0x03 0x02 0x01 0x1E 0xA4 0x11 0x18
0x0F 0x32 0x30 0x31 0x33 0x30 0x34
> 0x30 0x38 0x31 0x37 0x34 0x34 0x31 0x37 0x5A 0xA5 0x03 0x02 0x01 0x00 0xA6 0x03 0x02
0x01 0x1F 0xA9 0x0C 0x1B 0x0A 0x44 0x49 0x53 0x4E 0x45 0x59 0x2E 0x43 0x4F 0x4D 0xAA 0x1F
0x30 0x1D 0xA0 0x03 0x02 0x01 0x02 0xA1 0x16 0x30 0x14 0x1B 0x06 0x6B 0x72 0x62 0x74 0x67
0x74 0x1B 0x0A 0x44 0x49 0x53 0x4E 0x45 0x59 0x2E 0x43 0x4F 0x4D 0xAB 0x2B 0x1B 0x29 0x49
0x6E 0x74 0x65 0x67 0x72 0x69 0x74 0x79 0x20 0x63 0x68 0x65 0x63 0x6B 0x20 0x6F 0x6E 0x20
0x64 0x65 0x63 0x72 0x79 0x70 0x74 0x65 0x64 0x20 0x66 0x69 0x65 0x6C 0x64 0x20 0x66 0x61
0x69 0x6C 0x65 0x64 [10:44:17] DEBUG [org.apache.directory.shared.kerberos.messages.KrbError]
- KrbError initial value :
> KRB-ERROR : {
>     pvno: 5
>     msgType: KRB_ERROR
>     sTime: 20130408174417Z
>     susec: 0
>     errorCode: Integrity check on decrypted field failed
>     realm: EXAMPLE.COM
>     sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>
}
>     eText: Integrity check on decrypted field failed }
> [10:44:17] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- /10.42.12.54:41991 SENT:
> KRB-ERROR : {
>     pvno: 5
>     msgType: KRB_ERROR
>     sTime: 20130408174417Z
>     susec: 0
>     errorCode: Integrity check on decrypted field failed
>     realm: EXAMPLE.COM
>     sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>
}
>     eText: Integrity check on decrypted field failed }
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - /10.42.12.54:41991 SENT:
> KRB-ERROR : {
>     pvno: 5
>     msgType: KRB_ERROR
>     sTime: 20130408174417Z
>     susec: 0
>     errorCode: Integrity check on decrypted field failed
>     realm: EXAMPLE.COM
>     sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>
}
>     eText: Integrity check on decrypted field failed }

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
