I removed the allow_weak_crypto = true from krb5.conf and set the ads-krbEncryptionTypes to have only one value, aes256-cts-hmac-sha1-96. But I still get the same error. See the log:

[10:29:58] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
[10:29:58] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
[10:29:58] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
[10:30:02] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
[10:30:02] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)

I am wondering about the “No timestamp found” error. Does it have any relation to the “Integrity check on decrypted field failed” error?

Regards,

james

From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
Sent: Monday, April 08, 2013 10:16 AM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

very likely that the default weak encryption type set in ApacheDS is the reason.

either you enable the weak encryption support in krb5.conf

[libdefaults]
       allow_weak_crypto = true

or modify the encryption types configured in ApacheDS

 1. go to the entry ads-serverId=kerberosServer,ou=servers,ads-directoryServiceId=default,ou=config

 2. remove des3-cbc-sha1-kd from ads-krbEncryptionTypes attribute (you can add another value like aes256-cts-hmac-sha1-96)

 3. restart the server

let us know if you still have an issue

On Mon, Apr 8, 2013 at 10:24 PM, Wu, James C. <James.C.Wu@disney.com> wrote:

I installed the JCE and am using the JVM from Oracle now. But I am getting the same error as when I used the OpenJDK JVM.

[09:48:32] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
[09:48:32] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)

I tried to use kinit from two machines, both show the same error. The kinit is part of the krb5-lib/krb5-workstation library. Do I have to use another implementation of kinit?

Regards,

james



-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com]
Sent: Sunday, April 07, 2013 10:38 PM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

On 4/8/13 3:35 AM, Wu, James C. wrote:
> The apacheDS version I am using is apacheds-2.0.0-M11-64bit.bin
>
> When I switched the JVM to Oracle JVM by installing the jdk-7u17-linux-x64.rpm from Oracle, I even get a NullPointerException. See the following stack trace.

AES256 is not included by default in the standard J2SE installation. You have to install JCE in order to be able to use AES 256.


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com




--
Kiran Ayyagari
http://keydap.com
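
Added example (not part of the thread and not ApacheDS code): a Python triage of the KDC log lines quoted in the first message, mapping the numeric codes to their RFC 4120 names and reading the sequence of events. The verdict labels and the order-based correlation are assumptions of this sketch, since the log lines carry no client identity.

```python
import re
from collections import namedtuple
# Log lines copied from the first message in this thread.
SAMPLE_LOG = """\
[10:29:58] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
[10:29:58] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
[10:29:58] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
[10:30:02] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
[10:30:02] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)
"""

# RFC 4120 names for the two error codes that appear in the thread.
KRB_ERRORS = {25: "KDC_ERR_PREAUTH_REQUIRED", 31: "KRB_AP_ERR_BAD_INTEGRITY"}
# [time] LEVEL [logger] - message (code); the trailing code is optional.
LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\]\s+\w+\s+\[[\w.]+\]\s+-\s+.*?(?:\s+\((\d+)\))?$")
Event = namedtuple("Event", "time code name")

def parse_events(log_text):
    """One Event per (time, code): each error is written by two loggers."""
    seen, events = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) is None:
            continue  # blank line, or a message without a Kerberos code
        key = (m.group(1), int(m.group(2)))
        if key not in seen:
            seen.add(key)
            events.append(Event(key[0], key[1], KRB_ERRORS.get(key[1], "UNKNOWN")))
    return events

def triage(events):
    """Label events by order only (assumption: the log has no client id)."""
    verdicts, challenged = [], False
    for ev in events:
        if ev.code == 25:
            # First leg: the KDC asks the client for pre-authentication data.
            verdicts.append((ev.time, "PREAUTH_CHALLENGE"))
            challenged = True
        elif ev.code == 31:
            # After a challenge, 31 means the client's encrypted timestamp did
            # not decrypt with the key the KDC holds: the two keys differ.
            verdicts.append((ev.time, "KEY_MISMATCH" if challenged else "BAD_INTEGRITY"))
            challenged = False
        else:
            verdicts.append((ev.time, "OTHER"))
    return verdicts

if __name__ == "__main__":
    print(*triage(parse_events(SAMPLE_LOG)), sep="\n")
```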