Hi,

 

I re-installed the apacheds 2.0.0 M11 and wiped out all the existing stuff and used all default settings. The kinit does work.

 

So I guess my problem is the config error because in my actual config, I use a different realm, not the EXAMPLE.COM.

 

I am going to play compare the configs to find out what mistake I make when changing the realm. I will update in this thread.

 

Thanks.

 

James

 

From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
Sent: Tuesday, April 09, 2013 8:52 PM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

 

 

 

On Wed, Apr 10, 2013 at 2:43 AM, Wu, James C. <James.C.Wu@disney.com> wrote:

Hi,

I came across this page which describes how Kerberos key are derived from the passwords of an entry.
http://directory.apache.org/apacheds/kerberos-ug/1.1.3-keys.html

It mentioned that the Kerberos keys are basically a hashed value of the passwords with the salt be the realm name. I am wondering how does the kinit program know the salt for the Kerberos key? Is it passed from apacheds? I did not see

just like you mentioned above, realm name is used as salt and kinit knows the realm name

something like that mentioned in the log output.

I guess the kinit has to know both the encryption type and the salt in order to reproduce the Kerberos encryption key so that it can decrypt message from apacheds. Am I right?

Regards,

James


-----Original Message-----
From: dev-return-42835-James.C.Wu=disney.com@directory.apache.org [mailto:dev-return-42835-James.C.Wu=disney.com@directory.apache.org] On Behalf Of Wu, James C.
Sent: Tuesday, April 09, 2013 9:49 AM
To: Apache Directory Developers List

Subject: RE: kinit failed on - Integrity check on decrypted field failed

I am very sure of that. I just deleted the hnelson entry and recreate it using the ldapadd command. The hnelson.ldif file is as follows:

  dn: uid=hnelson,ou=users,dc=example,dc=com
  objectclass: top
  objectclass: person
  objectclass: inetOrgPerson
  objectclass: krb5Principal
  objectclass: krb5KDCEntry
  cn: Horatio Nelson
  sn: Nelson
  uid: hnelson
  userpassword: secret01
  krb5PrincipalName: hnelson@EXAMPLE.COM


The ldap command I used to add the entry is

  ldapadd -x -W -D "uid=admin,ou=system" -f hnelson.ldif -H ldap://localhost:10389

When I do a ldapsearch, I saw the hnelson entry as follows

  # hnelson, users, example.com
  dn: uid=hnelson,ou=users,dc=example,dc=com
  uid: hnelson
  userpassword:: e1NTSEF9WlBoT0RueU1sL3FmSVZ1K0tIaHloQU5XN2Z5RWF5cGZSeFMvZ1E9PQ=
   =
  objectclass: organizationalPerson
  objectclass: krb5Principal
  objectclass: person
  objectclass: krb5KDCEntry
  objectclass: inetOrgPerson
  objectclass: top
  cn: Horatio Nelson
  sn: Nelson
  krb5KeyVersionNumber: 0
  krb5Key:: MBmgAwIBEaESBBBEoHCxETKoK5EHlTW1kdUP
  krb5Key:: MBGgAwIBA6EKBAhFVAF2buW19A==
  krb5Key:: MCGgAwIBEKEaBBiDZDj0L9XH7BrCJfJYHBBzJTHHUdaFdSk=
  krb5Key:: MBmgAwIBF6ESBBCIi91Z4Xn3gVQeWmSirA7o
  krb5Key:: MCmgAwIBEqEiBCDY8jXKWlxWMGCcyKRIIVOQgjde+LItumdkwKUy/PXPKw==
  krb5PrincipalName: hnelson@EXAMPLE.COM



-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com]
Sent: Tuesday, April 09, 2013 9:34 AM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

Le 4/9/13 6:24 PM, Wu, James C. a écrit :
> I will do it.  The log output are also attached below in this email.  If anyone can take a quick look at it, I would really appreciate.      --  james

Just looked at the logs, so far, it seems that everyting goes find, up to a point you get the error.

Are you *sure* that the password is the one stored in the entry ?


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com




--
Kiran Ayyagari
http://keydap.com