From: Emmanuel Lécharny
To: Apache Directory Developers List
Date: Wed, 10 Apr 2013 00:51:31 +0200
Subject: Re: kinit failed on - Integrity check on decrypted field failed
Message-ID: <51649B73.4090104@gmail.com>

On 4/9/13 11:13 PM, Wu, James C. wrote:
> Hi,
>
> I came across this page, which describes how Kerberos keys are derived from the passwords of an entry.
> http://directory.apache.org/apacheds/kerberos-ug/1.1.3-keys.html
>
> It mentioned that the Kerberos keys are basically a hashed value of the password, with the salt being the realm name. I am wondering how the kinit program knows the salt for the Kerberos key. Is it passed from apacheds? I did not see something like that mentioned in the log output.

Kinit will not create the hashed values of the password. It's computed on the fly when the password is added, on the server. The salt is not used by kinit.

> I guess the kinit has to know both the encryption type and the salt in order to reproduce the Kerberos encryption key so that it can decrypt messages from apacheds. Am I right?

No, that's not what happens. The encryption key is negotiated by the server and the client during the very first steps of the Kerberos exchange. In your case, the AES 256 algorithm is being selected.

I'm sorry, I'm in the middle of a release atm, but I'll try to test the full kinit sequence asap (i.e., probably tomorrow my time).

-- 
Regards, Cordialement,
Emmanuel Lécharny
www.iktek.com