Date: Wed, 10 Apr 2013 09:22:02 +0530
From: Kiran Ayyagari
To: Apache Directory Developers List <dev@directory.apache.org>
Subject: Re: kinit failed on - Integrity check on decrypted field failed
In-Reply-To: <7D664BE6CF058A4CB1A06984A7AA678F18003661B1@SM-CALA-VXMB06A.swna.wdpr.disney.com>

On Wed, Apr 10, 2013 at 2:43 AM, Wu, James C. wrote:
> Hi,
>
> I came across this page which describes how Kerberos keys are derived from
> the passwords of an entry.
> http://directory.apache.org/apacheds/kerberos-ug/1.1.3-keys.html
>
> It mentioned that the Kerberos keys are basically a hashed value of the
> passwords with the salt being the realm name. I am wondering how does the
> kinit program know the salt for the Kerberos key? Is it passed from
> apacheds? I did not see something like that mentioned in the log output.

just like you mentioned above, realm name is used as salt and kinit knows the
realm name

> I guess the kinit has to know both the encryption type and the salt in
> order to reproduce the Kerberos encryption key so that it can decrypt
> message from apacheds. Am I right?
>
> Regards,
>
> James
>
> -----Original Message-----
> From: dev-return-42835-James.C.Wu=disney.com@directory.apache.org
> [mailto:dev-return-42835-James.C.Wu=disney.com@directory.apache.org] On Behalf Of
> Wu, James C.
> Sent: Tuesday, April 09, 2013 9:49 AM
> To: Apache Directory Developers List
> Subject: RE: kinit failed on - Integrity check on decrypted field failed
>
> I am very sure of that. I just deleted the hnelson entry and recreated it
> using the ldapadd command. The hnelson.ldif file is as follows:
>
>   dn: uid=hnelson,ou=users,dc=example,dc=com
>   objectclass: top
>   objectclass: person
>   objectclass: inetOrgPerson
>   objectclass: krb5Principal
>   objectclass: krb5KDCEntry
>   cn: Horatio Nelson
>   sn: Nelson
>   uid: hnelson
>   userpassword: secret01
>   krb5PrincipalName: hnelson@EXAMPLE.COM
>
> The ldap command I used to add the entry is
>
>   ldapadd -x -W -D "uid=admin,ou=system" -f hnelson.ldif -H ldap://localhost:10389
>
> When I do a ldapsearch, I saw the hnelson entry as follows
>
>   # hnelson, users, example.com
>   dn: uid=hnelson,ou=users,dc=example,dc=com
>   uid: hnelson
>   userpassword:: e1NTSEF9WlBoT0RueU1sL3FmSVZ1K0tIaHloQU5XN2Z5RWF5cGZSeFMvZ1E9PQ==
>   objectclass: organizationalPerson
>   objectclass: krb5Principal
>   objectclass: person
>   objectclass: krb5KDCEntry
>   objectclass: inetOrgPerson
>   objectclass: top
>   cn: Horatio Nelson
>   sn: Nelson
>   krb5KeyVersionNumber: 0
>   krb5Key:: MBmgAwIBEaESBBBEoHCxETKoK5EHlTW1kdUP
>   krb5Key:: MBGgAwIBA6EKBAhFVAF2buW19A==
>   krb5Key:: MCGgAwIBEKEaBBiDZDj0L9XH7BrCJfJYHBBzJTHHUdaFdSk=
>   krb5Key:: MBmgAwIBF6ESBBCIi91Z4Xn3gVQeWmSirA7o
>   krb5Key:: MCmgAwIBEqEiBCDY8jXKWlxWMGCcyKRIIVOQgjde+LItumdkwKUy/PXPKw==
>   krb5PrincipalName: hnelson@EXAMPLE.COM
>
> -----Original Message-----
> From: Emmanuel Lécharny [mailto:elecharny@gmail.com]
> Sent: Tuesday, April 09, 2013 9:34 AM
> To: Apache Directory Developers List
> Subject: Re: kinit failed on - Integrity check on decrypted field failed
>
> On 4/9/13 6:24 PM, Wu, James C. wrote:
> > I will do it. The log output is also attached below in this email. If
> > anyone can take a quick look at it, I would really appreciate it.
> >   -- james
>
> Just looked at the logs; so far, it seems that everything goes fine, up to
> a point where you get the error.
>
> Are you *sure* that the password is the one stored in the entry?
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com

-- 
Kiran Ayyagari
http://keydap.com
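The key-derivation question in this thread, worked through as an added example; this is not code from ApacheDS, kinit or anyone on the list. Each krb5Key value in the ldapsearch output above is the base64 of the RFC 4120 EncryptionKey structure, so the encryption types the KDC stored (des-cbc-md5, des3-cbc-sha1-kd, aes128-cts-hmac-sha1-96, rc4-hmac, aes256-cts-hmac-sha1-96) can be read straight off them. The block below decodes them with Go's standard library, then re-derives the AES keys from the password the way a client does (RFC 3962 string-to-key: PBKDF2-HMAC-SHA1 followed by the RFC 3961 DK step) and compares them with what the directory holds. Two points the thread leaves implicit: the RFC 3961 default salt is the realm name followed by the principal's name components with no separator, and a client learns the enctype and, optionally, a salt and iteration count from the ETYPE-INFO2 pre-authentication data in the KDC's reply, falling back to the default salt and 4096 iterations when none is sent. The salt string "EXAMPLE.COMhnelson", the iteration count, and the assumption that ApacheDS used those defaults when the entry was added are assumptions; the page does not state them. The userPassword in the same output decodes to a {SSHA} hash, so the krb5Key values can only have been derived while the clear-text password was available during the ldapadd.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/asn1"
	"encoding/base64"
	"fmt"
)

// krb5Key values copied from the ldapsearch output in this thread: each is the
// DER EncryptionKey of RFC 4120, base64-wrapped by the LDIF ":: " syntax.
var storedKeys = []string{
	"MBmgAwIBEaESBBBEoHCxETKoK5EHlTW1kdUP",
	"MBGgAwIBA6EKBAhFVAF2buW19A==",
	"MCGgAwIBEKEaBBiDZDj0L9XH7BrCJfJYHBBzJTHHUdaFdSk=",
	"MBmgAwIBF6ESBBCIi91Z4Xn3gVQeWmSirA7o",
	"MCmgAwIBEqEiBCDY8jXKWlxWMGCcyKRIIVOQgjde+LItumdkwKUy/PXPKw==",
}

// Encryption-type numbers from RFC 3961, RFC 3962 and RFC 4757.
var etypeNames = map[int]string{3: "des-cbc-md5", 16: "des3-cbc-sha1-kd",
	17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

// EncryptionKey ::= SEQUENCE { keytype [0] Int32, keyvalue [1] OCTET STRING }
type encryptionKey struct {
	KeyType  int    `asn1:"explicit,tag:0"`
	KeyValue []byte `asn1:"explicit,tag:1"`
}

// ParseKrb5Key decodes one base64 krb5Key attribute value into (etype, key).
func ParseKrb5Key(b64 string) (int, []byte, error) {
	var ek encryptionKey
	der, err := base64.StdEncoding.DecodeString(b64)
	if err == nil {
		_, err = asn1.Unmarshal(der, &ek)
	}
	return ek.KeyType, ek.KeyValue, err
}

// PBKDF2SHA1 is PBKDF2 with HMAC-SHA1 (RFC 2898), spelled out so that the
// block needs nothing outside the standard library.
func PBKDF2SHA1(pass, salt []byte, iter, keyLen int) []byte {
	mac := hmac.New(sha1.New, pass)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac.Reset()
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)              // U_1
		t := append([]byte(nil), u...) // T = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// 128-fold("kerberos") from RFC 3961 Appendix A.1.
var nfoldKerberos = []byte{0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73, 0x7b, 0x9b, 0x5b, 0x2b, 0x93, 0x13, 0x2b, 0x93}

// AESStringToKey is the RFC 3962 string-to-key: tkey = PBKDF2(pass, salt) and
// key = DK(tkey, "kerberos"), where DK (RFC 3961 section 5.1) encrypts
// n-fold("kerberos") under tkey and re-encrypts each output block until keyLen
// bytes exist; the input is one block, so CBC-CTS with a zero IV is plain ECB.
func AESStringToKey(pass, salt string, iterations, keyLen int) ([]byte, error) {
	c, err := aes.NewCipher(PBKDF2SHA1([]byte(pass), []byte(salt), iterations, keyLen))
	if err != nil {
		return nil, err
	}
	prev, dr := nfoldKerberos, []byte{}
	for len(dr) < keyLen {
		out := make([]byte, aes.BlockSize)
		c.Encrypt(out, prev)
		dr, prev = append(dr, out...), out
	}
	return dr[:keyLen], nil
}

func main() {
	// Assumed: ApacheDS derived the stored keys with the RFC 3961 default salt
	// (realm, then the name components, no separator) and 4096 iterations.
	const pass, salt = "secret01", "EXAMPLE.COMhnelson"
	for _, b64 := range storedKeys {
		etype, key, err := ParseKrb5Key(b64)
		if err != nil {
			panic(err)
		}
		fmt.Printf("etype %2d %-24s key %x\n", etype, etypeNames[etype], key)
		if etype == 17 || etype == 18 {
			derived, _ := AESStringToKey(pass, salt, 4096, len(key))
			fmt.Println("   equals string-to-key(secret01):", bytes.Equal(derived, key))
		}
	}
}
```

Run it with go run. Before trusting the comparison, check PBKDF2SHA1 and AESStringToKey against the RFC 3962 Appendix B vector (iteration count 1, passphrase "password", salt "ATHENA.MIT.EDUraeburn"), which is what the test below does. If the aes128 or aes256 line prints false, the KDC derived its key with a different salt or iteration count than the client will use, and a client decrypting with the wrong key is one common cause of the "Integrity check on decrypted field failed" error in this thread's subject line.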