From: "CORUM, M E [AG/1000]"
To: users@directory.apache.org
Reply-To: users@directory.apache.org
Date: Mon, 23 Apr 2007 10:46:47 -0500
Subject: RE: [ApacheDS] 1.5 Experience and Kerberos (any Kerberos experts out there?)
Message-ID: <67ABD23687EA2A4FBB847F157EFAD6CF0332A18B@NA1000EXM03.na.ds.monsanto.com>
In-Reply-To: <67ABD23687EA2A4FBB847F157EFAD6CF0332A180@NA1000EXM03.na.ds.monsanto.com>
Mailing-List: contact users-help@directory.apache.org; run by ezmlm

(Just an aside on the issue of not being able to load the ldif file on startup in Windows. It appears to be somehow related to the filename itself. I found that if the ldif filename started with "ad", then the weird parsing took place and it always failed. Perhaps this is an issue that only occurs on Windows.)

Since I was trying to do Kerberos anyway, I found that kerberos-example.ldif file and modified it for my environment. I was able to get it loaded. I am using a different domain than example.com so I'm wondering if something in the server is hard-coded to example.com. I had lots of trouble getting it to recognize anything other than example.com. I do have a partition matching my new domain and was able to load the file from the startup and verify the entries in JXplorer.

Now, here is my next problem. In my test code, I'm using JAAS with a CallbackHandler to just shove in a password (rather than using a keytab) since all of this is just for test code.
I'm trying to figure out what value I need to provide for the userid (principal) from JAAS code. For now, I use userid@MY.DOMAIN.COM with the appropriate values of course. When I do this, it fails with the following message in the IDE:

[ERROR] Mon Apr 23 10:33:02 CDT 2007 jcsi.kerberos: login failed: Kerberos error creating ticket: com.dstc.security.kerberos.KerberosError: Integrity checked on decrypted field failed (Integrity check on decrypted field failed)
javax.security.auth.login.LoginException: Kerberos error creating ticket: com.dstc.security.kerberos.KerberosError: Integrity checked on decrypted field failed (Integrity check on decrypted field failed)

Since the log file is set to INFO in the log4j properties file, all I get is:

[10:33:01] ERROR [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required
[10:33:02] ERROR [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed

I don't know what to do from here. I'm using the exact same password for all my users and it is the one I'm providing. I'm using the ldifFilters entry in server.xml to invoke Krb5KdcEntryFilter on loading the users in the file so the krb5key and userPassword are set. I checked that in JXplorer and they are there. So, I'm thinking I'll turn on DEBUG.

Now, here is the bad part. When I switch log4j.properties to have DEBUG as the log level, the server WON'T START! Bummer!
Here is the error message I get trying to start the server with DEBUG as the log level (this worked in 1.0.1 by the way):

[10:16:39] DEBUG [org.apache.directory.server.schema.registries.DefaultNormalizerRegistry] - registered normalizer with oid: 1.3.6.1.4.1.18060.0.4.1.1.1
[10:16:39] ERROR [org.apache.directory.daemon.Bootstrapper] - Failed on org.apache.directory.server.Service.init(InstallationLayout, String[])
java.lang.ArrayIndexOutOfBoundsException: 0
        at org.apache.directory.shared.ldap.schema.AbstractSchemaObject.toString(AbstractSchemaObject.java:320)
        at java.lang.String.valueOf(Unknown Source)
        at java.lang.StringBuilder.append(Unknown Source)
        at org.apache.directory.server.schema.registries.DefaultSyntaxRegistry.register(DefaultSyntaxRegistry.java:110)
        at org.apache.directory.server.core.schema.PartitionSchemaLoader.loadSyntaxes(PartitionSchemaLoader.java:654)
        at org.apache.directory.server.core.schema.PartitionSchemaLoader.load(PartitionSchemaLoader.java:348)
        at org.apache.directory.server.schema.registries.AbstractSchemaLoader.loadDepsFirst(AbstractSchemaLoader.java:107)
        at org.apache.directory.server.schema.registries.AbstractSchemaLoader.loadDepsFirst(AbstractSchemaLoader.java:143)
        at org.apache.directory.server.schema.registries.AbstractSchemaLoader.loadDepsFirst(AbstractSchemaLoader.java:143)
        at org.apache.directory.server.core.schema.PartitionSchemaLoader.loadWithDependencies(PartitionSchemaLoader.java:320)
        at org.apache.directory.server.core.schema.PartitionSchemaLoader.loadEnabled(PartitionSchemaLoader.java:222)
        at org.apache.directory.server.core.DefaultDirectoryService.initialize(DefaultDirectoryService.java:914)
        at org.apache.directory.server.core.DefaultDirectoryService.startup(DefaultDirectoryService.java:254)
        at org.apache.directory.server.core.jndi.AbstractContextFactory.getInitialContext(AbstractContextFactory.java:118)
        at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
        at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
        at javax.naming.InitialContext.init(Unknown Source)
        at javax.naming.InitialContext.<init>(Unknown Source)
        at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
        at org.apache.directory.server.Service.init(Service.java:96)
        at org.apache.directory.daemon.Bootstrapper.callInit(Bootstrapper.java:151)
        at org.apache.directory.daemon.ProcrunBootstrapper.prunsrvStart(ProcrunBootstrapper.java:65)

When I flip back to INFO, the server starts fine but I can't get the deep details in the log. Can anybody help?

By the way, I'm wondering if the default algorithm for the key is different. I'm on Windows and am used to using 23. I noticed that the Krb5EncryptionType is 3 rather than 23 in the directory so I'll look into that to see if that is my problem with Kerberos.

MikeC

---------------------------------------------------------------------------------------------------------
This e-mail message may contain privileged and/or confidential information, and is intended to be received only by persons entitled to receive such information. If you have received this e-mail in error, please notify the sender immediately. Please delete it and all attachments from any servers, hard drives or any other media. Other use of this e-mail by you is strictly prohibited.

All e-mails and attachments sent and received are subject to monitoring, reading and archival by Monsanto. The recipient of this e-mail is solely responsible for checking for the presence of "Viruses" or other "Malware". Monsanto accepts no liability for any damage caused by any such code transmitted by or accompanying this e-mail or any attachment.
---------------------------------------------------------------------------------------------------------
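The message above asks what to hand JAAS as the principal and why the KDC answers "Integrity check on decrypted field failed". That KDC error is returned when it cannot verify the encrypted pre-authentication timestamp, which means the key the client derived from the supplied password does not match the krb5key stored for the entry: wrong password, wrong salt, or a different encryption type (etype 3 is des-cbc-md5; etype 23 is rc4-hmac). The following is an added example, not code from the thread or from ApacheDS, showing a JAAS login driven by a CallbackHandler that supplies user@REALM and a password. It uses the JDK's Krb5LoginModule rather than the jcsi.kerberos library the poster is using, and the JAAS entry name, realm, KDC address, principal and password are all assumptions.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.io.IOException;
import java.util.Arrays;

/**
 * Added example (not from the mailing-list thread): Kerberos login through the JDK's
 * Krb5LoginModule with the principal and password supplied from code instead of a
 * keytab or an interactive prompt.
 *
 * Assumed JAAS configuration (file named by -Djava.security.auth.login.config):
 *
 *   KerberosTest {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useTicketCache=false
 *           doNotPrompt=false;
 *   };
 *
 * Assumed krb5.conf (file named by -Djava.security.krb5.conf). The enctype lines are the
 * part to check against the directory: an entry whose krb5key was generated with
 * etype 3 (des-cbc-md5) can only be verified if the client derives its key with the same
 * etype, so requesting rc4-hmac (etype 23) here would produce exactly a failed integrity
 * check on the pre-authentication timestamp.
 *
 *   [libdefaults]
 *       default_realm = MY.DOMAIN.COM
 *       default_tkt_enctypes = des-cbc-md5
 *       default_tgs_enctypes = des-cbc-md5
 *       allow_weak_crypto = true
 *   [realms]
 *       MY.DOMAIN.COM = { kdc = localhost:88 }
 *
 * allow_weak_crypto is required on JDK 7 and later before single DES is offered at all.
 */
public class KerberosPasswordLogin {

    /** Answers NameCallback with the full principal and PasswordCallback with the password. */
    static final class FixedCredentialsHandler implements CallbackHandler {
        private final String principal;
        private final char[] password;

        FixedCredentialsHandler(String principal, char[] password) {
            this.principal = principal;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    // Must be the full principal name, user@REALM, realm in upper case.
                    ((NameCallback) cb).setName(principal);
                } else if (cb instanceof PasswordCallback) {
                    // PasswordCallback copies the array; our copy is wiped by the caller.
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "unexpected callback");
                }
            }
        }
    }

    /** Runs the JAAS login for the given entry and returns the authenticated Subject. */
    public static Subject login(String jaasEntry, String principal, char[] password) throws LoginException {
        LoginContext lc = new LoginContext(jaasEntry, new FixedCredentialsHandler(principal, password));
        lc.login();   // AS-REQ with PA-ENC-TIMESTAMP goes to the KDC here
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical test principal and password; use an entry loaded into your partition.
        String principal = "testuser@MY.DOMAIN.COM";
        char[] password = "secret".toCharArray();
        try {
            Subject subject = login("KerberosTest", principal, password);
            System.out.println("Login OK, principals: " + subject.getPrincipals());
            // The TGT lands in the Subject's private credentials as a KerberosTicket.
            System.out.println("Credentials: " + subject.getPrivateCredentials());
        } finally {
            Arrays.fill(password, '\0');
        }
    }
}
```

Run it with -Djava.security.auth.login.config and -Djava.security.krb5.conf pointing at the two files above, and -Dsun.security.krb5.debug=true when the login fails: the client-side trace prints the etypes it offers in the AS-REQ and the one the KDC answers with, which is the quickest way to confirm whether the etype-3-versus-23 mismatch suspected above is the cause.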