Date: Fri, 25 Jun 2010 10:47:35 +0200
Subject: Re: ApacheDS and kerberos problems
From: Stefan Seelmann
To: users@directory.apache.org

On Fri, Jun 25, 2010 at 10:37 AM, lkecir wrote:
> thank you.
>
> I made the changes you told me but still not working.
> my kinit doesn't work
>
> # kinit hnelson@EXAMPLE.COM
> kinit(v5): Client or server has a null key while getting initial
> credentials
>
> tail -f /var/lib/apacheds-1.5.7/default/log/apacheds-rolling.log
>
> [10:15:29] DEBUG
> [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Session will use encryption type des-cbc-md5 (3).
> [10:15:29] DEBUG
> [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - Found entry ServerEntry
>     dn[n]: uid=hnelson,ou=Users,dc=example,dc=com
>     objectClass: organizationalPerson
>     objectClass: person
>     objectClass: krb5Principal
>     objectClass: inetOrgPerson
>     objectClass: krb5KDCEntry
>     objectClass: top
>     uid: hnelson
>     sn: Nelson
>     krb5PrincipalName: hnelson@EXAMPLE.COM
>     krb5KeyVersionNumber: 0
>     cn: Horatio Nelson
>     userPassword: '0x73 0x65 0x63 0x72 0x65 0x74 '
>  for kerberos principal name hnelson@EXAMPLE.COM

It's pretty clear: the krb5Key attribute wasn't created. It is
important that you activate the "keyDerivationInterceptor" before you
create the principal entries. Please make sure that the interceptor is
activated in server.xml, then delete the entries in ApacheDS and
import them again. Then double check that the krb5Key attribute for
all entries was created.

Kind Regards,
Stefan
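
The final check in the reply above (that every principal entry received a krb5Key) can be scripted over an LDIF export; the following is an added example, not part of the original message and not ApacheDS code. The sample LDIF is constructed, and the function names `parse_ldif` and `principals_missing_key` are hypothetical.

```python
import base64

# Constructed sample export (not from the thread). hnelson mirrors the entry in
# the quoted log and has no krb5Key; the krbtgt entry is hypothetical.
SAMPLE_LDIF = """\
dn: uid=hnelson,ou=Users,dc=example,dc=com
objectClass: krb5Principal
objectClass: krb5KDCEntry
krb5PrincipalName: hnelson@EXAMPLE.COM
krb5KeyVersionNumber: 0

dn: uid=krbtgt,ou=Users,dc=example,dc=com
objectClass: krb5Principal
objectClass: krb5KDCEntry
krb5PrincipalName: krbtgt/EXAMPLE.COM@
 EXAMPLE.COM
krb5Key:: Q09OU1RSVUNURUQ=
"""

def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per LDIF entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold a continuation line
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def principals_missing_key(entries):
    """DNs of krb5KDCEntry entries with a principal name but no krb5Key."""
    return [e.get("dn", ["?"])[0] for e in entries
            if "krb5kdcentry" in {c.lower() for c in e.get("objectclass", [])}
            and "krb5principalname" in e and "krb5key" not in e]

if __name__ == "__main__":
    for dn in principals_missing_key(parse_ldif(SAMPLE_LDIF)):
        print("no krb5Key:", dn)
```

Any DN it reports is an entry that would produce the "null key" error from kinit until it is deleted and re-imported with the interceptor active.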