Return-Path: 
 <users-return-3574-apmail-directory-users-archive=directory.apache.org@directory.apache.org>
Delivered-To: apmail-directory-users-archive@www.apache.org
Received: (qmail 20615 invoked from network); 30 Sep 2010 22:38:34 -0000
Received: from unknown (HELO mail.apache.org) (140.211.11.3)
  by 140.211.11.9 with SMTP; 30 Sep 2010 22:38:34 -0000
Received: (qmail 34497 invoked by uid 500); 30 Sep 2010 22:38:34 -0000
Delivered-To: apmail-directory-users-archive@directory.apache.org
Received: (qmail 34405 invoked by uid 500); 30 Sep 2010 22:38:33 -0000
Mailing-List: contact users-help@directory.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@directory.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@directory.apache.org>
List-Post: <mailto:users@directory.apache.org>
List-Id: <users.directory.apache.org>
Reply-To: users@directory.apache.org
Delivered-To: mailing list users@directory.apache.org
Delivered-To: moderator for users@directory.apache.org
Received: (qmail 5388 invoked by uid 99); 30 Sep 2010 22:13:38 -0000
X-ASF-Spam-Status: No, hits=2.5 required=10.0
	tests=HTML_FONT_FACE_BAD,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: domain of sidda.eraiah@kaazing.com
 designates 209.85.216.50 as permitted sender)
MIME-Version: 1.0
X-Originating-IP: [75.61.87.93]
Date: Thu, 30 Sep 2010 15:13:07 -0700
Message-ID: <AANLkTi=xbG-Q1mJxKxt8yzRu34Rq7UdUXFMb_K7pe1d_@mail.gmail.com>
Subject: [ApacheDS] Getting ApacheDS KDC to recognize rc4-hmac encryption type
From: Sidda Eraiah <sidda.eraiah@kaazing.com>
To: users@directory.apache.org
Cc: Sidda Eraiah <sidda.eraiah@kaazing.com>
Content-Type: multipart/alternative; boundary=0015175cb966f8e09b04918161a2
X-Virus-Checked: Checked by ClamAV on apache.org

--0015175cb966f8e09b04918161a2
Content-Type: text/plain; charset=ISO-8859-1

All,

I have Apache-DS (1.5.7) with  Kerberos Domain Controller starting up
correctly and generating tickets using the default encryption type.

Due to a customer requirement, I have to use encryption type of RC4-HMAC.
Based on what I could find this needs me to add a <encryptionsType> property
to the kdcServer like this:

  <kdcServer id="kdcServer"  searchBaseDn="ou=Users,dc=example,dc=com">
    <transports>
      <tcpTransport port="60088" nbThreads="4" backLog="50"/>
      <udpTransport port="60088" nbThreads="4" backLog="50"/>
    </transports>
    <directoryService>#directoryService</directoryService>
    <encryptionTypes>rc4-hmac</encryptionTypes>
  </kdcServer>

with this change to the server.xml the server comes up fine. But trying to
get a ticket out of KDC fails with the following error:

$~/share/apacheds_1.5.7$ kinit hnelson@EXAMPLE.COM
hnelson@EXAMPLE.COM's Password:
kinit: krb5_get_init_creds: KDC has no support for encryption type

I see a warning in the ApacheDS like this:

[14:12:49] WARN
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
KDC has no support for encryption type (14)

One of the ApacheDS developer suggested the following in the IRC channel:

<spring:bean id="enc" class="java.util.HashSet">
   <spring:constructor-arg>
    <spring:list>
      <spring:value
type="org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType">RC4_HMAC</spring:value>
    </spring:list>
   </spring:constructor-arg>
  </spring:bean>
  <kdcServer id="kdcServer">
    <transports>
      <tcpTransport port="60088" nbThreads="4" backLog="50"/>
      <udpTransport port="60088" nbThreads="4" backLog="50"/>
    </transports>
    <directoryService>#directoryService</directoryService>
    <encryptionTypes>#enc</encryptionTypes>
  </kdcServer>

This also gives the same error.

Have any of you got the encryption type of RC4-HMAC to work with ApacheDS
KDC?

Your thoughts and suggestions on how to get this to work is really
appreciated.

Thanks in advance.

-- 
Best Regards,
Sidda

Director of Management Services
>|< Kaazing Corporation >|<
888, Villa St. Suite #410, Mountain View, CA 94041, USA

--0015175cb966f8e09b04918161a2--