Solved it by removing:

forwardable = true
proxiable = true

from the krb5.conf file used.

Rob

On 11/03/11 10:44, Rob Hebron wrote:
> Hi,
>
> I'm experimenting with GSSAPI authentication against ApacheDS 1.5.7.
> Following various guides I have it working such that I am successfully
> issued a TGT using kinit (on Debian) - changes mainly involved enabling
> crypto protocols in server.xml. However, when I try to authenticate with
> a Java client I always get this error:
>
> Kerberos username [rob]: hnelson@EXAMPLE.COM
> Kerberos password for hnelson@EXAMPLE.COM:
> default etypes for default_tkt_enctypes: 16.
> default etypes for default_tkt_enctypes: 16.
> >>> KrbAsReq calling createMessage
> >>> KrbAsReq in createMessage
> >>> KrbKdcReq send: kdc= UDP:60088, timeout=30000, number
> of retries =3, #bytes=134
> >>> KDCCommunication: kdc= UDP:60088,
> timeout=30000,Attempt =1, #bytes=134
> >>> KrbKdcReq send: #bytes read=536
> >>> KrbKdcReq send: #bytes read=536
> >>> KdcAccessibility: remove:60088
> >>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
> Authentication failed:
> Checksum failed
>
> .. with no error logged on the server. I'm guessing that a checksum
> verification has failed. This error is also logged when I try to
> authenticate to ApacheDS server in Apache Directory Studio. I'm able to
> log on to a production MIT KDC using the same Java code with no problem.
>
> A search hasn't turned up much - any ideas of what I could try?
>
> Thanks,
>
> Rob