directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: Kerberos keys generation
Date Mon, 03 Feb 2014 00:01:15 GMT
Hi Alexandre,

yes, the KeyDerivationInterceptor must be enabled. It should be done
when you activate the kerberos server (and if it's not the case, then
it's a bug). You can activateit by changing the ads-enabled attribute
from FALSE to TRUE in the
ads-interceptorId=keyDerivationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
entry and restarting the server.


Le 2/2/14 10:16 PM, Alexandre Beaupre a écrit :
> Hi all,
>
>
> I have recently downloaded ApacheDS 2.0.0-M15 to test Kerberos authentification and GSS-API.
>
>
> I have tried following the Kerberos user guide, but I am unable to authenticate myself
using kinit, I get
>
> "krb_error 9 The client or server has a null key (9) - The client or server has a null
key”
>
>
>
>
> I exported the corresponding LDAP entry, and I got
>
>
> dn: uid=hnelson,ou=Users,dc=example,dc=com
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: krb5KDCEntry
> objectClass: person
> objectClass: krb5Principal
> objectClass: organizationalPerson
> cn: Horatio Nelson
> krb5KeyVersionNumber: 0
> krb5PrincipalName: hnelson@EXAMPLE.COM
> sn: Nelson
> uid: hnelson
>
>
>
>
> I’m guessing that my problem is that the krb5keys attributes are missing ?  However
the documentation states that they should be generated automatically…  Is there a configuration
I need to activate ?  
>
>
> I’m using Apache Directory Studio and I have made sure that the "Enable Kerberos" box
was checked and that all Encryptions Types were checked under the Kerberos Tab.
>
>
> From older post, I have seen reference to configuring a keyDerivationInterceptor in a
server.xml file, but I’m not sure if this applies to version 2.0.0 of ApacheDS as I cannot
find any server.xml file.
>
>
> Can anybody give me a pointer as to why my krb5keys attribute are not generated ?
>
>
> Thank you very much!
>
> Alexandre Beaupré


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


Mime
View raw message