directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Laskey <brian.las...@gmail.com>
Subject Re: [ApacheDS] Generating keytab file for Websphere Kerberos configuration, now with KRB-ERROR in logs
Date Fri, 25 Jul 2014 19:14:00 GMT
> the default enctypes are
> aes128-cts-hmac-sha1-96
> des3-cbc-sha1-kd
> des-cbc-md5
> what error are you getting? the preauth error?
If I set my conf file to only:
     default_tkt_enctypes = aes128-cts-hmac-sha1-96
     default_tgs_enctypes = aes128-cts-hmac-sha1-96

And only check that off in the Kerberos setting page of ApacheDS

I get this in kinit (on linux)  for any user I've tried, with either
manually typing password or keytab file
kinit: Password incorrect while getting initial credentials

I think I was seeing encryption type not supported by server error if I
checked the RC4-HMAC box in ApacheDS and put that in my conf.


> I would suggest to first test with kinit(to rule out any non-Studio
> related issues), and
> once this succeeds we can try with Studio

I agree. But I can't seem to figure out why the password incorrect error is
coming up?


On Fri, Jul 25, 2014 at 2:44 PM, Kiran Ayyagari <kayyagari@apache.org>
wrote:

> On Sat, Jul 26, 2014 at 12:00 AM, Brian Laskey <brian.laskey@gmail.com>
> wrote:
>
> > What are the supported encryption types for ApacheDS?
> >
> > the default enctypes are
> aes128-cts-hmac-sha1-96
> des3-cbc-sha1-kd
> des-cbc-md5
>
>
> > I've had some issues on the Linux side with kinit, I had configured my
> > krb.conf file with:
> >     default_tkt_enctypes = aes128-cts-hmac-sha1-96
> >     default_tgs_enctypes = aes128-cts-hmac-sha1-96
> >
> > And tried checking that off only in the Kerberos settings of Studio.
> Didn't
> > seem to solve the password error with kinit. If I tried other enctypes I
> >
> what error are you getting? the preauth error?
>
> > got other errors like encryption type not supported. Eg.g had problems
> with
> > below, not sure if it's the cause of my issues.
> >     #default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 aes128-cts
> > des3-cbc-sha1-kd aes128-cts-hmac-sha1-96
> >     #default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 aes128-cts
> > des3-cbc-sha1-kd aes128-cts-hmac-sha1-96
> >
> > I can try to install Studio on my red hat linux server, but that only has
> > IBM JDK 6 on it if that matters.
> >
> > I would suggest to first test with kinit(to rule out any non-Studio
> related issues), and
> once this succeeds we can try with Studio
>
> > Thanks
> > Brian
> >
> >
> > On Fri, Jul 25, 2014 at 2:23 PM, Kiran Ayyagari <kayyagari@apache.org>
> > wrote:
> >
> > > On Fri, Jul 25, 2014 at 11:50 PM, Brian Laskey <brian.laskey@gmail.com
> >
> > > wrote:
> > >
> > > > Apologies for the multiple emails, but if I change Directory Studio
> vm
> > to
> > > >
> > > np, feel free to post
> > >
> > > > Sun/Oracle jdk1.6.0_31\jre\bin I get a different exception in logging
> > in
> > > > with Kerberos or using the 'Check Authentication' button.
> > > >
> > > >  can you try with Studio on Linux/Unix? I suspect that RC4 is being
> > used
> > > on Windows
> > > box (RC4 encryption type is not yet supported in ApacheDS)
> > >
> > > > I don't seem to see any errors in apacheds.log
> > > >
> > > >
> > > > Error while opening connection
> > > >  - *javax.security.auth.login.LoginException: Checksum failed*
> > > > org.apache.directory.api.ldap.model.exception.LdapException:
> > > > javax.security.auth.login.LoginException: Checksum failed
> > > >     at
> > > >
> > > >
> > >
> >
> org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1535)
> > > >     at
> > > >
> > > >
> > >
> >
> org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1421)
> > > >     at
> > > >
> > > >
> > >
> >
> org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:447)
> > > >     at
> > > >
> > > >
> > >
> >
> org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1175)
> > > >     at
> > > >
> > > >
> > >
> >
> org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:460)
> > > >     at
> > > >
> > > >
> > >
> >
> org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:306)
> > > >     at
> > > >
> > > >
> > >
> >
> org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
> > > >     at
> > > >
> > > >
> > >
> >
> org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
> > > >     at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
> > > > Caused by: javax.security.auth.login.LoginException: Checksum failed
> > > >     at
> > > >
> > > >
> > >
> >
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
> > > >     at
> > > >
> > > >
> > >
> >
> com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
> > > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > >     at
> > > >
> > > >
> > >
> >
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> > > >     at
> > > >
> > > >
> > >
> >
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> > > >     at java.lang.reflect.Method.invoke(Method.java:597)
> > > >     at
> > > javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
> > > >     at
> > > >
> > javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
> > > >     at
> > > javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
> > > >     at java.security.AccessController.doPrivileged(Native Method)
> > > >     at
> > > >
> > javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
> > > >     at
> > > javax.security.auth.login.LoginContext.login(LoginContext.java:579)
> > > >     at
> > > >
> > > >
> > >
> >
> org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1522)
> > > >     ... 8 more
> > > > Caused by: KrbException: Checksum failed
> > > >     at
> > > >
> > > >
> > >
> >
> sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:85)
> > > >     at
> > > >
> > > >
> > >
> >
> sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:77)
> > > >     at
> sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
> > > >     at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:87)
> > > >     at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
> > > >     at
> > sun.security.krb5.Credentials.sendASRequest(Credentials.java:401)
> > > >     at sun.security.krb5.Credentials.acquireTGT(Credentials.java:350)
> > > >     at
> > > >
> > > >
> > >
> >
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
> > > >     ... 20 more
> > > > Caused by: java.security.GeneralSecurityException: Checksum failed
> > > >     at
> > > >
> > > >
> > >
> >
> sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:431)
> > > >     at
> > > >
> > > >
> > >
> >
> sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:254)
> > > >     at
> sun.security.krb5.internal.crypto.Aes128.decrypt(Aes128.java:59)
> > > >     at
> > > >
> > > >
> > >
> >
> sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:83)
> > > >     ... 27 more
> > > >
> > > > javax.security.auth.login.LoginException: Checksum failed
> > > >
> > > >
> > > > On Fri, Jul 25, 2014 at 2:06 PM, Brian Laskey <
> brian.laskey@gmail.com>
> > > > wrote:
> > > >
> > > > >
> > > > > I appreciate the help with this. I am new to ApacheDS and Kerberos.
> > > > >
> > > > > I have now tried that tutorial (of course I hadn't got that far,
I
> > was
> > > > > trying the tutorial before it, 4.1 - Authenticate with kinit on
> > Linux!)
> > > > >
> > > > > Adding krbtgt/EXAMPLE.COM@EXAMPLE.COM SOLVES the "Server not found
> > in
> > > > the
> > > > > Kerberos database while getting initial credentials" error with
> > kinit.
> > > So
> > > > > that's good.
> > > > >
> > > > > However, now in kinit I get a new error for any principal I try
> > (either
> > > > > using my generated keytab or by typing in the password).
> > > > > Verbose output of kinit -V monkey@EXAMPLE.COM
> > > > > Using default cache: /tmp/krb5cc_13553
> > > > > Using principal: monkey@EXAMPLE.COM
> > > > > Password for monkey@EXAMPLE.COM:
> > > > > kinit: Password incorrect while getting initial credentials
> > > > >
> > > > > I am trying kinit on a linux machine.
> > > > >
> > > > > On a separate Windows 7 machine, I have Apache Directory Studio.
> > > > Following
> > > > > the tutorial as best I can (Kerberos settings tab seems subtly
> > > different
> > > > > than the screens I see on Apache Directory Studio 2.0.0.v20130628
/
> > > Win7
> > > > /
> > > > > IBM Java 1.7 JRE)
> > > > >
> > > > > After I set up krbtgt and ldap principals, when I try to connect
as
> > one
> > > > of
> > > > > my principals using Apache directory Studio I get this exception:
> > > > >
> > > > > Error while opening connection
> > > > >  - java.lang.IllegalArgumentException
> > > > > org.apache.directory.api.ldap.model.exception.LdapException:
> > > > > java.lang.IllegalArgumentException
> > > > >     at
> > > > >
> > > >
> > >
> >
> org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1535)
> > > > >     at
> > > > >
> > > >
> > >
> >
> org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1421)
> > > > >     at
> > > > >
> > > >
> > >
> >
> org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:447)
> > > > >     at
> > > > >
> > > >
> > >
> >
> org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1175)
> > > > >     at
> > > > >
> > > >
> > >
> >
> org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:460)
> > > > >     at
> > > > >
> > > >
> > >
> >
> org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:306)
> > > > >     at
> > > > >
> > > >
> > >
> >
> org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
> > > > >     at
> > > > >
> > > >
> > >
> >
> org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
> > > > >     at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
> > > > > Caused by: java.lang.IllegalArgumentException
> > > > >     at
> > > > >
> > > >
> > >
> >
> javax.security.auth.login.AppConfigurationEntry.<init>(AppConfigurationEntry.java:84)
> > > > >     at
> > > > >
> > > >
> > >
> >
> org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$InnerConfiguration.getAppConfigurationEntry(DirectoryApiConnectionWrapper.java:1222)
> > > > >     at
> > > javax.security.auth.login.LoginContext.init(LoginContext.java:269)
> > > > >     at
> > > > javax.security.auth.login.LoginContext.<init>(LoginContext.java:427)
> > > > >     at
> > > > >
> > > >
> > >
> >
> org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1520)
> > > > >     ... 8 more
> > > > >
> > > > > java.lang.IllegalArgumentException
> > > > >
> > > > >
> > > > > Seems like no matter which way I go I am finding all the hurdles.
> > > > >
> > > > > Thank you,
> > > > > Brian
> > > > >
> > > > > On Fri, Jul 25, 2014 at 12:12 PM, Emmanuel Lécharny <
> > > elecharny@gmail.com
> > > > >
> > > > > wrote:
> > > > >
> > > > >> Le 25/07/2014 17:19, Brian Laskey a écrit :
> > > > >> > Actually, I solved the "Additional pre-authentication required"
> > > error
> > > > by
> > > > >> > Opening Configuration on my ApacheDS server with Directory
> Studio,
> > > on
> > > > >> the
> > > > >> > Kerberos Server tab, uncheck Require Pre-AuthenticationBy
> > Encrypted
> > > > >> > TimeStamp check box under Ticket Settings.
> > > > >> >
> > > > >> >
> > > > >> > Now I receive a different error with kinit using the same
keytab
> > and
> > > > >> conf
> > > > >> > file:
> > > > >> > kinit: Server not found in Kerberos database while getting
> initial
> > > > >> > credentials
> > > > >> >
> > > > >> >
> > > > >> > Should I create a principal krbtgt manually?
> > > > >>
> > > > >> I think so.
> > > > >>
> > > > >> Have you followed the tutorial on
> > > > >>
> > > > >>
> > > >
> > >
> >
> http://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html
> > > > >> ?
> > > > >>
> > > > >>
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Kiran Ayyagari
> > > http://keydap.com
> > >
> >
>
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message