From: Brian Laskey
To: users@directory.apache.org
Date: Fri, 25 Jul 2014 14:30:48 -0400
Subject: Re: [ApacheDS] Generating keytab file for Websphere Kerberos configuration, now with KRB-ERROR in logs

What are the supported encryption types for ApacheDS?

I've had some issues on the Linux side with kinit. I had configured my krb.conf file with:

default_tkt_enctypes = aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes128-cts-hmac-sha1-96

And tried checking that off only in the Kerberos settings of Studio. Didn't seem to solve the password error with kinit. If I tried other enctypes I got other errors like encryption type not supported. E.g. had problems with below, not sure if it's the cause of my issues.

#default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 aes128-cts des3-cbc-sha1-kd aes128-cts-hmac-sha1-96
#default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 aes128-cts des3-cbc-sha1-kd aes128-cts-hmac-sha1-96

I can try to install Studio on my Red Hat Linux server, but that only has IBM JDK 6 on it if that matters.

Thanks
Brian

On Fri, Jul 25, 2014 at 2:23 PM, Kiran Ayyagari wrote:
> On Fri, Jul 25, 2014 at 11:50 PM, Brian Laskey wrote:
>
>> Apologies for the multiple emails, but if I change Directory Studio vm to Sun/Oracle jdk1.6.0_31\jre\bin I get a different exception in logging in with Kerberos or using the 'Check Authentication' button.
>
> np, feel free to post
>
> can you try with Studio on Linux/Unix? I suspect that RC4 is being used on Windows box (RC4 encryption type is not yet supported in ApacheDS)
>
>> I don't seem to see any errors in apacheds.log
>>
>> Error while opening connection
>> - javax.security.auth.login.LoginException: Checksum failed
>> org.apache.directory.api.ldap.model.exception.LdapException: javax.security.auth.login.LoginException: Checksum failed
>>   at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1535)
>>   at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1421)
>>   at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:447)
>>   at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1175)
>>   at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:460)
>>   at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:306)
>>   at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
>>   at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
>>   at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
>> Caused by: javax.security.auth.login.LoginException: Checksum failed
>>   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
>>   at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
>>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>   at java.lang.reflect.Method.invoke(Method.java:597)
>>   at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
>>   at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
>>   at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
>>   at java.security.AccessController.doPrivileged(Native Method)
>>   at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
>>   at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
>>   at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1522)
>>   ... 8 more
>> Caused by: KrbException: Checksum failed
>>   at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:85)
>>   at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:77)
>>   at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
>>   at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:87)
>>   at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
>>   at sun.security.krb5.Credentials.sendASRequest(Credentials.java:401)
>>   at sun.security.krb5.Credentials.acquireTGT(Credentials.java:350)
>>   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
>>   ... 20 more
>> Caused by: java.security.GeneralSecurityException: Checksum failed
>>   at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:431)
>>   at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:254)
>>   at sun.security.krb5.internal.crypto.Aes128.decrypt(Aes128.java:59)
>>   at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:83)
>>   ... 27 more
>>
>> javax.security.auth.login.LoginException: Checksum failed
>>
>>
>> On Fri, Jul 25, 2014 at 2:06 PM, Brian Laskey wrote:
>>
>>> I appreciate the help with this. I am new to ApacheDS and Kerberos.
>>>
>>> I have now tried that tutorial (of course I hadn't got that far, I was trying the tutorial before it, 4.1 - Authenticate with kinit on Linux!)
>>>
>>> Adding krbtgt/EXAMPLE.COM@EXAMPLE.COM SOLVES the "Server not found in the Kerberos database while getting initial credentials" error with kinit. So that's good.
>>>
>>> However, now in kinit I get a new error for any principal I try (either using my generated keytab or by typing in the password).
>>> Verbose output of kinit -V monkey@EXAMPLE.COM
>>> Using default cache: /tmp/krb5cc_13553
>>> Using principal: monkey@EXAMPLE.COM
>>> Password for monkey@EXAMPLE.COM:
>>> kinit: Password incorrect while getting initial credentials
>>>
>>> I am trying kinit on a Linux machine.
>>>
>>> On a separate Windows 7 machine, I have Apache Directory Studio. Following the tutorial as best I can (Kerberos settings tab seems subtly different than the screens I see on Apache Directory Studio 2.0.0.v20130628 / Win7 / IBM Java 1.7 JRE)
>>>
>>> After I set up krbtgt and ldap principals, when I try to connect as one of my principals using Apache Directory Studio I get this exception:
>>>
>>> Error while opening connection
>>> - java.lang.IllegalArgumentException
>>> org.apache.directory.api.ldap.model.exception.LdapException: java.lang.IllegalArgumentException
>>>   at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1535)
>>>   at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1421)
>>>   at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:447)
>>>   at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1175)
>>>   at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:460)
>>>   at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:306)
>>>   at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
>>>   at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
>>>   at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
>>> Caused by: java.lang.IllegalArgumentException
>>>   at javax.security.auth.login.AppConfigurationEntry.<init>(AppConfigurationEntry.java:84)
>>>   at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$InnerConfiguration.getAppConfigurationEntry(DirectoryApiConnectionWrapper.java:1222)
>>>   at javax.security.auth.login.LoginContext.init(LoginContext.java:269)
>>>   at javax.security.auth.login.LoginContext.<init>(LoginContext.java:427)
>>>   at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1520)
>>>   ... 8 more
>>>
>>> java.lang.IllegalArgumentException
>>>
>>>
>>> Seems like no matter which way I go I am finding all the hurdles.
>>>
>>> Thank you,
>>> Brian
>>>
>>> On Fri, Jul 25, 2014 at 12:12 PM, Emmanuel Lécharny <elecharny@gmail.com> wrote:
>>>
>>>> On 25/07/2014 17:19, Brian Laskey wrote:
>>>>> Actually, I solved the "Additional pre-authentication required" error by Opening Configuration on my ApacheDS server with Directory Studio, on the Kerberos Server tab, uncheck Require Pre-Authentication By Encrypted TimeStamp check box under Ticket Settings.
>>>>>
>>>>> Now I receive a different error with kinit using the same keytab and conf file:
>>>>> kinit: Server not found in Kerberos database while getting initial credentials
>>>>>
>>>>> Should I create a principal krbtgt manually?
>>>>
>>>> I think so.
>>>>
>>>> Have you followed the tutorial on http://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html ?
>>>>
>
> --
> Kiran Ayyagari
> http://keydap.com
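The thread turns on whether the keytab, the client's krb5.conf and the KDC agree on key type and key version, so here is an added example (not code from the thread or from the ApacheDS project) that parses an MIT-format keytab and lists each entry's principal, kvno and enctype, which lets a keytab be checked before it is handed to kinit or WebSphere. The keytab bytes are constructed inline with dummy keys; the principal names borrow the thread's EXAMPLE.COM realm, and the enctype table is an assumption covering only the types mentioned in the thread.

```python
import struct

# Kerberos etype numbers (RFC 3961/3962) for the types mentioned in this thread.
ENCTYPE_NAMES = {3: "des-cbc-md5", 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac (RC4)"}

def _octets(buf, off):  # keytab counted_octet_string: uint16 big-endian length, then bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n
def parse_keytab(data):
    """Parse a version-0x0502 keytab into dicts of principal, kvno, enctype and key length."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                     # a negative size marks a deleted slot of -size bytes
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _octets(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _octets(data, off)
            comps.append(comp.decode())
        # name_type(4) timestamp(4) vno8(1) enctype(2) keylen(2), followed by the key bytes
        _name_type, _stamp, vno8, etype, keylen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + keylen
        vno = vno8
        if end - off >= 4:                # optional 32-bit kvno overrides the 8-bit field
            vno = struct.unpack_from(">I", data, off)[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno,
                        "enctype": ENCTYPE_NAMES.get(etype, etype), "key_len": keylen})
        off = end
    return entries

def _entry(principal, kvno, enctype, key):
    """Encode one keytab entry; used only to build the constructed sample below."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, 1406313048, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
# Constructed sample with dummy keys: an AES128 entry (the enctype the thread's krb5.conf asks
# for) and an RC4 entry, which the thread says ApacheDS does not support.
SAMPLE_KEYTAB = (b"\x05\x02" + _entry("monkey@EXAMPLE.COM", 1, 17, bytes(range(16)))
                 + _entry("ldap/example.com@EXAMPLE.COM", 2, 23, bytes(range(16))))
```

On a real file, pass its bytes to parse_keytab(); an entry whose enctype the KDC does not offer, or whose kvno lags the key version the KDC holds, cannot authenticate no matter how the krb5.conf enctype lists are set.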