directory-users mailing list archives

From Yu Wei <yu20...@hotmail.com>
Subject Failed to setup kerberos with Apache DS
Date Tue, 17 Jan 2017 08:13:27 GMT
Hi Guys,

I tried to set up Apache DS with the Kerberos server enabled.

After creating the entry by following the Apache DS document "Kerberos User Guide", I got the following
exception when trying to create a connection with Apache Directory Studio.

The authentication failed
 - javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31) - Integrity check on decrypted field failed
  org.apache.directory.api.ldap.model.exception.LdapException: javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31) - Integrity check on decrypted field failed
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1671)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1557)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:436)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1163)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:449)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:295)
    at org.apache.directory.studio.connection.core.jobs.CheckBindRunnable.run(CheckBindRunnable.java:79)
    at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:127)
    at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:119)
Caused by: javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31) - Integrity check on decrypted field failed
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1658)
    ... 8 more
Caused by: KrbException: Integrity check on decrypted field failed (31) - Integrity check on decrypted field failed
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:82)
    at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
    at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:766)
    ... 21 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
    at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
    at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
    ... 24 more

  javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31) - Integrity check on decrypted field failed



Then I tried again with kinit and got another error, as below:

[dcos@mesos-ds apacheds-2.0.0-M23]$ sudo kinit krbtest
Password for krbtest@ISTUARY.COM:
kinit: Password incorrect while getting initial credentials


How could I fix such a problem?


Another question is about krb5key. I created the entry and set the password with Apache Directory
Studio, and the krb5key was generated successfully. Where is the krb5key stored?



Thanks,

Jared
Software developer
Interested in open source software, big data, Linux
