directory-users mailing list archives

From Yu Wei <yu20...@hotmail.com>
Subject Re: Failed to setup kerberos with Apache DS
Date Wed, 18 Jan 2017 08:22:01 GMT
Stefan,


My problem was fixed with your advice.


Thanks very much for the information.



Thanks,

Jared, (韦煜)
Software developer
Interested in open source software, big data, Linux

________________________________
From: Stefan Seelmann <mail@stefan-seelmann.de>
Sent: Wednesday, January 18, 2017 3:41:46 AM
To: users@directory.apache.org
Subject: Re: Failed to setup kerberos with Apache DS

On 01/17/2017 09:13 AM, Yu Wei wrote:
> Hi Guys,
>
> I tried to set up Apache DS with the Kerberos server enabled.
>
> After creating the entry by following the Apache DS document "Kerberos User guide", I got the following exception when trying to create a connection with Apache Directory Studio.
>
>   javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31) - Integrity check on decrypted field failed
>
> Then I tried again with kinit and got another error as below,
>
> [dcos@mesos-ds apacheds-2.0.0-M23]$ sudo kinit krbtest
> Password for krbtest@ISTUARY.COM:
> kinit: Password incorrect while getting initial credentials

Sounds like a password problem:

Please verify that the password you use for authentication is the same
one you used when you created the entry.

For entry creation the password must be plain text (but the password hash
interceptor will SSHA-hash it by default).

Please make sure that the key derivation interceptor is enabled. If it
is enabled then the entry you imported has 5 krb5Key attributes that
were derived from the password. When you configured ApacheDS via the
Studio configuration editor (as described on [1]) the interceptor is
enabled by default. You can verify by checking entry [2], ads-enabled
must not be "false" (either true or absent).

Kind Regards,
Stefan


[1]
https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html
[2]
ads-interceptorId=keyDerivationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
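
Added example, not part of the thread and not ApacheDS code: a Python check of the two conditions named in the reply above (the interceptor entry's ads-enabled value and the five krb5Key attributes), run over an LDIF export. The interceptor DN and the key count come from the reply; the user DN, the sample export and its krb5Key bytes are constructed.

```python
import base64

# DN of the key derivation interceptor config entry, as given in reference [2].
INTERCEPTOR_DN = ("ads-interceptorId=keyDerivationInterceptor,ou=interceptors,"
                  "ads-directoryServiceId=default,ou=config")
SAMPLE_DN = "uid=krbtest,ou=users,dc=example,dc=com"  # constructed DN (assumption)
EXPECTED_KEYS = 5  # number of derived krb5Key attributes stated in the reply

def parse_ldif(text):
    """Return entries as {lowercased attribute: [values]}; unfolds lines, decodes '::' base64."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]            # LDIF continuation line
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
            current.setdefault(name.lower(), []).append(value)
    return entries

def check_export(ldif_text, principal_dn):
    """Return a list of findings; an empty list means both checks from the reply pass."""
    by_dn = {e["dn"][0].lower(): e for e in parse_ldif(ldif_text) if isinstance(e["dn"][0], str)}
    findings = []
    icpt = by_dn.get(INTERCEPTOR_DN.lower())
    if icpt is None:
        findings.append("key derivation interceptor entry not found in export")
    elif any(str(v).lower() == "false" for v in icpt.get("ads-enabled", [])):
        findings.append("key derivation interceptor is disabled (ads-enabled is false)")
    user = by_dn.get(principal_dn.lower())
    if user is None:
        findings.append("principal entry not found in export")
    elif len(user.get("krb5key", [])) != EXPECTED_KEYS:
        findings.append("entry has %d krb5Key values, expected %d"
                        % (len(user.get("krb5key", [])), EXPECTED_KEYS))
    return findings

def sample_ldif(n_keys, enabled):
    """Constructed export: interceptor entry (folded DN) plus one principal entry."""
    keys = "".join("krb5Key:: %s\n" % base64.b64encode(b"constructed-key-%d" % i).decode()
                   for i in range(n_keys))
    flag = "" if enabled is None else "ads-enabled: %s\n" % enabled
    return ("dn: " + INTERCEPTOR_DN[:60] + "\n " + INTERCEPTOR_DN[60:] + "\n" + flag + "\n"
            "dn: " + SAMPLE_DN + "\nkrb5PrincipalName: krbtest@ISTUARY.COM\n" + keys)
```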




