Hi,

Can you please avoid spreading the same mail to all the possible mailing lists?

Thanks !


On 3/30/12 3:06 PM, Vamsi Kondadasula wrote:
Hi,

We have a project requirement in which the Apache DS Java API is used to
communicate with the Heimdal KDC to create the principals.
We are using heimdal-1.5.2 and OpenLDAP as the back end for storing the principals.
We are able to add principals using *add* (of kadmin) and authenticate using
kinit from the terminal.

Please find the attached krb5.conf and source code.




Using the attached Java client code we are able to create the Heimdal Kerberos
principals in OpenLDAP. The Krb5Keys are also generated.
But when running *kinit* (from the terminal) I am getting the error mentioned below.

Kindly provide us any solution for the problem.

sh-3.2# /usr/heimdal/bin/kinit [email protected]
[email protected]'s Password: <= apple
kinit: krb5_get_init_creds: KDC has no support for encryption type

*The Heimdal log during kinit for the above principal (created using the Java
code) is as follows:*

2012-03-30T18:01:58 AS-REQ [email protected] from IPv4:127.0.0.1 for krbtgt/[email protected]
2012-03-30T18:01:58 AS-REQ [email protected] from IPv4:127.0.0.1 for krbtgt/[email protected]
2012-03-30T18:01:58 Client ([email protected]) from IPv4:127.0.0.1 has no common enctypes with KDC to use for the session key
2012-03-30T18:01:58 Client ([email protected]) from IPv4:127.0.0.1 has no common enctypes with KDC to use for the session key
2012-03-30T18:01:58 sending 124 bytes to IPv4:127.0.0.1
2012-03-30T18:01:58 sending 124 bytes to IPv4:127.0.0.1

*The Heimdal log during kinit for the above principal (created using the kadmin
terminal) is as follows:*
2012-03-30T18:04:55 AS-REQ [email protected] from IPv4:127.0.0.1 for krbtgt/[email protected]
2012-03-30T18:04:55 AS-REQ [email protected] from IPv4:127.0.0.1 for krbtgt/[email protected]
2012-03-30T18:04:55 No preauth found, returning PREAUTH-REQUIRED -- [email protected]
2012-03-30T18:04:55 No preauth found, returning PREAUTH-REQUIRED -- [email protected]
2012-03-30T18:04:55 sending 255 bytes to IPv4:127.0.0.1
2012-03-30T18:04:55 sending 255 bytes to IPv4:127.0.0.1
2012-03-30T18:04:55 AS-REQ [email protected] from IPv4:127.0.0.1 for krbtgt/[email protected]
2012-03-30T18:04:55 AS-REQ [email protected] from IPv4:127.0.0.1 for krbtgt/[email protected]
2012-03-30T18:04:55 Client sent patypes: encrypted-timestamp
2012-03-30T18:04:55 Client sent patypes: encrypted-timestamp
2012-03-30T18:04:55 Looking for PKINIT pa-data -- [email protected]
2012-03-30T18:04:55 Looking for PKINIT pa-data -- [email protected]
2012-03-30T18:04:55 Looking for ENC-TS pa-data -- [email protected]
2012-03-30T18:04:55 Looking for ENC-TS pa-data -- [email protected]
2012-03-30T18:04:55 ENC-TS Pre-authentication succeeded -- [email protected] using aes256-cts-hmac-sha1-96
2012-03-30T18:04:55 ENC-TS Pre-authentication succeeded -- [email protected] using aes256-cts-hmac-sha1-96
2012-03-30T18:04:55 AS-REQ authtime: 2012-03-30T18:04:55 starttime: unset endtime: 2012-03-31T04:04:55 renew till: unset
2012-03-30T18:04:55 AS-REQ authtime: 2012-03-30T18:04:55 starttime: unset endtime: 2012-03-31T04:04:55 renew till: unset
2012-03-30T18:04:55 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2012-03-30T18:04:55 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2012-03-30T18:04:55 Requested flags: forwardable
2012-03-30T18:04:55 Requested flags: forwardable
2012-03-30T18:04:55 sending 628 bytes to IPv4:127.0.0.1
2012-03-30T18:04:55 sending 628 bytes to IPv4:127.0.0.1

*Environment Details:*
Operating System: Mac OS X - Snow Leopard.
Kerberos: heimdal-1.5.2
Back End for Kerberos: OpenLDAP 2.4.30
Apache DS API: apacheds-all-2.0.0-M6.jar

Info: The principal that has been created using Heimdal (*add* of kadmin) is
able to get tickets with *kinit*; the details are below:
sh-3.2# /usr/heimdal/bin/kinit [email protected]
[email protected]'s Password:
sh-3.2# /usr/heimdal/bin/klist -5Afv
Credentials cache: API:0
Principal: [email protected]
Cache version: 0
Server: krbtgt/[email protected]
Client: [email protected]
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 313
Auth time: Mar 30 18:04:55 2012
End time: Mar 31 04:04:55 2012
Ticket flags: pre-authent, initial, forwardable
Addresses: addressless


Below are the contents of the Java console log when creating principals using the
attached code:
Started the process
Schema Process Done
entryEntry
dn: [email protected],ou=KerberosPrincipals,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: krb5Principal
objectClass: krb5KDCEntry
uid: sample
krb5MaxRenew: 604800
krb5KeyVersionNumber: 1
krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x18 0x72 0xBF
0x9A 0xE2 ...'
krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0xF2 0xFB 0x13
0xD9 0x91 ...'
krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x5E 0xBE 0x7D
0xFA 0x07 ...'
krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0x46 0xAE 0xA1
0xD5 0x97 ...'
krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0xCF 0x89 0xBB
0xC2 0xFC ...'
krb5MaxLife: 86400
krb5PrincipalName: [email protected]

Entry has been created
org.apache.directory.ldap.client.api.LdapNetworkConnection@75d709a5

Thanks,
Vamsi


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
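As an added example (not code from either poster, and not from Heimdal or Apache DS), the Python below decodes the krb5Key values printed in the console log quoted above. Those values begin with `30 <len> A0 03 02 01 <etype> A1 <len> 04 <len> ...`, which is the DER encoding of the RFC 4120 EncryptionKey structure (keytype [0], keyvalue [1]). Heimdal's hdb schema stores each krb5Key as its Key structure (mkvno [0] OPTIONAL, key [1] EncryptionKey, salt [2] OPTIONAL), so the EncryptionKey sits one level deeper. The decoder accepts both shapes and reports which one it found, then intersects the enctypes of the stored keys with the client's list from the KDC log, which is one way to reproduce a "no common enctypes" result offline. The page truncates the key bytes, so the sample values are constructed from the printed prefixes with zero padding, and the assumption that the KDC treats keys in the other shape as unusable is marked in the code; whether that wrapper difference is the actual cause on the poster's system is not settled by this thread.

```python
"""Decode the krb5Key values from the console log above and compare enctypes.
DER shapes handled:
  EncryptionKey ::= SEQUENCE { keytype [0] Int32, keyvalue [1] OCTET STRING }   (RFC 4120)
  Key ::= SEQUENCE { mkvno [0] INTEGER OPTIONAL, key [1] EncryptionKey,
                     salt [2] Salt OPTIONAL }                                  (Heimdal hdb.asn1)
"""
from typing import List, Tuple

# IANA Kerberos enctype numbers; names as printed by the Heimdal KDC log
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 5: "des3-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5",
}

# CONSTRUCTED sample values: the prefixes the log prints, key bytes zero-padded
# to the length each OCTET STRING declares. These are not real keys.
SAMPLE_KRB5KEYS = [
    bytes.fromhex("3019a003020111a1120410" "1872bf9ae2") + b"\0" * 11,
    bytes.fromhex("3021a003020110a11a0418" "f2fb13d991") + b"\0" * 19,
    bytes.fromhex("3019a003020117a1120410" "5ebe7dfa07") + b"\0" * 11,
    bytes.fromhex("3011a003020103a10a0408" "46aea1d597") + b"\0" * 3,
    bytes.fromhex("3029a003020112a1220420" "cf89bbc2fc") + b"\0" * 27,
]

# The "Client supported enctypes" list from the KDC log, in the client's order
CLIENT_ENCTYPES = [
    "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "des3-cbc-sha1",
    "des3-cbc-md5", "arcfour-hmac-md5", "des-cbc-md5", "des-cbc-md4", "des-cbc-crc",
]

def _tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; short-form length only (Kerberos keys are < 128 bytes)."""
    if len(content) >= 128:
        raise ValueError("short-form DER length only")
    return bytes([tag, len(content)]) + content

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the TLV at buf[pos]; return (tag, content, offset just past it)."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated TLV or long-form length")
    tag, length = buf[pos], buf[pos + 1]
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("DER content runs past end of buffer")
    return tag, buf[pos + 2:end], end

def encode_encryption_key(etype: int, key: bytes) -> bytes:
    """DER-encode an RFC 4120 EncryptionKey (the shape seen in the console log)."""
    keytype = _tlv(0xA0, _tlv(0x02, bytes([etype])))
    keyvalue = _tlv(0xA1, _tlv(0x04, key))
    return _tlv(0x30, keytype + keyvalue)

def encode_hdb_key(etype: int, key: bytes) -> bytes:
    """DER-encode a Heimdal hdb Key carrying only the mandatory key[1] member."""
    return _tlv(0x30, _tlv(0xA1, encode_encryption_key(etype, key)))

def parse_krb5key(der: bytes) -> Tuple[str, int, bytes]:
    """Return (shape, etype, key); shape is 'EncryptionKey' or 'hdb-Key'."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    tag0, c0, pos = _read_tlv(body, 0)
    if tag0 == 0xA1:
        # hdb Key with mkvno omitted: [1] holds a nested EncryptionKey
        shape, etype, key = parse_krb5key(c0)
        if shape != "EncryptionKey":
            raise ValueError("hdb Key must wrap an EncryptionKey")
        return "hdb-Key", etype, key
    if tag0 != 0xA0:
        raise ValueError("expected [0] as the first member")
    itag, ival, _ = _read_tlv(c0, 0)
    if itag != 0x02:
        raise ValueError("[0] must be an INTEGER")
    tag1, c1, _ = _read_tlv(body, pos)
    if tag1 != 0xA1:
        raise ValueError("expected [1] as the second member")
    inner_tag, inner, _ = _read_tlv(c1, 0)
    if inner_tag == 0x30:
        # hdb Key with mkvno present: [0] was mkvno, [1] wraps the EncryptionKey
        return ("hdb-Key",) + parse_krb5key(c1)[1:]
    if inner_tag != 0x04:
        raise ValueError("keyvalue must be an OCTET STRING")
    return "EncryptionKey", int.from_bytes(ival, "big", signed=True), inner

def usable_session_enctypes(client_names: List[str], krb5keys: List[bytes],
                            kdc_shape: str = "hdb-Key") -> List[str]:
    """Client-preference-ordered enctypes for which a stored key parsed in the
    shape the KDC reads (ASSUMPTION: keys in the other shape count as unusable).
    An empty result corresponds to the 'no common enctypes' KDC log line."""
    by_name = {name: num for num, name in ENCTYPE_NAMES.items()}
    stored = {etype for shape, etype, _ in map(parse_krb5key, krb5keys)
              if shape == kdc_shape}
    return [name for name in client_names if by_name.get(name) in stored]

if __name__ == "__main__":
    for value in SAMPLE_KRB5KEYS:
        shape, etype, key = parse_krb5key(value)
        print(f"{shape:14} etype={etype:2} {ENCTYPE_NAMES.get(etype, '?'):24} keylen={len(key)}")
    print("usable if KDC reads EncryptionKey:",
          usable_session_enctypes(CLIENT_ENCTYPES, SAMPLE_KRB5KEYS, "EncryptionKey"))
    print("usable if KDC reads hdb Key:      ",
          usable_session_enctypes(CLIENT_ENCTYPES, SAMPLE_KRB5KEYS))
```

Run as a script it lists the five sample values as bare EncryptionKey structures with enctypes 17, 16, 23, 3 and 18; the same values wrapped by `encode_hdb_key` parse as `hdb-Key`, which is the quick check to run against whatever the Java client actually writes into the krb5Key attribute.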
