Any experts on Kerberos here? I'm wondering if this is even fixable. It might not be possible to create a ticket from a hashed password. What do other Kerberos systems do?
Paul

On 6 September 2010 10:49, Amila Jayasekara <[email protected]> wrote:
> Hi All,
> This is about using ApacheDS as a KDC in IS. It seems there is
> a limitation in ApacheDS when using ApacheDS as a Kerberos Ticket
> Granting Server. The ApacheDS ticket granting server is not able to issue
> tickets when principals have hashed passwords. (See mail thread below
> for more details.) In other words, ApacheDS is only able to issue tickets
> if stored principals (users/servers) have plain text passwords. I
> personally believe storing plain text passwords is not a good idea and
> many clients will not like it.
> At the moment I am kind of in a confused situation on how to proceed
> with this. One thing we can do is to contribute our effort to implement
> the above mentioned requirement (i.e. KDC functionality for principals with
> hashed passwords).
>
> Appreciate your feedback.
> Thanks
> AmilaJ
>
>
> Subject: Re: Requesting TGT using kinit when principal's password type is MD5
> Stefan Seelmann wrote:
> >
> > Hi Amila,
> >
> > The current implementation requires a plain text password, because the
> > krb5 keys are derived from the password.
> >
> > Kind regards,
> > Stefan
> >
> > On Sep 6, 2010 5:02 AM, "Amila Jayasekara" <[email protected]> wrote:
> > > Hi All,
> > > I am using the Kerberos server which comes with ApacheDS. Currently I am
> > > facing a strange problem with it. Let me explain the scenario in detail.
> > > I am requesting a TGT using the "kinit" program. For this I am executing
> > > the following command,
> > >
> > > kinit [email protected]
> > >
> > > I was able to successfully retrieve a ticket when [email protected]'s
> > > password is plain text. But when I convert the principal's
> > > ([email protected]) password type to MD5, I was not able to get the
> > > ticket. I am getting an error saying "kinit: Password incorrect while
> > > getting initial credentials".
> > >
> > > a...@wso2:~/development/Tools/LDAP/apacheds-1.5.5$ kinit [email protected]
> > > Password for [email protected]:
> > > kinit: Password incorrect while getting initial credentials
> > >
> > > Below I have pasted the log output of the ApacheDS server for the above
> > > request. According to the log output, the server has not encountered any
> > > error and has successfully authenticated the principal. The
> > > AS_REPLY response has also been sent back to the client. Now I am a bit
> > > confused about what has gone wrong. Note that for this particular case I
> > > have disabled pre-authentication on the server. I believe this has
> > > something to do with the way the kinit program works, but I couldn't get
> > > more information from kinit. Therefore I am not able to find any cause
> > > for this error.
> > >
> > > I am really grateful if someone can help me understand what has gone
> > > wrong here.
> > >
> > > Thanks
> > > AmilaJ
> > >
> > > ==============================================================================
> > >
> > > [07:44:26] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /0:0:0:0:0:0:0:1:57572 CREATED: datagram
> > > [07:44:26] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /0:0:0:0:0:0:0:1:57572 OPENED
> > > [07:44:26] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /0:0:0:0:0:0:0:1:57572 RCVD: org.apache.directory.server.kerberos.shared.messages.kdcrequ...@2c3299f6
> > > [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Received Authentication Service (AS) request:
> > >     messageType: AS_REQ
> > >     protocolVersionNumber: 5
> > >     clientAddress: 0:0:0:0:0:0:0:1
> > >     nonce: 1457316737
> > >     kdcOptions: FORWARDABLE PROXIABLE RENEWABLE_OK
> > >     clientPrincipal: [email protected]
> > >     serverPrincipal: krbtgt/[email protected]
> > >     encryptionType: des-cbc-md5 (3), rc4-hmac (23), aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), des-cbc-crc (1), aes256-cts-hmac-sha1-96 (18), des-cbc-md4 (2)
> > >     realm: EXAMPLE.COM
> > >     from time: 20100906024426Z
> > >     till time: 20100907024426Z
> > >     renew-till time: null
> > >     hostAddresses: null
> > > [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Session will use encryption type des-cbc-md5 (3).
> > > [07:44:26] DEBUG [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - Found entry ServerEntry
> > >     dn[n]: uid=hnelson,ou=Users,dc=example,dc=com
> > >     objectClass: organizationalPerson
> > >     objectClass: person
> > >     objectClass: krb5Principal
> > >     objectClass: inetOrgPerson
> > >     objectClass: krb5KDCEntry
> > >     objectClass: top
> > >     uid: hnelson
> > >     sn: Nelson
> > >     krb5PrincipalName: [email protected]
> > >     krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xC7 0x86 0x58 0x23 0x98 ...'
> > >     krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0xC6 0x4B 0xD6 0xFE 0x30 ...'
> > >     krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x7A 0xB6 0x43 0x9D 0xF7 ...'
> > >     krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x27 0xD9 0xE6 0xA4 0x66 ...'
> > >     krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0x4A 0xCE 0xDE 0xEC 0x20 ...'
> > >     krb5KeyVersionNumber: 7
> > >     cn: Horatio Nelson
> > >     userPassword: '0x7B 0x4D 0x44 0x35 0x7D 0x58 0x72 0x34 0x69 0x6C 0x4F 0x7A 0x51 0x34 0x50 0x43 ...'
> > >   for kerberos principal name [email protected]
> > > [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using SAM subsystem.
> > > [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using encrypted timestamp.
> > > [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Entry for client principal [email protected] has no SAM type. Proceeding with standard pre-authentication.
> > > [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Pre-authentication by encrypted timestamp successful for [email protected].
> > > [07:44:26] DEBUG [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - Found entry ServerEntry
> > >     dn[n]: uid=krbtgt,ou=Users,dc=example,dc=com
> > >     objectClass: organizationalPerson
> > >     objectClass: person
> > >     objectClass: krb5Principal
> > >     objectClass: inetOrgPerson
> > >     objectClass: krb5KDCEntry
> > >     objectClass: top
> > >     uid: krbtgt
> > >     sn: Service
> > >     userPassword: '0x73 0x65 0x63 0x72 0x65 0x74 '
> > >     krb5PrincipalName: krbtgt/[email protected]
> > >     krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0x25 0x07 0x25 0x68 0x76 ...'
> > >     krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x87 0x8D 0x80 0x14 0x60 ...'
> > >     krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0x98 0x07 0x37 0x31 0xD9 ...'
> > >     krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x0D 0x79 0x98 0x29 0x20 ...'
> > >     krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x64 0xEB 0x5E 0xDE 0x49 ...'
> > >     krb5KeyVersionNumber: 0
> > >     cn: KDC Service
> > >   for kerberos principal name krbtgt/[email protected]
> > > [07:44:27] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Ticket will be issued for access to krbtgt/[email protected].
> > > [07:44:27] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Monitoring Authentication Service (AS) context:
> > >     clockSkew 300000
> > >     clientAddress /0:0:0:0:0:0:0:1
> > >     principal [email protected]
> > >     cn null
> > >     realm null
> > >     principal [email protected]
> > >     SAM type null
> > >     principal krbtgt/[email protected]
> > >     cn null
> > >     realm null
> > >     principal krbtgt/[email protected]
> > >     SAM type null
> > >     Request key type des-cbc-md5 (3)
> > >     Client key version 0
> > >     Server key version 0
> > > [07:44:27] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Responding with Authentication Service (AS) reply:
> > >     messageType: AS_REP
> > >     protocolVersionNumber: 5
> > >     nonce: 1457316737
> > >     clientPrincipal: [email protected]
> > >     client realm: EXAMPLE.COM
> > >     serverPrincipal: krbtgt/[email protected]
> > >     server realm: EXAMPLE.COM
> > >     auth time: 20100906024427Z
> > >     start time: null
> > >     end time: 20100907024426Z
> > >     renew-till time: null
> > >     hostAddresses: null
> > > [07:44:27] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /0:0:0:0:0:0:0:1:57572 SENT: org.apache.directory.server.kerberos.shared.messages.authenticationre...@1a87ad67
> > >
>
> _______________________________________________
> Carbon-dev mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev

--
Paul Fremantle
CTO and Co-Founder, WSO2
OASIS WS-RX TC Co-chair, VP, Apache Synapse
Office: +44 844 484 8143
Cell: +44 798 447 4618
blog: http://pzf.fremantle.org
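Two details in the quoted log answer the "what do other Kerberos systems do" question better than the prose does, and the added example below works through both. It is illustration code written for this page, not ApacheDS code and not anything posted by the participants. First, every krb5Key value in the log is a small DER structure (SEQUENCE { [0] INTEGER enctype, [1] OCTET STRING key }): the hnelson entry already holds long-term keys for enctypes 3, 23, 16, 17 and 18, derived once from the password, which is what a KDC actually needs at AS-REQ time and what other KDCs store (a key table, not the password). Second, the hnelson userPassword bytes begin with "{MD5}" followed by a base64 digest, while the krbtgt userPassword is the raw bytes of its password; a KDC that re-derives keys from userPassword (string2key, which for the AES enctypes of RFC 3962 starts with PBKDF2-HMAC-SHA1 over the plaintext password) cannot get a usable input from the hashed form. The key bytes in the sample blobs are placeholders (the log truncates them), the first-match enctype selection mirrors what the log shows ("Session will use encryption type des-cbc-md5 (3)", the first entry in the AS-REQ list) but is an assumption about ApacheDS's rule, and all function names are this example's own.

```python
"""Added example, not ApacheDS code: parse krb5Key values as seen in the log,
pick a session enctype the way the log implies, and show why string2key needs
the plaintext password rather than a {MD5} userPassword."""
import hashlib
from typing import Dict, List, Tuple

# RFC 3961/3962/4757 enctype numbers that appear in the AS-REQ in the log.
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1-kd", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Enctype order exactly as the client offered it in the logged AS-REQ.
AS_REQ_ENCTYPES = [3, 23, 17, 16, 1, 18, 2]


def _tlv(buf: bytes, pos: int, want_tag: int) -> Tuple[bytes, int]:
    """Read one DER TLV with a short-form length (all a krb5Key needs).
    Returns (value, position after the element)."""
    if buf[pos] != want_tag:
        raise ValueError(f"expected tag 0x{want_tag:02x} at {pos}, got 0x{buf[pos]:02x}")
    length = buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form DER length not expected in krb5Key")
    start = pos + 2
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[start:start + length], start + length


def parse_krb5key(blob: bytes) -> Tuple[int, bytes]:
    """Decode krb5Key syntax: SEQUENCE { [0] INTEGER enctype, [1] OCTET STRING key }."""
    seq, _ = _tlv(blob, 0, 0x30)
    ctx0, pos = _tlv(seq, 0, 0xA0)
    enctype_bytes, _ = _tlv(ctx0, 0, 0x02)
    ctx1, _ = _tlv(seq, pos, 0xA1)
    key, _ = _tlv(ctx1, 0, 0x04)
    return int.from_bytes(enctype_bytes, "big"), key


def stored_keys(blobs: List[bytes]) -> Dict[int, bytes]:
    """Map enctype -> long-term key for every krb5Key value on an entry."""
    return dict(parse_krb5key(b) for b in blobs)


def choose_session_enctype(client_offered: List[int], keys: Dict[int, bytes]) -> int:
    """First client-offered enctype the KDC has a key for (assumed rule; matches the log)."""
    for enctype in client_offered:
        if enctype in keys:
            return enctype
    raise LookupError("no enctype in common between AS-REQ and stored krb5Key values")


def is_hashed_userpassword(value: bytes) -> bool:
    """ApacheDS marks hashed userPassword values with a scheme prefix such as {MD5}.
    Such a value is a digest, not a password, so string2key cannot be run on it."""
    return value.startswith(b"{") and b"}" in value[:12]


def aes_string2key_stage1(password: str, salt: str, iterations: int = 4096, key_len: int = 16) -> bytes:
    """RFC 3962 section 4, first stage: PBKDF2-HMAC-SHA1(passphrase, salt, count, keylength).
    The final key is DK(tmp, "kerberos"), an AES step omitted here; the point is that
    the input is the plaintext passphrase, which a one-way hash cannot supply."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt.encode("utf-8"),
                               iterations, key_len)


# Constructed sample krb5Key values: the DER headers are the ones visible in the log for
# hnelson; the key bytes after each header are placeholders, since the log truncates them.
SAMPLE_KRB5KEYS = [
    bytes.fromhex("3011a003020103a10a0408") + bytes.fromhex("c786582398") + bytes(3),   # des-cbc-md5, 8 bytes
    bytes.fromhex("3019a003020117a1120410") + bytes(16),                                # rc4-hmac, 16 bytes
    bytes.fromhex("3021a003020110a11a0418") + bytes(24),                                # des3-cbc-sha1-kd, 24 bytes
    bytes.fromhex("3019a003020111a1120410") + bytes(16),                                # aes128, 16 bytes
    bytes.fromhex("3029a003020112a1220420") + bytes(32),                                # aes256, 32 bytes
]

# userPassword prefixes decoded from the hex in the log ({MD5}... for hnelson, plain for krbtgt).
HNELSON_USERPASSWORD_PREFIX = b"{MD5}Xr4ilOzQ4PC"
KRBTGT_USERPASSWORD = b"secret"

if __name__ == "__main__":
    keys = stored_keys(SAMPLE_KRB5KEYS)
    for enctype, key in keys.items():
        print(f"krb5Key enctype {enctype:2d} {ENCTYPE_NAMES[enctype]:<24} {len(key) * 8}-bit key")
    print("session enctype:", choose_session_enctype(AS_REQ_ENCTYPES, keys))
    print("hnelson userPassword hashed:", is_hashed_userpassword(HNELSON_USERPASSWORD_PREFIX))
    print("krbtgt userPassword hashed: ", is_hashed_userpassword(KRBTGT_USERPASSWORD))
    # RFC 3962 appendix B vector (iteration count 1): cdedb5281bb2f801565a1122b2563515
    print("PBKDF2 stage:", aes_string2key_stage1("password", "ATHENA.MIT.EDUraeburn", 1).hex())
```

Run as a script it lists the five enctypes the sample entry holds keys for, selects des-cbc-md5 (3) just as the logged KDC did, and flags the hnelson userPassword as a hashed value while the krbtgt one is not. The practical reading for the thread: a KDC only needs the krb5Key set, so the fix is to derive and store those keys at password-set time (when the plaintext is momentarily available) and never consult userPassword during AS exchanges, which is how a keytab-style KDC database works; once the keys are stored, the userPassword attribute can be hashed freely.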
