On Mon, Sep 6, 2010 at 3:30 PM, Paul Fremantle <[email protected]> wrote:

> Any experts on Kerberos here? I'm wondering if this is even fixable? It
> might not be possible to create a ticket from a hashed pw. What do other
> Kerberos systems do?

I guess this could be fixable. AD stores a hashed password - and it also acts as a KDC. Will investigate more on this.

Thanks & regards.
-Prabath

> Paul
>
> On 6 September 2010 10:49, Amila Jayasekara <[email protected]> wrote:
>
>> Hi All,
>> This is about using ApacheDS as a KDC in IS. It seems there is
>> a limitation in ApacheDS when using ApacheDS as a Kerberos Ticket
>> Granting Server. The ApacheDS ticket granting server is not able to issue
>> tickets when principals have hashed passwords. (See the mail thread below
>> for more details.) In other words, ApacheDS is only able to issue tickets
>> if stored principals (users/servers) have plain text passwords. I
>> personally believe storing plain text passwords is not a good idea and
>> many clients will not like it.
>> At the moment I am kind of in a confused situation on how to proceed
>> with this. One thing we can do is to contribute our effort to implement
>> the above mentioned requirement (i.e. KDC functionality for principals with
>> hashed passwords).
>>
>> Appreciate your feedback.
>> Thanks
>> AmilaJ
>>
>>
>> Subject: Re: Requesting TGT using Kinit when principal's password type
>> is MD5
>> Stefan Seelmann wrote:
>>>
>>> Hi Amila,
>>>
>>> The current implementation requires a plain text password, because the
>>> krb5 keys are derived from the password.
>>>
>>> Kind regards,
>>> Stefan
>>>
>>> On Sep 6, 2010 5:02 AM, "Amila Jayasekara" <[email protected]> wrote:
>>>> Hi All,
>>>> I am using the Kerberos server which comes with ApacheDS. Currently I am
>>>> facing a strange problem with that. Let me explain the scenario in detail.
>>>> I am requesting a TGT using the "kinit" program. For this I am executing
>>>> the following command,
>>>>
>>>>     kinit [email protected]
>>>>
>>>> I was able to successfully retrieve a ticket when [email protected]'s
>>>> password is plain text. But when I convert the principal's
>>>> ([email protected]) password type to MD5, I was not able to get the
>>>> ticket. I am getting an error saying "kinit: Password incorrect while
>>>> getting initial credentials".
>>>>
>>>> a...@wso2:~/development/Tools/LDAP/apacheds-1.5.5$ kinit [email protected]
>>>> Password for [email protected]:
>>>> kinit: Password incorrect while getting initial credentials
>>>>
>>>> Below I have pasted the log output of the ApacheDS server for the above
>>>> request. According to the log output, the server has not encountered any
>>>> error and has successfully authenticated the principal. The AS_REPLY
>>>> response has also been sent back to the client. Now I am a bit confused
>>>> about what has gone wrong. Note that for this particular case I have
>>>> disabled pre-authentication on the server. I believe this has something
>>>> to do with the way the kinit program works, but I couldn't get more
>>>> information from kinit. Therefore I am not able to find any cause for
>>>> this error.
>>>>
>>>> I am really grateful if someone can help me to understand what has gone
>>>> wrong here.
>>>>
>>>> Thanks
>>>> AmilaJ
>>>>
>>>>
>>>> ======================================================================
>>>>
>>>> [07:44:26] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /0:0:0:0:0:0:0:1:57572 CREATED: datagram
>>>> [07:44:26] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /0:0:0:0:0:0:0:1:57572 OPENED
>>>> [07:44:26] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /0:0:0:0:0:0:0:1:57572 RCVD: org.apache.directory.server.kerberos.shared.messages.kdcrequ...@2c3299f6
>>>> [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Received Authentication Service (AS) request:
>>>>     messageType:           AS_REQ
>>>>     protocolVersionNumber: 5
>>>>     clientAddress:         0:0:0:0:0:0:0:1
>>>>     nonce:                 1457316737
>>>>     kdcOptions:            FORWARDABLE PROXIABLE RENEWABLE_OK
>>>>     clientPrincipal:       [email protected]
>>>>     serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>>>     encryptionType:        des-cbc-md5 (3), rc4-hmac (23), aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), des-cbc-crc (1), aes256-cts-hmac-sha1-96 (18), des-cbc-md4 (2)
>>>>     realm:                 EXAMPLE.COM
>>>>     from time:             20100906024426Z
>>>>     till time:             20100907024426Z
>>>>     renew-till time:       null
>>>>     hostAddresses:         null
>>>> [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Session will use encryption type des-cbc-md5 (3).
>>>> [07:44:26] DEBUG [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - Found entry ServerEntry
>>>>     dn[n]: uid=hnelson,ou=Users,dc=example,dc=com
>>>>     objectClass: organizationalPerson
>>>>     objectClass: person
>>>>     objectClass: krb5Principal
>>>>     objectClass: inetOrgPerson
>>>>     objectClass: krb5KDCEntry
>>>>     objectClass: top
>>>>     uid: hnelson
>>>>     sn: Nelson
>>>>     krb5PrincipalName: [email protected]
>>>>     krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xC7 0x86 0x58 0x23 0x98 ...'
>>>>     krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0xC6 0x4B 0xD6 0xFE 0x30 ...'
>>>>     krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x7A 0xB6 0x43 0x9D 0xF7 ...'
>>>>     krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x27 0xD9 0xE6 0xA4 0x66 ...'
>>>>     krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0x4A 0xCE 0xDE 0xEC 0x20 ...'
>>>>     krb5KeyVersionNumber: 7
>>>>     cn: Horatio Nelson
>>>>     userPassword: '0x7B 0x4D 0x44 0x35 0x7D 0x58 0x72 0x34 0x69 0x6C 0x4F 0x7A 0x51 0x34 0x50 0x43 ...'
>>>>  for kerberos principal name [email protected]
>>>> [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using SAM subsystem.
>>>> [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using encrypted timestamp.
>>>> [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Entry for client principal [email protected] has no SAM type. Proceeding with standard pre-authentication.
>>>> [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Pre-authentication by encrypted timestamp successful for [email protected].
>>>> [07:44:26] DEBUG [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - Found entry ServerEntry
>>>>     dn[n]: uid=krbtgt,ou=Users,dc=example,dc=com
>>>>     objectClass: organizationalPerson
>>>>     objectClass: person
>>>>     objectClass: krb5Principal
>>>>     objectClass: inetOrgPerson
>>>>     objectClass: krb5KDCEntry
>>>>     objectClass: top
>>>>     uid: krbtgt
>>>>     sn: Service
>>>>     userPassword: '0x73 0x65 0x63 0x72 0x65 0x74 '
>>>>     krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>>>     krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0x25 0x07 0x25 0x68 0x76 ...'
>>>>     krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x87 0x8D 0x80 0x14 0x60 ...'
>>>>     krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0x98 0x07 0x37 0x31 0xD9 ...'
>>>>     krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x0D 0x79 0x98 0x29 0x20 ...'
>>>>     krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x64 0xEB 0x5E 0xDE 0x49 ...'
>>>>     krb5KeyVersionNumber: 0
>>>>     cn: KDC Service
>>>>  for kerberos principal name krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>>> [07:44:27] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
>>>> [07:44:27] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Monitoring Authentication Service (AS) context:
>>>>     clockSkew              300000
>>>>     clientAddress          /0:0:0:0:0:0:0:1
>>>>     principal              [email protected]
>>>>     cn                     null
>>>>     realm                  null
>>>>     principal              [email protected]
>>>>     SAM type               null
>>>>     principal              krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>>>     cn                     null
>>>>     realm                  null
>>>>     principal              krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>>>     SAM type               null
>>>>     Request key type       des-cbc-md5 (3)
>>>>     Client key version     0
>>>>     Server key version     0
>>>> [07:44:27] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Responding with Authentication Service (AS) reply:
>>>>     messageType:           AS_REP
>>>>     protocolVersionNumber: 5
>>>>     nonce:                 1457316737
>>>>     clientPrincipal:       [email protected]
>>>>     client realm:          EXAMPLE.COM
>>>>     serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>>>     server realm:          EXAMPLE.COM
>>>>     auth time:             20100906024427Z
>>>>     start time:            null
>>>>     end time:              20100907024426Z
>>>>     renew-till time:       null
>>>>     hostAddresses:         null
>>>> [07:44:27] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /0:0:0:0:0:0:0:1:57572 SENT: org.apache.directory.server.kerberos.shared.messages.authenticationre...@1a87ad67
>>>>
>>>
>> _______________________________________________
>> Carbon-dev mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
>>
>
> --
> Paul Fremantle
> CTO and Co-Founder, WSO2
> OASIS WS-RX TC Co-chair, VP, Apache Synapse
>
> Office: +44 844 484 8143
> Cell: +44 798 447 4618
>
> blog: http://pzf.fremantle.org
> twitter.com/pzfreo
> [email protected]
>
> wso2.com Lean Enterprise Middleware

--
Thanks & Regards,
Prabath Siriwardena
http://blog.facilelogin.com
http://RampartFAQ.com
_______________________________________________
Carbon-dev mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
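Added example (not from the thread and not ApacheDS code) that ties Stefan's point (the krb5 keys are derived from the password) to Prabath's (AD stores a hash yet acts as a KDC), using only the values visible in the quoted log. The hex strings below are copied from the krb5Key and userPassword attributes as ApacheDS printed them, truncated at "..." exactly as in the log; the helper names, the ENCTYPES table and the pure-Python MD4 are this example's own. The script decodes the DER header of each krb5Key to show which enctype and key size the KDC keeps per principal, reads the two userPassword values (krbtgt's is plaintext, hnelson's carries an LDAP {MD5} prefix), and recomputes the rc4-hmac string-to-key of RFC 4757, MD4 over the UTF-16LE password (the NT hash), from krbtgt's plaintext; the result begins with the same bytes as the rc4-hmac krb5Key the KDC has stored for krbtgt. That is the whole mechanism: a KDC can issue tickets from a stored hash only when the hash it stores is itself a Kerberos string-to-key output (the NT hash is, for enctype 23), whereas an LDAP {MD5} digest is a different one-way function over a different encoding and yields no Kerberos key at all.

```python
"""Kerberos keys versus stored LDAP passwords, using the values printed in the
quoted ApacheDS log. Added example, not ApacheDS code: the hex strings are copied
from the log (truncated at '...' as printed); every helper name is this example's."""
import base64
import hashlib
import struct

# Encryption types listed in the AS_REQ, with the raw key size each one uses.
ENCTYPES = {1: ("des-cbc-crc", 8), 2: ("des-cbc-md4", 8), 3: ("des-cbc-md5", 8),
            16: ("des3-cbc-sha1-kd", 24), 17: ("aes128-cts-hmac-sha1-96", 16),
            18: ("aes256-cts-hmac-sha1-96", 32), 23: ("rc4-hmac", 16)}

# Attribute values exactly as ApacheDS logged them for uid=hnelson and uid=krbtgt.
HNELSON_KRB5KEYS = [
    "'0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xC7 0x86 0x58 0x23 0x98 ...'",
    "'0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0xC6 0x4B 0xD6 0xFE 0x30 ...'",
    "'0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x7A 0xB6 0x43 0x9D 0xF7 ...'",
    "'0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x27 0xD9 0xE6 0xA4 0x66 ...'",
    "'0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0x4A 0xCE 0xDE 0xEC 0x20 ...'"]
HNELSON_USERPASSWORD = "'0x7B 0x4D 0x44 0x35 0x7D 0x58 0x72 0x34 0x69 0x6C 0x4F 0x7A 0x51 0x34 0x50 0x43 ...'"
KRBTGT_RC4_KRB5KEY = "'0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x87 0x8D 0x80 0x14 0x60 ...'"
KRBTGT_USERPASSWORD = "'0x73 0x65 0x63 0x72 0x65 0x74 '"

def log_hex_to_bytes(text):
    """Turn the log's "'0x30 0x11 ... '" rendering into bytes, dropping the '...'."""
    return bytes(int(t, 16) for t in text.strip("' ").split() if t.startswith("0x"))

def parse_krb5key_prefix(der):
    """Decode the header of a krb5Key: DER SEQUENCE { [0] INTEGER keytype,
    [1] OCTET STRING keyvalue }. Only the header is needed, so truncated values
    parse. Returns (enctype, name, declared key length, leading key bytes)."""
    if der[0] != 0x30 or der[2] != 0xA0 or der[4] != 0x02:
        raise ValueError("not a krb5Key SEQUENCE")
    pos = 6 + der[5]
    enctype = int.from_bytes(der[6:pos], "big")
    if der[pos] != 0xA1 or der[pos + 2] != 0x04:
        raise ValueError("missing [1] OCTET STRING keyvalue")
    key_len = der[pos + 3]
    name, expected = ENCTYPES.get(enctype, ("unknown", None))
    if expected is not None and key_len != expected:
        raise ValueError(f"{name}: declared key length {key_len}, expected {expected}")
    return enctype, name, key_len, der[pos + 4:]

def md4(data):
    """RFC 1320 MD4 in pure Python (OpenSSL 3 only ships md4 in its legacy provider)."""
    mask = 0xFFFFFFFF
    rotl = lambda x, s: ((x << s) | (x >> (32 - s))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: F, words in order, shifts 3 7 11 19
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G, words 0 4 8 12 1 5 9 13 ..., shifts 3 5 9 13
            a = rotl((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & mask,
                     (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H, bit-reversed word order, shifts 3 9 11 15
            a = rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)

def rc4_hmac_string_to_key(password):
    """RFC 4757 string-to-key for enctype 23: MD4(UTF-16LE(password)), i.e. the NT hash.
    A KDC that stores NT hashes (Active Directory) has this key without any plaintext."""
    return md4(password.encode("utf-16-le"))

def ldap_md5(password):
    """LDAP {MD5} userPassword form: base64 of the raw MD5 digest of the password."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()

def summarize_keys(values):
    """(enctype name, declared key length) for each krb5Key value of an entry."""
    return [parse_krb5key_prefix(log_hex_to_bytes(v))[1:3] for v in values]

def stored_password_scheme(value):
    """LDAP {scheme} prefix of a logged userPassword, or 'plaintext' if it has none."""
    pw = log_hex_to_bytes(value).decode("latin-1")
    return pw[1:pw.index("}")] if pw.startswith("{") and "}" in pw else "plaintext"

def key_prefix_matches_password(krb5key_value, password):
    """True if rc4-hmac string-to-key(password) begins with the logged key bytes."""
    stored = parse_krb5key_prefix(log_hex_to_bytes(krb5key_value))[3]
    return len(stored) > 0 and rc4_hmac_string_to_key(password).startswith(stored)

if __name__ == "__main__":
    for name, size in summarize_keys(HNELSON_KRB5KEYS):
        print(f"hnelson krb5Key {name:<24} {size}-byte key")
    secret = log_hex_to_bytes(KRBTGT_USERPASSWORD).decode()  # krbtgt's plaintext "secret"
    print("krbtgt  rc4-hmac key == NT hash of its plaintext:", key_prefix_matches_password(KRBTGT_RC4_KRB5KEY, secret))
    print("hnelson userPassword scheme:", stored_password_scheme(HNELSON_USERPASSWORD))
    print("hnelson rc4-hmac key == NT hash of 'secret':", key_prefix_matches_password(HNELSON_KRB5KEYS[1], secret))
```

Two things in the log become visible once decoded. First, hnelson's userPassword starts "{MD5}Xr4ilOzQ4PC", which is the base64 MD5 of the string "secret", the same password krbtgt holds in plaintext; yet hnelson's stored rc4-hmac krb5Key starts 0xC6 0x4B rather than the 0x87 0x8D that MD4(UTF-16LE("secret")) produces, so whatever those keys were derived from, it was not that password. Second, the five krb5Key attributes per entry (8, 16, 24, 16 and 32 bytes for enctypes 3, 23, 16, 17 and 18) are the pre-derived long-term keys a KDC needs; keeping those, or an NT hash, is what lets a directory drop the plaintext, which is the design question the thread is circling.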
