Hi Amila,

The current implementation requires a plain text password, because the krb5 keys are derived from the password.
Kind regards,
Stefan

On Sep 6, 2010 5:02 AM, "Amila Jayasekara" <[email protected]> wrote:
> Hi All,
> I am using the Kerberos server which comes with apacheds. Currently I am
> facing a strange problem with that. Let me explain the scenario in detail.
> I am requesting a TGT using the "kinit" program. For this I am executing the
> following command,
>
> kinit [email protected]
>
> I was able to successfully retrieve a ticket when [email protected]'s
> password is plain text. But when I convert the principal's
> ([email protected]) password type to MD5, I was not able to get the
> ticket. I am getting an error saying "kinit: Password incorrect while
> getting initial credentials".
>
> a...@wso2:~/development/Tools/LDAP/apacheds-1.5.5$ kinit [email protected]
> Password for [email protected]:
> kinit: Password incorrect while getting initial credentials
>
> Following, I have pasted the log output of the apacheds server for the above
> request. According to the log output, the server has not encountered any
> error and has successfully authenticated the principal. The
> response AS_REPLY has also been sent back to the client. Now I am a bit confused
> about what has gone wrong. Note that, for this particular case, I have disabled
> pre-authentication on the server. I believe this has something to do with
> the way the kinit program works. But I couldn't get more information from
> kinit. Therefore I am not able to find any cause for this error.
>
> I would be really grateful if someone can help me to understand what has gone
> wrong here.
>
> Thanks
> AmilaJ
>
> ==============================================================================================================================================================================================================
>
> [07:44:26] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
>   - /0:0:0:0:0:0:0:1:57572 CREATED: datagram
> [07:44:26] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
>   - /0:0:0:0:0:0:0:1:57572 OPENED
> [07:44:26] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
>   - /0:0:0:0:0:0:0:1:57572 RCVD: org.apache.directory.server.kerberos.shared.messages.kdcrequ...@2c3299f6
> [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
>   - Received Authentication Service (AS) request:
>       messageType: AS_REQ
>       protocolVersionNumber: 5
>       clientAddress: 0:0:0:0:0:0:0:1
>       nonce: 1457316737
>       kdcOptions: FORWARDABLE PROXIABLE RENEWABLE_OK
>       clientPrincipal: [email protected]
>       serverPrincipal: krbtgt/[email protected]
>       encryptionType: des-cbc-md5 (3), rc4-hmac (23), aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), des-cbc-crc (1), aes256-cts-hmac-sha1-96 (18), des-cbc-md4 (2)
>       realm: EXAMPLE.COM
>       from time: 20100906024426Z
>       till time: 20100907024426Z
>       renew-till time: null
>       hostAddresses: null
> [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
>   - Session will use encryption type des-cbc-md5 (3).
> [07:44:26] DEBUG [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils]
>   - Found entry ServerEntry
>     dn[n]: uid=hnelson,ou=Users,dc=example,dc=com
>         objectClass: organizationalPerson
>         objectClass: person
>         objectClass: krb5Principal
>         objectClass: inetOrgPerson
>         objectClass: krb5KDCEntry
>         objectClass: top
>         uid: hnelson
>         sn: Nelson
>         krb5PrincipalName: [email protected]
>         krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xC7 0x86 0x58 0x23 0x98 ...'
>         krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0xC6 0x4B 0xD6 0xFE 0x30 ...'
>         krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x7A 0xB6 0x43 0x9D 0xF7 ...'
>         krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x27 0xD9 0xE6 0xA4 0x66 ...'
>         krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0x4A 0xCE 0xDE 0xEC 0x20 ...'
>         krb5KeyVersionNumber: 7
>         cn: Horatio Nelson
>         userPassword: '0x7B 0x4D 0x44 0x35 0x7D 0x58 0x72 0x34 0x69 0x6C 0x4F 0x7A 0x51 0x34 0x50 0x43 ...'
>     for kerberos principal name [email protected]
> [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
>   - Verifying using SAM subsystem.
> [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
>   - Verifying using encrypted timestamp.
> [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
>   - Entry for client principal [email protected] has no SAM type. Proceeding with standard pre-authentication.
> [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
>   - Pre-authentication by encrypted timestamp successful for [email protected].
> [07:44:26] DEBUG [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils]
>   - Found entry ServerEntry
>     dn[n]: uid=krbtgt,ou=Users,dc=example,dc=com
>         objectClass: organizationalPerson
>         objectClass: person
>         objectClass: krb5Principal
>         objectClass: inetOrgPerson
>         objectClass: krb5KDCEntry
>         objectClass: top
>         uid: krbtgt
>         sn: Service
>         userPassword: '0x73 0x65 0x63 0x72 0x65 0x74 '
>         krb5PrincipalName: krbtgt/[email protected]
>         krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0x25 0x07 0x25 0x68 0x76 ...'
>         krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x87 0x8D 0x80 0x14 0x60 ...'
>         krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0x98 0x07 0x37 0x31 0xD9 ...'
>         krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x0D 0x79 0x98 0x29 0x20 ...'
>         krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x64 0xEB 0x5E 0xDE 0x49 ...'
>         krb5KeyVersionNumber: 0
>         cn: KDC Service
>     for kerberos principal name krbtgt/[email protected]
> [07:44:27] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
>   - Ticket will be issued for access to krbtgt/[email protected].
> [07:44:27] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
>   - Monitoring Authentication Service (AS) context:
>       clockSkew 300000
>       clientAddress /0:0:0:0:0:0:0:1
>       principal [email protected]
>       cn null
>       realm null
>       principal [email protected]
>       SAM type null
>       principal krbtgt/[email protected]
>       cn null
>       realm null
>       principal krbtgt/[email protected]
>       SAM type null
>       Request key type des-cbc-md5 (3)
>       Client key version 0
>       Server key version 0
> [07:44:27] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
>   - Responding with Authentication Service (AS) reply:
>       messageType: AS_REP
>       protocolVersionNumber: 5
>       nonce: 1457316737
>       clientPrincipal: [email protected]
>       client realm: EXAMPLE.COM
>       serverPrincipal: krbtgt/[email protected]
>       server realm: EXAMPLE.COM
>       auth time: 20100906024427Z
>       start time: null
>       end time: 20100907024426Z
>       renew-till time: null
>       hostAddresses: null
> [07:44:27] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
>   - /0:0:0:0:0:0:0:1:57572 SENT: org.apache.directory.server.kerberos.shared.messages.authenticationre...@1a87ad67
>
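The log above shows what the directory actually holds for each principal: a set of krb5Key values (one per enctype) and a userPassword. The krb5Key values are DER-encoded Kerberos EncryptionKey structures (RFC 4120, section 5.2.9: SEQUENCE of a [0] INTEGER keytype and a [1] OCTET STRING keyvalue), which is why each one starts 0x30 ... 0xA0 0x03 0x02 0x01 <enctype> 0xA1 ... 0x04 <len>. The following is an added example, not ApacheDS code, that decodes those two attributes the way an admin would when checking whether an entry's password can still back its keys. The key bytes in the sample are constructed filler, because the log truncates them with "..."; only the tag/length prefixes are copied from the log. hnelson's logged userPassword prefix 0x7B 0x4D 0x44 0x35 0x7D ... reads "{MD5}", an RFC 2307-style hashed value, and krbtgt's 0x73 0x65 0x63 0x72 0x65 0x74 reads "secret"; the sample reuses those two values and fills in the MD5 digest of "secret" as an assumption.

```python
"""Decode the krb5Key and userPassword attributes of an ApacheDS krb5KDCEntry.

Added example for this thread, not ApacheDS code. Sample data is constructed:
DER prefixes come from the logged krb5Key values, key bytes are filler.

    EncryptionKey ::= SEQUENCE {
        keytype  [0] Int32,         -- encryption type number (RFC 3961)
        keyvalue [1] OCTET STRING   -- the raw key
    }
"""
import base64
import hashlib

# Encryption type numbers that appear in the AS_REQ in the log.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1-kd",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}


def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV with a short-form length; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form DER length not expected in an EncryptionKey")
    start = pos + 2
    end = start + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], end


def decode_encryption_key(der: bytes):
    """Return (enctype_number, enctype_name, key_bytes) from a DER EncryptionKey."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag, ctx0, pos = _read_tlv(body, 0)
    if tag != 0xA0:
        raise ValueError("expected [0] keytype")
    tag, keytype_bytes, _ = _read_tlv(ctx0, 0)
    if tag != 0x02:
        raise ValueError("keytype must be an INTEGER")
    keytype = int.from_bytes(keytype_bytes, "big", signed=True)
    tag, ctx1, pos = _read_tlv(body, pos)
    if tag != 0xA1 or pos != len(body):
        raise ValueError("expected [1] keyvalue as the last element")
    tag, key, _ = _read_tlv(ctx1, 0)
    if tag != 0x04:
        raise ValueError("keyvalue must be an OCTET STRING")
    return keytype, ENCTYPE_NAMES.get(keytype, f"unknown({keytype})"), key


def classify_user_password(value: bytes):
    """Tell a plaintext userPassword from an RFC 2307-style hashed one ("{MD5}base64...").

    Returns (scheme, derivable): only a plaintext value lets the KDC run
    string-to-key, which is the constraint Stefan describes in his reply.
    """
    if value.startswith(b"{") and b"}" in value:
        scheme = value[1:value.index(b"}")].decode("ascii")
        return scheme, False
    return "plaintext", True


# --- constructed sample data (prefixes from the log, key bytes are filler) ---
SAMPLE_KRB5_KEYS = [
    bytes.fromhex("3011a003020103a10a0408") + b"\x11" * 8,   # des-cbc-md5
    bytes.fromhex("3019a003020117a1120410") + b"\x22" * 16,  # rc4-hmac
    bytes.fromhex("3021a003020110a11a0418") + b"\x33" * 24,  # des3-cbc-sha1-kd
    bytes.fromhex("3019a003020111a1120410") + b"\x44" * 16,  # aes128-cts-hmac-sha1-96
    bytes.fromhex("3029a003020112a1220420") + b"\x55" * 32,  # aes256-cts-hmac-sha1-96
]
# hnelson's logged userPassword starts "{MD5}"; the digest is an assumption (MD5 of "secret").
HNELSON_USERPASSWORD = b"{MD5}" + base64.b64encode(hashlib.md5(b"secret").digest())
# krbtgt's logged userPassword bytes 73 65 63 72 65 74 are the plaintext "secret".
KRBTGT_USERPASSWORD = bytes.fromhex("736563726574")


def summarize_entry(krb5_keys, user_password):
    """Stored enctypes with key lengths, plus whether userPassword could regenerate them."""
    keys = [(name, len(key)) for _, name, key in map(decode_encryption_key, krb5_keys)]
    scheme, derivable = classify_user_password(user_password)
    return {"keys": keys, "password_scheme": scheme, "keys_derivable": derivable}


if __name__ == "__main__":
    for label, pw in (("hnelson", HNELSON_USERPASSWORD), ("krbtgt", KRBTGT_USERPASSWORD)):
        print(label, summarize_entry(SAMPLE_KRB5_KEYS, pw))
```

Run against the two entries, hnelson comes back with password_scheme "MD5" and keys_derivable False, krbtgt with "plaintext" and True. The five key lengths (8, 16, 24, 16, 32 bytes) match the DES, RC4, 3DES, AES-128 and AES-256 enctypes the client offered in the AS_REQ.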
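Stefan's point that "the krb5 keys are derived from the password" is concrete for every enctype in the log: kinit turns the password typed at the prompt into a key with the enctype's string-to-key function, and the KDC must hold the same key. The simplest of those functions is rc4-hmac (enctype 23), which per RFC 4757 is just MD4 over the UTF-16LE encoding of the password, salt ignored. The following is an added example, not ApacheDS or MIT code, implementing that derivation; MD4 is written out in pure Python because hashlib's md4 is often disabled under OpenSSL 3. The password "secret" and the "{MD5}..." string it is compared against are constructed to mirror the two userPassword values in the log; a KDC holding only the hashed string cannot reach the key the client derives from the real password. DES and the PBKDF2-based AES string-to-key functions are not implemented here.

```python
"""rc4-hmac (enctype 23) string-to-key, RFC 4757: key = MD4(UTF-16LE(password)).

Added example for this thread, not ApacheDS or MIT Kerberos code.
"""
import base64
import hashlib
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; hashlib.new('md4') is frequently unavailable."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)            # pad to 56 mod 64
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (hh, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[k] + const) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c     # rotate registers: next step updates old d
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def rc4_hmac_string_to_key(password: str) -> bytes:
    """RFC 4757 section 3: the rc4-hmac key is MD4 of the UTF-16LE password (no salt)."""
    return md4(password.encode("utf-16-le"))


def keys_match(client_password: str, kdc_password_material: str) -> bool:
    """kinit derives its key from what the user types; the KDC derives its copy from
    whatever password material it holds. AS_REP decryption only works if they agree."""
    return rc4_hmac_string_to_key(client_password) == rc4_hmac_string_to_key(kdc_password_material)


# Constructed to mirror the log: krbtgt holds the plaintext "secret",
# hnelson holds an RFC 2307 "{MD5}base64" hash of it.
PLAINTEXT_PASSWORD = "secret"
HASHED_PASSWORD_STRING = "{MD5}" + base64.b64encode(hashlib.md5(b"secret").digest()).decode("ascii")

if __name__ == "__main__":
    print("rc4-hmac key from plaintext :", rc4_hmac_string_to_key(PLAINTEXT_PASSWORD).hex())
    print("rc4-hmac key from {MD5} str :", rc4_hmac_string_to_key(HASHED_PASSWORD_STRING).hex())
    print("match, plaintext stored:", keys_match(PLAINTEXT_PASSWORD, PLAINTEXT_PASSWORD))
    print("match, hash stored     :", keys_match(PLAINTEXT_PASSWORD, HASHED_PASSWORD_STRING))
```

The md4 function is checked against the RFC 1320 test vectors, and rc4_hmac_string_to_key("password") yields the familiar NT hash 8846f7eaee8fb117ad06bdd830b7586c, since the rc4-hmac key and the NT hash are the same computation. The other enctypes in the log are more involved (DES has its own fan-fold, AES uses PBKDF2 over password and salt followed by a DK step), but all of them need the password string as input, which is what rules out storing only an MD5 of it.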
