On 10/25/07, Leo Li <[EMAIL PROTECTED]> wrote:
> On 10/25/07, Enrique Rodriguez <[EMAIL PROTECTED]> wrote:
> > Hi, Leo,
> >
> > This looks like an MIT Kerberos configuration issue. The MIT KDC is
> > responding that it is not configured to use encryption type 3
> > (DES-CBC-MD5). The client is simply reporting the error returned by
> > the KDC. I recommend reviewing MIT Kerberos server documentation.
> > Alternatively, you can use the "long form" of the ApacheDS Kerberos
> > client component to try to use an enc type that is supported by
> > default by MIT Kerberos KDC.
> >
> Hi, Enrique,
>
> Thank you for your help.
> But when I look at kdc.conf, it has:
>
> [kdcdefaults]
> acl_file = /var/kerberos/krb5kdc/kadm5.acl
> dict_file = /usr/share/dict/words
> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
> v4_mode = nopreauth
>
> [realms]
> EXAMPLE.COM = {
> #master_key_type = des3-hmac-sha1
> supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
> }
>
> So from the configuration, des-cbc-md5 seems to have been acknowledged.
Besides, the successful kinit has this log entry for the REQ:
AS_REQ (7 etypes {18 17 16 23 1 3 2}). It has "7" types
for the REQ rather than "1" type. Does that make a difference?
Can somebody help?
Thanks in advance.
>
> > Enrique
> >
> >
> > On 10/23/07, Leo Li <[EMAIL PROTECTED]> wrote:
> > > Hi, all
> > >
> > > I am trying to connect to KDC to get a TGT by:
> > > String hostname = "wks107904wss.cn.ibm.com";
> > > int port = 88;
> > > KdcConnection con = new KdcConnection( hostname + ":" + port );
> > > KerberosTicket tgt = con.getTicketGrantingTicket( clientPrincipal,
> > > password );
> > >
> > > But it fails with this stack trace:
> > > Exception in thread "main" org.apache.directory.client.kerberos.KdcConnectionException: BAD_ENCRYPTION_TYPE
> > > at org.apache.directory.client.kerberos.GetTicketGrantingTicket.processError(GetTicketGrantingTicket.java:167)
> > > at org.apache.directory.client.kerberos.GetTicketGrantingTicket.execute(GetTicketGrantingTicket.java:153)
> > > at org.apache.directory.client.kerberos.KdcConnection.getTicketGrantingTicket(KdcConnection.java:118)
> > > at org.apache.directory.client.kerberos.KdcConnection.getTicketGrantingTicket(KdcConnection.java:101)
> > > at org.apache.directory.client.kerberos.Main.go(Main.java:62)
> > > at org.apache.directory.client.kerberos.Main.main(Main.java:55)
> > >
> > >
> > > And on the KDC side, the server has this log:
> > > Oct 23 16:12:28 wks107904wss.cn.ibm.com krb5kdc[2304](info) : AS_REQ(1 etypes{3}) 9.181.106.61:BAD_ENCRYPTION_TYPE:[EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED], KDC has no support for encryption type
> > >
> > > The KDC is provided by Red Hat Enterprise 5 with the default setup
> > > configuration.
> > >
> > > And if I try the same program on the machine where the KDC resides and
> > > run it with "localhost" as the host parameter, it gets a null TGT, and
> > > the KDC log shows no further entries, as if no Kerberos request
> > > had been sent to the KDC.
> > >
> > > Can somebody help?
> > >
> > > Thanks,
> > >
> > > --
> > > Leo Li
> > > China Software Development Lab, IBM
> > >
> >
>
>
> --
> Leo Li
> China Software Development Lab, IBM
>
--
Leo Li
China Software Development Lab, IBM
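
An added example, not part of the original thread and not ApacheDS or MIT Kerberos code: a small Python check that decodes the etype numbers in the two AS_REQ log entries quoted above and compares them with the `supported_enctypes` line of the posted kdc.conf. The function names are hypothetical; the number-to-name table follows the standard Kerberos etype assignments.

```python
import re

# Kerberos etype numbers -> names as spelled in kdc.conf (16 under its des3-hmac-sha1 alias).
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-hmac-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}

def requested_etypes(log_line):
    """Return the etype numbers from an 'AS_REQ (N etypes {..})' log entry."""
    m = re.search(r"AS_REQ\s*\((\d+) etypes\s*\{([\d ]+)\}\)", log_line)
    if not m:
        raise ValueError("no AS_REQ etype list in line")
    etypes = [int(n) for n in m.group(2).split()]
    if len(etypes) != int(m.group(1)):
        raise ValueError("etype count does not match list")
    return etypes

def configured_enctypes(conf_text):
    """Return enctype names from supported_enctypes, tolerating wrapped lines."""
    m = re.search(r"^\s*supported_enctypes\s*=([^}=]*)", conf_text, re.M)
    if not m:
        return set()
    # Entries are key:salt pairs; only the key (enctype) part matters here.
    return {enc for enc, _salt in re.findall(r"([a-z0-9-]+):([a-z0-9]+)", m.group(1))}

def compare(log_line, conf_text):
    """Map each requested etype to (number, name, listed_in_supported_enctypes)."""
    listed = configured_enctypes(conf_text)
    return [(n, ETYPE_NAMES.get(n, "unknown"), ETYPE_NAMES.get(n) in listed)
            for n in requested_etypes(log_line)]

# Inputs copied from the thread (the kinit entry is only the fragment that was quoted).
KDC_CONF = """[realms]
EXAMPLE.COM = {
#master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
des-cbc-crc:v4 des-cbc-crc:afs3
}
"""
FAILED = "AS_REQ(1 etypes{3}) 9.181.106.61:BAD_ENCRYPTION_TYPE"
KINIT_OK = "AS_REQ (7 etypes {18 17 16 23 1 3 2})"

if __name__ == "__main__":
    for label, line in (("ApacheDS client", FAILED), ("kinit", KINIT_OK)):
        for number, name, listed in compare(line, KDC_CONF):
            print(f"{label}: etype {number:>2} {name:<24} listed={listed}")
```

For the failed request this reports etype 3 (des-cbc-md5) as present in the configured list, while kinit offered seven etypes including AES, 3DES and RC4. In MIT Kerberos, `supported_enctypes` sets the key/salt types given to newly created principals, so the keys actually stored for the client and krbtgt principals (shown by `getprinc` in kadmin) are the next thing to compare against the requested etype.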