Hi All,
I am using the Kerberos server which comes with ApacheDS. Currently I am facing a strange problem with it. Let me explain the scenario in detail. I am requesting a TGT using the "kinit" program. For this I am executing the following command,

> kinit [email protected]

I was able to successfully retrieve a ticket when [email protected]'s password is plain text. But when I convert the principal's ([email protected]) password type to MD5, I was not able to get the ticket. I am getting an error saying "kinit: Password incorrect while getting initial credentials".

a...@wso2:~/development/Tools/LDAP/apacheds-1.5.5$ kinit [email protected]
Password for [email protected]:
kinit: Password incorrect while getting initial credentials

Below I have pasted the log output of the ApacheDS server for the above request. According to the log output, the server has not encountered any error and has successfully authenticated the principal. The AS_REPLY response has also been sent back to the client. Now I am a bit confused about what has gone wrong. Note that for this particular case I have disabled pre-authentication on the server. I believe this has something to do with the way the kinit program works. But I couldn't get more information from kinit. Therefore I am not able to find any cause for this error.

I would be really grateful if someone can help me understand what has gone wrong here.

Thanks
AmilaJ

==============================================================================================================================================================================================================

[07:44:26] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /0:0:0:0:0:0:0:1:57572 CREATED: datagram
[07:44:26] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /0:0:0:0:0:0:0:1:57572 OPENED
[07:44:26] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /0:0:0:0:0:0:0:1:57572 RCVD: org.apache.directory.server.kerberos.shared.messages.kdcrequ...@2c3299f6
[07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Received Authentication Service (AS) request:
   messageType:           AS_REQ
   protocolVersionNumber: 5
   clientAddress:         0:0:0:0:0:0:0:1
   nonce:                 1457316737
   kdcOptions:            FORWARDABLE PROXIABLE RENEWABLE_OK
   clientPrincipal:       [email protected]
   serverPrincipal:       krbtgt/[email protected]
   encryptionType:        des-cbc-md5 (3), rc4-hmac (23), aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), des-cbc-crc (1), aes256-cts-hmac-sha1-96 (18), des-cbc-md4 (2)
   realm:                 EXAMPLE.COM
   from time:             20100906024426Z
   till time:             20100907024426Z
   renew-till time:       null
   hostAddresses:         null
[07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Session will use encryption type des-cbc-md5 (3).
[07:44:26] DEBUG [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - Found entry ServerEntry
   dn[n]: uid=hnelson,ou=Users,dc=example,dc=com
   objectClass: organizationalPerson
   objectClass: person
   objectClass: krb5Principal
   objectClass: inetOrgPerson
   objectClass: krb5KDCEntry
   objectClass: top
   uid: hnelson
   sn: Nelson
   krb5PrincipalName: [email protected]
   krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xC7 0x86 0x58 0x23 0x98 ...'
   krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0xC6 0x4B 0xD6 0xFE 0x30 ...'
   krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x7A 0xB6 0x43 0x9D 0xF7 ...'
   krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x27 0xD9 0xE6 0xA4 0x66 ...'
   krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0x4A 0xCE 0xDE 0xEC 0x20 ...'
   krb5KeyVersionNumber: 7
   cn: Horatio Nelson
   userPassword: '0x7B 0x4D 0x44 0x35 0x7D 0x58 0x72 0x34 0x69 0x6C 0x4F 0x7A 0x51 0x34 0x50 0x43 ...'
for kerberos principal name [email protected]
[07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using SAM subsystem.
[07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using encrypted timestamp.
[07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Entry for client principal [email protected] has no SAM type. Proceeding with standard pre-authentication.
[07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Pre-authentication by encrypted timestamp successful for [email protected].
[07:44:26] DEBUG [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - Found entry ServerEntry
   dn[n]: uid=krbtgt,ou=Users,dc=example,dc=com
   objectClass: organizationalPerson
   objectClass: person
   objectClass: krb5Principal
   objectClass: inetOrgPerson
   objectClass: krb5KDCEntry
   objectClass: top
   uid: krbtgt
   sn: Service
   userPassword: '0x73 0x65 0x63 0x72 0x65 0x74 '
   krb5PrincipalName: krbtgt/[email protected]
   krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0x25 0x07 0x25 0x68 0x76 ...'
   krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x87 0x8D 0x80 0x14 0x60 ...'
   krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0x98 0x07 0x37 0x31 0xD9 ...'
   krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x0D 0x79 0x98 0x29 0x20 ...'
   krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x64 0xEB 0x5E 0xDE 0x49 ...'
   krb5KeyVersionNumber: 0
   cn: KDC Service
for kerberos principal name krbtgt/[email protected]
[07:44:27] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Ticket will be issued for access to krbtgt/[email protected].
[07:44:27] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Monitoring Authentication Service (AS) context:
   clockSkew              300000
   clientAddress          /0:0:0:0:0:0:0:1
   principal              [email protected]
   cn                     null
   realm                  null
   principal              [email protected]
   SAM type               null
   principal              krbtgt/[email protected]
   cn                     null
   realm                  null
   principal              krbtgt/[email protected]
   SAM type               null
   Request key type       des-cbc-md5 (3)
   Client key version     0
   Server key version     0
[07:44:27] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Responding with Authentication Service (AS) reply:
   messageType:           AS_REP
   protocolVersionNumber: 5
   nonce:                 1457316737
   clientPrincipal:       [email protected]
   client realm:          EXAMPLE.COM
   serverPrincipal:       krbtgt/[email protected]
   server realm:          EXAMPLE.COM
   auth time:             20100906024427Z
   start time:            null
   end time:              20100907024426Z
   renew-till time:       null
   hostAddresses:         null
[07:44:27] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /0:0:0:0:0:0:0:1:57572 SENT: org.apache.directory.server.kerberos.shared.messages.authenticationre...@1a87ad67
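
An added example, not part of the original post or of ApacheDS: a small Python decoder for the `krb5Key` and `userPassword` dumps in the log above, showing which encryption types the hnelson entry holds keys for and whether a stored password carries a hash-scheme prefix. The function names are hypothetical, the hex values are copied from the log, and the layout assumed is the RFC 4120 `EncryptionKey` structure.

```python
import re

# Encryption type numbers as listed in the AS_REQ in the log above.
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          16: "des3-cbc-sha1-kd", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Values copied from the log above (the server truncates them with "...").
HNELSON_KEYS = [
    "0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xC7 0x86 0x58 0x23 0x98 ...",
    "0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0xC6 0x4B 0xD6 0xFE 0x30 ...",
    "0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x7A 0xB6 0x43 0x9D 0xF7 ...",
    "0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x27 0xD9 0xE6 0xA4 0x66 ...",
    "0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0x4A 0xCE 0xDE 0xEC 0x20 ...",
]
HNELSON_PASSWORD = ("0x7B 0x4D 0x44 0x35 0x7D 0x58 0x72 0x34 0x69 0x6C 0x4F "
                    "0x7A 0x51 0x34 0x50 0x43 ...")
KRBTGT_PASSWORD = "0x73 0x65 0x63 0x72 0x65 0x74 "

def to_bytes(dump):
    """Turn a '0xNN 0xNN ...' dump into bytes, ignoring the trailing ellipsis."""
    return bytes(int(h, 16) for h in re.findall(r"0x([0-9A-Fa-f]{2})", dump))

def expect(buf, pos, tag):
    """Check one DER header (short-form length only); return (length, value offset)."""
    if pos + 2 > len(buf) or buf[pos] != tag or buf[pos + 1] & 0x80:
        raise ValueError(f"unexpected DER header at offset {pos}")
    return buf[pos + 1], pos + 2

def decode_krb5_key(dump):
    """Return (etype number, etype name, declared key length) for one krb5Key value."""
    buf = to_bytes(dump)
    _, pos = expect(buf, 0, 0x30)        # EncryptionKey SEQUENCE
    _, pos = expect(buf, pos, 0xA0)      # [0] keytype
    n, pos = expect(buf, pos, 0x02)      # INTEGER
    etype = int.from_bytes(buf[pos:pos + n], "big")
    _, pos = expect(buf, pos + n, 0xA1)  # [1] keyvalue
    keylen, _ = expect(buf, pos, 0x04)   # OCTET STRING; its bytes are cut off in the log
    return etype, ETYPES.get(etype, "unknown"), keylen

def password_scheme(dump):
    """Return the '{SCHEME}' prefix of a userPassword value, or None if it has none."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}", to_bytes(dump).decode("latin-1"))
    return m.group(1) if m else None

if __name__ == "__main__":
    for key in HNELSON_KEYS:
        print("krb5Key:", decode_krb5_key(key))
    print("hnelson userPassword scheme:", password_scheme(HNELSON_PASSWORD))
    print("krbtgt userPassword scheme:", password_scheme(KRBTGT_PASSWORD))
```
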
