The ApacheDS version I am using is apacheds-2.0.0-M11-64bit.bin.
When I switched the JVM to the Oracle JVM by installing
jdk-7u17-linux-x64.rpm from Oracle, I even get a NullPointerException. See the
following stack trace.
[cloud-user@host ~]$ sudo tail -f /var/lib/apacheds-2.0.0-M11/default/log/apacheds.log
[18:30:44] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
[18:30:44] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
[18:30:44] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
[18:30:47] ERROR [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - ERR_152 Unexpected exception: null
java.lang.NullPointerException
    at org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionEngine.deriveRandom(EncryptionEngine.java:77)
    at org.apache.directory.server.kerberos.shared.crypto.encryption.AesCtsSha1Encryption.deriveKey(AesCtsSha1Encryption.java:148)
    at org.apache.directory.server.kerberos.shared.crypto.encryption.AesCtsSha1Encryption.getDecryptedData(AesCtsSha1Encryption.java:86)
    at org.apache.directory.server.kerberos.shared.crypto.encryption.Aes256CtsSha1Encryption.getDecryptedData(Aes256CtsSha1Encryption.java:30)
    at org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.decrypt(CipherTextHandler.java:121)
    at org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.verifyEncryptedTimestamp(AuthenticationService.java:335)
    at org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.execute(AuthenticationService.java:126)
    at org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:206)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:690)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
    at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:407)
    at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:236)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
    at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:109)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:410)
    at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.readHandle(AbstractPollingConnectionlessIoAcceptor.java:701)
    at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.processReadySessions(AbstractPollingConnectionlessIoAcceptor.java:670)
    at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.access$800(AbstractPollingConnectionlessIoAcceptor.java:61)
    at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor$Acceptor.run(AbstractPollingConnectionlessIoAcceptor.java:607)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:722)
regards,
james
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Wu, James C.
Sent: Sunday, April 07, 2013 6:15 PM
To: Apache Directory Developers List
Subject: RE: kinit failed on - Integrity check on decrypted field failed
Here is the content of the krb5.conf file.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
debug = true
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
rdns = false
forwardable = true
allow_weak_crypto = yes
[realms]
EXAMPLE.COM = {
kdc = 127.0.0.1:60088
admin_server = 127.0.0.1:60464
default_domain = EXAMPLE.COM
}
[domain_realm]
.EXAMPLE.COM = EXAMPLE.COM
EXAMPLE.COM = EXAMPLE.COM
-----Original Message-----
From: Emmanuel Lécharny [mailto:[email protected]]
Sent: Friday, April 05, 2013 10:33 PM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed
On 4/6/13 2:23 AM, Wu, James C. wrote:
> Hi,
Hi,
>
> I am trying to set up ApacheDS as a KDC. After adding hnelson using
> the following ldif, I could not get kinit to get the ticket
>
> dn: uid=hnelson,ou=users,dc=example,dc=com
> objectclass: top
> objectclass: person
> objectclass: inetOrgPerson
> objectclass: krb5Principal
> objectclass: krb5KDCEntry
> cn: Horatio Nelson
> sn: Nelson
> uid: hnelson
> userpassword: secret
> krb5PrincipalName: [email protected]
>
>
> The log output of ApacheDS shows the following:
>
> [cloud-user@n7-z01-0a2a0c3a ~]$ [17:15:57] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
> [17:15:57] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
> [17:15:57] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
> [17:16:00] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
> [17:16:00] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)
>
> Could someone give me some hint?
First, can you give us the version you are using?
Can you also provide the krb5.conf file you are using?
It's very likely that the encryptionType you are using on the client is not
correctly recognized by the server.
--
Regards,
Best regards,
Emmanuel Lécharny
www.iktek.com
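Emmanuel's hint is that the client's encryption types and the KDC's do not line up, and the posted krb5.conf sets `allow_weak_crypto = yes` without pinning any enctype list. The script below is an added example written for this thread, not code from the Apache Directory project or from either poster: it parses the krb5.conf profile format (sections, `key = value` lines and the nested `{ ... }` realm blocks), extracts the KDC address, flags the libdefaults settings that matter for this kind of failure, and produces a hardened libdefaults block beside the weak one. The sample config is constructed to mirror the posted file (realm, KDC port and `allow_weak_crypto` copied from it); the `STRONG_ENCTYPES` list and the audit rules are my own choices, based on the AES256 enctype the server stack trace shows it trying to use.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample: mirrors the krb5.conf posted in the thread, trimmed to the
# keys the audit below looks at. Not the poster's file itself.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = false
 allow_weak_crypto = yes   # re-enables single-DES enctypes MIT krb5 disables

[realms]
 EXAMPLE.COM = {
  kdc = 127.0.0.1:60088
  admin_server = 127.0.0.1:60464
 }
"""

# Assumed target enctype list (MIT krb5 names). The server trace shows
# Aes256CtsSha1Encryption, so AES is what the KDC side already understands.
STRONG_ENCTYPES = "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"

# libdefaults keys that decide which enctypes the client offers/accepts.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, Any]]:
    """Parse the krb5.conf profile format into nested dicts.

    Handles [section] headers, `key = value` lines, '#' comments and
    `key = { ... }` blocks (as used under [realms]). Repeated keys keep the
    last value; that is enough for an audit, not a full profile library."""
    sections: Dict[str, Dict[str, Any]] = {}
    stack: List[Dict[str, Any]] = []  # innermost open block is last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"directive outside any section: {line!r}")
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"expected 'key = value': {line!r}")
        key, value = key.strip(), value.strip()
        if value == "{":
            block: Dict[str, Any] = {}
            stack[-1][key] = block
            stack.append(block)
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return sections


def kdc_address(conf: Dict[str, Dict[str, Any]], realm: str) -> Tuple[str, int]:
    """Return (host, port) for the realm's kdc entry; Kerberos defaults to port 88."""
    entry = conf["realms"][realm]["kdc"]
    host, sep, port = entry.rpartition(":")
    if not sep:
        return entry, 88
    return host, int(port)


def is_true(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def audit_client_crypto(conf: Dict[str, Dict[str, Any]]) -> List[str]:
    """Flag [libdefaults] settings worth checking when kinit fails with
    'Integrity check on decrypted field failed (31)' against a KDC."""
    lib = conf.get("libdefaults", {})
    findings: List[str] = []
    if is_true(lib.get("allow_weak_crypto", "false")):
        findings.append("allow_weak_crypto is enabled: weak (single-DES) enctypes are offered and accepted")
    for key in ENCTYPE_KEYS:
        if key not in lib:
            findings.append(f"{key} not set: client falls back to the library's built-in enctype list")
    return findings


def hardened_libdefaults(conf: Dict[str, Dict[str, Any]]) -> Dict[str, str]:
    """Copy of [libdefaults] with weak crypto off and enctypes pinned to AES."""
    lib = dict(conf.get("libdefaults", {}))
    lib["allow_weak_crypto"] = "false"
    for key in ENCTYPE_KEYS:
        lib[key] = STRONG_ENCTYPES
    return lib


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("KDC:", kdc_address(conf, conf["libdefaults"]["default_realm"]))
    for finding in audit_client_crypto(conf):
        print("finding:", finding)
    print("hardened [libdefaults]:")
    for key, value in hardened_libdefaults(conf).items():
        print(f" {key} = {value}")
```

Pinning the client to the enctypes the KDC actually stores keys for makes the "client and server disagree on enctype" case visible as a clean KDC error instead of a failed integrity check, and turning `allow_weak_crypto` off keeps single-DES out of the negotiation entirely; the principal's stored keys (the `krb5KDCEntry` created from the LDIF above) still have to include an AES key for kinit to succeed.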