Le 4/8/13 7:33 PM, Wu, James C. a écrit : > I removed the allow_weak_crypto = true from krb5.conf and set the > ads-krbEncryptionTypes to have only one value aes256-cts-hmac-sha1-96. But I > still get the same error. See the log > > [10:29:58] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp > found > [10:29:58] WARN > [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - > Additional pre-authentication required (25) > [10:29:58] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional > pre-authentication required (25) > [10:30:02] WARN > [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - > Integrity check on decrypted field failed (31) > [10:30:02] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check > on decrypted field failed (31) > > I am wondering about the "No timestamp found" error. Does it have any > relation to the "Integrity check on decrypted field failed" error? No. The 'No Timestamp found' message is just a part of the Kerberos protocol : in order to guarantee that the client is who he/she is pretending tobe, a timestamp is sent back to the client, for him/her to encrypt it. The pb is that the algorihm used to encrypt the password on the cient side is not the one used to decrypt it on the server side.
I'm pretty sure that it has been fixed in trunk 2 weeks ago. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
