Hi Guys,

Has anyone taken a look at the log file I attached in my previous email?

Regards,

james

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Wu, James C.
Sent: Monday, April 08, 2013 10:56 AM
To: Apache Directory Developers List
Subject: RE: kinit failed on - Integrity check on decrypted field failed

Hi,

I put some debug log output in the attached file.  Hope it will get us to the 
cause of the problem.

Regards,

james

-----Original Message-----
From: Emmanuel Lécharny [mailto:[email protected]]
Sent: Monday, April 08, 2013 10:38 AM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

On 4/8/13 7:33 PM, Wu, James C. wrote:
> I removed the allow_weak_crypto = true from krb5.conf and set the 
> ads-krbEncryptionTypes to have only one value aes256-cts-hmac-sha1-96.
> But I still get the same error. See the log
>
> [10:29:58] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
> [10:29:58] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
> [10:29:58] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
> [10:30:02] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
> [10:30:02] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)
>
> I am wondering about the "No timestamp found" error. Does it have any 
> relation to the "Integrity check on decrypted field failed" error?
No. The 'No Timestamp found' message is just a part of the Kerberos protocol:
in order to guarantee that the client is who he/she is pretending to be, a
timestamp is sent back to the client, for him/her to encrypt it. The problem is
that the algorithm used to encrypt the password on the client side is not the
one used to decrypt it on the server side.

I'm pretty sure that it has been fixed in trunk 2 weeks ago.

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 
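
The pattern in the quoted log (error 25, then error 31 a few seconds later) can be separated from a normal pre-authentication round mechanically. The following is an added example, not code from the thread or from ApacheDS: the `triage` function, the 30-second pairing window and the verdict labels are assumptions, and the last two sample lines are constructed.

```python
import re

# RFC 4120 error codes seen in the thread's log.
PREAUTH_REQUIRED = 25  # KDC_ERR_PREAUTH_REQUIRED: expected first leg of an AS exchange
BAD_INTEGRITY = 31     # KRB_AP_ERR_BAD_INTEGRITY: KDC key could not decrypt the client's data

LINE = re.compile(r"^\[(\d\d):(\d\d):(\d\d)\]\s+\w+\s+\[[^\]]+\]\s+-\s+.*?(?:\s+\((\d+)\))?$")

# First five lines are the log from the thread; the last two are constructed.
SAMPLE = """\
[10:29:58] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
[10:29:58] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
[10:29:58] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
[10:30:02] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
[10:30:02] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)
[10:31:10] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
[10:31:10] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
"""

def events(log_text):
    """Return [(seconds, 'HH:MM:SS', code)], one entry per event.
    Each event is written by two loggers, so (time, code) duplicates are dropped."""
    out, seen = [], set()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(4) is None:
            continue  # "No timestamp found" carries no error code
        h, mi, s, code = (int(g) for g in m.groups())
        if (h, mi, s, code) not in seen:
            seen.add((h, mi, s, code))
            out.append((h * 3600 + mi * 60 + s, f"{h:02}:{mi:02}:{s:02}", code))
    return out

def triage(log_text, window_s=30):
    """Pair each code 25 with a code 31 that follows within window_s seconds."""
    findings, pending = [], None
    for secs, stamp, code in events(log_text):
        if code == PREAUTH_REQUIRED:
            if pending:
                findings.append((pending[1], "preauth-only"))  # no failure followed
            pending = (secs, stamp)
        elif code == BAD_INTEGRITY:
            paired = pending is not None and secs - pending[0] <= window_s
            findings.append((stamp, "key-mismatch" if paired else "unpaired-integrity-failure"))
            pending = None
    if pending:
        findings.append((pending[1], "preauth-only"))
    return findings

if __name__ == "__main__":
    for stamp, verdict in triage(SAMPLE):
        print(stamp, verdict)
```

The log carries no client identity, so pairing is by time only; a `key-mismatch` verdict covers both the encryption-type mismatch discussed in the reply and a plain wrong password, which produce the same code 31.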
