Hi, I came across this page which describes how Kerberos key are derived from the passwords of an entry. http://directory.apache.org/apacheds/kerberos-ug/1.1.3-keys.html
It mentioned that the Kerberos keys are basically a hashed value of the passwords with the salt be the realm name. I am wondering how does the kinit program know the salt for the Kerberos key? Is it passed from apacheds? I did not see something like that mentioned in the log output. I guess the kinit has to know both the encryption type and the salt in order to reproduce the Kerberos encryption key so that it can decrypt message from apacheds. Am I right? Regards, James -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Wu, James C. Sent: Tuesday, April 09, 2013 9:49 AM To: Apache Directory Developers List Subject: RE: kinit failed on - Integrity check on decrypted field failed I am very sure of that. I just deleted the hnelson entry and recreate it using the ldapadd command. The hnelson.ldif file is as follows: dn: uid=hnelson,ou=users,dc=example,dc=com objectclass: top objectclass: person objectclass: inetOrgPerson objectclass: krb5Principal objectclass: krb5KDCEntry cn: Horatio Nelson sn: Nelson uid: hnelson userpassword: secret01 krb5PrincipalName: [email protected] The ldap command I used to add the entry is ldapadd -x -W -D "uid=admin,ou=system" -f hnelson.ldif -H ldap://localhost:10389 When I do a ldapsearch, I saw the hnelson entry as follows # hnelson, users, example.com dn: uid=hnelson,ou=users,dc=example,dc=com uid: hnelson userpassword:: e1NTSEF9WlBoT0RueU1sL3FmSVZ1K0tIaHloQU5XN2Z5RWF5cGZSeFMvZ1E9PQ= = objectclass: organizationalPerson objectclass: krb5Principal objectclass: person objectclass: krb5KDCEntry objectclass: inetOrgPerson objectclass: top cn: Horatio Nelson sn: Nelson krb5KeyVersionNumber: 0 krb5Key:: MBmgAwIBEaESBBBEoHCxETKoK5EHlTW1kdUP krb5Key:: MBGgAwIBA6EKBAhFVAF2buW19A== krb5Key:: MCGgAwIBEKEaBBiDZDj0L9XH7BrCJfJYHBBzJTHHUdaFdSk= krb5Key:: MBmgAwIBF6ESBBCIi91Z4Xn3gVQeWmSirA7o krb5Key:: MCmgAwIBEqEiBCDY8jXKWlxWMGCcyKRIIVOQgjde+LItumdkwKUy/PXPKw== krb5PrincipalName: [email protected] -----Original Message----- From: Emmanuel Lécharny [mailto:[email protected]] Sent: Tuesday, April 09, 2013 9:34 AM To: Apache Directory Developers List Subject: Re: kinit failed on - Integrity check on decrypted field failed Le 4/9/13 6:24 PM, Wu, James C. a écrit : > I will do it. The log output are also attached below in this email. If > anyone can take a quick look at it, I would really appreciate. -- james Just looked at the logs, so far, it seems that everyting goes find, up to a point you get the error. Are you *sure* that the password is the one stored in the entry ? -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
