On Wed, Apr 10, 2013 at 2:43 AM, Wu, James C. <[email protected]> wrote:
> Hi,
>
> I came across this page which describes how Kerberos keys are derived from
> the passwords of an entry.
> http://directory.apache.org/apacheds/kerberos-ug/1.1.3-keys.html
>
> It mentioned that the Kerberos keys are basically a hashed value of the
> passwords with the salt being the realm name. I am wondering how the
> kinit program knows the salt for the Kerberos key? Is it passed from
> apacheds? I did not see

Just like you mentioned above, the realm name is used as the salt and kinit knows the realm name.

> something like that mentioned in the log output.
>
> I guess the kinit has to know both the encryption type and the salt in
> order to reproduce the Kerberos encryption key so that it can decrypt
> messages from apacheds. Am I right?
>
> Regards,
>
> James
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Wu, James C.
> Sent: Tuesday, April 09, 2013 9:49 AM
> To: Apache Directory Developers List
> Subject: RE: kinit failed on - Integrity check on decrypted field failed
>
> I am very sure of that. I just deleted the hnelson entry and recreated it
> using the ldapadd command.
>
> The hnelson.ldif file is as follows:
>
> dn: uid=hnelson,ou=users,dc=example,dc=com
> objectclass: top
> objectclass: person
> objectclass: inetOrgPerson
> objectclass: krb5Principal
> objectclass: krb5KDCEntry
> cn: Horatio Nelson
> sn: Nelson
> uid: hnelson
> userpassword: secret01
> krb5PrincipalName: [email protected]
>
> The ldap command I used to add the entry is
>
> ldapadd -x -W -D "uid=admin,ou=system" -f hnelson.ldif -H ldap://localhost:10389
>
> When I do an ldapsearch, I see the hnelson entry as follows
>
> # hnelson, users, example.com
> dn: uid=hnelson,ou=users,dc=example,dc=com
> uid: hnelson
> userpassword:: e1NTSEF9WlBoT0RueU1sL3FmSVZ1K0tIaHloQU5XN2Z5RWF5cGZSeFMvZ1E9PQ==
> objectclass: organizationalPerson
> objectclass: krb5Principal
> objectclass: person
> objectclass: krb5KDCEntry
> objectclass: inetOrgPerson
> objectclass: top
> cn: Horatio Nelson
> sn: Nelson
> krb5KeyVersionNumber: 0
> krb5Key:: MBmgAwIBEaESBBBEoHCxETKoK5EHlTW1kdUP
> krb5Key:: MBGgAwIBA6EKBAhFVAF2buW19A==
> krb5Key:: MCGgAwIBEKEaBBiDZDj0L9XH7BrCJfJYHBBzJTHHUdaFdSk=
> krb5Key:: MBmgAwIBF6ESBBCIi91Z4Xn3gVQeWmSirA7o
> krb5Key:: MCmgAwIBEqEiBCDY8jXKWlxWMGCcyKRIIVOQgjde+LItumdkwKUy/PXPKw==
> krb5PrincipalName: [email protected]
>
> -----Original Message-----
> From: Emmanuel Lécharny [mailto:[email protected]]
> Sent: Tuesday, April 09, 2013 9:34 AM
> To: Apache Directory Developers List
> Subject: Re: kinit failed on - Integrity check on decrypted field failed
>
> On 4/9/13 6:24 PM, Wu, James C. wrote:
>
> I will do it. The log output is also attached below in this email. If
> anyone can take a quick look at it, I would really appreciate it. --
> james
>
> Just looked at the logs; so far, it seems that everything goes fine, up to
> a point where you get the error.
>
> Are you *sure* that the password is the one stored in the entry ?
>
> --
> Regards,
> Kind regards,
> Emmanuel Lécharny
> www.iktek.com

--
Kiran Ayyagari
http://keydap.com
