This is what I tried to fix the kinit for the myrealm.com realm.

1. Install the apacheds 2.0.0 M11 using the default settings
2. Replace all "example" with "myrealm" in the config.ldif
3. Replace all "EXAMPLE" with "MYREALM" in the config.ldif
4. Create the dc=myrealm,dc=com partition following this guide: http://hasini-gunasinghe.blogspot.com/2011/07/how-to-created-new-partition-in.html

Regards,
James

From: [email protected] [mailto:[email protected]] On Behalf Of Wu, James C.
Sent: Wednesday, April 10, 2013 11:11 AM
To: Apache Directory Developers List
Subject: RE: kinit failed on - Integrity check on decrypted field failed

Hi,

I re-installed the apacheds 2.0.0 M11, wiped out all the existing stuff and used all default settings. The kinit does work. So I guess my problem is a config error, because in my actual config I use a different realm, not EXAMPLE.COM. I am going to compare the configs to find out what mistake I made when changing the realm. I will update in this thread.

Thanks.
James

From: [email protected] [mailto:[email protected]] On Behalf Of Kiran Ayyagari
Sent: Tuesday, April 09, 2013 8:52 PM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

On Wed, Apr 10, 2013 at 2:43 AM, Wu, James C. <[email protected]> wrote:
> Hi,
>
> I came across this page which describes how Kerberos keys are derived from the passwords of an entry:
> http://directory.apache.org/apacheds/kerberos-ug/1.1.3-keys.html
>
> It mentioned that the Kerberos keys are basically a hashed value of the password, with the salt being the realm name. I am wondering how the kinit program knows the salt for the Kerberos key? Is it passed from apacheds? I did not see something like that mentioned in the log output.

just like you mentioned above, realm name is used as salt and kinit knows the realm name

> I guess the kinit has to know both the encryption type and the salt in order to reproduce the Kerberos encryption key so that it can decrypt the message from apacheds. Am I right?
>
> Regards,
> James

-----Original Message-----
From: [email protected] [mailto:dev-return-42835-James.C.Wu[email protected]] On Behalf Of Wu, James C.
Sent: Tuesday, April 09, 2013 9:49 AM
To: Apache Directory Developers List
Subject: RE: kinit failed on - Integrity check on decrypted field failed

I am very sure of that. I just deleted the hnelson entry and recreated it using the ldapadd command. The hnelson.ldif file is as follows:

dn: uid=hnelson,ou=users,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: krb5Principal
objectclass: krb5KDCEntry
cn: Horatio Nelson
sn: Nelson
uid: hnelson
userpassword: secret01
krb5PrincipalName: [email protected]

The ldap command I used to add the entry is:

ldapadd -x -W -D "uid=admin,ou=system" -f hnelson.ldif -H ldap://localhost:10389

When I do a ldapsearch, I see the hnelson entry as follows:

# hnelson, users, example.com
dn: uid=hnelson,ou=users,dc=example,dc=com
uid: hnelson
userpassword:: e1NTSEF9WlBoT0RueU1sL3FmSVZ1K0tIaHloQU5XN2Z5RWF5cGZSeFMvZ1E9PQ==
objectclass: organizationalPerson
objectclass: krb5Principal
objectclass: person
objectclass: krb5KDCEntry
objectclass: inetOrgPerson
objectclass: top
cn: Horatio Nelson
sn: Nelson
krb5KeyVersionNumber: 0
krb5Key:: MBmgAwIBEaESBBBEoHCxETKoK5EHlTW1kdUP
krb5Key:: MBGgAwIBA6EKBAhFVAF2buW19A==
krb5Key:: MCGgAwIBEKEaBBiDZDj0L9XH7BrCJfJYHBBzJTHHUdaFdSk=
krb5Key:: MBmgAwIBF6ESBBCIi91Z4Xn3gVQeWmSirA7o
krb5Key:: MCmgAwIBEqEiBCDY8jXKWlxWMGCcyKRIIVOQgjde+LItumdkwKUy/PXPKw==
krb5PrincipalName: [email protected]

-----Original Message-----
From: Emmanuel Lécharny [mailto:[email protected]]
Sent: Tuesday, April 09, 2013 9:34 AM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

On 4/9/13 6:24 PM, Wu, James C. wrote:
> I will do it. The log output is also attached below in this email. If
> anyone can take a quick look at it, I would really appreciate it.
> -- james

Just looked at the logs; so far, it seems that everything goes fine, up to the point where you get the error. Are you *sure* that the password is the one stored in the entry?

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com

-- 
Kiran Ayyagari
http://keydap.com
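The thread turns on the two inputs kinit must reproduce before it can decrypt the KDC's reply: the encryption type and the salt that went into string-to-key. The script below is an added example, not code from ApacheDS or from anyone in the thread. It decodes the krb5Key values from the ldapsearch output above (each is a DER-encoded RFC 4120 EncryptionKey: [0] keytype, [1] keyvalue) to show which enctypes the entry actually holds, builds the RFC 4120 section 4 default salt for a principal, and runs the PBKDF2 half of the RFC 3962 AES string-to-key so the salt dependence is visible. Assumptions: the principal is hnelson@EXAMPLE.COM (the archive masks the address), the password is secret01 from the posted LDIF, and the iteration count is the RFC 3962 default of 4096. The final DK step that turns the PBKDF2 output into the AES key is not implemented (it needs AES), so the stored keys are decoded, not recomputed.

```python
"""Decode ApacheDS krb5Key attributes and compute the Kerberos default salt.
Added example; not ApacheDS code. Principal hnelson@EXAMPLE.COM is assumed."""
import base64
import hashlib

# RFC 3961/3962/4757 encryption type numbers -> (name, key length in bytes)
ENCTYPES = {
    1: ("des-cbc-crc", 8),
    3: ("des-cbc-md5", 8),
    16: ("des3-cbc-sha1", 24),
    17: ("aes128-cts-hmac-sha1-96", 16),
    18: ("aes256-cts-hmac-sha1-96", 32),
    23: ("rc4-hmac", 16),
}

# krb5Key values copied from the ldapsearch output posted in the thread.
HNELSON_KRB5KEYS = [
    "MBmgAwIBEaESBBBEoHCxETKoK5EHlTW1kdUP",
    "MBGgAwIBA6EKBAhFVAF2buW19A==",
    "MCGgAwIBEKEaBBiDZDj0L9XH7BrCJfJYHBBzJTHHUdaFdSk=",
    "MBmgAwIBF6ESBBCIi91Z4Xn3gVQeWmSirA7o",
    "MCmgAwIBEqEiBCDY8jXKWlxWMGCcyKRIIVOQgjde+LItumdkwKUy/PXPKw==",
]


def _tlv(buf, pos):
    """Read one DER TLV (definite length) at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_krb5key(b64):
    """Parse one krb5Key value.
    RFC 4120: EncryptionKey ::= SEQUENCE { keytype [0] Int32, keyvalue [1] OCTET STRING }"""
    der = base64.b64decode(b64)
    tag, seq, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag0, ctx0, pos = _tlv(seq, 0)
    tag1, ctx1, pos = _tlv(seq, pos)
    if tag0 != 0xA0 or tag1 != 0xA1 or pos != len(seq):
        raise ValueError("unexpected EncryptionKey structure")
    itag, keytype_bytes, _ = _tlv(ctx0, 0)
    otag, keyvalue, _ = _tlv(ctx1, 0)
    if itag != 0x02 or otag != 0x04:
        raise ValueError("keytype must be INTEGER, keyvalue OCTET STRING")
    keytype = int.from_bytes(keytype_bytes, "big", signed=True)
    name, expected_len = ENCTYPES.get(keytype, ("unknown(%d)" % keytype, None))
    if expected_len is not None and len(keyvalue) != expected_len:
        raise ValueError("%s: key is %d bytes, expected %d" % (name, len(keyvalue), expected_len))
    return {"etype": keytype, "name": name, "key": keyvalue}


def stored_enctypes(values):
    """Enctype numbers present in the entry, in attribute order."""
    return [decode_krb5key(v)["etype"] for v in values]


def check_principal(values, requested_etype):
    """The first thing to verify when kinit fails: does the entry hold a key
    for the enctype the client negotiated at all?"""
    return requested_etype in stored_enctypes(values)


def default_salt(principal):
    """RFC 4120 section 4 default salt: the realm followed by every name
    component, with the '@' and '/' separators dropped."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def aes_pbkdf2_step(password, salt, etype, iterations=4096):
    """PBKDF2-HMAC-SHA1 half of RFC 3962 string-to-key. The remaining
    DK(tkey, "kerberos") step needs AES and is intentionally not done here;
    the point is that this intermediate already differs for a different salt."""
    _, keylen = ENCTYPES[etype]
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, keylen)


if __name__ == "__main__":
    for v in HNELSON_KRB5KEYS:
        k = decode_krb5key(v)
        print("etype %2d %-24s %s" % (k["etype"], k["name"], k["key"].hex()))
    print("default salt:", default_salt("hnelson@EXAMPLE.COM"))  # assumed principal
    a = aes_pbkdf2_step("secret01", default_salt("hnelson@EXAMPLE.COM"), 18)
    b = aes_pbkdf2_step("secret01", default_salt("hnelson@MYREALM.COM"), 18)
    print("same password, different realm -> PBKDF2 output",
          "identical" if a == b else "different")
```

Decoding the posted entry shows keys for enctypes 17, 3, 16, 23 and 18 with the expected 16, 8, 24, 16 and 32 byte lengths, so the entry itself is well formed. The remaining variable is the salt: when the realm stored in the principal and the realm the client derives its key for differ, the salts differ, every derived key differs, and the AS-REP enc-part does not decrypt, which MIT kinit reports as "Integrity check on decrypted field failed", the same symptom as a wrong password. A KDC may send the salt explicitly in PA-ETYPE-INFO2; when it does not, the client falls back to the default computed above.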
