This is what I tried in order to fix kinit for the myrealm.com realm.

1. Install apacheds 2.0.0 M11 using the default settings
2. Replace all "example" with "myrealm" in the config.ldif
3. Replace all "EXAMPLE" with "MYREALM" in the config.ldif
4. Create the dc=myrealm,dc=com partition following this guide:
   http://hasini-gunasinghe.blogspot.com/2011/07/how-to-created-new-partition-in.html

Regards,

James

From: [email protected] [mailto:[email protected]] On Behalf Of Wu, James C.
Sent: Wednesday, April 10, 2013 11:11 AM
To: Apache Directory Developers List
Subject: RE: kinit failed on - Integrity check on decrypted field failed

Hi,

I re-installed apacheds 2.0.0 M11, wiped out all the existing stuff and 
used all default settings. kinit does work.

So I guess my problem is a config error, because in my actual config I use a 
different realm, not EXAMPLE.COM.

I am going to compare the configs to find out what mistake I made when 
changing the realm. I will update this thread.

Thanks.

James

From: [email protected] [mailto:[email protected]] On Behalf Of Kiran Ayyagari
Sent: Tuesday, April 09, 2013 8:52 PM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed



On Wed, Apr 10, 2013 at 2:43 AM, Wu, James C. <[email protected]> wrote:
Hi,

I came across this page, which describes how Kerberos keys are derived from the 
passwords of an entry.
http://directory.apache.org/apacheds/kerberos-ug/1.1.3-keys.html

It mentioned that the Kerberos keys are basically a hashed value of the 
password, with the realm name as the salt. I am wondering how the kinit 
program knows the salt for the Kerberos key. Is it passed from apacheds? I did 
not see something like that mentioned in the log output.

Just like you mentioned above, the realm name is used as the salt, and kinit 
knows the realm name.

I guess kinit has to know both the encryption type and the salt in order to 
reproduce the Kerberos encryption key so that it can decrypt messages from 
apacheds. Am I right?

Regards,

James

-----Original Message-----
From: [email protected] [mailto:dev-return-42835-James.C.Wu[email protected]] On Behalf Of Wu, James C.
Sent: Tuesday, April 09, 2013 9:49 AM
To: Apache Directory Developers List
Subject: RE: kinit failed on - Integrity check on decrypted field failed

I am very sure of that. I just deleted the hnelson entry and recreated it using 
the ldapadd command. The hnelson.ldif file is as follows:

  dn: uid=hnelson,ou=users,dc=example,dc=com
  objectclass: top
  objectclass: person
  objectclass: inetOrgPerson
  objectclass: krb5Principal
  objectclass: krb5KDCEntry
  cn: Horatio Nelson
  sn: Nelson
  uid: hnelson
  userpassword: secret01
  krb5PrincipalName: [email protected]


The ldap command I used to add the entry is

  ldapadd -x -W -D "uid=admin,ou=system" -f hnelson.ldif -H ldap://localhost:10389

When I do an ldapsearch, I see the hnelson entry as follows:

  # hnelson, users, example.com
  dn: uid=hnelson,ou=users,dc=example,dc=com
  uid: hnelson
  userpassword:: e1NTSEF9WlBoT0RueU1sL3FmSVZ1K0tIaHloQU5XN2Z5RWF5cGZSeFMvZ1E9PQ==
  objectclass: organizationalPerson
  objectclass: krb5Principal
  objectclass: person
  objectclass: krb5KDCEntry
  objectclass: inetOrgPerson
  objectclass: top
  cn: Horatio Nelson
  sn: Nelson
  krb5KeyVersionNumber: 0
  krb5Key:: MBmgAwIBEaESBBBEoHCxETKoK5EHlTW1kdUP
  krb5Key:: MBGgAwIBA6EKBAhFVAF2buW19A==
  krb5Key:: MCGgAwIBEKEaBBiDZDj0L9XH7BrCJfJYHBBzJTHHUdaFdSk=
  krb5Key:: MBmgAwIBF6ESBBCIi91Z4Xn3gVQeWmSirA7o
  krb5Key:: MCmgAwIBEqEiBCDY8jXKWlxWMGCcyKRIIVOQgjde+LItumdkwKUy/PXPKw==
  krb5PrincipalName: [email protected]



-----Original Message-----
From: Emmanuel Lécharny [mailto:[email protected]]
Sent: Tuesday, April 09, 2013 9:34 AM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

On 4/9/13 6:24 PM, Wu, James C. wrote:
> I will do it. The log output is also attached below in this email. If 
> anyone can take a quick look at it, I would really appreciate it.      --  james

Just looked at the logs; so far, it seems that everything goes fine, up to the 
point where you get the error.

Are you *sure* that the password is the one stored in the entry?


--
Regards,
Kind regards,
Emmanuel Lécharny
www.iktek.com



--
Kiran Ayyagari
http://keydap.com
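As an added illustration (not part of the thread): the krb5Key values in the ldapsearch output above are DER-encoded Kerberos EncryptionKey structures, one per encryption type, so they show exactly which etypes ApacheDS derived keys for. The stdlib-only Python below decodes them and also computes the RFC 4120 default salt (realm followed by the name components) that kinit falls back to when the KDC's ETYPE-INFO2 pre-authentication data carries no explicit salt; the principal hnelson@EXAMPLE.COM is an assumption based on the entry's DN, since the archive redacts it.

```python
import base64

# Encryption type numbers (RFC 3961/3962/4757) for the five etypes seen in the thread
ETYPE_NAMES = {3: "des-cbc-md5", 16: "des3-cbc-sha1-kd", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# The five krb5Key values copied from the ldapsearch output in the thread
KRB5_KEYS = [
    "MBmgAwIBEaESBBBEoHCxETKoK5EHlTW1kdUP",
    "MBGgAwIBA6EKBAhFVAF2buW19A==",
    "MCGgAwIBEKEaBBiDZDj0L9XH7BrCJfJYHBBzJTHHUdaFdSk=",
    "MBmgAwIBF6ESBBCIi91Z4Xn3gVQeWmSirA7o",
    "MCmgAwIBEqEiBCDY8jXKWlxWMGCcyKRIIVOQgjde+LItumdkwKUy/PXPKw==",
]

def _read_tlv(buf, pos):
    """Read one DER tag/length/value; returns (tag, value, position after the value)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_krb5key(b64):
    """Decode krb5Key: EncryptionKey ::= SEQUENCE { keytype [0] Int32, keyvalue [1] OCTET STRING }.
    Returns (etype number, etype name, raw key bytes)."""
    der = base64.b64decode(b64)
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("krb5Key is not a single DER SEQUENCE")
    tag0, keytype_der, pos = _read_tlv(seq, 0)
    tag1, keyvalue_der, pos = _read_tlv(seq, pos)
    if tag0 != 0xA0 or tag1 != 0xA1 or pos != len(seq):
        raise ValueError("unexpected EncryptionKey layout")
    _, etype_bytes, _ = _read_tlv(keytype_der, 0)   # [0] wraps an INTEGER (tag 0x02)
    _, key, _ = _read_tlv(keyvalue_der, 0)          # [1] wraps an OCTET STRING (tag 0x04)
    etype = int.from_bytes(etype_bytes, "big", signed=True)
    return etype, ETYPE_NAMES.get(etype, f"etype-{etype}"), key

def default_salt(principal):
    """RFC 4120 section 4 default salt: realm + name components in order, no separators."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))

if __name__ == "__main__":
    for b64 in KRB5_KEYS:
        etype, name, key = decode_krb5key(b64)
        print(f"etype {etype:2d} {name:<24} {len(key):2d}-byte key")
    # Principal is redacted in the archive; hnelson@EXAMPLE.COM is assumed from the entry's DN.
    print("default salt:", default_salt("hnelson@EXAMPLE.COM"))
```

A client that derives its key with a different salt or etype than the KDC used produces exactly the "Integrity check on decrypted field failed" symptom, which is why a realm rename must be applied consistently to the KDC config and the stored principals.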
