[
https://issues.apache.org/jira/browse/DIRKRB-88?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
James C. Wu resolved DIRKRB-88.
-------------------------------
Resolution: Not A Problem
> kinit failed - Integrity check on decrypted field failed
> --------------------------------------------------------
>
> Key: DIRKRB-88
> URL: https://issues.apache.org/jira/browse/DIRKRB-88
> Project: Directory Kerberos
> Issue Type: Bug
> Affects Versions: 2.0.0-M11
> Environment: JVM 7.0 from OpenJDK and Oracle.
> Reporter: James C. Wu
> Assignee: Emmanuel Lecharny
>
> The hnelson.ldif file is as follows:
> dn: uid=hnelson,ou=users,dc=example,dc=com
> objectclass: top
> objectclass: person
> objectclass: inetOrgPerson
> objectclass: krb5Principal
> objectclass: krb5KDCEntry
> cn: Horatio Nelson
> sn: Nelson
> uid: hnelson
> userpassword: secret01
> krb5PrincipalName: [email protected]
> The ldap command I used to add the entry is
> ldapadd -x -W -D "uid=admin,ou=system" -f hnelson.ldif -H
> ldap://localhost:10389
> When I do a ldapsearch, I saw the hnelson entry as follows
> # hnelson, users, example.com
> dn: uid=hnelson,ou=users,dc=example,dc=com
> uid: hnelson
> userpassword::
> e1NTSEF9WlBoT0RueU1sL3FmSVZ1K0tIaHloQU5XN2Z5RWF5cGZSeFMvZ1E9PQ=
> =
> objectclass: organizationalPerson
> objectclass: krb5Principal
> objectclass: person
> objectclass: krb5KDCEntry
> objectclass: inetOrgPerson
> objectclass: top
> cn: Horatio Nelson
> sn: Nelson
> krb5KeyVersionNumber: 0
> krb5Key:: MBmgAwIBEaESBBBEoHCxETKoK5EHlTW1kdUP
> krb5Key:: MBGgAwIBA6EKBAhFVAF2buW19A==
> krb5Key:: MCGgAwIBEKEaBBiDZDj0L9XH7BrCJfJYHBBzJTHHUdaFdSk=
> krb5Key:: MBmgAwIBF6ESBBCIi91Z4Xn3gVQeWmSirA7o
> krb5Key:: MCmgAwIBEqEiBCDY8jXKWlxWMGCcyKRIIVOQgjde+LItumdkwKUy/PXPKw==
> krb5PrincipalName: [email protected]
> Here is the logout at debug level after running kinit hnelson.
> [10:44:15] DEBUG [org.apache.directory.shared.kerberos.components.PaData] -
> PreAuthenticationData encoding : 0x30 0x1F 0x30 0x09 0xA1 0x03 0x02 0x01 0x02
> 0xA2 0x02 0x04 0x00 0x30 0x12 0xA1 0x03 0x02 0x01 0x13 0xA2 0x0B 0x04 0x09
> 0x30 0x07 0x30 0x05 0xA0 0x03 0x02 0x01 0x12 [10:44:15] DEBUG
> [org.apache.directory.shared.kerberos.components.PaData] -
> PreAuthenticationData initial value : PreAuthenticationData :
> padata-type: Encryption info.(19)
> padata-value:0x30 0x07 0x30 0x05 0xA0 0x03 0x02 0x01 0x12
> [10:44:15] DEBUG [org.apache.directory.shared.kerberos.components.MethodData]
> - METHOD-DATA encoding : 0x30 0x1F
> 0x30 0x09 0xA1 0x03 0x02 0x01 0x02 0xA2 0x02 0x04 0x00 0x30 0x12 0xA1 0x03
> 0x02 0x01 0x13 0xA2 0x0B 0x04 0x09 0x30 0x07 0x30 0x05 0xA0 0x03 0x02 0x01
> 0x12 [10:44:15] DEBUG
> [org.apache.directory.shared.kerberos.components.MethodData] - METHOD-DATA
> initial value : METHOD-DATA : PreAuthenticationData :
> padata-type: Encrypted timestamp.(2) , PreAuthenticationData :
> padata-type: Encryption info.(19)
> padata-value:0x30 0x07 0x30 0x05 0xA0 0x03 0x02 0x01 0x12
> [10:44:15] WARN
> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
> Additional pre-authentication required (25) [10:44:15] WARN
> [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication
> required (25) [10:44:15] DEBUG
> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
> Responding to request with error:
> explanatory text: Additional pre-authentication required
> error code: Additional pre-authentication required
> clientPrincipal: null@null
> client time: null
> serverPrincipal: { name-type: KRB_NT_SRV_INST, name-string :
> <'krbtgt', 'EXAMPLE.COM'> }@EXAMPLE.COM
> server time: 20130408174415Z
> [10:44:15] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Responding to
> request with error:
> explanatory text: Additional pre-authentication required
> error code: Additional pre-authentication required
> clientPrincipal: null@null
> client time: null
> serverPrincipal: { name-type: KRB_NT_SRV_INST, name-string :
> <'krbtgt', 'EXAMPLE.COM'> }@EXAMPLE.COM
> server time: 20130408174415Z
> [10:44:15] DEBUG
> [org.apache.directory.shared.kerberos.components.PrincipalName] -
> PrinipalName encoding : 0x7E 0x81 0xA8 0x30 0x81 0xA5 0xA0 0x03 0x02 0x01
> 0x05 0xA1 0x03 0x02 0x01 0x1E 0xA4 0x11 0x18 0x0F 0x32 0x30 0x31 0x33 0x30
> 0x34 0x30 0x38 0x31 0x37 0x34 0x34 0x31 0x35 0x5A 0xA5 0x03 0x02 0x01 0x00
> 0xA6 0x03 0x02 0x01 0x19 0xA9 0x0C 0x1B 0x0A 0x44 0x49 0x53 0x4E 0x45 0x59
> 0x2E 0x43 0x4F 0x4D 0xAA 0x1F 0x30 0x1D 0xA0 0x03 0x02 0x01 0x02 0xA1
> 0x16 0x30 0x14 0x1B 0x06 0x6B 0x72 0x62 0x74 0x67 0x74 0x1B 0x0A 0x44 0x49
> 0x53 0x4E 0x45 0x59 0x2E 0x43 0x4F 0x4D 0x00 0x00 0x00 0x00 0x00 0x00 0x00
> 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
> 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
> 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
> 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
> 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 [10:44:15] DEBUG
> [org.apache.directory.shared.kerberos.components.PrincipalName] -
> PrinipalName initial value : { name-type: KRB_NT_SRV_INST, name-string :
> <'krbtgt', 'EXAMPLE.COM'> } [10:44:15] DEBUG
> [org.apache.directory.shared.kerberos.messages.KrbError] - KrbError encoding
> : 0x7E 0x81 0xA8 0x30 0x81 0xA5 0xA0 0x03 0x02 0x01 0x05 0xA1 0x03 0x02 0x01
> 0x1E 0xA4 0x11 0x18 0x0F 0x32 0x30 0x31 0x33 0x30 0x34
> 0x30 0x38 0x31 0x37 0x34 0x34 0x31 0x35 0x5A 0xA5 0x03 0x02 0x01 0x00 0xA6
> 0x03 0x02 0x01 0x19 0xA9 0x0C 0x1B 0x0A 0x44 0x49 0x53 0x4E 0x45 0x59 0x2E
> 0x43 0x4F 0x4D 0xAA 0x1F 0x30 0x1D 0xA0 0x03 0x02 0x01 0x02 0xA1 0x16 0x30
> 0x14 0x1B 0x06 0x6B 0x72 0x62 0x74 0x67 0x74 0x1B 0x0A 0x44 0x49 0x53 0x4E
> 0x45 0x59 0x2E 0x43 0x4F 0x4D 0xAB 0x28 0x1B 0x26 0x41 0x64 0x64 0x69 0x74
> 0x69 0x6F 0x6E 0x61 0x6C 0x20 0x70 0x72 0x65 0x2D 0x61 0x75 0x74 0x68 0x65
> 0x6E 0x74 0x69 0x63 0x61 0x74 0x69 0x6F 0x6E 0x20 0x72 0x65 0x71 0x75 0x69
> 0x72 0x65 0x64 0xAC 0x23 0x04 0x21 0x30 0x1F 0x30 0x09 0xA1 0x03 0x02 0x01
> 0x02 0xA2 0x02 0x04 0x00 0x30 0x12 0xA1 0x03 0x02 0x01 0x13 0xA2 0x0B 0x04
> 0x09 0x30 0x07 0x30 0x05 0xA0 0x03 0x02 0x01 0x12 [10:44:15] DEBUG
> [org.apache.directory.shared.kerberos.messages.KrbError] - KrbError initial
> value :
> KRB-ERROR : {
> pvno: 5
> msgType: KRB_ERROR
> sTime: 20130408174415Z
> susec: 0
> errorCode: Additional pre-authentication required
> realm: EXAMPLE.COM
> sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt',
> 'EXAMPLE.COM'> }
> eText: Additional pre-authentication required
> eData: 0x30 0x1F 0x30 0x09 0xA1 0x03 0x02 0x01 0x02 0xA2 0x02 0x04 0x00
> 0x30 0x12 0xA1 0x03 0x02 0x01 0x13 0xA2 0x0B 0x04 0x09 0x30 0x07 0x30 0x05
> 0xA0 0x03 0x02 0x01 0x12 }
> [10:44:15] DEBUG
> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
> /10.42.12.54:55923 SENT:
> KRB-ERROR : {
> pvno: 5
> msgType: KRB_ERROR
> sTime: 20130408174415Z
> susec: 0
> errorCode: Additional pre-authentication required
> realm: EXAMPLE.COM
> sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt',
> 'EXAMPLE.COM'> }
> eText: Additional pre-authentication required
> eData: 0x30 0x1F 0x30 0x09 0xA1 0x03 0x02 0x01 0x02 0xA2 0x02 0x04 0x00
> 0x30 0x12 0xA1 0x03 0x02 0x01 0x13 0xA2 0x0B 0x04 0x09 0x30 0x07 0x30 0x05
> 0xA0 0x03 0x02 0x01 0x12 }
> [10:44:15] DEBUG [org.apache.directory.server.KERBEROS_LOG] -
> /10.42.12.54:55923 SENT:
> KRB-ERROR : {
> pvno: 5
> msgType: KRB_ERROR
> sTime: 20130408174415Z
> susec: 0
> errorCode: Additional pre-authentication required
> realm: EXAMPLE.COM
> sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt',
> 'EXAMPLE.COM'> }
> eText: Additional pre-authentication required
> eData: 0x30 0x1F 0x30 0x09 0xA1 0x03 0x02 0x01 0x02 0xA2 0x02 0x04 0x00
> 0x30 0x12 0xA1 0x03 0x02 0x01 0x13 0xA2 0x0B 0x04 0x09 0x30 0x07 0x30 0x05
> 0xA0 0x03 0x02 0x01 0x12 }
> [10:44:17] DEBUG
> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
> /10.42.12.54:41991 CREATED: datagram [10:44:17] DEBUG
> [org.apache.directory.server.KERBEROS_LOG] - /10.42.12.54:41991 CREATED:
> datagram [10:44:17] DEBUG
> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
> /10.42.12.54:41991 OPENED [10:44:17] DEBUG
> [org.apache.directory.server.KERBEROS_LOG] - /10.42.12.54:41991 OPENED
> [10:44:17] DEBUG [org.apache.mina.filter.codec.ProtocolCodecFilter] -
> Processing a MESSAGE_RECEIVED for session 9 [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.actions.AbstractReadPvno] - pvno
> : 5 [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.padata.actions.PaDataInit] -
> PaData created [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.padata.actions.StoreDataType] -
> padata-type : 2 [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.kdcReq.actions.AddPaData] - Added
> PA-DATA: PreAuthenticationData :
> padata-type: Encrypted timestamp.(2)
> padata-value:0x30 0x41 0xA0 0x03 0x02 0x01 0x12 0xA2 0x3A 0x04 0x38 0xA1
> 0x9A 0x25 0xE5 0x77 0x8A 0x30 0x12 0xE3 0x82 0x97 0xEF 0x8E 0xDF 0x1A 0x36
> 0x39 0xAE 0xF1 0x6C 0x64 0x89 0x9F 0x89 0x31 0xB3 0xFD 0x01 0xB1 0x68 0x25
> 0xAA 0xAE 0xAF 0x05 0xDD 0x33 0xD3 0xFE 0x57 0xD0 0x74 0x6C 0x08 0x64 0xA2
> 0xF3 0x8C 0x23 0x1F 0xAE 0xB6 0xA9 0x24 0xB5 0x38
> [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.padata.actions.PaDataInit] -
> PaData created [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.padata.actions.StoreDataType] -
> padata-type : 149 [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.kdcReq.actions.AddPaData] - Added
> PA-DATA: PreAuthenticationData :
> padata-type: null(0)
> [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.KdcReqBodyInit]
> - KdcReqBody created [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.StoreKdcOptions]
> - KDCOptions : FORWARDABLE RENEWABLE [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.principalName.actions.PrincipalNameInit]
> - PrincipalName created [10:44:17] DEBUG
> [org.apache.directory.api.asn1.actions.AbstractReadInteger] - read integer
> value : 1 [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.principalName.actions.StoreNameType]
> - name-type : {}Just the name of the principal as in DCE, or for users(1)
> [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.principalName.actions.StoreNameString]
> - PrincipalName String : hnelson [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.actions.AbstractReadPrincipalName]
> - PrincipalName : { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
> [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.actions.AbstractReadRealm] - read
> realm value : EXAMPLE.COM [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.principalName.actions.PrincipalNameInit]
> - PrincipalName created [10:44:17] DEBUG
> [org.apache.directory.api.asn1.actions.AbstractReadInteger] - read integer
> value : 2 [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.principalName.actions.StoreNameType]
> - name-type : {}Service and other unique instance (krbtgt)(2) [10:44:17]
> DEBUG
> [org.apache.directory.shared.kerberos.codec.principalName.actions.StoreNameString]
> - PrincipalName String : krbtgt [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.principalName.actions.StoreNameString]
> - PrincipalName String : EXAMPLE.COM [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.actions.AbstractReadPrincipalName]
> - PrincipalName : { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt',
> 'EXAMPLE.COM'> } [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.StoreFrom] -
> From : 20130408174415Z [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.StoreTill] -
> Till : 20130409174415Z [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.actions.AbstractReadKerberosTime]
> - decoded kerberos time is : 20130415174415Z [10:44:17] DEBUG
> [org.apache.directory.api.asn1.actions.AbstractReadInteger] - read integer
> value : 1801102745 [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.AddEType] -
> EncryptionType : aes256-cts-hmac-sha1-96 (18) [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.AddEType] -
> EncryptionType : aes128-cts-hmac-sha1-96 (17) [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.AddEType] -
> EncryptionType : des3-cbc-sha1-kd (16) [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.kdcReqBody.actions.AddEType] -
> EncryptionType : rc4-hmac (23) [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.kdcReq.actions.StoreKdcReqBody] -
> KDC-REQ-BODY : KDCOptions : FORWARDABLE RENEWABLE cname : { name-type:
> KRB_NT_PRINCIPAL, name-string : <'hnelson'> } realm : EXAMPLE.COM sname : {
> name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> } from :
> 20130408174415Z till : 20130409174415Z rtime : 20130415174415Z nonce :
> 1801102745 etype : aes256-cts-hmac-sha1-96 (18) aes128-cts-hmac-sha1-96 (17)
> des3-cbc-sha1-kd (16) rc4-hmac (23) [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.asReq.actions.StoreKdcReq] -
> AS-REQ :
> >-----------------------------------------------------------------------
> >--------
> AS-REQ
> pvno : 5
> msg-type : AS_REQ
> padata :
> PreAuthenticationData :
> padata-type: Encrypted timestamp.(2)
> padata-value:0x30 0x41 0xA0 0x03 0x02 0x01 0x12 0xA2 0x3A 0x04 0x38
> 0xA1 0x9A 0x25 0xE5 0x77 0x8A 0x30 0x12 0xE3 0x82 0x97 0xEF 0x8E 0xDF 0x1A
> 0x36 0x39 0xAE 0xF1 0x6C 0x64 0x89 0x9F 0x89 0x31 0xB3 0xFD 0x01 0xB1 0x68
> 0x25 0xAA 0xAE 0xAF 0x05 0xDD 0x33 0xD3 0xFE 0x57 0xD0 0x74 0x6C 0x08 0x64
> 0xA2 0xF3 0x8C 0x23 0x1F 0xAE 0xB6 0xA9 0x24 0xB5 0x38
> padata :
> PreAuthenticationData :
> padata-type: null(0)
> kdc-req-body :
> KDCOptions : FORWARDABLE RENEWABLE
> cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
> realm : EXAMPLE.COM
> sname : { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt',
> 'EXAMPLE.COM'> }
> from : 20130408174415Z
> till : 20130409174415Z
> rtime : 20130415174415Z
> nonce : 1801102745
> etype : aes256-cts-hmac-sha1-96 (18) aes128-cts-hmac-sha1-96 (17)
> des3-cbc-sha1-kd (16) rc4-hmac (23)
> -------------------------------------------------------------------------------<
> [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.KerberosMessageGrammar] - Decoded
> KerberosMessage
> >-----------------------------------------------------------------------
> >--------
> AS-REQ
> pvno : 5
> msg-type : AS_REQ
> padata :
> PreAuthenticationData :
> padata-type: Encrypted timestamp.(2)
> padata-value:0x30 0x41 0xA0 0x03 0x02 0x01 0x12 0xA2 0x3A 0x04 0x38
> 0xA1 0x9A 0x25 0xE5 0x77 0x8A 0x30 0x12 0xE3 0x82 0x97 0xEF 0x8E 0xDF 0x1A
> 0x36 0x39 0xAE 0xF1 0x6C 0x64 0x89 0x9F 0x89 0x31 0xB3 0xFD 0x01 0xB1 0x68
> 0x25 0xAA 0xAE 0xAF 0x05 0xDD 0x33 0xD3 0xFE 0x57 0xD0 0x74 0x6C 0x08 0x64
> 0xA2 0xF3 0x8C 0x23 0x1F 0xAE 0xB6 0xA9 0x24 0xB5 0x38
> padata :
> PreAuthenticationData :
> padata-type: null(0)
> kdc-req-body :
> KDCOptions : FORWARDABLE RENEWABLE
> cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
> realm : EXAMPLE.COM
> sname : { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt',
> 'EXAMPLE.COM'> }
> from : 20130408174415Z
> till : 20130409174415Z
> rtime : 20130415174415Z
> nonce : 1801102745
> etype : aes256-cts-hmac-sha1-96 (18) aes128-cts-hmac-sha1-96 (17)
> des3-cbc-sha1-kd (16) rc4-hmac (23)
> -------------------------------------------------------------------------------<
> [10:44:17] DEBUG
> [org.apache.directory.server.kerberos.protocol.codec.KerberosDecoder] -
> Decoded KerberosMessage
> :
> >-----------------------------------------------------------------------
> >--------
> AS-REQ
> pvno : 5
> msg-type : AS_REQ
> padata :
> PreAuthenticationData :
> padata-type: Encrypted timestamp.(2)
> padata-value:0x30 0x41 0xA0 0x03 0x02 0x01 0x12 0xA2 0x3A 0x04 0x38
> 0xA1 0x9A 0x25 0xE5 0x77 0x8A 0x30 0x12 0xE3 0x82 0x97 0xEF 0x8E 0xDF 0x1A
> 0x36 0x39 0xAE 0xF1 0x6C 0x64 0x89 0x9F 0x89 0x31 0xB3 0xFD 0x01 0xB1 0x68
> 0x25 0xAA 0xAE 0xAF 0x05 0xDD 0x33 0xD3 0xFE 0x57 0xD0 0x74 0x6C 0x08 0x64
> 0xA2 0xF3 0x8C 0x23 0x1F 0xAE 0xB6 0xA9 0x24 0xB5 0x38
> padata :
> PreAuthenticationData :
> padata-type: null(0)
> kdc-req-body :
> KDCOptions : FORWARDABLE RENEWABLE
> cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
> realm : EXAMPLE.COM
> sname : { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt',
> 'EXAMPLE.COM'> }
> from : 20130408174415Z
> till : 20130409174415Z
> rtime : 20130415174415Z
> nonce : 1801102745
> etype : aes256-cts-hmac-sha1-96 (18) aes128-cts-hmac-sha1-96 (17)
> des3-cbc-sha1-kd (16) rc4-hmac (23)
> -------------------------------------------------------------------------------<
> [10:44:17] DEBUG
> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
> /10.42.12.54:41991 RCVD:
> >-----------------------------------------------------------------------
> >--------
> AS-REQ
> pvno : 5
> msg-type : AS_REQ
> padata :
> PreAuthenticationData :
> padata-type: Encrypted timestamp.(2)
> padata-value:0x30 0x41 0xA0 0x03 0x02 0x01 0x12 0xA2 0x3A 0x04 0x38
> 0xA1 0x9A 0x25 0xE5 0x77 0x8A 0x30 0x12 0xE3 0x82 0x97 0xEF 0x8E 0xDF 0x1A
> 0x36 0x39 0xAE 0xF1 0x6C 0x64 0x89 0x9F 0x89 0x31 0xB3 0xFD 0x01 0xB1 0x68
> 0x25 0xAA 0xAE 0xAF 0x05 0xDD 0x33 0xD3 0xFE 0x57 0xD0 0x74 0x6C 0x08 0x64
> 0xA2 0xF3 0x8C 0x23 0x1F 0xAE 0xB6 0xA9 0x24 0xB5 0x38
> padata :
> PreAuthenticationData :
> padata-type: null(0)
> kdc-req-body :
> KDCOptions : FORWARDABLE RENEWABLE
> cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
> realm : EXAMPLE.COM
> sname : { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt',
> 'EXAMPLE.COM'> }
> from : 20130408174415Z
> till : 20130409174415Z
> rtime : 20130415174415Z
> nonce : 1801102745
> etype : aes256-cts-hmac-sha1-96 (18) aes128-cts-hmac-sha1-96 (17)
> des3-cbc-sha1-kd (16) rc4-hmac (23)
> -------------------------------------------------------------------------------<
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] -
> /10.42.12.54:41991 RCVD:
> >-----------------------------------------------------------------------
> >--------
> AS-REQ
> pvno : 5
> msg-type : AS_REQ
> padata :
> PreAuthenticationData :
> padata-type: Encrypted timestamp.(2)
> padata-value:0x30 0x41 0xA0 0x03 0x02 0x01 0x12 0xA2 0x3A 0x04 0x38
> 0xA1 0x9A 0x25 0xE5 0x77 0x8A 0x30 0x12 0xE3 0x82 0x97 0xEF 0x8E 0xDF 0x1A
> 0x36 0x39 0xAE 0xF1 0x6C 0x64 0x89 0x9F 0x89 0x31 0xB3 0xFD 0x01 0xB1 0x68
> 0x25 0xAA 0xAE 0xAF 0x05 0xDD 0x33 0xD3 0xFE 0x57 0xD0 0x74 0x6C 0x08 0x64
> 0xA2 0xF3 0x8C 0x23 0x1F 0xAE 0xB6 0xA9 0x24 0xB5 0x38
> padata :
> PreAuthenticationData :
> padata-type: null(0)
> kdc-req-body :
> KDCOptions : FORWARDABLE RENEWABLE
> cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
> realm : EXAMPLE.COM
> sname : { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt',
> 'EXAMPLE.COM'> }
> from : 20130408174415Z
> till : 20130409174415Z
> rtime : 20130415174415Z
> nonce : 1801102745
> etype : aes256-cts-hmac-sha1-96 (18) aes128-cts-hmac-sha1-96 (17)
> des3-cbc-sha1-kd (16) rc4-hmac (23)
> -------------------------------------------------------------------------------<
> [10:44:17] DEBUG
> [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> - Received Authentication Service (AS) request:
> messageType: AS_REQ
> protocolVersionNumber: 5
> clientAddress: 10.42.12.54
> nonce: 1801102745
> kdcOptions: FORWARDABLE RENEWABLE
> clientPrincipal: { name-type: KRB_NT_PRINCIPAL, name-string :
> <'hnelson'> }
> serverPrincipal: { name-type: KRB_NT_SRV_INST, name-string :
> <'krbtgt', 'EXAMPLE.COM'> }
> encryptionType: aes256-cts-hmac-sha1-96 (18),
> aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23)
> realm: EXAMPLE.COM
> from time: 20130408174415Z
> till time: 20130409174415Z
> renew-till time: 20130415174415Z
> hostAddresses: null
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Received
> Authentication Service (AS) request:
> messageType: AS_REQ
> protocolVersionNumber: 5
> clientAddress: 10.42.12.54
> nonce: 1801102745
> kdcOptions: FORWARDABLE RENEWABLE
> clientPrincipal: { name-type: KRB_NT_PRINCIPAL, name-string :
> <'hnelson'> }
> serverPrincipal: { name-type: KRB_NT_SRV_INST, name-string :
> <'krbtgt', 'EXAMPLE.COM'> }
> encryptionType: aes256-cts-hmac-sha1-96 (18),
> aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23)
> realm: EXAMPLE.COM
> from time: 20130408174415Z
> till time: 20130409174415Z
> renew-till time: 20130415174415Z
> hostAddresses: null
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Selecting
> the EncryptionType [10:44:17] DEBUG
> [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> - Encryption types requested by client [aes256-cts-hmac-sha1-96 (18),
> aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23)].
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Encryption
> types requested by client [aes256-cts-hmac-sha1-96 (18),
> aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23)].
> [10:44:17] DEBUG
> [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> - Session will use encryption type aes256-cts-hmac-sha1-96 (18).
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Session will
> use encryption type aes256-cts-hmac-sha1-96 (18).
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Getting the
> client Entry [10:44:17] DEBUG
> [org.apache.directory.server.core.DefaultOperationManager] - >>
> SearchOperation : SearchContext for Dn 'ou=users,dc=disney,dc=com', filter
> :'([email protected])'
> [10:44:17] DEBUG
> [org.apache.directory.server.core.authn.AuthenticationInterceptor] -
> Operation Context: SearchContext for Dn 'ou=users,dc=disney,dc=com', filter
> :'([email protected])'
> [10:44:17] DEBUG
> [org.apache.directory.server.xdbm.search.impl.DefaultSearchEngine] - Nb
> results : 1 for filter :
> (&:[1]([email protected]:[1])(#{SUBTREE_SCOPE
> (Estimated), 'ou=users,dc=disney,dc=com', DEREF_ALWAYS})) [10:44:17] DEBUG
> [org.apache.directory.server.core.DefaultOperationManager] - <<
> SearchOperation successful [10:44:17] DEBUG
> [org.apache.directory.server.protocol.shared.kerberos.StoreUtils] - Found
> entry uid=hnelson,ou=users,dc=disney,dc=com for kerberos principal name
> [email protected] [10:44:17] DEBUG
> [org.apache.directory.server.KERBEROS_LOG] - Found entry
> uid=hnelson,ou=users,dc=disney,dc=com for kerberos principal name
> [email protected] [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit]
> - EncryptionKey created [10:44:17] DEBUG
> [org.apache.directory.api.asn1.actions.AbstractReadInteger] - read integer
> value : 3 [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType]
> - keytype : des-cbc-md5 (3) [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit]
> - EncryptionKey created [10:44:17] DEBUG
> [org.apache.directory.api.asn1.actions.AbstractReadInteger] - read integer
> value : 23 [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType]
> - keytype : rc4-hmac (23) [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit]
> - EncryptionKey created [10:44:17] DEBUG
> [org.apache.directory.api.asn1.actions.AbstractReadInteger] - read integer
> value : 17 [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType]
> - keytype : aes128-cts-hmac-sha1-96 (17) [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit]
> - EncryptionKey created [10:44:17] DEBUG
> [org.apache.directory.api.asn1.actions.AbstractReadInteger] - read integer
> value : 16 [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType]
> - keytype : des3-cbc-sha1-kd (16) [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.EncryptionKeyInit]
> - EncryptionKey created [10:44:17] DEBUG
> [org.apache.directory.api.asn1.actions.AbstractReadInteger] - read integer
> value : 18 [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.encryptionKey.actions.StoreKeyType]
> - keytype : aes256-cts-hmac-sha1-96 (18) [10:44:17] DEBUG
> [org.apache.directory.server.KERBEROS_LOG] - Found entry
> uid=hnelson,ou=users,dc=disney,dc=com for principal [email protected]
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Verifying
> the policy [10:44:17] DEBUG
> [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> - Verifying using SAM subsystem.
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Verifying
> using SAM subsystem.
> [10:44:17] DEBUG
> [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> - Verifying using encrypted timestamp.
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Verifying
> using encrypted timestamp.
> [10:44:17] DEBUG
> [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> - Entry for client principal [email protected] has no SAM type.
> Proceeding with standard pre-authentication.
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Entry for
> client principal [email protected] has no SAM type. Proceeding with
> standard pre-authentication.
> [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.encryptedData.actions.EncryptedDataInit]
> - EncryptedData created [10:44:17] DEBUG
> [org.apache.directory.api.asn1.actions.AbstractReadInteger] - read integer
> value : 18 [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.codec.encryptedData.actions.StoreEType]
> - e-type : aes256-cts-hmac-sha1-96 (18) [10:44:17] DEBUG
> [org.apache.directory.server.KERBEROS_LOG] - Decrypting data using key
> aes256-cts-hmac-sha1-96 (18) and usage ERR_603 AS-REQ PA-ENC-TIMESTAMP padata
> timestamp, encrypted with the client key (1) [10:44:17] WARN
> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
> Integrity check on decrypted field failed (31) [10:44:17] WARN
> [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted
> field failed (31) [10:44:17] DEBUG
> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
> Responding to request with error:
> explanatory text: Integrity check on decrypted field failed
> error code: Integrity check on decrypted field failed
> clientPrincipal: null@null
> client time: null
> serverPrincipal: { name-type: KRB_NT_SRV_INST, name-string :
> <'krbtgt', 'EXAMPLE.COM'> }@EXAMPLE.COM
> server time: 20130408174417Z
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Responding to
> request with error:
> explanatory text: Integrity check on decrypted field failed
> error code: Integrity check on decrypted field failed
> clientPrincipal: null@null
> client time: null
> serverPrincipal: { name-type: KRB_NT_SRV_INST, name-string :
> <'krbtgt', 'EXAMPLE.COM'> }@EXAMPLE.COM
> server time: 20130408174417Z
> [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.components.PrincipalName] -
> PrinipalName encoding : 0x7E 0x81 0x86 0x30 0x81 0x83 0xA0 0x03 0x02 0x01
> 0x05 0xA1 0x03 0x02 0x01 0x1E 0xA4 0x11 0x18 0x0F 0x32 0x30 0x31 0x33 0x30
> 0x34 0x30 0x38 0x31 0x37 0x34 0x34 0x31 0x37 0x5A 0xA5 0x03 0x02 0x01 0x00
> 0xA6 0x03 0x02 0x01 0x1F 0xA9 0x0C 0x1B 0x0A 0x44 0x49 0x53 0x4E 0x45 0x59
> 0x2E 0x43 0x4F 0x4D 0xAA 0x1F 0x30 0x1D 0xA0 0x03 0x02 0x01 0x02 0xA1
> 0x16 0x30 0x14 0x1B 0x06 0x6B 0x72 0x62 0x74 0x67 0x74 0x1B 0x0A 0x44 0x49
> 0x53 0x4E 0x45 0x59 0x2E 0x43 0x4F 0x4D 0x00 0x00 0x00 0x00 0x00 0x00 0x00
> 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
> 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
> 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.components.PrincipalName] -
> PrinipalName initial value : { name-type: KRB_NT_SRV_INST, name-string :
> <'krbtgt', 'EXAMPLE.COM'> } [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.messages.KrbError] - KrbError encoding
> : 0x7E 0x81 0x86 0x30 0x81 0x83 0xA0 0x03 0x02 0x01 0x05 0xA1 0x03 0x02 0x01
> 0x1E 0xA4 0x11 0x18 0x0F 0x32 0x30 0x31 0x33 0x30 0x34
> 0x30 0x38 0x31 0x37 0x34 0x34 0x31 0x37 0x5A 0xA5 0x03 0x02 0x01 0x00 0xA6
> 0x03 0x02 0x01 0x1F 0xA9 0x0C 0x1B 0x0A 0x44 0x49 0x53 0x4E 0x45 0x59 0x2E
> 0x43 0x4F 0x4D 0xAA 0x1F 0x30 0x1D 0xA0 0x03 0x02 0x01 0x02 0xA1 0x16 0x30
> 0x14 0x1B 0x06 0x6B 0x72 0x62 0x74 0x67 0x74 0x1B 0x0A 0x44 0x49 0x53 0x4E
> 0x45 0x59 0x2E 0x43 0x4F 0x4D 0xAB 0x2B 0x1B 0x29 0x49 0x6E 0x74 0x65 0x67
> 0x72 0x69 0x74 0x79 0x20 0x63 0x68 0x65 0x63 0x6B 0x20 0x6F 0x6E 0x20 0x64
> 0x65 0x63 0x72 0x79 0x70 0x74 0x65 0x64 0x20 0x66 0x69 0x65 0x6C 0x64 0x20
> 0x66 0x61 0x69 0x6C 0x65 0x64 [10:44:17] DEBUG
> [org.apache.directory.shared.kerberos.messages.KrbError] - KrbError initial
> value :
> KRB-ERROR : {
> pvno: 5
> msgType: KRB_ERROR
> sTime: 20130408174417Z
> susec: 0
> errorCode: Integrity check on decrypted field failed
> realm: EXAMPLE.COM
> sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt',
> 'EXAMPLE.COM'> }
> eText: Integrity check on decrypted field failed }
> [10:44:17] DEBUG
> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
> /10.42.12.54:41991 SENT:
> KRB-ERROR : {
> pvno: 5
> msgType: KRB_ERROR
> sTime: 20130408174417Z
> susec: 0
> errorCode: Integrity check on decrypted field failed
> realm: EXAMPLE.COM
> sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt',
> 'EXAMPLE.COM'> }
> eText: Integrity check on decrypted field failed }
> [10:44:17] DEBUG [org.apache.directory.server.KERBEROS_LOG] -
> /10.42.12.54:41991 SENT:
> KRB-ERROR : {
> pvno: 5
> msgType: KRB_ERROR
> sTime: 20130408174417Z
> susec: 0
> errorCode: Integrity check on decrypted field failed
> realm: EXAMPLE.COM
> sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt',
> 'EXAMPLE.COM'> }
> eText: Integrity check on decrypted field failed }
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
