[ https://issues.apache.org/jira/browse/DIRKRB-100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13915622#comment-13915622 ]
Eirik Bjorsnos commented on DIRKRB-100:
---------------------------------------
Enabling des-cbc-md5 only, it seems I'm able to get a ticket!
However, I get an exception trying to change the user's password with
changePassword:
{code}
Exception in thread "main" org.apache.directory.server.kerberos.changepwd.exceptions.ChangePasswordException: Request failed due to a hard error in processing the request.
    at org.apache.directory.kerberos.client.KdcConnection.changePassword(KdcConnection.java:618)
    at no.kantega.demos.webjars.KerbPasswordTest.main(KerbPasswordTest.java:60)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: java.lang.NullPointerException
    at org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.decrypt(CipherTextHandler.java:118)
    at org.apache.directory.kerberos.client.KdcConnection.changePassword(KdcConnection.java:604)
    ... 6 more
{code}
The NPE is caused by CipherTextHandler.decrypt being handed a null
EncryptionKey from KdcConnection.changePassword:
encApRepPart.getSubkey() returns null.
> Active Directory support for KdcConnection
> ------------------------------------------
>
> Key: DIRKRB-100
> URL: https://issues.apache.org/jira/browse/DIRKRB-100
> Project: Directory Kerberos
> Issue Type: Improvement
> Reporter: Eirik Bjorsnos
> Assignee: Emmanuel Lecharny
>
> I'm testing KdcConnection.getTgt() with Microsoft Active Directory.
> My first test failed, with AD first responding with
> KRB5KRB_ERR_PREAUTH_REQUIRED (expected), then KRB5KRB_ERR_PREAUTH_FAILED (not
> expected).
> Since PREAUTH_FAILED is what you'll also get if your password is wrong, I
> enabled "Do not use pre authentication" for the account being tested and
> verified via kinit on OS X that no pre authentication was sent there.
> When testing getTgt with no preauth, I now get the following exception:
> Exception in thread "main" org.apache.directory.server.kerberos.changepwd.exceptions.ChangePasswordException: Request failed due to being malformed.
>     at org.apache.directory.server.kerberos.protocol.codec.KerberosDecoder.decodeEncTgsRepPart(KerberosDecoder.java:684)
>     at org.apache.directory.kerberos.client.KdcConnection._getTgt(KdcConnection.java:329)
>     at org.apache.directory.kerberos.client.KdcConnection.getTgt(KdcConnection.java:181)
>     at org.apache.directory.kerberos.client.KdcConnection.getTgt(KdcConnection.java:145)