[ https://issues.apache.org/jira/browse/DIRKRB-634?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16087020#comment-16087020 ]
Jiajia Li commented on DIRKRB-634:
----------------------------------
In the krb5 source code, the client will try both the session key and the sub key:
{code}
    /* Unfortunately, Heimdal at least up through 1.2 encrypts using
       the session key not the subsession key. So we try both. */
    retval = krb5int_decode_tgs_rep(context, fast_state, response_data, subkey,
                                    KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY,
                                    &dec_rep);
    if (retval) {
        TRACE_TGS_REPLY_DECODE_SESSION(context, &tkt->keyblock);
        if ((krb5int_decode_tgs_rep(context, fast_state, response_data,
                                    &tkt->keyblock,
                                    KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY,
                                    &dec_rep)) == 0)
            retval = 0;
        else
            goto cleanup;
    }
{code}
> Failed to get service granting ticket from MIT KDC using Kerby client
> ---------------------------------------------------------------------
>
> Key: DIRKRB-634
> URL: https://issues.apache.org/jira/browse/DIRKRB-634
> Project: Directory Kerberos
> Issue Type: Bug
> Affects Versions: 1.0.0
> Reporter: Jiajia Li
> Assignee: Jiajia Li
> Fix For: 1.0.1
>
>
> When trying to get a service granting ticket, the following exception occurs:
> Exception in thread "main" org.apache.kerby.kerberos.kerb.KrbException: Integrity check on decrypted field failed
>     at org.apache.kerby.kerberos.kerb.crypto.enc.KeKiEnc.decryptWith(KeKiEnc.java:127)
>     at org.apache.kerby.kerberos.kerb.crypto.enc.AbstractEncTypeHandler.decrypt(AbstractEncTypeHandler.java:150)
>     at org.apache.kerby.kerberos.kerb.crypto.enc.AbstractEncTypeHandler.decrypt(AbstractEncTypeHandler.java:138)
>     at org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler.decrypt(EncryptionHandler.java:228)
>     at org.apache.kerby.kerberos.kerb.common.EncryptionUtil.unseal(EncryptionUtil.java:136)
>     at org.apache.kerby.kerberos.kerb.client.request.TgsRequest.processResponse(TgsRequest.java:82)
>     at org.apache.kerby.kerberos.kerb.client.KrbHandler.onResponseMessage(KrbHandler.java:117)
>     at org.apache.kerby.kerberos.kerb.client.impl.DefaultKrbHandler.handleRequest(DefaultKrbHandler.java:47)
>     at org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient.sendIfPossible(DefaultInternalKrbClient.java:112)
>     at org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient.doRequest(DefaultInternalKrbClient.java:75)
>     at org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient.doRequestSgt(DefaultInternalKrbClient.java:130)
>     at org.apache.kerby.kerberos.kerb.client.impl.AbstractInternalKrbClient.requestSgt(AbstractInternalKrbClient.java:146)
>     at org.apache.kerby.kerberos.kerb.client.KrbClientBase.requestSgt(KrbClientBase.java:200)
>     at org.apache.kerby.kerberos.tool.kinit.KinitTool.requestTicket(KinitTool.java:172)
>     at org.apache.kerby.kerberos.tool.kinit.KinitTool.main(KinitTool.java:250)
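The subkey-then-session-key fallback quoted from krb5 above, modelled as an added example that is neither krb5 nor Kerby code. It assumes a stand-in authenticated cipher (HMAC-SHA256 key derivation, keystream and tag) in place of a real Kerberos enctype; the function names are hypothetical, and only the key usage numbers 8 and 9 come from RFC 4120.

```python
import hashlib
import hmac
import os

# RFC 4120 section 7.5.1 key usage numbers for the TGS-REP encrypted part.
KU_TGS_REP_SESSKEY = 8  # sealed with the TGT session key
KU_TGS_REP_SUBKEY = 9   # sealed with the authenticator subkey

class IntegrityError(Exception):
    """Checksum over the encrypted field did not verify."""

def _derive(key, usage, label):
    # Stand-in for Kerberos key derivation: binds the base key to a usage number.
    return hmac.new(key, usage.to_bytes(4, "big") + label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # Stand-in keystream (assumption, not a Kerberos enctype).
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, usage, plaintext):
    nonce = os.urandom(16)
    ke, ki = _derive(key, usage, b"enc"), _derive(key, usage, b"int")
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(ke, nonce, len(plaintext))))
    return nonce + ct + hmac.new(ki, nonce + ct, hashlib.sha256).digest()

def unseal(key, usage, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    ke, ki = _derive(key, usage, b"enc"), _derive(key, usage, b"int")
    # Verify before decrypting; a wrong key OR a wrong usage number fails here.
    if not hmac.compare_digest(tag, hmac.new(ki, nonce + ct, hashlib.sha256).digest()):
        raise IntegrityError("Integrity check on decrypted field failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(ke, nonce, len(ct))))

def decode_tgs_rep(enc_part, subkey, session_key):
    """Try subkey/usage 9 first, then session key/usage 8. Returns (plaintext, key used)."""
    try:
        return unseal(subkey, KU_TGS_REP_SUBKEY, enc_part), "subkey"
    except IntegrityError:
        # Fall back only on an integrity failure; if the second attempt also
        # fails, the error propagates and the reply is rejected.
        return unseal(session_key, KU_TGS_REP_SESSKEY, enc_part), "session"
```

A client that attempts only one of the two key/usage pairs raises the same integrity error as in the stack trace when the KDC sealed the reply with the other.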