Just sending a quick update as I am able to move on from this issue now.

I have now moved over to Fedora 17 with the version of FreeIPA currently packaged for Fedora 17 and, after getting over the installation hang, I can confirm that my Java client is authenticating without issue against the newly installed server.

At this point I don't know what is causing the failure on the previous version but I am suspecting some incompatibility with the messages generated with Java.

Regards,
Darran Lofthouse.


On 05/31/2012 10:28 AM, Darran Lofthouse wrote:
My apologies if this has already been discussed somewhere, I have tried
a number of searches to see if this is either a known issue or common
error on the client side but so far only found references to Java issues
that should have been resolved a long time ago.

I have a Red Hat server running in Amazon EC2 with IPA
ipa-server-2.1.3-9.el6.x86_64 installed - I have an admin user and a
test_user defined.

From my local machine using kinit works without error.

I have developed a test Java client to make use of the Krb5LoginModule,
I am currently debugging further but thought I would mail this in
parallel in case I am missing something obvious but I keep getting the
failure that is at the bottom of this message.

This failure is reported when using java-1.7.0-openjdk-1.7.0.3.x86_64 -
however I have also tried using various Oracle JDKs, both 6 and 7.

I know the password is correct as verified using kinit, also if I use
jdk1.6.0_30 AND set the system property for Kerberos debugging to true
on the client it works.

The only difference I currently see between the failure scenario and
success scenario is that for success rc4-hmac is selected for the
PA-ENC-TIMESTAMP; for the failure scenario here, aes256-cts-hmac-sha1-96
is selected instead.

For the work I am currently using IPA for, I could just force the use of
rc4-hmac but would really like to get to the bottom of the cause of this.

Looking forward to any ideas.

Regards,
Darran Lofthouse.


Exception in thread "main" javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:759)
     at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:580)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     at java.lang.reflect.Method.invoke(Method.java:601)
     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
     at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721)
     at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719)
     at java.security.AccessController.doPrivileged(Native Method)
     at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:718)
     at javax.security.auth.login.LoginContext.login(LoginContext.java:590)
     at com.darranl.as.sasl.gssapi.KerberosLoginUtil.login(KerberosLoginUtil.java:50)
     at com.darranl.as.sasl.gssapi.KerberosLoginUtil.main(KerberosLoginUtil.java:136)
Caused by: KrbException: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
     at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:82)
     at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
     at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:721)
     ... 14 more
Caused by: KrbException: Identifier doesn't match expected value (906)
     at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
     at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
     at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
     at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
     ... 17 more


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
