With above fixup, I hit another issue that Kerby client failed to decrypt the TGS-REP.
I got it to work in my setup but I can't commit the codes because there're more cases to be investigated. Ref. the issue https://issues.apache.org/jira/browse/DIRKRB-472

Marc, if you'd just go on with your case, please make the following change and try.
In client side TgsRequest.java: processResponse(), use KeyUsage.TGS_REP_ENCPART_SUBKEY.

-----Original Message-----
From: Zheng, Kai [mailto:[email protected]]
Sent: Monday, November 23, 2015 2:21 PM
To: [email protected]
Subject: RE: KDC is rejecting my TGS

Fired and resolved the following issue to track the authenticator issue we're handling. Will set up a box to test: Kerby client -> MIT KDC (in service ticket path)

commit df6ba15d4f990b104efcf36ede913f4eeb09a872
Author: Drankye <[email protected]>
Date: Tue Nov 24 14:16:32 2015 +0800

    DIRKRB-469 & DIRKRB-470 setting vno & cksum fields when making authenticator

-----Original Message-----
From: Marc Boorshtein [mailto:[email protected]]
Sent: Monday, November 23, 2015 11:30 AM
To: [email protected]
Subject: RE: KDC is rejecting my TGS

ah. That would do it :) sounds like we are getting close!

Thanks
Marc

On Nov 22, 2015 10:27 PM, "Zheng, Kai" <[email protected]> wrote:

> OK, forget it. I just checked the codes, and found the checksum isn't
> done and filled in authenticator. I will get it fixed ASAP.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Marc Boorshtein [mailto:[email protected]]
> Sent: Monday, November 23, 2015 11:24 AM
> To: [email protected]
> Subject: RE: KDC is rejecting my TGS
>
> > Cool!! Thanks a lot for getting the hard issue figured out.
>
> My pleasure. I'm glad I'm making progress.
>
> > I'm looking at the checksum issue, and trying to go into the context. Did
> > you try the usage value of 10 or 6? Could you give me a snapshot of
> > the stacktrace (or call stack) so I can know sooner about the context? Thanks.
>
> I haven't yet. I've shut down for the night but there really isn't
> a stack trace because MIT is returning a kerberos generic error (with
> the accompanying log messages I sent over). I wanted to make sure I
> was reading the code properly before I started trying things since MIT
> isn't giving me the best error messages. I'll give it a go tomorrow.
>
> Thanks
> Marc
