OK. Did you make the following change as I told in my last email, in addition to checking out the latest commits? ==== if you'd just go on with your case, please make the following change and try. In client side TgsRequest.java: processResponse(), use KeyUsage.TGS_REP_ENCPART_SUBKEY. ====
-----Original Message----- From: Marc Boorshtein [mailto:[email protected]] Sent: Monday, November 23, 2015 9:05 PM To: [email protected] Subject: Re: KDC is rejecting my TGS New error: Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 etypes {17}) 192.168.2.129: ISSUE: authtime 1448283454, etypes {rep=17 tkt=18 ses=17}, HTTP/[email protected] for krbtgt/[email protected] Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0, HTTP/[email protected] for HTTP/[email protected], Decrypt integrity check failed Here's the packet trace : https://s3.amazonaws.com/ts-public-downloads/captures/kerb-bad_integrity.pcapng On Mon, Nov 23, 2015 at 4:22 AM, Zheng, Kai <[email protected]> wrote: > With above fixup, I hit another issue that Kerby client failed to > decrypt the TGS-REP. > > I got it work in my setup but I can't commit the codes because > there're more cases to be investigated. Ref. the issue > https://issues.apache.org/jira/browse/DIRKRB-472 > > Marc, > if you'd just go on with your case, please make the following change > and try. > In client side TgsRequest.java: processResponse(), use > KeyUsage.TGS_REP_ENCPART_SUBKEY. > > -----Original Message----- > From: Zheng, Kai [mailto:[email protected]] > Sent: Monday, November 23, 2015 2:21 PM > To: [email protected] > Subject: RE: KDC is rejecting my TGS > > Fired and resolved the following issue to track the authenticator > issue we're handling. > Will setup a box to test: Kerby client -> MIT KDC (in service ticket > path) > > commit df6ba15d4f990b104efcf36ede913f4eeb09a872 > Author: Drankye <[email protected]> > Date: Tue Nov 24 14:16:32 2015 +0800 > > DIRKRB-469 & DIRKRB-470 setting vno & cksum fields when making > authenticator > > -----Original Message----- > From: Marc Boorshtein [mailto:[email protected]] > Sent: Monday, November 23, 2015 11:30 AM > To: [email protected] > Subject: RE: KDC is rejecting my TGS > > ah. That would do it :) sounds like we are getting close! > > Thanks > Marc > On Nov 22, 2015 10:27 PM, "Zheng, Kai" <[email protected]> wrote: > > > OK, forget it. I just checked the codes, and found the checksum > > isn't done and filled in authenticator. I will get it fixed ASAP. > > > > Regards, > > Kai > > > > -----Original Message----- > > From: Marc Boorshtein [mailto:[email protected]] > > Sent: Monday, November 23, 2015 11:24 AM > > To: [email protected] > > Subject: RE: KDC is rejecting my TGS > > > > > > > > Cool!! Thanks a lot for getting the hard issue figured out. > > > > > > > My pleasure. I'm glad I'm making progress. > > > > > I'm looking at the checksum issue, and trying to go into the context. > > > Did > > you try the usage value of 10 or 6? Could you give me a snapshot of > > the stacktrace (or call stack) so I can know sooner about the context? > Thanks. > > > > I haven't yet. I've shutdown for the night but the there really > > isn't a stack trace because MIT is returning a kerberos generic > > error (with the accompanying log messages I sent over). I wanted to > > make sure I was reading the code properly before I started trying > > things since MIT isn't giving me the best error messages. I'll give it a > > go tomorrow. > > > > Thanks > > Marc > > >
