Yes, I did. I also have several minor changes to get it to line up with the way Java's libraries are working, so I wonder if the merge missed something. I'll try debugging it tonight.

On Mon, Nov 23, 2015 at 8:19 AM, Zheng, Kai <[email protected]> wrote:

> OK. Did you make the following change as I told in my last email, in
> addition to checking out the latest commits?
> ====
> if you'd just go on with your case, please make the following change and
> try.
> In client side TgsRequest.java: processResponse(), use
> KeyUsage.TGS_REP_ENCPART_SUBKEY.
> ====
>
> -----Original Message-----
> From: Marc Boorshtein [mailto:[email protected]]
> Sent: Monday, November 23, 2015 9:05 PM
> To: [email protected]
> Subject: Re: KDC is rejecting my TGS
>
> New error:
>
> Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 etypes {17}) 192.168.2.129: ISSUE: authtime 1448283454, etypes {rep=17 tkt=18 ses=17}, HTTP/[email protected] for krbtgt/[email protected]
>
> Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0, HTTP/[email protected] for HTTP/[email protected], Decrypt integrity check failed
>
> Here's the packet trace:
>
> https://s3.amazonaws.com/ts-public-downloads/captures/kerb-bad_integrity.pcapng
>
> On Mon, Nov 23, 2015 at 4:22 AM, Zheng, Kai <[email protected]> wrote:
>
> > With above fixup, I hit another issue that Kerby client failed to
> > decrypt the TGS-REP.
> >
> > I got it work in my setup but I can't commit the codes because
> > there're more cases to be investigated. Ref. the issue
> > https://issues.apache.org/jira/browse/DIRKRB-472
> >
> > Marc,
> > if you'd just go on with your case, please make the following change
> > and try.
> > In client side TgsRequest.java: processResponse(), use
> > KeyUsage.TGS_REP_ENCPART_SUBKEY.
> >
> > -----Original Message-----
> > From: Zheng, Kai [mailto:[email protected]]
> > Sent: Monday, November 23, 2015 2:21 PM
> > To: [email protected]
> > Subject: RE: KDC is rejecting my TGS
> >
> > Fired and resolved the following issue to track the authenticator
> > issue we're handling.
> > Will set up a box to test: Kerby client -> MIT KDC (in service ticket
> > path)
> >
> > commit df6ba15d4f990b104efcf36ede913f4eeb09a872
> > Author: Drankye <[email protected]>
> > Date: Tue Nov 24 14:16:32 2015 +0800
> >
> >     DIRKRB-469 & DIRKRB-470 setting vno & cksum fields when making
> >     authenticator
> >
> > -----Original Message-----
> > From: Marc Boorshtein [mailto:[email protected]]
> > Sent: Monday, November 23, 2015 11:30 AM
> > To: [email protected]
> > Subject: RE: KDC is rejecting my TGS
> >
> > ah. That would do it :) sounds like we are getting close!
> >
> > Thanks
> > Marc
> > On Nov 22, 2015 10:27 PM, "Zheng, Kai" <[email protected]> wrote:
> >
> > > OK, forget it. I just checked the codes, and found the checksum
> > > isn't done and filled in authenticator. I will get it fixed ASAP.
> > >
> > > Regards,
> > > Kai
> > >
> > > -----Original Message-----
> > > From: Marc Boorshtein [mailto:[email protected]]
> > > Sent: Monday, November 23, 2015 11:24 AM
> > > To: [email protected]
> > > Subject: RE: KDC is rejecting my TGS
> > >
> > > > Cool!! Thanks a lot for getting the hard issue figured out.
> > >
> > > My pleasure. I'm glad I'm making progress.
> > >
> > > > I'm looking at the checksum issue, and trying to go into the context.
> > > > Did you try the usage value of 10 or 6? Could you give me a snapshot
> > > > of the stacktrace (or call stack) so I can know sooner about the
> > > > context? Thanks.
> > >
> > > I haven't yet. I've shut down for the night but there really
> > > isn't a stack trace because MIT is returning a kerberos generic
> > > error (with the accompanying log messages I sent over). I wanted to
> > > make sure I was reading the code properly before I started trying
> > > things since MIT isn't giving me the best error messages. I'll give
> > > it a go tomorrow.
> > >
> > > Thanks
> > > Marc
