Solved it by removing:

        forwardable = true
        proxiable = true

from the krb5.conf file used.

Rob

On 11/03/11 10:44, Rob Hebron wrote:
Hi,

I'm experimenting with GSSAPI authentication against ApacheDS 1.5.7.
Following various guides I have it working such that I am successfully
issued a TGT using kinit (on Debian) - changes mainly involved enabling
crypto protocols in server.xml. However, when I try to authenticate with
a java client I always get this error:

Kerberos username [rob]: [email protected]
Kerberos password for [email protected]:
default etypes for default_tkt_enctypes: 16.
default etypes for default_tkt_enctypes: 16.
  >>>  KrbAsReq calling createMessage
  >>>  KrbAsReq in createMessage
  >>>  KrbKdcReq send: kdc=<kdc address>  UDP:60088, timeout=30000, number of retries =3, #bytes=134
  >>>  KDCCommunication: kdc=<kdc address>  UDP:60088, timeout=30000,Attempt =1, #bytes=134
  >>>  KrbKdcReq send: #bytes read=536
  >>>  KrbKdcReq send: #bytes read=536
  >>>  KdcAccessibility: remove<kdc address>:60088
  >>>  EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
Authentication failed:
    Checksum failed

.. with no error logged on the server. I'm guessing that a checksum
verification has failed. This error is also logged when I try to
authenticate to ApacheDS server in Apache Directory Studio. I'm able to
log on to a production MIT KDC using the same java code with no problem.

A search hasn't turned up much - any ideas of what I could try?

Thanks,

Rob
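
A small audit helper for the fix in the reply at the top of this thread, as an added example that is not part of the original messages: it scans krb5.conf text, reports every line that sets forwardable or proxiable together with the section it sits in, and returns a copy without those lines so the client can be retested against it. The thread does not say which section held the settings; the sample file, the realm EXAMPLE.COM, the host kdc.example.com and the function name strip_ticket_flags are constructed for illustration.

```python
import re

FLAGGED = {"forwardable", "proxiable"}   # the two settings the reply removed
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
SETTING_RE = re.compile(r"^([^\s=]+)\s*=\s*(.*)$")

# Constructed sample; realm, host and layout are illustrative only.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    forwardable = true
    proxiable = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com:60088
    }

[appdefaults]
    kinit = {
        forwardable = true
    }
"""


def strip_ticket_flags(text):
    """Return (cleaned_text, findings); findings are (line, scope, key, value)."""
    scope, kept, findings = [], [], []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        section = SECTION_RE.match(line)
        setting = SETTING_RE.match(line)
        if line.startswith(("#", ";")):
            pass                                  # comment: keep untouched
        elif section:
            scope = [section.group(1)]            # new top-level section
        elif line == "}" and len(scope) > 1:
            scope.pop()                           # end of a nested block
        elif setting and setting.group(2) == "{":
            scope.append(setting.group(1))        # realm or application block
        elif setting and setting.group(1) in FLAGGED:
            findings.append((number, "/".join(scope), *setting.groups()))
            continue                              # drop the line from the copy
        kept.append(raw)
    return "\n".join(kept) + "\n", findings

if __name__ == "__main__":
    for finding in strip_ticket_flags(SAMPLE)[1]:
        print("line %d: [%s] %s = %s" % finding)
```

Writing the cleaned text to a separate file and pointing the Java client at it with -Djava.security.krb5.conf keeps the original configuration available for comparison.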

