I probably should have included this earlier, but here are my logs for running against 2.0.0.M6 [1]. I have gone through a number of krb5.conf files, but this is the one I am using now [2].

Let me know if there is anything else I can provide that will help figure out this issue. Thanks again for your replies.

[1] http://pastebin.com/T8yL9XU8
[2] http://pastebin.com/mjXpQhwg

----- Original Message -----
From: Robert Winch <[email protected]>
To: "[email protected]" <[email protected]>
Cc:
Sent: Sunday, April 1, 2012 1:07 PM
Subject: Re: Kerberos

Thank you for your reply. I have tried with a few versions and all with the same problem: 2.0.0-M3, 2.0.0-M6, 1.5.7. I believe I had found a discussion about this issue, but I have not found anything describing that it got fixed or a way to work around it [1]. Any help or guidance would be appreciated.

[1] http://mail-archives.apache.org/mod_mbox/directory-dev/201202.mbox/%[email protected]%3E

----- Original Message -----
From: Kiran Ayyagari <[email protected]>
To: [email protected]; Robert Winch <[email protected]>
Cc:
Sent: Sunday, April 1, 2012 2:48 AM
Subject: Re: Kerberos

Which version of ApacheDS are you running? Can you try with version 2.0.0-M6? (I assume you are running an earlier version, because there was a bug related to the below error you are encountering which I have fixed in January.)

On Sun, Apr 1, 2012 at 4:42 AM, Robert Winch <[email protected]> wrote:
>
> I'm trying to follow the guide for setting up Kerberos [1] and while I am
> able to verify the credentials using ApacheDS, I am unable to validate my
> credentials with kinit or k5start or kinit. I get the following error log
> from ApacheDS when running k5start (kinit does not send the correct
> encryption types) with the exact krb5.conf. I am running Ubuntu 11.10 32bit.
> Any ideas what I can do to fix this issue?
>
> [18:00:49] INFO [org.apache.directory.server.Service] - Cannot find any reference to the HTTP Server in the server.xml file : the server won't be started
> [18:00:58] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:57312 CREATED: datagram
> [18:00:58] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:57312 OPENED
> [18:00:58] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:57312 RCVD: org.apache.directory.server.kerberos.shared.messages.KdcRequest@1cee792
> [18:00:58] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Received Authentication Service (AS) request:
>     messageType: AS_REQ
>     protocolVersionNumber: 5
>     clientAddress: 127.0.0.1
>     nonce: 288257937
>     kdcOptions: FORWARDABLE RENEWABLE_OK
>     clientPrincipal: [email protected]
>     serverPrincipal: krbtgt/[email protected]
>     encryptionType: des3-cbc-sha1-kd (16), des-cbc-crc (1), des-cbc-md5 (3)
>     realm: EXAMPLE.COM
>     from time: 20120331230058Z
>     till time: 20120401090058Z
>     renew-till time: null
>     hostAddresses: null
> [18:00:58] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Session will use encryption type des-cbc-md5 (3).
> [18:00:58] DEBUG [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - Found entry ServerEntry
>     dn[n]: uid=hnelson,ou=Users,dc=example,dc=com
>     objectClass: organizationalPerson
>     objectClass: person
>     objectClass: krb5Principal
>     objectClass: inetOrgPerson
>     objectClass: krb5KDCEntry
>     objectClass: top
>     uid: hnelson
>     sn: Nelson
>     krb5PrincipalName: [email protected]
>     userPassword: '0x73 0x65 0x63 0x72 0x65 0x74 '
>     krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x87 0x8D 0x80 0x14 0x60 ...'
>     krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xF4 0xA7 0x13 0x64 0x8A ...'
>     krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x57 0x07 0xCE 0x29 0x52 ...'
>     krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0xAD 0x21 0x4B 0x38 0xB6 ...'
>     krb5KeyVersionNumber: 0
>     cn: Horatio Nelson
>  for kerberos principal name [email protected]
> [18:00:58] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using SAM subsystem.
> [18:00:58] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using encrypted timestamp.
> [18:00:58] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Entry for client principal [email protected] has no SAM type. Proceeding with standard pre-authentication.
> [18:00:58] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - KDC has no support for padata type (16)
> org.apache.directory.server.kerberos.shared.exceptions.KerberosException: KDC has no support for padata type
>     at org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.verifyEncryptedTimestamp(AuthenticationService.java:301)
>     at org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.execute(AuthenticationService.java:107)
>     at org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:145)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:713)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:793)
>     at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:375)
>     at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:229)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:793)
>     at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426)
>     at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.readHandle(AbstractPollingConnectionlessIoAcceptor.java:436)
>     at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.processReadySessions(AbstractPollingConnectionlessIoAcceptor.java:407)
>     at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.access$600(AbstractPollingConnectionlessIoAcceptor.java:56)
>     at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor$Acceptor.run(AbstractPollingConnectionlessIoAcceptor.java:360)
>     at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>     at java.lang.Thread.run(Thread.java:662)
> [18:00:58] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Responding to request with error:
>     explanatory text: KDC has no support for padata type
>     error code: 16
>     clientPrincipal: null
>     client time: null
>     serverPrincipal: krbtgt/[email protected]
>     server time: 20120331230058Z
> [18:00:58] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:57312 SENT: org.apache.directory.server.kerberos.shared.messages.ErrorMessage@12c4768
> [18:01:58] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:57312 CLOSED
>
> [1] http://directory.apache.org/apacheds/1.5/543-kerberos-in-apacheds-155.html
>
> Thanks,

--
Kiran Ayyagari
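
Added example, not part of the original thread and not ApacheDS code: a reader for the krb5Key values in the quoted log, which are DER-encoded Kerberos EncryptionKey structures (RFC 4120), so the stored encryption types can be compared with the encryptionType list of the AS_REQ. The function names are made up for this sketch, and it assumes short-form DER lengths, which holds for the keys shown.

```python
import re

# Kerberos encryption type numbers and their usual names.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1-kd",
          17: "aes128-cts-hmac-sha1-96", 23: "rc4-hmac"}

# First 11 bytes of each krb5Key value from the StoreUtils DEBUG entry in the
# quoted log (DER header only; the key bytes are left out).
LOGGED_KEYS = [
    "0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10",
    "0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08",
    "0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18",
    "0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10",
]
OFFERED = [16, 1, 3]  # encryptionType list of the AS_REQ in the same log

def read_header(buf, pos, tag):
    """Check one DER tag, return (length, offset of the value)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02X} at offset {pos}")
    if buf[pos + 1] & 0x80:
        raise ValueError("long-form length not handled (assumption: short keys)")
    return buf[pos + 1], pos + 2

def parse_key_header(dump):
    """Return (etype, declared key length in bytes); value may be truncated."""
    buf = bytes(int(b, 16) for b in re.findall(r"0x[0-9A-Fa-f]{2}", dump))
    _, pos = read_header(buf, 0, 0x30)        # EncryptionKey ::= SEQUENCE
    _, pos = read_header(buf, pos, 0xA0)      # keytype  [0] Int32
    n, pos = read_header(buf, pos, 0x02)
    etype = int.from_bytes(buf[pos:pos + n], "big", signed=True)
    _, pos = read_header(buf, pos + n, 0xA1)  # keyvalue [1] OCTET STRING
    key_len, _ = read_header(buf, pos, 0x04)
    return etype, key_len

def stored_etypes(dumps):
    return [parse_key_header(d)[0] for d in dumps]

def usable_etypes(offered, dumps):
    """Offered etypes, in the client's order, that the entry holds a key for."""
    have = set(stored_etypes(dumps))
    return [e for e in offered if e in have]

if __name__ == "__main__":
    for d in LOGGED_KEYS:
        etype, n = parse_key_header(d)
        print(f"{etype:>3}  {ETYPES.get(etype, 'unknown'):<24} {n}-byte key")
    print("offered and stored:", usable_etypes(OFFERED, LOGGED_KEYS))
```
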
