On Sat, Jul 26, 2014 at 12:00 AM, Brian Laskey <[email protected]> wrote:
> What are the supported encryption types for ApacheDS?
>
the default enctypes are aes128-cts-hmac-sha1-96 des3-cbc-sha1-kd des-cbc-md5

> I've had some issues on the Linux side with kinit, I had configured my
> krb.conf file with:
> default_tkt_enctypes = aes128-cts-hmac-sha1-96
> default_tgs_enctypes = aes128-cts-hmac-sha1-96
>
> And tried checking that off only in the Kerberos settings of Studio. Didn't
> seem to solve the password error with kinit. If I tried other enctypes I
what error are you getting? the preauth error?
> got other errors like encryption type not supported. E.g. had problems with
> below, not sure if it's the cause of my issues.
> #default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 aes128-cts des3-cbc-sha1-kd aes128-cts-hmac-sha1-96
> #default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 aes128-cts des3-cbc-sha1-kd aes128-cts-hmac-sha1-96
>
> I can try to install Studio on my red hat linux server, but that only has
> IBM JDK 6 on it if that matters.
>
I would suggest to first test with kinit (to rule out any non-Studio related issues), and once this succeeds we can try with Studio
> Thanks
> Brian
>
>
> On Fri, Jul 25, 2014 at 2:23 PM, Kiran Ayyagari <[email protected]> wrote:
>
> > On Fri, Jul 25, 2014 at 11:50 PM, Brian Laskey <[email protected]> wrote:
> >
> > > Apologies for the multiple emails, but if I change Directory Studio vm to
> >
> > np, feel free to post
> >
> > > Sun/Oracle jdk1.6.0_31\jre\bin I get a different exception in logging in
> > > with Kerberos or using the 'Check Authentication' button.
> >
> > can you try with Studio on Linux/Unix? I suspect that RC4 is being used on Windows
> > box (RC4 encryption type is not yet supported in ApacheDS)
> >
> > > I don't seem to see any errors in apacheds.log
> > >
> > > Error while opening connection
> > > - *javax.security.auth.login.LoginException: Checksum failed*
> > > org.apache.directory.api.ldap.model.exception.LdapException:
> > > javax.security.auth.login.LoginException: Checksum failed
> > > at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1535)
> > > at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1421)
> > > at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:447)
> > > at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1175)
> > > at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:460)
> > > at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:306)
> > > at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
> > > at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
> > > at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
> > > Caused by: javax.security.auth.login.LoginException: Checksum failed
> > > at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
> > > at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
> > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> > > at java.lang.reflect.Method.invoke(Method.java:597)
> > > at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
> > > at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
> > > at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
> > > at java.security.AccessController.doPrivileged(Native Method)
> > > at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
> > > at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
> > > at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1522)
> > > ... 8 more
> > > Caused by: KrbException: Checksum failed
> > > at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:85)
> > > at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:77)
> > > at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
> > > at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:87)
> > > at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
> > > at sun.security.krb5.Credentials.sendASRequest(Credentials.java:401)
> > > at sun.security.krb5.Credentials.acquireTGT(Credentials.java:350)
> > > at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
> > > ... 20 more
> > > Caused by: java.security.GeneralSecurityException: Checksum failed
> > > at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:431)
> > > at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:254)
> > > at sun.security.krb5.internal.crypto.Aes128.decrypt(Aes128.java:59)
> > > at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:83)
> > > ... 27 more
> > >
> > > javax.security.auth.login.LoginException: Checksum failed
> > >
> > >
> > > On Fri, Jul 25, 2014 at 2:06 PM, Brian Laskey <[email protected]> wrote:
> > >
> > > > I appreciate the help with this. I am new to ApacheDS and Kerberos.
> > > >
> > > > I have now tried that tutorial (of course I hadn't got that far, I was
> > > > trying the tutorial before it, 4.1 - Authenticate with kinit on Linux!)
> > > >
> > > > Adding krbtgt/[email protected] SOLVES the "Server not found in the
> > > > Kerberos database while getting initial credentials" error with kinit. So
> > > > that's good.
> > > >
> > > > However, now in kinit I get a new error for any principal I try (either
> > > > using my generated keytab or by typing in the password).
> > > > Verbose output of kinit -V [email protected]
> > > > Using default cache: /tmp/krb5cc_13553
> > > > Using principal: [email protected]
> > > > Password for [email protected]:
> > > > kinit: Password incorrect while getting initial credentials
> > > >
> > > > I am trying kinit on a linux machine.
> > > >
> > > > On a separate Windows 7 machine, I have Apache Directory Studio. Following
> > > > the tutorial as best I can (Kerberos settings tab seems subtly different
> > > > than the screens I see on Apache Directory Studio 2.0.0.v20130628 / Win7 /
> > > > IBM Java 1.7 JRE)
> > > >
> > > > After I set up krbtgt and ldap principals, when I try to connect as one of
> > > > my principals using Apache Directory Studio I get this exception:
> > > >
> > > > Error while opening connection
> > > > - java.lang.IllegalArgumentException
> > > > org.apache.directory.api.ldap.model.exception.LdapException:
> > > > java.lang.IllegalArgumentException
> > > > at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1535)
> > > > at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1421)
> > > > at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:447)
> > > > at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1175)
> > > > at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:460)
> > > > at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:306)
> > > > at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
> > > > at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
> > > > at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
> > > > Caused by: java.lang.IllegalArgumentException
> > > > at javax.security.auth.login.AppConfigurationEntry.<init>(AppConfigurationEntry.java:84)
> > > > at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$InnerConfiguration.getAppConfigurationEntry(DirectoryApiConnectionWrapper.java:1222)
> > > > at javax.security.auth.login.LoginContext.init(LoginContext.java:269)
> > > > at javax.security.auth.login.LoginContext.<init>(LoginContext.java:427)
> > > > at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1520)
> > > > ... 8 more
> > > >
> > > > java.lang.IllegalArgumentException
> > > >
> > > >
> > > > Seems like no matter which way I go I am finding all the hurdles.
> > > >
> > > > Thank you,
> > > > Brian
> > > >
> > > > On Fri, Jul 25, 2014 at 12:12 PM, Emmanuel Lécharny <[email protected]> wrote:
> > > >
> > > >> On 25/07/2014 17:19, Brian Laskey wrote:
> > > >> > Actually, I solved the "Additional pre-authentication required" error by
> > > >> > Opening Configuration on my ApacheDS server with Directory Studio, on the
> > > >> > Kerberos Server tab, uncheck Require Pre-Authentication By Encrypted
> > > >> > TimeStamp check box under Ticket Settings.
> > > >> >
> > > >> >
> > > >> > Now I receive a different error with kinit using the same keytab and conf
> > > >> > file:
> > > >> > kinit: Server not found in Kerberos database while getting initial
> > > >> > credentials
> > > >> >
> > > >> >
> > > >> > Should I create a principal krbtgt manually?
> > > >>
> > > >> I think so.
> > > >>
> > > >> Have you followed the tutorial on
> > > >> http://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html
> > > >> ?
> > > >>
> > > >>
> > > >
> > >
> >
> > --
> > Kiran Ayyagari
> > http://keydap.com
>

--
Kiran Ayyagari
http://keydap.com
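The enctype mismatch the thread circles around (a client offering an enctype such as RC4 that the ApacheDS KDC has no key for, or an alias spelling such as aes128-cts that is the same enctype as aes128-cts-hmac-sha1-96 under another name) can be checked on the client side before running kinit. The following is an added example, not code from the thread, from ApacheDS or from Directory Studio. It assumes the KDC supports exactly the three default enctypes Kiran lists; the alias table follows the spellings MIT krb5 documents; the krb5.conf fragments are constructed for the demonstration (the second one uncomments Brian's mixed list, the third mimics a client that offers only RC4).

```python
"""Check a client krb5.conf's enctype lists against what a KDC supports.

Added example for the ApacheDS thread above. The KDC enctype set is the
ApacheDS default quoted in the thread; alias spellings follow MIT krb5.
"""
import re

# Assumption: the KDC supports exactly these (ApacheDS defaults per the thread).
APACHEDS_DEFAULT_ENCTYPES = frozenset({
    "aes128-cts-hmac-sha1-96",
    "des3-cbc-sha1-kd",
    "des-cbc-md5",
})

# MIT krb5 accepts several spellings for one enctype; map them to the
# canonical name so "aes128-cts" and "aes128-cts-hmac-sha1-96" compare equal.
ENCTYPE_ALIASES = {
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "aes128-sha1": "aes128-cts-hmac-sha1-96",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes256-sha1": "aes256-cts-hmac-sha1-96",
    "des3-cbc-sha1": "des3-cbc-sha1-kd",
    "des3-hmac-sha1": "des3-cbc-sha1-kd",
    "arcfour-hmac": "rc4-hmac",
    "arcfour-hmac-md5": "rc4-hmac",
}

# Single-DES enctypes: MIT krb5 refuses them unless allow_weak_crypto = true.
WEAK_ENCTYPES = frozenset({
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des-hmac-sha1",
})

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def canonical(name):
    """Map an alias spelling (e.g. aes128-cts) to the canonical enctype name."""
    name = name.strip().lower()
    return ENCTYPE_ALIASES.get(name, name)


def parse_libdefaults(conf_text):
    """Return the enctype keys found in [libdefaults] as ordered, canonical lists.

    Lines starting with '#' or ';' are comments, so a commented-out
    default_tkt_enctypes line is ignored, exactly as the library ignores it.
    """
    section = None
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ENCTYPE_KEYS:
            found[key] = [canonical(v) for v in re.split(r"[\s,]+", value.strip()) if v]
    return found


def check_enctypes(conf_text, kdc_enctypes=APACHEDS_DEFAULT_ENCTYPES):
    """Compare each configured enctype list with the KDC's supported set.

    For every key present, list the entries the KDC cannot serve and the
    single-DES entries the client library disables by default. 'ok' is True
    only when at least one configured enctype is both supported and not weak.
    """
    report = {}
    for key, names in parse_libdefaults(conf_text).items():
        unsupported = [n for n in names if n not in kdc_enctypes]
        weak = [n for n in names if n in WEAK_ENCTYPES]
        usable = [n for n in names if n in kdc_enctypes and n not in WEAK_ENCTYPES]
        report[key] = {"configured": names, "unsupported": unsupported,
                       "weak": weak, "ok": bool(usable)}
    return report


# Constructed krb5.conf fragments (the realm and KDC address are placeholders).
WORKING_CONF = """[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes128-cts-hmac-sha1-96
[realms]
EXAMPLE.COM = {
  kdc = kdc.example.com:60088
}
"""

ALIAS_CONF = """[libdefaults]
default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 aes128-cts des3-cbc-sha1-kd aes128-cts-hmac-sha1-96
"""

RC4_CONF = """[libdefaults]
default_tkt_enctypes = arcfour-hmac-md5
#default_tgs_enctypes = aes128-cts
"""

if __name__ == "__main__":
    for label, conf in (("working", WORKING_CONF), ("aliases", ALIAS_CONF), ("rc4", RC4_CONF)):
        print(label, check_enctypes(conf))
```

Run against the three fragments, the first passes cleanly, the second resolves the alias spellings to the same two enctypes and flags des-cbc-md5 as weak (still usable because aes128 is present), and the third reports rc4-hmac as unsupported with nothing usable, which is the situation Kiran suspects on the Windows client. The commented-out line in the third fragment produces no entry at all, the same outcome Brian's `#default_tkt_enctypes` lines had.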
