On 01/17/2017 09:13 AM, Yu Wei wrote: > Hi Guys, > > I tried to setup Apache DS with kerberos server enabled. > > After creating entry by following Apache DS document about "Kerberos User > guide", I got following exception when trying to create connection with > Apache Directory Studio. > > javax.security.auth.login.LoginException: Integrity check on decrypted > field failed (31) - Integrity check on decrypted field failed > > Then I tried again with kinit and got another error as below, > > [dcos@mesos-ds apacheds-2.0.0-M23]$ sudo kinit krbtest > Password for [email protected]: > kinit: Password incorrect while getting initial credentials
Sounds like a password problem: Please verify that the password you use for authentication is the same you used when you created the entry. For entry creation the password must be plain text (but password hash interceptor will SSHA hash it by default) Please make sure that the key derivation interceptor is enabled. If it is enabled then the entry you imported has 5 krb5Key attributes that were derived from the password. When you configured ApacheDS via the Studio configuration editor (as described on [1]) the interceptor is enabled by default. You can verify by checking entry [2], ads-enabled must not be "false" (either true or absent). Kind Regards, Stefan [1] https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html [2] ads-interceptorId=keyDerivationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
