[ https://issues.apache.org/jira/browse/DIRSERVER-2205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16109107#comment-16109107 ]
Emmanuel Lecharny commented on DIRSERVER-2205:
----------------------------------------------

In any case, ApacheDS will generate the {{KRB_AP_ERR_MODIFIED}} error in the {{verifyChecksum}} method:

{noformat}
/**
 * Message stream modified.
 */
public static final ErrorType KRB_AP_ERR_MODIFIED = new ErrorType( 41, "Message stream modified" );
{noformat}

and

{noformat}
/**
 * Verify a checksum by providing the raw bytes and an (optional) key for keyed checksums.
 *
 * @param checksum
 * @param bytes
 * @param key
 * @param usage
 * @throws KerberosException
 */
public void verifyChecksum( Checksum checksum, byte[] bytes, byte[] key, KeyUsage usage ) throws KerberosException
{
    if ( checksum == null )
    {
        throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM );
    }

    if ( !DEFAULT_CHECKSUMS.containsKey( checksum.getChecksumType() ) )
    {
        throw new KerberosException( ErrorType.KDC_ERR_SUMTYPE_NOSUPP );
    }

    ChecksumType checksumType = checksum.getChecksumType();
    ChecksumEngine digester = getEngine( checksumType );
    Checksum newChecksum = new Checksum( checksumType, digester.calculateChecksum( bytes, key, usage ) );

    if ( !newChecksum.equals( checksum ) )
    {
        throw new KerberosException( ErrorType.KRB_AP_ERR_MODIFIED );
    }
}
{noformat}

which means the checksum is seen as invalid. Now to know why...


> ldap tools don't work with gssapi sasl
> ---------------------------------------
>
> Key: DIRSERVER-2205
> URL: https://issues.apache.org/jira/browse/DIRSERVER-2205
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: core
> Affects Versions: 2.0.0-M24
> Environment: Linux Centos 7 x64
> ApacheDS 2.0.0-M4
> openJDK
> krb5-workstation
> openldap-clients
> Reporter: Alex Duzsardi
>
> Hi,
> I successfully installed ApacheDS, was able to start, configure the service and set up kerberos authentication.
> It works without problem from ApacheDS Studio, I can login with GSSAPI, but can't say the same from local ldap tools (openldap-clients).
> I can't get a tgt from the kerberos with kinit, I've exported the ldap service principal using ktutil and saved it as /etc/krb5.keytab, configured krb5.conf, configured ldap.conf.
> hostnames are configured statically through /etc/hosts, actually only one host as the server is also the client (LAN_IP example.com, ldap/example....@example.com got exported with ktutil)
>
> [root@example ~]# cat /etc/krb5.conf
> [libdefaults]
> default_realm = EXAMPLE.COM
> # rdns = false
> [realms]
> EXAMPLE.COM = {
> kdc = example.com:60088
> default_domain = EXAMPLE.COM
> }
> [domain_realm]
> example.com = EXAMPLE.COM
> .example.com = EXAMPLE.COM
> ------------------------------------------------------------------------
> [root@example ~]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 1 ldap/example....@example.com
> [root@example ~]#
> --------------------------------------------------------------------------------
> [root@example ~]# kinit hnelson
> Password for hnel...@example.com:
> [root@example ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: hnel...@example.com
> Valid starting       Expires              Service principal
> 07/31/2017 20:54:48  08/01/2017 20:54:38  krbtgt/example....@example.com
> [root@example ~]#
> {color:red}
> [root@example ~]# ldapsearch -Y GSSAPI -H ldap://example.com:10389 -b "dc=example,dc=com" "(uid=hnelson)"
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Message stream modified)
> {color}
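The comment above quotes the three checks in ApacheDS's {{verifyChecksum}}: missing checksum, unsupported checksum type, and recomputed-value mismatch. The following Python model is an added example, not ApacheDS code, and it uses a simplified keyed-checksum engine (HMAC-SHA1 truncated to 96 bits, with a usage-derived key) as a stand-in for the real RFC 3961 engines; the key bytes, message and usage number are constructed sample values. What it shows is that the single {{KRB_AP_ERR_MODIFIED}} outcome covers every cause of a mismatch, not only a modified message: a stale or wrong key (such as a keytab whose key version no longer matches) and a wrong key-usage number produce exactly the same error, which is why the client-side "Message stream modified" text alone does not tell an investigator which of those happened.

```python
"""Model of the verifyChecksum decision path and the causes that collapse into MODIFIED."""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class ErrorType(Enum):
    # Kerberos error codes per RFC 4120 section 7.5.9; 41 is the one quoted in the thread.
    KDC_ERR_SUMTYPE_NOSUPP = 15
    KRB_AP_ERR_MODIFIED = 41
    KRB_AP_ERR_INAPP_CKSUM = 50


class KerberosException(Exception):
    def __init__(self, error_type: ErrorType):
        super().__init__(error_type.name)
        self.error_type = error_type


@dataclass(frozen=True)
class Checksum:
    checksum_type: str
    value: bytes


def _keyed_engine(data: bytes, key: bytes, usage: int) -> bytes:
    # Simplified stand-in for a keyed checksum engine (assumption, not ApacheDS's code):
    # derive a usage-specific key, HMAC the message, truncate to 96 bits.
    usage_key = hmac.new(key, usage.to_bytes(4, "big"), hashlib.sha1).digest()
    return hmac.new(usage_key, data, hashlib.sha1).digest()[:12]


# Supported checksum types, mirroring the DEFAULT_CHECKSUMS lookup in the quoted Java.
DEFAULT_CHECKSUMS = {"hmac-sha1-96-demo": _keyed_engine}


def calculate_checksum(checksum_type: str, data: bytes, key: bytes, usage: int) -> Checksum:
    return Checksum(checksum_type, DEFAULT_CHECKSUMS[checksum_type](data, key, usage))


def verify_checksum(checksum, data: bytes, key: bytes, usage: int) -> None:
    """Same three checks, in the same order, as the quoted verifyChecksum method."""
    if checksum is None:
        raise KerberosException(ErrorType.KRB_AP_ERR_INAPP_CKSUM)
    engine = DEFAULT_CHECKSUMS.get(checksum.checksum_type)
    if engine is None:
        raise KerberosException(ErrorType.KDC_ERR_SUMTYPE_NOSUPP)
    expected = engine(data, key, usage)
    # Constant-time compare; any mismatch, whatever its cause, is reported as MODIFIED.
    if not hmac.compare_digest(expected, checksum.value):
        raise KerberosException(ErrorType.KRB_AP_ERR_MODIFIED)


def classify(checksum, data: bytes, key: bytes, usage: int):
    """Return None when verification passes, otherwise the error name."""
    try:
        verify_checksum(checksum, data, key, usage)
    except KerberosException as exc:
        return exc.error_type.name
    return None


# Constructed sample data: current and previous service keys, a message, a usage number.
SERVICE_KEY = b"constructed-service-key-from-keytab"
STALE_KEY = b"constructed-previous-key-version"
MESSAGE = b"constructed authenticator bytes"
USAGE = 11


def demo() -> dict:
    """Run the verifier against each failure cause and collect the outcomes."""
    good = calculate_checksum("hmac-sha1-96-demo", MESSAGE, SERVICE_KEY, USAGE)
    return {
        "intact": classify(good, MESSAGE, SERVICE_KEY, USAGE),
        "tampered": classify(good, MESSAGE + b"!", SERVICE_KEY, USAGE),
        "wrong_key": classify(good, MESSAGE, STALE_KEY, USAGE),
        "wrong_usage": classify(good, MESSAGE, SERVICE_KEY, USAGE + 1),
        "unknown_type": classify(Checksum("rsa-md5", good.value), MESSAGE, SERVICE_KEY, USAGE),
        "missing": classify(None, MESSAGE, SERVICE_KEY, USAGE),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12s} -> {result or 'OK'}")
```

When troubleshooting a report like this one, the table of outcomes is the point: tampered, wrong_key and wrong_usage all land on KRB_AP_ERR_MODIFIED, so distinguishing them requires checking which key and usage each side actually used (for example, the keytab key version the server loaded versus the one the KDC issued the ticket under), not just reading the error text.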