[
https://issues.apache.org/jira/browse/DIRSERVER-2205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16109107#comment-16109107
]
Emmanuel Lecharny commented on DIRSERVER-2205:
----------------------------------------------
In any case, ApacheDS will generate the {{KRB_AP_ERR_MODIFIED}} error in the
{{verifyChecksum}} method :
{noformat}
/**
* Message stream modified.
*/
public static final ErrorType KRB_AP_ERR_MODIFIED = new ErrorType( 41,
"Message stream modified" );
{noformat}
and
{noformat}
/**
* Verify a checksum by providing the raw bytes and an (optional) key for
keyed checksums.
*
* @param checksum
* @param bytes
* @param key
* @param usage
* @throws KerberosException
*/
public void verifyChecksum( Checksum checksum, byte[] bytes, byte[] key,
KeyUsage usage ) throws KerberosException
{
if ( checksum == null )
{
throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM );
}
if ( !DEFAULT_CHECKSUMS.containsKey( checksum.getChecksumType() ) )
{
throw new KerberosException( ErrorType.KDC_ERR_SUMTYPE_NOSUPP );
}
ChecksumType checksumType = checksum.getChecksumType();
ChecksumEngine digester = getEngine( checksumType );
Checksum newChecksum = new Checksum( checksumType,
digester.calculateChecksum( bytes, key, usage ) );
if ( !newChecksum.equals( checksum ) )
{
throw new KerberosException( ErrorType.KRB_AP_ERR_MODIFIED );
}
}
{noformat}
which means the checksum is seen as invalid. Now to know why...
> ldap tools don't work with gssapi sasl
> ---------------------------------------
>
> Key: DIRSERVER-2205
> URL: https://issues.apache.org/jira/browse/DIRSERVER-2205
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: core
> Affects Versions: 2.0.0-M24
> Environment: Linux Centos 7 x64
> ApacheDS 2.0.0-M4
> openJDK
> krb5-workstation
> openlda-clients
> Reporter: Alex Duzsardi
>
> Hi,
> I successfully installed ApacheDS , was able to start , configure the service
> and set up kerberos authentication.
> It work without problem from ApacheDS Studio , i can login with GSSAPI , but
> can't say the same from local ldap tools (openldap-clients)
> I can't get a tgt from the kerberos with kinit , i've exported the ldap
> service principal using ktutil and saved it as /etc/krb5.keytab , configured
> krb5.conf , configured ldap.conf .
> hostnames are configured statically through /etc/hosts , actually only one
> host as the server is also the client (LAN_IP example.com ,
> ldap/example....@example.com got exported with ktutil)
> [root@example ~]# cat /etc/krb5.conf
> [libdefaults]
> default_realm = EXAMPLE.COM
> # rdns = false
> [realms]
> EXAMPLE.COM = {
> kdc = example.com:60088
> default_domain = EXAMPLE.COM
> }
> [domain_realm]
> example.com = EXAMPLE.COM
> .example.com = EXAMPLE.COM
> ------------------------------------------------------------------------
> [root@example ~]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 1 ldap/example....@example.com
> [root@example ~]#
> --------------------------------------------------------------------------------
> [root@example ~]# kinit hnelson
> Password for hnel...@example.com:
> [root@example ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: hnel...@example.com
> Valid starting Expires Service principal
> 07/31/2017 20:54:48 08/01/2017 20:54:38 krbtgt/example....@example.com
> [root@example ~]#
> {color:red}[root@example ~]# ldapsearch -Y GSSAPI -H ldap://example.com:10389
> -b "dc=example,dc=com" "(uid=hnelson)"
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (Message stream
> modified)
> {color}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
