On Thu, 2012-05-31 at 10:28 +0100, Darran Lofthouse wrote:
> My apologies if this has already been discussed somewhere, I have tried
> a number of searches to see if this is either a known issue or common
> error on the client side but so far only found references to Java issues
> that should have been resolved a long time ago.
>
> I have a Red Hat server running in Amazon EC2 with IPA
> ipa-server-2.1.3-9.el6.x86_64 installed - I have an admin user and a
> test_user defined.
>
> From my local machine using kinit works without error.
>
> I have developed a test Java client to make use of the Krb5LoginModule,
> I am currently debugging further but thought I would mail this in
> parallel in case I am missing something obvious but I keep getting the
> failure that is at the bottom of this message.
>
> This failure is reported when using java-1.7.0-openjdk-1.7.0.3.x86_64 -
> however I have also tried using various Oracle JDKs, both 6 and 7.
>
> I know the password is correct as verified using kinit, also if I use
> jdk1.6.0_30 AND set the system property for Kerberos debugging to true
> on the client it works.
>
> The only difference I currently see between the failure scenario and
> success scenario is that for success rc4-hmac is selected for the
> PA-ENC-TIMESTAMP; for the failure scenario here aes256-cts-hmac-sha1-96
> is selected instead.
>
> For the work I am currently using IPA for I could just force the use of
> rc4-hmac but would really like to get to the bottom of the cause of this.
>
> Looking forward to any ideas.
>
> Regards,
> Darran Lofthouse.
>
> Exception in thread "main" javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
>     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:759)
>     at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:580)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:601)
>     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
>     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
>     at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721)
>     at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:718)
>     at javax.security.auth.login.LoginContext.login(LoginContext.java:590)
>     at com.darranl.as.sasl.gssapi.KerberosLoginUtil.login(KerberosLoginUtil.java:50)
>     at com.darranl.as.sasl.gssapi.KerberosLoginUtil.main(KerberosLoginUtil.java:136)
> Caused by: KrbException: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
>     at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:82)
>     at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
>     at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
>     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:721)
>     ... 14 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
>     at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
>     at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
>     at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
>     at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
>     ... 17 more
Darran,

I think you may need to download "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7". See here:
http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

Apparently AES is not fully supported unless you have the JCE, which is not distributed by default due to restrictions on export as far as I can understand.

If you prefer to restrict yourself to rc4-hmac, see the ipa-getkeytab man page on how to explicitly request a set of enctypes on a new keytab. Please remember that running ipa-getkeytab will invalidate your previous keys.

HTH.
Simo.

--
Simo Sorce * Red Hat, Inc * New York
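As an added illustration of Simo's point (this is not code from the thread or from FreeIPA), the check below reports whether the running JVM's JCE policy permits 256-bit AES keys, which aes256-cts-hmac-sha1-96 needs for the PA-ENC-TIMESTAMP preauth; a restricted policy returns a 128-bit limit. It uses only the standard Cipher.getMaxAllowedKeyLength API and the sun.security.krb5.debug property Darran mentioned; the class name is my own.

```java
import javax.crypto.Cipher;
import java.security.NoSuchAlgorithmException;

// Hypothetical helper: run on the client JVM before the Krb5LoginModule login
// to tell a JCE policy restriction apart from a genuinely wrong password.
public class JcePolicyCheck {

    // aes256-cts-hmac-sha1-96 derives a 256-bit AES key from the password.
    static final int AES256_KEY_BITS = 256;

    // Largest AES key the installed jurisdiction policy files allow.
    // Integer.MAX_VALUE means the "Unlimited Strength" policy is in place.
    static int maxAesKeyBits() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    // True when the JVM can actually decrypt an AS-REP encrypted with aes256.
    static boolean aes256Allowed() throws NoSuchAlgorithmException {
        return maxAesKeyBits() >= AES256_KEY_BITS;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Same switch Darran used; makes the JDK print the enctype it picks.
        System.setProperty("sun.security.krb5.debug", "true");

        int max = maxAesKeyBits();
        System.out.println("Max AES key length: "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));

        if (aes256Allowed()) {
            System.out.println("aes256-cts-hmac-sha1-96 is usable for PA-ENC-TIMESTAMP.");
        } else {
            // This is the state that produces "Integrity check on decrypted
            // field failed (31) - PREAUTH_FAILED" even with a correct password.
            System.out.println("Only " + max + "-bit AES allowed: install the JCE "
                    + "Unlimited Strength policy files, or limit the principal's "
                    + "enctypes to rc4-hmac as described in the ipa-getkeytab man page.");
        }
    }
}
```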
