List:       kerberos
Subject:    AW: some windows user fail
From:       Gsandtner Michael <michael.gsandtner () wien ! gv ! at>
Date:       2013-02-14 6:57:34
Message-ID: CDB785DEF421B94BA51F34F0FA19D7BD0833568A () ntex2010a ! host ! magwien ! gv ! at

It turned out to be a problem in the Oracle Directory Server documentation about
configuring GSSAPI (one should use "dsMatching-pattern: ${Principal}" instead of
"dsMatching-pattern: \${Principal}" in the identityMapping).

Now all users work as expected.

--Michael Gsandtner

-----Original Message-----
From: Benjamin Kaduk *EXTERN* [mailto:kaduk@MIT.EDU]
Sent: Thursday, 24 January 2013 04:29
To: Gsandtner Michael
Cc: 'kerberos@mit.edu'
Subject: Re: some windows user fail

On Mon, 21 Jan 2013, Gsandtner Michael wrote:

> We want to access a LDAP Directory Server:
> Directory Server: Sun-Directory-Server/11.1.1.5.0 B2011.0517.2353 (64-bit) on Red Hat Enterprise Linux Server release 5.8 (Tikanga)
> KDC: Active Directory 2003 on Windows Server 2003 SP2
> Client Jxplorer v3.3.02 on Red Hat Enterprise Linux ES release 4 (Nahant Update 9)
> 
> Most of the domain users work, however some do not, e.g.:

It is a bit hard to tell what the failing behavior is from the verbose log 
without a success case to compare to, but:

> # kinit admadvgsa
> # JXOPTS="-Dsun.security.krb5.debug=true" ./jxplorer.sh console
> starting JXplorer...
> java -Dsun.security.krb5.debug=true -Dfile.encoding=utf-8  -cp .:jars/*:jasper/lib/* com.ca.directory.jxplorer.JXplorer
> Jan 21, 2013 11:10:31 AM com.ca.directory.jxplorer.JXplorer printTime

> Using builtin default etypes for default_tgs_enctypes
> default etypes for default_tgs_enctypes: 3 1 23 16 17.
> >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>> KrbKdcReq send: kdc=master.magwien.gv.at UDP:88, timeout=30000, number of retries =3, #bytes=1340
> >>> KDCCommunication: kdc=master.magwien.gv.at UDP:88, timeout=30000,Attempt =1, #bytes=1340
> >>> KrbKdcReq send: #bytes read=1322
> >>> KrbKdcReq send: #bytes read=1322
> >>> KdcAccessibility: remove master.magwien.gv.at
> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
> >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType

Are these three EType lines different for a successful case?

-Ben Kaduk

> Krb5Context setting mySeqNumber to: 658059415
> Krb5Context setting peerSeqNumber to: 0

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos