Re: some windows user fail

Gsandtner Michael michael.gsandtner at wien.gv.at
Thu Feb 14 01:57:34 EST 2013


It turned out to be a problem in the Oracle Directory Server documentation about configuring GSSAPI (one should use "dsMatching-pattern: ${Principal}" instead of "dsMatching-pattern: \${Principal}" in the identityMapping).

Now all users work as expected.

--Michael Gsandtner

-----Original Message-----
From: Benjamin Kaduk *EXTERN* [mailto:kaduk at MIT.EDU]
Sent: Thursday, 24 January 2013 04:29
To: Gsandtner Michael
Cc: 'kerberos at mit.edu'
Subject: Re: some windows user fail

On Mon, 21 Jan 2013, Gsandtner Michael wrote:

> We want to access an LDAP Directory Server:
> Directory Server: Sun-Directory-Server/11.1.1.5.0 B2011.0517.2353 (64-bit) on Red Hat Enterprise Linux Server release 5.8 (Tikanga)
> KDC: Active Directory 2003 on Windows Server 2003 SP2
> Client Jxplorer v3.3.02 on Red Hat Enterprise Linux ES release 4 (Nahant Update 9)
>
> Most of the domain users work, however some do not, e.g.:

It is a bit hard to tell what the failing behavior is from the verbose log 
without a success case to compare to, but:

> # kinit admadvgsa
> # JXOPTS="-Dsun.security.krb5.debug=true" ./jxplorer.sh console
> starting JXplorer...
> java -Dsun.security.krb5.debug=true -Dfile.encoding=utf-8  -cp .:jars/*:jasper/lib/* com.ca.directory.jxplorer.JXplorer
> Jan 21, 2013 11:10:31 AM com.ca.directory.jxplorer.JXplorer printTime

> Using builtin default etypes for default_tgs_enctypes
> default etypes for default_tgs_enctypes: 3 1 23 16 17.
>>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbKdcReq send: kdc=master.magwien.gv.at UDP:88, timeout=30000, number of retries =3, #bytes=1340
>>>> KDCCommunication: kdc=master.magwien.gv.at UDP:88, timeout=30000,Attempt =1, #bytes=1340
>>>> KrbKdcReq send: #bytes read=1322
>>>> KrbKdcReq send: #bytes read=1322
>>>> KdcAccessibility: remove master.magwien.gv.at
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType

Are these three EType lines different for a successful case?

-Ben Kaduk

> Krb5Context setting mySeqNumber to: 658059415
> Krb5Context setting peerSeqNumber to: 0