On Thu, Apr 24, 2014 at 10:10 PM, Josh Clum <[email protected]> wrote:
> So just looking at the ticket, I can get the following seemingly relevant
> information. I'm requesting a TGT for a principal [email protected].
> krbtgt/[email protected] is my KDC in LDAP.
>
> TgTicket serverTgt = conn.getTgt(sshPrincipal, PASSWORD);
> LOG.debug("Client name: {}", serverTgt.getClientName());
> LOG.debug("Key version: {}", serverTgt.getEncKdcRepPart().getKey().getKeyVersion());
> LOG.debug("Key type: {}", serverTgt.getEncKdcRepPart().getKey().getKeyType());
> LOG.debug("Server name: {}", serverTgt.getServerName());
> LOG.debug("Ticket Vno: {}", serverTgt.getTicket().getTktVno());
> LOG.debug("Protocol Vno: {}", serverTgt.getTicket().getProtocolVersionNumber());
> LOG.debug("Server Name: {}", serverTgt.getTicket().getSName());
> LOG.debug("Server Name Value Type: {}", serverTgt.getTicket().getSName().getNameType().getValue());
> LOG.debug("Server Name String: {}", serverTgt.getTicket().getSName().getNameString());
>
> Client name: client
> Key version: 0
> Key type: des-cbc-md5 (3)
> Server name: krbtgt/EXAMPLE.COM
> Ticket Vno: 5
> Protocol Vno: 5
> Server Name: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
> Server Name Value Type: 2
> Server Name String: krbtgt/EXAMPLE.COM
>
> For my keytab entry I need:
>
> new KeytabEntry(String princNam, long PrincType, KerberosTime timeStamp,
>                 byte keyverion, EncryptionKey key);

I have fixed an issue with null starttime in the ticket and also modified the
above constructor a bit (mostly changed the type of 'principalType' to int).
I suggest you use the trunk.

> I'm guessing that creating a keytab entry for [email protected] would be
> done by passing in:
>
> new KeytabEntry("[email protected]", X, Y, (byte) 0, Z);
>
> where:
>
> *X = PrincType? Is there some constant defined somewhere?*
> Y = new KerberosTime(KerberosUtils.UTC_DATE_FORMAT.parse("20070217235745Z"));
> Z = encryption key from TgTicket.getEncKdcRepPart()
>
> Does that sound correct? Could I then use that keytab to authenticate
> [email protected]?

Here is the test code that I used to create a Keytab:
http://pastebin.com/3AvpSARx

For some reason yet unknown to me, when I try klist on this keytab it fails
with the error (both on Linux and OS X as well):

klist: krb5_cc_get_principal: Offset too large

I have verified the format of the generated keytab and it is correct.

> Josh
>
> On Thu, Apr 24, 2014 at 11:45 AM, Kiran Ayyagari <[email protected]> wrote:
>>
>> On Thu, Apr 24, 2014 at 9:06 PM, Josh Clum <[email protected]> wrote:
>>
>>> What would be the key things I would need to get from the Tgt?
>>
>> all those that are needed to build a keytab ;)
>> (let me know if you don't find a particular piece of data in TgTicket)
>>
>>> On Thu, Apr 24, 2014 at 9:33 AM, Kiran Ayyagari <[email protected]> wrote:
>>>>
>>>> On Thu, Apr 24, 2014 at 6:57 PM, Josh Clum <[email protected]> wrote:
>>>>
>>>>> I was wondering if there was a way to generate my own keytab in Java
>>>>> without going to the KDC? I found code similar to this in an ApacheDS test:
>>>>>
>>>>> Keytab keytab = Keytab.getInstance();
>>>>> KerberosTime timeStamp = new
>>>>>     KerberosTime(KerberosUtils.UTC_DATE_FORMAT.parse("20070217235745Z"));
>>>>>
>>>>> Map<EncryptionType, EncryptionKey> keys = KerberosKeyFactory
>>>>>     .getKerberosKeys(principalName, userPassword);
>>>>>
>>>>> KeytabEntry keytabEntry = new KeytabEntry(
>>>>>     principalName,
>>>>>     1L,
>>>>>     timeStamp,
>>>>>     (byte) 0,
>>>>>     keys.get(EncryptionType.DES_CBC_MD5));
>>>>>
>>>>> List<KeytabEntry> entry = Arrays.asList(keytabEntry);
>>>>>
>>>>> keytab.setEntries(entry);
>>>>>
>>>>> keytab.write(keytabFile);
>>>>>
>>>>> return keytabFile;
>>>>>
>>>>> I'm able to do a klist on a keytab that I create:
>>>>>
>>>>> Vno  Type         Principal                 Date        Aliases
>>>>>   0  des-cbc-md5  ssh/[email protected]  2007-02-17
>>>>>
>>>>> Also, if this is not possible, is there a way to programmatically get
>>>>> a keytab using ApacheDS or any other Java library?
>>>>
>>>> one way to do this is to use KdcConnection to obtain a TgTicket and
>>>> create KeyTab from the details of TgTicket
>>>>
>>>> --
>>>> Kiran Ayyagari
>>>> http://keydap.com
>>
>> --
>> Kiran Ayyagari
>> http://keydap.com

--
Kiran Ayyagari
http://keydap.com
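The thread turns on three things: which principal name type the first KeytabEntry argument is (the `1L` in the ApacheDS test is KRB_NT_PRINCIPAL, and the value `2` printed for krbtgt/EXAMPLE.COM is KRB_NT_SRV_INST), how the 20070217235745Z KerberosTime maps to the timestamp stored in the file, and why klist reports "Offset too large" on a file that looks right. That last error comes from a length field that points past the end of the file, so the useful check is to serialize an entry and then re-read it with every length validated. The following is an added example written for this thread, not ApacheDS code and not the pastebin from the message; it is in Python rather than Java because it is about the on-disk MIT keytab v2 layout (magic 0x0502) rather than the ApacheDS API. The all-zero DES key is a constructed stand-in for the key you would take from TgTicket.getEncKdcRepPart().

```python
import calendar
import struct
import time

# MIT keytab file format, version 2 (magic bytes 0x05 0x02).
KEYTAB_MAGIC = b"\x05\x02"

# Principal name types from RFC 4120 section 6.2.
KRB_NT_PRINCIPAL = 1   # e.g. client@EXAMPLE.COM (the 1L in the thread)
KRB_NT_SRV_INST = 2    # e.g. krbtgt/EXAMPLE.COM@EXAMPLE.COM (value 2 in the thread)

# Encryption type numbers from the IANA Kerberos registry (RFC 3961).
DES_CBC_MD5 = 3        # the enctype shown in the thread's klist output
AES256_CTS_HMAC_SHA1_96 = 18


def _counted(data):
    """Keytab 'counted octet string': 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(buf, pos, limit):
    """Read a counted octet string, refusing to run past the entry boundary."""
    if pos + 2 > limit:
        raise ValueError("length field at offset %d runs past entry end" % pos)
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > limit:
        raise ValueError("counted string at offset %d runs past entry end" % pos)
    return buf[pos:pos + n], pos + n


def kerberos_time(generalized):
    """Convert a KerberosTime string such as 20070217235745Z to a UNIX timestamp."""
    return calendar.timegm(time.strptime(generalized, "%Y%m%d%H%M%SZ"))


def encode_entry(principal, name_type, timestamp, kvno, enctype, key):
    """Serialize one keytab entry (MIT v2 layout) including its int32 size prefix."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components))      # v2 counts components only, not the realm
    body += _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">I", name_type)
    body += struct.pack(">I", timestamp)
    body += struct.pack(">B", kvno & 0xFF)         # 8-bit key version number
    body += struct.pack(">H", enctype)
    body += _counted(key)
    body += struct.pack(">I", kvno)                # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def write_keytab(entries):
    """entries: iterable of (principal, name_type, timestamp, kvno, enctype, key_bytes)."""
    return KEYTAB_MAGIC + b"".join(encode_entry(*e) for e in entries)


def parse_keytab(data):
    """Parse a v2 keytab, checking every length field against the file bounds."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated entry header at offset %d" % pos)
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        if end > len(data):                         # this is the 'offset too large' case
            raise ValueError("entry size %d at offset %d exceeds file length" % (size, pos - 4))
        p = pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm, p = _read_counted(data, p, end)
        comps = []
        for _ in range(ncomp):
            comp, p = _read_counted(data, p, end)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", data, p)
        p += 2
        key, p = _read_counted(data, p, end)
        kvno = vno8
        if end - p >= 4:                            # 32-bit kvno overrides vno8 when non-zero
            (kvno32,) = struct.unpack_from(">I", data, p)
            if kvno32:
                kvno = kvno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "timestamp": timestamp,
            "kvno": kvno,
            "enctype": enctype,
            "key": key,
        })
        pos = end
    return entries


if __name__ == "__main__":
    # Constructed sample: an all-zero DES key stands in for the key from the TGT reply.
    sample = [("client@EXAMPLE.COM", KRB_NT_PRINCIPAL,
               kerberos_time("20070217235745Z"), 0, DES_CBC_MD5, bytes(8))]
    blob = write_keytab(sample)
    for entry in parse_keytab(blob):
        print(entry["kvno"], entry["enctype"], entry["principal"], entry["timestamp"])
```

Running parse_keytab over a keytab that klist rejects will name the entry and offset whose size or string length overruns the file, which is the fastest way to tell whether the writer emitted a bad length prefix or counted the realm as a component. For a real keytab the key material is a long-lived credential equivalent to the principal's password, so the file should be created with restrictive permissions and the sample zero key above must never be written to a keytab that is actually used.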
