Re: [Freeipa-devel] Talking json/rpc with java client

Tue, 18 Mar 2014 03:27:45 -0700 

On Tue, 18 Mar 2014, Massimiliano Perrone (tirasa.net) wrote:

On 03/18/2014 10:10 AM, Jan Pazdziora wrote:

On Tue, Mar 18, 2014 at 09:02:13AM +0100, Marco Di Sabatino Di Diodoro wrote:

what are the requirements or packages that a client must have to call JSON/RPC 
with java? We have a 401 error.

What packages / code do you attempt to use when you get that 401?



Hi guys, first of all thanks for your replies.

Summarizing...

1) On FreeIPA server I created a keytab executing following commands:
       *) ipa host-add ebano.example.com
       *) ipa service-add HTTP/ebano.example.com
*) ipa-getkeytab -s olmo.example.com -p HTTP/ebano.example.com -k /tmp/ebano.keytab 
       *) scp /tmp/ebano.keytab root@ebano:/var/tmp
2) On ebano (the client machine) I have a Java client based on HttpClient 3.1 that uses this java.security.auth.login.config file: 
#########################################
un.security.jgss.login {
   com.sun.security.auth.module.Krb5LoginModule required
   client=TRUE
   refreshKrb5Config=true
   useKeyTab=true
   keyTab="/var/tmp/ebano.keytab"
   principal="HTTP/ebano.example.com";
};

com.sun.security.jgss.initiate {
   com.sun.security.auth.module.Krb5LoginModule required
   client=TRUE
   refreshKrb5Config=true
   useKeyTab=true
   keyTab="/var/tmp/ebano.keytab"
   principal="HTTP/ebano.example.com";

};

com.sun.security.jgss.accept {
   com.sun.security.auth.module.Krb5LoginModule required
   client=TRUE
   refreshKrb5Config=true
   useKeyTab=true
   keyTab="/var/tmp/ebano.keytab"
   principal="HTTP/ebano.example.com";
};
#########################################
As you can see in attached log file, I can negotiate authentication on FreeIPA server and final response from it is a 401
10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "{" 10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "[\n]" 10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << " "error": {[\n]" 10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << " "code": 1101, [\n]" 10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << " "message": "did not receive Kerberos credentials", [\n]" 10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << " "name": {[\n]" 10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << " "__base64__": "Q0NhY2hlRXJyb3I="[\n]" 10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << " }[\n]" 10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << " }, [\n]" 10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << " "id": null, [\n]" 10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << " "principal": "UNKNOWN", [\n]" 10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << " "result": null, [\n]" 10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << " "version": "3.3.4"[\n]" 10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "}" 

But...
Reading Kerberos server log I noticed that a right curl based call generates a mar 18 08:20:12 olmo.example.com krb5kdc[1423](info): TGS_REQ (1 etypes {18}) 192.168.0.105: ISSUE: authtime 1395072185, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected] mar 18 08:20:13 olmo.example.com krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 1395072185, etypes {rep=18 tkt=18 ses=18}, [email protected] for ldap/[email protected] 

whereas Java client generates a
mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: NEEDED_PREAUTH: HTTP/[email protected] for krbtgt/[email protected], Additional pre-authentication required mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: ISSUE: authtime 1395082101, etypes {rep=18 tkt=18 ses=18}, HTTP/[email protected] for krbtgt/[email protected] mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.0.105: ISSUE: authtime 1395082101, etypes {rep=18 tkt=18 ses=18}, HTTP/[email protected] for HTTP/[email protected]
The difference between the two calls is on the last TGS_REQ; because the first one is on ldap/[email protected] and it's OK whereas the second one is on HTTP/[email protected] that returns a 401 (I suppose). 

Where's the error?

Am I correct that you have a user connecting to HTTP/ebano.example.com
and then HTTP/ebano.example.com wants to talk to HTTP/olmo.example.com
using credentials of the user?

FreeIPA uses constraint delegation of the credentials, with the help of
S4U2Proxy extension. You need to allow HTTP/ebano.example.com to delegate
credentials to HTTP/olmo.example.com.

I have written an article how to do that:
https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html

--
/ Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to