On 03/24/2014 12:35 PM, Massimiliano Perrone (tirasa.net) wrote:
On 03/21/2014 04:52 PM, Massimiliano Perrone (tirasa.net) wrote:
On 03/20/2014 02:09 PM, Simo Sorce wrote:
On Thu, 2014-03-20 at 14:47 +0200, Alexander Bokovoy wrote:
On Thu, 20 Mar 2014, Rob Crittenden wrote:
Alexander Bokovoy wrote:
On Thu, 20 Mar 2014, Massimiliano Perrone (example.com) wrote:
On 03/18/2014 05:26 PM, Alexander Bokovoy wrote:
On Tue, 18 Mar 2014, Massimiliano Perrone (example.com) wrote:
The difference between the two calls is in the last TGS_REQ:
the first one is for ldap/olmo.example....@example.com and
it's OK, whereas the second one is for
HTTP/olmo.example....@example.com, which returns a 401 (I suppose).

Where's the error?
Am I correct that you have a user connecting to HTTP/ebano.example.com and then HTTP/ebano.example.com wants to talk to HTTP/olmo.example.com
using credentials of the user?

FreeIPA uses constrained delegation of the credentials, with the help of
the S4U2Proxy extension. You need to allow HTTP/ebano.example.com to
delegate credentials to HTTP/olmo.example.com.

I have written an article on how to do that:
https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html

Hi Alexander, thanks for your reply.
I read your interesting post carefully and followed it to delegate
HTTP/ebano.example.com credentials to HTTP/olmo.example.com.

Now, two questions:
1) How can I check that my configuration is now OK? Because this
ldapsearch returns result: 0

ldapsearch -Y GSSAPI -H ldap://olmo.example.com -b "cn=s4u2proxy,cn=etc,dc=example,dc=com" "cn=ipa-http-delegation-targets" dn
You need to create these delegation entries yourself, like the article says. Note that your app talks to IPA server's HTTP service, so create

dn: cn=ebano-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: ebano-http-delegation
memberPrincipal: HTTP/ebano.example....@example.com
ipaAllowedTarget: cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com

This entry says: "HTTP/ebano.example.com is allowed to delegate users'
credentials to whatever Kerberos principal is a member of
cn=ebano-http-delegation-targets group"

Now, this is the group:
dn: cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: groupOfPrincipals
objectClass: top
cn: ebano-http-delegation-targets
memberPrincipal: HTTP/olmo.example....@example.com

With these two entries we would have HTTP/ebano.example.com allowed to
delegate users' credentials to HTTP/olmo.example.com
Hi Alexander, thanks for your patience.
I followed your suggestions but the result is always the same.

Trying with curl, of course, it works.

My doubt now is why curl generates this log on the Kerberos server

mar 20 10:22:20 olmo.example.com krb5kdc[5091](info): TGS_REQ (1
etypes {18}) 192.168.0.105: ISSUE: authtime 1395301975, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for krbtgt/example....@example.com
mar 20 10:22:21 olmo.example.com krb5kdc[5091](info): TGS_REQ (6
etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 1395301975,
etypes {rep=18 tkt=18 ses=18}, ad...@example.com for
ldap/olmo.example....@example.com
This is the effect of the S4U extension working correctly.

whereas Java generates this other one

mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.0.105: NEEDED_PREAUTH:
HTTP/ebano.example....@example.com for krbtgt/example....@example.com,
Additional pre-authentication required
mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.0.105: ISSUE: authtime 1395307449, etypes
{rep=18 tkt=18 ses=18}, HTTP/ebano.example....@example.com for
krbtgt/example....@example.com
mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): TGS_REQ (6
etypes {18 17 16 23 1 3}) 192.168.0.105: ISSUE: authtime 1395307449, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example....@example.com for
HTTP/olmo.example....@example.com

As you can see, the first one uses admin for the ldap service, the second
one uses HTTP/ebano.example.com for the HTTP service.
This means your Java application doesn't use the S4U extension or doesn't
know about it.

Can I do the same call with Java?
At this point we need to make clear which Java you are using.

http://download.java.net/jdk8/docs/technotes/guides/security/jgss/jgss-features.html

says that the S4U extensions (we use S4U2Proxy here) were added in Java SE 8.

The client doesn't do the S4U2Proxy work though, so this shouldn't
matter, right?
My point is that the client will not do what he expects unless S4U2Proxy
is used in Java, and that requires the Java 8 platform, released on March
18th 2014.
I think you can use earlier Java versions but tell them to use the
native GSSAPI library (and perhaps sprinkle a little bit of GSS-Proxy in
the back for fun).

Here I am again :)

I wrote a GSSClient [1] obtaining:
###################################################
java.io.IOException: Server returned HTTP response code: 401 for URL: https://olmo.example.com/ipa/json
###################################################

Other info from the Kerberos client:
###################################################
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/ebano.example.com
principal is HTTP/ebano.example....@example.com
Will use keytab
Commit Succeeded

Found ticket for HTTP/ebano.example....@example.com to go to krbtgt/example....@example.com expiring on Sat Mar 22 16:38:37 CET 2014
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject <---------------------------------------------------------------
>>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23 1 3.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbKdcReq send: kdc=olmo.example.com UDP:88, timeout=30000, number of retries =3, #bytes=681
>>> KDCCommunication: kdc=olmo.example.com UDP:88, timeout=30000,Attempt =1, #bytes=681
>>> KrbKdcReq send: #bytes read=642
>>> KdcAccessibility: remove olmo.example.com
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 1042307601
Created InitSecContextToken:
###################################################

As you can see in the row indicated by the arrow there's:
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject <---------------------------------------------------------------
Is this right?

Hi guys, sorry for the noise...
Maybe this information can help us understand the root cause of our problem.

httpd access_log
192.168.0.176 - HTTP/ebano.tirasa....@tirasa.net [24/Mar/2014:12:21:57 +0100] "POST /ipa/json HTTP/1.1" 500 272
httpd error_log
[Mon Mar 24 12:21:57.971182 2014] [:error] [pid 24462] ipa: ERROR: 500 Internal Server Error: jsonserver_kerb.__call__: KRB5CCNAME not defined in HTTP request environment

Other question/information...
I don't know if I'm saying something wrong but......
Reading [1] at line 980 I noticed that the kinit method sets the KRB5CCNAME variable

def kinit(self, user, realm, password, ccache_name):
    # Format the user as a kerberos principal
    principal = krb5_format_principal_name(user, realm)

    (stdout, stderr, returncode) = ipautil.run(['/usr/bin/kinit', principal],
                                               env={'KRB5CCNAME': ccache_name},
                                               stdin=password, raiseonerr=False)
    self.debug('kinit: principal=%s returncode=%s, stderr="%s"',
               principal, returncode, stderr)

    if returncode != 0:
        raise InvalidSessionPassword(principal=principal, message=unicode(stderr))

Is it possible that the LoginContext method of the Java Kerberos libraries doesn't do the same thing?

[1] http://www.freeipa.org/developer-docs/ipaserver.rpcserver-pysrc.html

PS: the next step is a Java 8 installation, to follow Alexander's suggestions.

[1] https://github.com/massx1/KerberosExample/blob/master/src/main/java/net/tirasa/kerberosexample/GSSClient.java

That is, if there is a user talking to the Java client and
then the Java client turning to the IPA LDAP or web server with constrained
delegation.

This is something I tried to get clarification for in the original
discussion.

--
Massimiliano Perrone
Tel +39 393 9121310

Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/~massi/

"Learning many things does not teach intelligence"
(Heraclitus)

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel