On 27/10/15 15:43, Marc Boorshtein wrote:

Looking at KrbKdcRep.java:73 it looks like the failure is happening
because java is setting the forwardable flag to true on the request
but the response has no options in it.  Should the forwardable option
be false in the request?


That's a fair guess.
The whole point of constrained delegation (including protocol impersonation)
is that you do not want to forward tickets, so you shouldn't ask for
forwardable tickets methinks.

Simo.


Thanks Simo.  I tried running kinit with forwarding disabled:

$ kinit HTTP/unison-freeipa.rhelent....@rhelent.lan -k -t
./unison-freeipa.keytab -F

$ klist -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: HTTP/unison-freeipa.rhelent....@rhelent.lan

Valid starting     Expires            Service principal
10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/rhelent....@rhelent.lan
Flags: IA

But when I try again Java refuses to generate the ticket:

tremoloadmin@unison-freeipa ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: HTTP/unison-freeipa.rhelent....@rhelent.lan

Valid starting     Expires            Service principal
10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/rhelent....@rhelent.lan
Flags: IA

Hello World!
Search Subject for Kerberos V5 INIT cred (<<DEF>>,
sun.security.jgss.krb5.Krb5InitCredential)
No Subject
KinitOptions cache name is /tmp/krb5cc_500
DEBUG <CCacheInputStream>  client principal is 
HTTP/unison-freeipa.rhelent....@rhelent.lan
DEBUG <CCacheInputStream> server principal is krbtgt/rhelent....@rhelent.lan
DEBUG <CCacheInputStream> key type: 18
DEBUG <CCacheInputStream> auth time: Tue Oct 27 15:32:52 EDT 2015
DEBUG <CCacheInputStream> start time: Tue Oct 27 15:32:52 EDT 2015
DEBUG <CCacheInputStream> end time: Wed Oct 28 15:32:52 EDT 2015
DEBUG <CCacheInputStream> renew_till time: null
CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
DEBUG <CCacheInputStream>  client principal is 
HTTP/unison-freeipa.rhelent....@rhelent.lan
Java config name: /home/tremoloadmin/krb5.conf
Loaded from Java config
DEBUG <CCacheInputStream> server principal is 
X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/rhelent....@rhelent.lan@RHELENT.LAN
DEBUG <CCacheInputStream> key type: 0
DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969
DEBUG <CCacheInputStream> start time: null
DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969
DEBUG <CCacheInputStream> renew_till time: null
CCacheInputStream: readFlags()
Found ticket for HTTP/unison-freeipa.rhelent....@rhelent.lan to go to
krbtgt/rhelent....@rhelent.lan expiring on Wed Oct 28 15:32:52 EDT
2015
Search Subject for SPNEGO INIT cred (<<DEF>>,
sun.security.jgss.spnego.SpNegoCredElement)
No Subject
Search Subject for Kerberos V5 INIT cred (<<DEF>>,
sun.security.jgss.krb5.Krb5InitCredential)
No Subject
KinitOptions cache name is /tmp/krb5cc_500
DEBUG <CCacheInputStream>  client principal is 
HTTP/unison-freeipa.rhelent....@rhelent.lan
DEBUG <CCacheInputStream> server principal is krbtgt/rhelent....@rhelent.lan
DEBUG <CCacheInputStream> key type: 18
DEBUG <CCacheInputStream> auth time: Tue Oct 27 15:32:52 EDT 2015
DEBUG <CCacheInputStream> start time: Tue Oct 27 15:32:52 EDT 2015
DEBUG <CCacheInputStream> end time: Wed Oct 28 15:32:52 EDT 2015
DEBUG <CCacheInputStream> renew_till time: null
CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
DEBUG <CCacheInputStream>  client principal is 
HTTP/unison-freeipa.rhelent....@rhelent.lan
DEBUG <CCacheInputStream> server principal is 
X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/rhelent....@rhelent.lan@RHELENT.LAN
DEBUG <CCacheInputStream> key type: 0
DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969
DEBUG <CCacheInputStream> start time: null
DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969
DEBUG <CCacheInputStream> renew_till time: null
CCacheInputStream: readFlags()
Found ticket for HTTP/unison-freeipa.rhelent....@rhelent.lan to go to
krbtgt/rhelent....@rhelent.lan expiring on Wed Oct 28 15:32:52 EDT
2015
CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
Exception in thread "main" GSSException: Failure unspecified at
GSS-API level (Mechanism level: Attempt to obtain S4U2self credentials
failed!)
at 
sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
at 
sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:94)
at sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:141)
at io.tremolo.App.main(App.java:27)
Caused by: KrbException: Invalid option setting in ticket request. (101)
at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:165)
at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:100)
at 
sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:66)
at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
at 
sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
... 3 more

Looking at KrbTgsReq line 165:

if (options.get(KDCOptions.FORWARDABLE) &&
        (!(asCreds.flags.get(Krb5.TKT_OPTS_FORWARDABLE)))) {
    throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
}

If I read this correctly it has to be forwardable?  If that's the case,
is Java wrong for requiring the options to be there or is ipa wrong
for not sending the options with the response ticket?

I think the best answer would be to look at what the MIT test program does and make sure Java does the same. This stuff works with the native libraries and is interoperable with Windows AD KDCs where the specification was born.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

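As an added example that is not part of this thread (and not JDK or FreeIPA code): a small Python pre-flight check that parses `klist -f` output and applies the KrbTgsReq rule quoted above, so an administrator can tell from the TGT's flags whether the JDK's S4U2self request will be refused locally with KRB_AP_ERR_REQ_OPTIONS before starting the JVM. The realm, principal and klist transcripts inside it are constructed samples, the flag letters follow the MIT klist man page, and only the FORWARDABLE rule quoted in the thread is modelled.

```python
"""Added example, not code from the thread or from the JDK/FreeIPA projects.

The Java stack trace in the thread ends in KrbTgsReq.<init> raising
KRB_AP_ERR_REQ_OPTIONS (101): the S4U2self TGS-REQ asks for a FORWARDABLE
ticket, but the TGT in the credential cache carries no forwardable flag
(klist -f shows "IA", not "FIA").  This script parses the flag letters that
`klist -f` prints and applies the quoted rule, so the outcome can be
predicted before the JVM is started.  Flag letters follow the MIT klist
man page; only the FORWARDABLE rule quoted in the thread is modelled.
The realm, principal and klist text below are constructed samples.
"""
from dataclasses import dataclass

KRB_AP_ERR_REQ_OPTIONS = 101  # error code carried by the KrbException in the trace

# Letter -> ticket flag name, as documented for `klist -f` (MIT Kerberos).
KLIST_FLAG_LETTERS = {
    "F": "FORWARDABLE", "f": "FORWARDED", "P": "PROXIABLE", "p": "PROXY",
    "D": "POSTDATEABLE", "d": "POSTDATED", "R": "RENEWABLE", "I": "INITIAL",
    "i": "INVALID", "H": "HW_AUTH", "A": "PRE_AUTH",
    "T": "TRANSIT_POLICY_CHECKED", "O": "OK_AS_DELEGATE", "a": "ANONYMOUS",
}


@dataclass
class CachedTicket:
    service: str
    flags: frozenset


def parse_klist(text):
    """Return the tickets listed in `klist -f` output.

    A ticket line is '<start date> <start time> <expiry date> <expiry time>
    <service principal>' and may be followed by an indented 'Flags: ...' line;
    the header and cache/principal lines are skipped.
    """
    tickets = []
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        if len(parts) == 5 and parts[0][:1].isdigit():
            tickets.append(CachedTicket(service=parts[4], flags=frozenset()))
        elif line.startswith("Flags:") and tickets:
            letters = line[len("Flags:"):].strip()
            names = frozenset(KLIST_FLAG_LETTERS[c] for c in letters
                              if c in KLIST_FLAG_LETTERS)
            tickets[-1] = CachedTicket(tickets[-1].service, names)
    return tickets


def find_tgt(tickets, realm):
    """Pick the ticket-granting ticket for `realm` (krbtgt/REALM@REALM)."""
    wanted = f"krbtgt/{realm}@{realm}".lower()
    return next((t for t in tickets if t.service.lower() == wanted), None)


def check_tgs_request(requested_options, tgt):
    """Mirror the quoted KrbTgsReq check: asking for a FORWARDABLE service
    ticket with a TGT that is not itself forwardable is rejected locally,
    before any TGS-REQ is sent, with KRB_AP_ERR_REQ_OPTIONS.  Returns 0
    when the request passes this check."""
    if "FORWARDABLE" in requested_options and "FORWARDABLE" not in tgt.flags:
        return KRB_AP_ERR_REQ_OPTIONS
    return 0


def diagnose(klist_text, realm, requested_options=frozenset({"FORWARDABLE"})):
    """Explain what the JDK check would do for the cache `klist_text` describes.

    The default options reproduce what the thread observed: the JDK's
    S4U2self request sets FORWARDABLE.
    """
    tgt = find_tgt(parse_klist(klist_text), realm)
    if tgt is None:
        return f"no TGT for {realm} in cache; kinit first"
    code = check_tgs_request(requested_options, tgt)
    if code == KRB_AP_ERR_REQ_OPTIONS:
        return ("S4U2self will fail with KRB_AP_ERR_REQ_OPTIONS (101): TGT flags "
                + ",".join(sorted(tgt.flags)) + " lack FORWARDABLE")
    return "TGT is forwardable; the KrbTgsReq option check passes"


# Constructed klist -f transcripts (realm EXAMPLE.TEST is a placeholder).
TGT_NOT_FORWARDABLE = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: HTTP/app.example.test@EXAMPLE.TEST

Valid starting     Expires            Service principal
10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
\tFlags: IA
"""
TGT_FORWARDABLE = TGT_NOT_FORWARDABLE.replace("Flags: IA", "Flags: FIA")

if __name__ == "__main__":
    for sample in (TGT_NOT_FORWARDABLE, TGT_FORWARDABLE):
        print(diagnose(sample, "EXAMPLE.TEST"))
```

Run as a script it prints one verdict per sample. Read against the thread: the TGT obtained with `kinit -F` shows `IA` and fails the check, so the quoted code wants a TGT that is itself forwardable (an `F` among the flags), which is what `kinit -f` asks the KDC for.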
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
