On Tue, 2015-11-17 at 21:36 -0500, Marc Boorshtein wrote:
> I'm putting together a java kerberos client and am having an issue
> getting a SGT form IPA.  I get a TGT without issue, but when I submit
> the TGS-REQ I get the following errors in the ipa log:
> 
> Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1
> etypes {17}) 192.168.2.129: ISSUE: authtime 1447811595, etypes {rep=17
> tkt=18 ses=17}, HTTP/s4u.rhelent....@rhelent.lan for
> krbtgt/rhelent....@rhelent.lan
> 
> Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1
> etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0,  <unknown client>
> for HTTP/ipa.rhelent....@rhelent.lan, ASN.1 structure is missing a
> required field
> 
> Here's the TGS request:
> 
> Kerberos
>     tgs-req
>         pvno: 5
>         msg-type: krb-tgs-req (12)
>         padata: 1 item
>             PA-DATA PA-TGS-REQ
>                 padata-type: kRB5-PADATA-TGS-REQ (1)
>                     padata-value:
> 6e8201f8308201f4a003020105a10302010ea20703050000...
>                         ap-req
>                             pvno: 5
>                             msg-type: krb-ap-req (14)
>                             Padding: 0
>                             ap-options: 00000000
>                                 0... .... = reserved: False
>                                 .0.. .... = use-session-key: False
>                                 ..0. .... = mutual-required: False
>                             ticket
>                                 tkt-vno: 5
>                                 realm: RHELENT.LAN
>                                 sname
>                                     name-type: kRB5-NT-PRINCIPAL (1)
>                                     name-string: 2 items
>                                         KerberosString: krbtgt
>                                         KerberosString: RHELENT.LAN
>                                 enc-part
>                                     etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
>                                     kvno: 1
>                                     cipher:
> 0efd7452dafeb94323bcf7f6adc373aab78ce179f42c4c11...
>                             authenticator
>                                 etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
>                                 kvno: 255
>                                 cipher:
> f40e91b920c6ae6bdc30a69d5f348bf106355a92da74ba74...
>         req-body
>             Padding: 0
>             kdc-options: 00000000
>                 0... .... = reserved: False
>                 .0.. .... = forwardable: False
>                 ..0. .... = forwarded: False
>                 ...0 .... = proxiable: False
>                 .... 0... = proxy: False
>                 .... .0.. = allow-postdate: False
>                 .... ..0. = postdated: False
>                 .... ...0 = unused7: False
>                 0... .... = renewable: False
>                 .0.. .... = unused9: False
>                 ..0. .... = unused10: False
>                 ...0 .... = opt-hardware-auth: False
>                 .... ..0. = request-anonymous: False
>                 .... ...0 = canonicalize: False
>                 0... .... = constrained-delegation: False
>                 ..0. .... = disable-transited-check: False
>                 ...0 .... = renewable-ok: False
>                 .... 0... = enc-tkt-in-skey: False
>                 .... ..0. = renew: False
>                 .... ...0 = validate: False
>             cname
>                 name-type: kRB5-NT-PRINCIPAL (1)
>                 name-string: 2 items
>                     KerberosString: HTTP
>                     KerberosString: s4u.rhelent.lan
>             realm: RHELENT.LAN
>             sname
>                 name-type: kRB5-NT-PRINCIPAL (1)
>                 name-string: 2 items
>                     KerberosString: HTTP
>                     KerberosString: ipa.rhelent.lan
>             from: 2015-11-18 02:17:44 (UTC)
>             till: 2015-11-18 10:17:44 (UTC)
>             nonce: 604310537
>             etype: 1 item
>                 ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
> 
> 
> Is there a field missing?

CCing Andreas as this one sounds like a bug we recently discovered in
the ASN.1 parser in samba.

Andreas,
does this ring a bell ?

Marc,
what version of IPA/OS are you seeing this on ?

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to