We actually tracked it down.  The problem was the Authenticator was
missing the authenticatorkvno field per the RFC.  Once we set that to
5 we got past this issue.

IPA 4.1 on CentOS7

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
On Mon, Nov 23, 2015 at 10:38 AM, Simo Sorce <s...@redhat.com> wrote:
> On Tue, 2015-11-17 at 21:36 -0500, Marc Boorshtein wrote:
>> I'm putting together a Java Kerberos client and am having an issue
>> getting an SGT from IPA.  I get a TGT without issue, but when I submit
>> the TGS-REQ I get the following errors in the IPA log:
>>
>> Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1
>> etypes {17}) 192.168.2.129: ISSUE: authtime 1447811595, etypes {rep=17
>> tkt=18 ses=17}, HTTP/s4u.rhelent....@rhelent.lan for
>> krbtgt/rhelent....@rhelent.lan
>>
>> Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1
>> etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0,  <unknown client>
>> for HTTP/ipa.rhelent....@rhelent.lan, ASN.1 structure is missing a
>> required field
>>
>> Here's the TGS request:
>>
>> Kerberos
>>     tgs-req
>>         pvno: 5
>>         msg-type: krb-tgs-req (12)
>>         padata: 1 item
>>             PA-DATA PA-TGS-REQ
>>                 padata-type: kRB5-PADATA-TGS-REQ (1)
>>                     padata-value:
>> 6e8201f8308201f4a003020105a10302010ea20703050000...
>>                         ap-req
>>                             pvno: 5
>>                             msg-type: krb-ap-req (14)
>>                             Padding: 0
>>                             ap-options: 00000000
>>                                 0... .... = reserved: False
>>                                 .0.. .... = use-session-key: False
>>                                 ..0. .... = mutual-required: False
>>                             ticket
>>                                 tkt-vno: 5
>>                                 realm: RHELENT.LAN
>>                                 sname
>>                                     name-type: kRB5-NT-PRINCIPAL (1)
>>                                     name-string: 2 items
>>                                         KerberosString: krbtgt
>>                                         KerberosString: RHELENT.LAN
>>                                 enc-part
>>                                     etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
>>                                     kvno: 1
>>                                     cipher:
>> 0efd7452dafeb94323bcf7f6adc373aab78ce179f42c4c11...
>>                             authenticator
>>                                 etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
>>                                 kvno: 255
>>                                 cipher:
>> f40e91b920c6ae6bdc30a69d5f348bf106355a92da74ba74...
>>         req-body
>>             Padding: 0
>>             kdc-options: 00000000
>>                 0... .... = reserved: False
>>                 .0.. .... = forwardable: False
>>                 ..0. .... = forwarded: False
>>                 ...0 .... = proxiable: False
>>                 .... 0... = proxy: False
>>                 .... .0.. = allow-postdate: False
>>                 .... ..0. = postdated: False
>>                 .... ...0 = unused7: False
>>                 0... .... = renewable: False
>>                 .0.. .... = unused9: False
>>                 ..0. .... = unused10: False
>>                 ...0 .... = opt-hardware-auth: False
>>                 .... ..0. = request-anonymous: False
>>                 .... ...0 = canonicalize: False
>>                 0... .... = constrained-delegation: False
>>                 ..0. .... = disable-transited-check: False
>>                 ...0 .... = renewable-ok: False
>>                 .... 0... = enc-tkt-in-skey: False
>>                 .... ..0. = renew: False
>>                 .... ...0 = validate: False
>>             cname
>>                 name-type: kRB5-NT-PRINCIPAL (1)
>>                 name-string: 2 items
>>                     KerberosString: HTTP
>>                     KerberosString: s4u.rhelent.lan
>>             realm: RHELENT.LAN
>>             sname
>>                 name-type: kRB5-NT-PRINCIPAL (1)
>>                 name-string: 2 items
>>                     KerberosString: HTTP
>>                     KerberosString: ipa.rhelent.lan
>>             from: 2015-11-18 02:17:44 (UTC)
>>             till: 2015-11-18 10:17:44 (UTC)
>>             nonce: 604310537
>>             etype: 1 item
>>                 ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
>>
>>
>> Is there a field missing?
>
> CCing Andreas as this one sounds like a bug we recently discovered in
> the ASN.1 parser in samba.
>
> Andreas,
> does this ring a bell ?
>
> Marc,
> what version of IPA/OS are you seeing this on ?
>
> Simo.
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
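For readers hitting the same "ASN.1 structure is missing a required field" error: the field Marc fixed is the one RFC 4120 section 5.5.1 calls `authenticator-vno [0] INTEGER (5)`, the first element of `Authenticator ::= [APPLICATION 2] SEQUENCE { ... }`. The following is an added example, not code from this thread, from Tremolo Security's Java client or from FreeIPA. It is a minimal DER encoder plus a strict checker for the plaintext Authenticator in Python, written so that `include_vno=False` reproduces the broken structure from the thread. The realm and client principal are taken from the capture above; the `cusec` value 123456 and the `ctime` value are constructed sample data.

```python
# Added example (not from the thread or FreeIPA): minimal DER encoder and
# strict checker for the RFC 4120 Authenticator, showing the
# authenticator-vno [0] INTEGER (5) field whose absence makes a KDC report
# "ASN.1 structure is missing a required field".
from datetime import datetime, timezone

# --- DER primitives ------------------------------------------------------

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(v: int) -> bytes:                    # INTEGER (two's complement)
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def der_general_string(s: str) -> bytes:         # KerberosString / Realm
    return _tlv(0x1B, s.encode("ascii"))

def der_generalized_time(t: datetime) -> bytes:  # KerberosTime, YYYYMMDDHHMMSSZ
    return _tlv(0x18, t.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ").encode("ascii"))

def der_seq(*items: bytes) -> bytes:             # SEQUENCE / SEQUENCE OF
    return _tlv(0x30, b"".join(items))

def ctx(n: int, body: bytes) -> bytes:           # [n] EXPLICIT context-specific tag
    return _tlv(0xA0 | n, body)

def app(n: int, body: bytes) -> bytes:           # [APPLICATION n] constructed tag
    return _tlv(0x60 | n, body)

def principal_name(name_type: int, *components: str) -> bytes:
    """PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }"""
    return der_seq(ctx(0, der_int(name_type)),
                   ctx(1, der_seq(*(der_general_string(c) for c in components))))

# --- Authenticator ::= [APPLICATION 2] SEQUENCE { ... } (RFC 4120 5.5.1) --

def encode_authenticator(crealm, cname, cusec, ctime, include_vno=True):
    """Build the plaintext Authenticator (before it is encrypted under the
    TGT session key). include_vno=False reproduces the client from the
    thread, which left out authenticator-vno [0]."""
    fields = []
    if include_vno:
        fields.append(ctx(0, der_int(5)))        # authenticator-vno [0] INTEGER (5)
    fields += [
        ctx(1, der_general_string(crealm)),      # crealm  [1] Realm
        ctx(2, principal_name(1, *cname)),       # cname   [2] PrincipalName (NT-PRINCIPAL)
        ctx(4, der_int(cusec)),                  # cusec   [4] Microseconds
        ctx(5, der_generalized_time(ctime)),     # ctime   [5] KerberosTime
    ]                                            # [3] cksum, [6] subkey, [7] seq-number, [8] authz-data are OPTIONAL
    return app(2, der_seq(*fields))

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position just after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

REQUIRED = {0: "authenticator-vno", 1: "crealm", 2: "cname", 4: "cusec", 5: "ctime"}

def validate_authenticator(der: bytes) -> list:
    """Check the DER the way a strict KDC parser would. Returns a list of
    problems; an empty list means the structure is acceptable."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x62 or end != len(der):
        return ["outer tag is not [APPLICATION 2]"]
    seq_tag, seq, _ = _read_tlv(body, 0)
    if seq_tag != 0x30:
        return ["Authenticator body is not a SEQUENCE"]
    problems, seen, pos = [], {}, 0
    while pos < len(seq):
        t, inner, pos = _read_tlv(seq, pos)
        if (t & 0xE0) != 0xA0:                   # every member carries a [n] context tag
            problems.append("unexpected tag 0x%02x" % t)
            continue
        seen[t & 0x1F] = inner
    for n, name in REQUIRED.items():
        if n not in seen:
            problems.append("missing required field " + name)
    if 0 in seen:
        vtag, vbody, _ = _read_tlv(seen[0], 0)
        if vtag != 0x02 or int.from_bytes(vbody, "big", signed=True) != 5:
            problems.append("authenticator-vno is not 5")
    return problems

def sample_authenticator(include_vno=True) -> bytes:
    """Constructed sample mirroring the capture in the thread: realm and
    client principal from the log, cusec and ctime made up for the example."""
    return encode_authenticator("RHELENT.LAN", ("HTTP", "s4u.rhelent.lan"), 123456,
                                datetime(2015, 11, 18, 2, 17, 44, tzinfo=timezone.utc),
                                include_vno=include_vno)

if __name__ == "__main__":
    good, bad = sample_authenticator(), sample_authenticator(include_vno=False)
    print(good.hex())
    print("with vno:   ", validate_authenticator(good) or "ok")
    print("without vno:", validate_authenticator(bad))
```

The correctly built Authenticator starts `62 54 30 52 a0 03 02 01 05`: the five bytes `a0 03 02 01 05` are the same pattern as the `pvno [0] INTEGER (5)` at the start of the captured padata-value above (`6e8201f8308201f4a003020105...`), so a client that emits the AP-REQ version correctly but drops the same tag from the Authenticator produces exactly the KDC complaint in the log. The encoder above only builds the plaintext; a real client still has to encrypt it under the TGT session key (key usage 7) before placing it in the AP-REQ.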

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
