On Mon, 2015-11-23 at 10:41 -0500, Marc Boorshtein wrote:
> We actually tracked it down.  The problem was the Authenticator was
> missing the authenticatorkvno field per the RFC.  Once we set that to
> 5 we got past this issue.

Ok, then we'll consider this solved, thanks for following up.

Simo.

> IPA 4.1 on CentOS7
> 
> Thanks
> Marc Boorshtein
> CTO Tremolo Security
> marc.boorsht...@tremolosecurity.com
> 
> 
> 
> On Mon, Nov 23, 2015 at 10:38 AM, Simo Sorce <s...@redhat.com> wrote:
> > On Tue, 2015-11-17 at 21:36 -0500, Marc Boorshtein wrote:
> >> I'm putting together a java kerberos client and am having an issue
> >> getting a SGT form IPA.  I get a TGT without issue, but when I submit
> >> the TGS-REQ I get the following errors in the ipa log:
> >>
> >> Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1
> >> etypes {17}) 192.168.2.129: ISSUE: authtime 1447811595, etypes {rep=17
> >> tkt=18 ses=17}, HTTP/s4u.rhelent....@rhelent.lan for
> >> krbtgt/rhelent....@rhelent.lan
> >>
> >> Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1
> >> etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0,  <unknown client>
> >> for HTTP/ipa.rhelent....@rhelent.lan, ASN.1 structure is missing a
> >> required field
> >>
> >> Here's the TGS request:
> >>
> >> Kerberos
> >>     tgs-req
> >>         pvno: 5
> >>         msg-type: krb-tgs-req (12)
> >>         padata: 1 item
> >>             PA-DATA PA-TGS-REQ
> >>                 padata-type: kRB5-PADATA-TGS-REQ (1)
> >>                     padata-value:
> >> 6e8201f8308201f4a003020105a10302010ea20703050000...
> >>                         ap-req
> >>                             pvno: 5
> >>                             msg-type: krb-ap-req (14)
> >>                             Padding: 0
> >>                             ap-options: 00000000
> >>                                 0... .... = reserved: False
> >>                                 .0.. .... = use-session-key: False
> >>                                 ..0. .... = mutual-required: False
> >>                             ticket
> >>                                 tkt-vno: 5
> >>                                 realm: RHELENT.LAN
> >>                                 sname
> >>                                     name-type: kRB5-NT-PRINCIPAL (1)
> >>                                     name-string: 2 items
> >>                                         KerberosString: krbtgt
> >>                                         KerberosString: RHELENT.LAN
> >>                                 enc-part
> >>                                     etype: eTYPE-AES256-CTS-HMAC-SHA1-96 
> >> (18)
> >>                                     kvno: 1
> >>                                     cipher:
> >> 0efd7452dafeb94323bcf7f6adc373aab78ce179f42c4c11...
> >>                             authenticator
> >>                                 etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
> >>                                 kvno: 255
> >>                                 cipher:
> >> f40e91b920c6ae6bdc30a69d5f348bf106355a92da74ba74...
> >>         req-body
> >>             Padding: 0
> >>             kdc-options: 00000000
> >>                 0... .... = reserved: False
> >>                 .0.. .... = forwardable: False
> >>                 ..0. .... = forwarded: False
> >>                 ...0 .... = proxiable: False
> >>                 .... 0... = proxy: False
> >>                 .... .0.. = allow-postdate: False
> >>                 .... ..0. = postdated: False
> >>                 .... ...0 = unused7: False
> >>                 0... .... = renewable: False
> >>                 .0.. .... = unused9: False
> >>                 ..0. .... = unused10: False
> >>                 ...0 .... = opt-hardware-auth: False
> >>                 .... ..0. = request-anonymous: False
> >>                 .... ...0 = canonicalize: False
> >>                 0... .... = constrained-delegation: False
> >>                 ..0. .... = disable-transited-check: False
> >>                 ...0 .... = renewable-ok: False
> >>                 .... 0... = enc-tkt-in-skey: False
> >>                 .... ..0. = renew: False
> >>                 .... ...0 = validate: False
> >>             cname
> >>                 name-type: kRB5-NT-PRINCIPAL (1)
> >>                 name-string: 2 items
> >>                     KerberosString: HTTP
> >>                     KerberosString: s4u.rhelent.lan
> >>             realm: RHELENT.LAN
> >>             sname
> >>                 name-type: kRB5-NT-PRINCIPAL (1)
> >>                 name-string: 2 items
> >>                     KerberosString: HTTP
> >>                     KerberosString: ipa.rhelent.lan
> >>             from: 2015-11-18 02:17:44 (UTC)
> >>             till: 2015-11-18 10:17:44 (UTC)
> >>             nonce: 604310537
> >>             etype: 1 item
> >>                 ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
> >>
> >>
> >> Is there a field missing?
> >
> > CCing Andreas as this one sounds like a bug we recently discovered in
> > the ASN.1 parser in samba.
> >
> > Andreas,
> > does this ring a bell ?
> >
> > Marc,
> > what version of IPA/OS are you seeing this on ?
> >
> > Simo.
> >
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >


-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
