On Tue, 2015-12-01 at 11:34 -0500, Marc Boorshtein wrote:
> Simo & Team,
> 
> After talking to the OpenJDK security list it turned out there is a
> bug in JDK8.  The issue is fixed in JDK9 and after testing I'm running
> into a new issue.  Same scenario described earlier in this email
> chain, but now it looks like the TGS-REP is not being marked as
> forwardable which is required for an s4u2self ticket is used in
> s4u2proxy (https://msdn.microsoft.com/en-us/library/cc246079.aspx) :
> "The S4U2proxy extension requires that the service ticket to the first
> service has the forwardable flag set (see Service 1 in the figure
> specifying Kerberos delegation with forwarded TGT, section 1.3.3).
> This ticket can be obtained through an S4U2self protocol exchange.".
> The TGS-REQ is asking for a forwardable ticket, but it doesn't look
> like the response is setting it as forwardable.  Here's the exception:
> 
> GSSException: Failure unspecified at GSS-API level (Mechanism level:
> Attempt to obtain S4U2self credentials failed!)
> at 
> sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
> at 
> sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:92)
> at sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:153)
> at test24u2.KerberosDemo$1.run(KerberosDemo.java:128)
> at test24u2.KerberosDemo$1.run(KerberosDemo.java:1)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:422)
> at test24u2.KerberosDemo.impersonate(KerberosDemo.java:121)
> at test24u2.KerberosDemo.generateToken(KerberosDemo.java:179)
> at test24u2.KerberosDemo.main(KerberosDemo.java:215)
> Caused by: KrbException: S4U2self ticket must be FORWARDABLE
> at 
> sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:75)
> at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
> at 
> sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
> ... 9 more
> 
> Here's the entire debug output:
> >>> KeyTabInputStream, readName(): RHELENT.LAN
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): s4u.rhelent.lan
> >>> KeyTab: load() entry length: 83; type: 18
> >>> KeyTabInputStream, readName(): RHELENT.LAN
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): s4u.rhelent.lan
> >>> KeyTab: load() entry length: 67; type: 17
> >>> KeyTabInputStream, readName(): RHELENT.LAN
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): s4u.rhelent.lan
> >>> KeyTab: load() entry length: 75; type: 16
> >>> KeyTabInputStream, readName(): RHELENT.LAN
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): s4u.rhelent.lan
> >>> KeyTab: load() entry length: 67; type: 23
> Looking for keys for: HTTP/s4u.rhelent....@rhelent.lan
> Java config name: null
> Native config name: /etc/krb5.conf
> Loading krb5 profile at /etc/krb5.conf
> Loaded from native config
> Added key: 23version: 1
> Added key: 16version: 1
> Added key: 17version: 1
> Found unsupported keytype (18) for HTTP/s4u.rhelent....@rhelent.lan
> >>> KdcAccessibility: reset
> Looking for keys for: HTTP/s4u.rhelent....@rhelent.lan
> Added key: 23version: 1
> Added key: 16version: 1
> Added key: 17version: 1
> Found unsupported keytype (18) for HTTP/s4u.rhelent....@rhelent.lan
> default etypes for default_tkt_enctypes: 17 23 16.
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=freeipa.rhelent.lan UDP:88, timeout=30000, number of 
> >>> retries =3, #bytes=175
> >>> KDCCommunication: kdc=freeipa.rhelent.lan UDP:88, timeout=30000,Attempt 
> >>> =1, #bytes=175
> >>> KrbKdcReq send: #bytes read=327
> >>>Pre-Authentication Data:
> PA-DATA type = 136
> 
> >>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 17, salt = 4k@PqWo9iUZZ$[r", s2kparams = null
> PA-ETYPE-INFO2 etype = 16, salt = KaQ|KB<CQ#Vq,Ls&, s2kparams = null
> PA-ETYPE-INFO2 etype = 23, salt = Wl=W>9)&A{.`Y;1k, s2kparams = null
> 
> >>>Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
> PA-DATA type = 133
> 
> >>> KdcAccessibility: remove freeipa.rhelent.lan
> >>> KDCRep: init() encoding tag is 126 req type is 11
> >>>KRBError:
> cTime is Sat Jan 20 19:00:57 EST 1996 822182457000
> sTime is Mon Nov 30 21:35:51 EST 2015 1448937351000
> suSec is 558140
> error code is 25
> error Message is Additional pre-authentication required
> cname is HTTP/s4u.rhelent....@rhelent.lan
> sname is krbtgt/rhelent....@rhelent.lan
> eData provided.
> msgType is 30
> >>>Pre-Authentication Data:
> PA-DATA type = 136
> 
> >>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 17, salt = 4k@PqWo9iUZZ$[r", s2kparams = null
> PA-ETYPE-INFO2 etype = 16, salt = KaQ|KB<CQ#Vq,Ls&, s2kparams = null
> PA-ETYPE-INFO2 etype = 23, salt = Wl=W>9)&A{.`Y;1k, s2kparams = null
> 
> >>>Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
> PA-DATA type = 133
> 
> KRBError received: NEEDED_PREAUTH
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 17 23 16.
> Looking for keys for: HTTP/s4u.rhelent....@rhelent.lan
> Added key: 23version: 1
> Added key: 16version: 1
> Added key: 17version: 1
> Found unsupported keytype (18) for HTTP/s4u.rhelent....@rhelent.lan
> Looking for keys for: HTTP/s4u.rhelent....@rhelent.lan
> Added key: 23version: 1
> Added key: 16version: 1
> Added key: 17version: 1
> Found unsupported keytype (18) for HTTP/s4u.rhelent....@rhelent.lan
> default etypes for default_tkt_enctypes: 17 23 16.
> >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=freeipa.rhelent.lan UDP:88, timeout=30000, number of 
> >>> retries =3, #bytes=264
> >>> KDCCommunication: kdc=freeipa.rhelent.lan UDP:88, timeout=30000,Attempt 
> >>> =1, #bytes=264
> >>> KrbKdcReq send: #bytes read=691
> >>> KdcAccessibility: remove freeipa.rhelent.lan
> Looking for keys for: HTTP/s4u.rhelent....@rhelent.lan
> Added key: 23version: 1
> Added key: 16version: 1
> Added key: 17version: 1
> Found unsupported keytype (18) for HTTP/s4u.rhelent....@rhelent.lan
> >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> >>> KrbAsRep cons in KrbAsReq.getReply HTTP/s4u.rhelent.lan
> Service subject: Subject:
> Principal: HTTP/s4u.rhelent....@rhelent.lan
> Private Credential: Ticket (hex) =
> 0000: 61 82 01 51 30 82 01 4D   A0 03 02 01 05 A1 0D 1B  a..Q0..M........
> 0010: 0B 52 48 45 4C 45 4E 54   2E 4C 41 4E A2 20 30 1E  .RHELENT.LAN. 0.
> 0020: A0 03 02 01 02 A1 17 30   15 1B 06 6B 72 62 74 67  .......0...krbtg
> 0030: 74 1B 0B 52 48 45 4C 45   4E 54 2E 4C 41 4E A3 82  t..RHELENT.LAN..
> 0040: 01 13 30 82 01 0F A0 03   02 01 12 A1 03 02 01 01  ..0.............
> 0050: A2 82 01 01 04 81 FE 04   0B 24 5B A6 36 2A 4B C7  .........$[.6*K.
> 0060: 0D 58 1A EB 79 20 62 BE   16 44 28 93 5D 87 5B FD  .X..y b..D(.].[.
> 0070: DE 20 7D CF 79 4C 0E CC   77 90 40 06 10 11 9F 70  . ..yL..w.@....p
> 0080: 9E B4 7E B5 CA 14 27 23   DD CD D6 6E 31 1F FC CA  ......'#...n1...
> 0090: 65 CB 98 47 2B F0 C8 3B   96 C3 D6 AF EB DB 91 2F  e..G+..;......./
> 00A0: 1D 88 66 53 4F 03 7B 47   3C 32 E8 F2 CE 3E B1 E7  ..fSO..G<2...>..
> 00B0: 78 80 B3 37 6F 5E 18 76   68 F4 AE C6 C7 C2 B8 99  x..7o^.vh.......
> 00C0: 61 A3 42 A1 5D 32 69 BB   0D 42 C5 98 46 B8 8A C6  a.B.]2i..B..F...
> 00D0: 4A 68 88 E3 79 D0 E2 F7   DD 62 0F DD E6 6A 97 7B  Jh..y....b...j..
> 00E0: 4B A1 A0 1C 45 17 97 E4   CC 71 D2 86 61 52 40 34  K...E....q..aR@4
> 00F0: DE EF 45 5E 21 94 AB 5C   76 91 CE 68 DB A1 94 5F  ..E^!..\v..h..._
> 0100: 14 CC 54 BB 35 85 EB 56   F0 FC 83 B5 CB 41 48 A1  ..T.5..V.....AH.
> 0110: AE C8 2F 22 C6 48 B9 14   CD 5F 9B B5 14 2B CC D5  ../".H..._...+..
> 0120: B7 DC C3 74 4C 98 19 10   72 83 5D F6 BC A0 A1 9F  ...tL...r.].....
> 0130: 19 1F 63 07 AF C1 35 EE   1A 82 FE A5 88 CE 7A DF  ..c...5.......z.
> 0140: 0F 43 E4 55 EC CC 0C 34   47 B4 B8 E1 C2 90 AC 63  .C.U...4G......c
> 0150: 19 01 A1 87 A5                                     .....
> 
> Client Principal = HTTP/s4u.rhelent....@rhelent.lan
> Server Principal = krbtgt/rhelent....@rhelent.lan
> Session Key = EncryptionKey: keyType=17 keyBytes (hex dump)=
> 0000: D9 D2 7F 9D 3F 5F 32 1A   41 10 4D 9F 0C 7D C5 D8  ....?_2.A.M.....
> 
> 
> Forwardable Ticket true
> Forwarded Ticket false
> Proxiable Ticket false
> Proxy Ticket false
> Postdated Ticket false
> Renewable Ticket true
> Initial Ticket true
> Auth Time = Mon Nov 30 21:35:51 EST 2015
> Start Time = Mon Nov 30 21:35:51 EST 2015
> End Time = Tue Dec 01 21:35:51 EST 2015
> Renew Till = Mon Dec 07 21:35:51 EST 2015
> Client Addresses  Null
> Private Credential: /Users/mlb/Documents/localdev.keytab for
> HTTP/s4u.rhelent....@rhelent.lan
> 
> Search Subject for Kerberos V5 INIT cred (<<DEF>>,
> sun.security.jgss.krb5.Krb5InitCredential)
> Found ticket for HTTP/s4u.rhelent....@rhelent.lan to go to
> krbtgt/rhelent....@rhelent.lan expiring on Tue Dec 01 21:35:51 EST
> 2015
> Search Subject for SPNEGO INIT cred (<<DEF>>,
> sun.security.jgss.spnego.SpNegoCredElement)
> Search Subject for Kerberos V5 INIT cred (<<DEF>>,
> sun.security.jgss.krb5.Krb5InitCredential)
> Found ticket for HTTP/s4u.rhelent....@rhelent.lan to go to
> krbtgt/rhelent....@rhelent.lan expiring on Tue Dec 01 21:35:51 EST
> 2015
> >>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
> default etypes for default_tgs_enctypes: 17 23 16.
> >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
> >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> >>> KrbKdcReq send: kdc=freeipa.rhelent.lan UDP:88, timeout=30000, number of 
> >>> retries =3, #bytes=772
> >>> KDCCommunication: kdc=freeipa.rhelent.lan UDP:88, timeout=30000,Attempt 
> >>> =1, #bytes=772
> >>> KrbKdcReq send: #bytes read=582
> >>> KdcAccessibility: remove freeipa.rhelent.lan
> >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> GSSException: Failure unspecified at GSS-API level (Mechanism level:
> Attempt to obtain S4U2self credentials failed!)
> at 
> sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
> at 
> sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:92)
> at sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:153)
> at test24u2.KerberosDemo$1.run(KerberosDemo.java:128)
> at test24u2.KerberosDemo$1.run(KerberosDemo.java:1)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:422)
> at test24u2.KerberosDemo.impersonate(KerberosDemo.java:121)
> at test24u2.KerberosDemo.generateToken(KerberosDemo.java:179)
> at test24u2.KerberosDemo.main(KerberosDemo.java:215)
> Caused by: KrbException: S4U2self ticket must be FORWARDABLE
> at 
> sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:75)
> at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
> at 
> sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
> ... 9 more
> 
> Here's the wireshark capture of the entire transaction:
> https://s3.amazonaws.com/ts-public-downloads/captures/java9-s4u2self.pcapng
> 
> Is there something I need to configure in ipa?  I've shown the steps I
> took to make s4u.rhelent.lan setup for delegation in the beginning of
> this chain.

How do you acquire the user ticket ?

Do you have the kdc log (/var/log/krb5kdc.log) that shows what the
server has been requested and what it released ?

Simo.

> Thanks
> Marc Boorshtein
> CTO Tremolo Security
> marc.boorsht...@tremolosecurity.com
> (703) 828-4902
> 
> 
> On Tue, Oct 27, 2015 at 8:27 PM, Marc Boorshtein
> <marc.boorsht...@tremolosecurity.com> wrote:
> > Thanks Simo.  It wouldn't surprise me that java's implementation is
> > wrong.  The comments in the source even ask if its necessary to check.
> >
> > Thanks
> > Marc
> > Marc Boorshtein
> > CTO Tremolo Security
> > marc.boorsht...@tremolosecurity.com
> > (703) 828-4902
> >
> >
> > On Tue, Oct 27, 2015 at 4:12 PM, Simo Sorce <s...@redhat.com> wrote:
> >> On 27/10/15 15:43, Marc Boorshtein wrote:
> >>>>>
> >>>>>
> >>>>> Looking at KrbKdcRep.java:73 it looks like the failure is happening
> >>>>> because java is setting the forwardable flag to true on the request
> >>>>> but the response has no options in it.  Should the forwardable option
> >>>>> be false in the request?
> >>>>
> >>>>
> >>>>
> >>>> That's a fair guess.
> >>>> the whole point of constrained delegation (including protocol
> >>>> impersonation)
> >>>> is that you do not want to forward tickets, so you shouldn't ask for
> >>>> forwardable tickets methinks.
> >>>>
> >>>> Simo.
> >>>>
> >>>
> >>> Thanks Simio.  I tried running kinit with forwarding disabled:
> >>>
> >>> $ kinit HTTP/unison-freeipa.rhelent....@rhelent.lan -k -t
> >>> ./unison-freeipa.keytab -F
> >>>
> >>> $ klist -f
> >>>
> >>> Ticket cache: FILE:/tmp/krb5cc_500
> >>>
> >>> Default principal: HTTP/unison-freeipa.rhelent....@rhelent.lan
> >>>
> >>>
> >>> Valid starting     Expires            Service principal
> >>>
> >>> 10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/rhelent....@rhelent.lan
> >>>
> >>> Flags: IA
> >>>
> >>> But when I try again Java refuses to generate the ticket:
> >>>
> >>> tremoloadmin@unison-freeipa ~]$ klist -f
> >>> Ticket cache: FILE:/tmp/krb5cc_500
> >>> Default principal: HTTP/unison-freeipa.rhelent....@rhelent.lan
> >>>
> >>> Valid starting     Expires            Service principal
> >>> 10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/rhelent....@rhelent.lan
> >>> Flags: IA
> >>>
> >>> Hello World!
> >>> Search Subject for Kerberos V5 INIT cred (<<DEF>>,
> >>> sun.security.jgss.krb5.Krb5InitCredential)
> >>> No Subject
> >>>>>>
> >>>>>> KinitOptions cache name is /tmp/krb5cc_500
> >>>>>> DEBUG <CCacheInputStream>  client principal is
> >>>>>> HTTP/unison-freeipa.rhelent....@rhelent.lan
> >>>>>> DEBUG <CCacheInputStream> server principal is
> >>>>>> krbtgt/rhelent....@rhelent.lan
> >>>>>> DEBUG <CCacheInputStream> key type: 18
> >>>>>> DEBUG <CCacheInputStream> auth time: Tue Oct 27 15:32:52 EDT 2015
> >>>>>> DEBUG <CCacheInputStream> start time: Tue Oct 27 15:32:52 EDT 2015
> >>>>>> DEBUG <CCacheInputStream> end time: Wed Oct 28 15:32:52 EDT 2015
> >>>>>> DEBUG <CCacheInputStream> renew_till time: null
> >>>>>> CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
> >>>>>> DEBUG <CCacheInputStream>  client principal is
> >>>>>> HTTP/unison-freeipa.rhelent....@rhelent.lan
> >>>
> >>> Java config name: /home/tremoloadmin/krb5.conf
> >>> Loaded from Java config
> >>>>>>
> >>>>>> DEBUG <CCacheInputStream> server principal is
> >>>>>> X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/rhelent....@rhelent.lan@RHELENT.LAN
> >>>>>> DEBUG <CCacheInputStream> key type: 0
> >>>>>> DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969
> >>>>>> DEBUG <CCacheInputStream> start time: null
> >>>>>> DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969
> >>>>>> DEBUG <CCacheInputStream> renew_till time: null
> >>>>>> CCacheInputStream: readFlags()
> >>>
> >>> Found ticket for HTTP/unison-freeipa.rhelent....@rhelent.lan to go to
> >>> krbtgt/rhelent....@rhelent.lan expiring on Wed Oct 28 15:32:52 EDT
> >>> 2015
> >>> Search Subject for SPNEGO INIT cred (<<DEF>>,
> >>> sun.security.jgss.spnego.SpNegoCredElement)
> >>> No Subject
> >>> Search Subject for Kerberos V5 INIT cred (<<DEF>>,
> >>> sun.security.jgss.krb5.Krb5InitCredential)
> >>> No Subject
> >>>>>>
> >>>>>> KinitOptions cache name is /tmp/krb5cc_500
> >>>>>> DEBUG <CCacheInputStream>  client principal is
> >>>>>> HTTP/unison-freeipa.rhelent....@rhelent.lan
> >>>>>> DEBUG <CCacheInputStream> server principal is
> >>>>>> krbtgt/rhelent....@rhelent.lan
> >>>>>> DEBUG <CCacheInputStream> key type: 18
> >>>>>> DEBUG <CCacheInputStream> auth time: Tue Oct 27 15:32:52 EDT 2015
> >>>>>> DEBUG <CCacheInputStream> start time: Tue Oct 27 15:32:52 EDT 2015
> >>>>>> DEBUG <CCacheInputStream> end time: Wed Oct 28 15:32:52 EDT 2015
> >>>>>> DEBUG <CCacheInputStream> renew_till time: null
> >>>>>> CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
> >>>>>> DEBUG <CCacheInputStream>  client principal is
> >>>>>> HTTP/unison-freeipa.rhelent....@rhelent.lan
> >>>>>> DEBUG <CCacheInputStream> server principal is
> >>>>>> X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/rhelent....@rhelent.lan@RHELENT.LAN
> >>>>>> DEBUG <CCacheInputStream> key type: 0
> >>>>>> DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969
> >>>>>> DEBUG <CCacheInputStream> start time: null
> >>>>>> DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969
> >>>>>> DEBUG <CCacheInputStream> renew_till time: null
> >>>>>> CCacheInputStream: readFlags()
> >>>
> >>> Found ticket for HTTP/unison-freeipa.rhelent....@rhelent.lan to go to
> >>> krbtgt/rhelent....@rhelent.lan expiring on Wed Oct 28 15:32:52 EDT
> >>> 2015
> >>>>>>
> >>>>>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
> >>>
> >>> Exception in thread "main" GSSException: Failure unspecified at
> >>> GSS-API level (Mechanism level: Attempt to obtain S4U2self credentials
> >>> failed!)
> >>> at
> >>> sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
> >>> at
> >>> sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:94)
> >>> at
> >>> sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:141)
> >>> at io.tremolo.App.main(App.java:27)
> >>> Caused by: KrbException: Invalid option setting in ticket request. (101)
> >>> at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:165)
> >>> at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:100)
> >>> at
> >>> sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:66)
> >>> at
> >>> sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
> >>> at
> >>> sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
> >>> ... 3 more
> >>>
> >>> Looking at KrbTgsReq line 165:
> >>>
> >>> if (options.get(KDCOptions.FORWARDABLE) &&
> >>>                  (!(asCreds.flags.get(Krb5.TKT_OPTS_FORWARDABLE)))) {
> >>>              throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
> >>>          }
> >>>
> >>> If I read this correctly it has to be forwardable?  If thats the case
> >>> is Java wrong for requiring the options to be there or is ipa wrong
> >>> for not sending the options with the response ticket?
> >>
> >>
> >> I think the best answer would be to look at what the MIT test program does
> >> and make sure Java does the same.
> >> This stuff works with the native libraries and is interoperable with 
> >> Windows
> >> AD KDCs where the specification was born.
> >>
> >> Simo.
> >>
> >>
> >> --
> >> Simo Sorce * Red Hat, Inc * New York


-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to