On Tue, 2015-12-01 at 11:55 -0500, Marc Boorshtein wrote:
> >
> > How do you acquire the user ticket ?
> >
> 
> Using a keytab.  Here's a link to the example code I'm using:
> https://github.com/ymartin59/java-kerberos-sfudemo  I have Java set to
> use IPA as the DNS server and I'm passing in mmosley as the user to
> impersonate and HTTP/freeipa.rhelent.lan as the service that will
> consume the impersonated user's ticket.
> 
> > Do you have the kdc log (/var/log/krb5kdc.log) that shows what the
> > server has been requested and what it released ?
> >
> 
> Sure:
> 
> Dec 01 11:55:17 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
> etypes {17 23 16}) 10.8.0.2: NEEDED_PREAUTH:
> HTTP/s4u.rhelent....@rhelent.lan for krbtgt/rhelent....@rhelent.lan,
> Additional pre-authentication required
> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
> etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
> {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent....@rhelent.lan for
> krbtgt/rhelent....@rhelent.lan
> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3
> etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
> {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent....@rhelent.lan for
> HTTP/s4u.rhelent....@rhelent.lan
> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): ...
> PROTOCOL-TRANSITION s4u-client=mmos...@rhelent.lan
> 
> Thanks

I think for s4u2self you may have missed a conf step (we primarily use
s4u2proxy in the product *without* any s4u2self step).

Can you check that you followed the procedure described here:
https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-kdb/README.s4u2proxy.txt#n90

I think the key part is setting the +ok_to_auth_as_delegate flag, which
we do not provide an official higher level interface for yet.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
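The KDC log Marc posted is the practical way to see whether S4U2Self (the "... PROTOCOL-TRANSITION s4u-client=" continuation line) and S4U2Proxy actually happened, and because protocol transition is a service impersonating an arbitrary user, the same lines are worth watching on the KDC afterwards. The parser below is an added example for this thread, not code from FreeIPA or from the java-kerberos-sfudemo project. It follows the krb5kdc.log layout visible in the quoted lines; the "... CONSTRAINED-DELEGATION s4u-client=" line is the corresponding message MIT krb5 logs for S4U2Proxy and is treated as an assumption here. The realm EXAMPLE.COM, the hosts, the principals and the sample log itself are constructed.

```python
"""Parse MIT krb5kdc.log lines and pull out S4U2Self / S4U2Proxy activity.

Added example for the freeipa-users thread; not FreeIPA or sfudemo code.
Realm, hosts, principals and the sample log are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG = """\
Dec 01 11:55:17 kdc.example.com krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 10.8.0.2: NEEDED_PREAUTH: HTTP/s4u.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Dec 01 11:55:18 kdc.example.com krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Dec 01 11:55:18 kdc.example.com krb5kdc[7507](info): TGS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.example.com@EXAMPLE.COM for HTTP/s4u.example.com@EXAMPLE.COM
Dec 01 11:55:18 kdc.example.com krb5kdc[7507](info): ... PROTOCOL-TRANSITION s4u-client=mmosley@EXAMPLE.COM
Dec 01 11:55:19 kdc.example.com krb5kdc[7507](info): TGS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.example.com@EXAMPLE.COM for HTTP/ipa.example.com@EXAMPLE.COM
Dec 01 11:55:19 kdc.example.com krb5kdc[7507](info): ... CONSTRAINED-DELEGATION s4u-client=mmosley@EXAMPLE.COM
Dec 01 11:56:02 kdc.example.com krb5kdc[7507](info): TGS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.example.com@EXAMPLE.COM for HTTP/s4u.example.com@EXAMPLE.COM
Dec 01 11:56:02 kdc.example.com krb5kdc[7507](info): ... PROTOCOL-TRANSITION s4u-client=admin@EXAMPLE.COM
"""

# One AS_REQ/TGS_REQ line per record. The "..." continuation line the KDC
# writes right after an S4U TGS_REQ is folded into the record it follows.
REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<kind>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{[^}]*\}\) (?P<addr>\S+): (?P<status>[A-Z_]+): "
    r".*?(?P<client>\S+@\S+) for (?P<server>\S+@[^\s,]+)"
)
S4U_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): \.\.\. "
    r"(?P<mode>PROTOCOL-TRANSITION|CONSTRAINED-DELEGATION) "
    r"s4u-client=(?P<s4u_client>\S+)"
)


@dataclass
class KdcRequest:
    kind: str                         # AS_REQ or TGS_REQ
    status: str                       # ISSUE, NEEDED_PREAUTH, ...
    addr: str                         # address the request came from
    client: str                       # principal that authenticated to the KDC
    server: str                       # principal the ticket was requested for
    s4u_mode: Optional[str] = None    # PROTOCOL-TRANSITION / CONSTRAINED-DELEGATION
    s4u_client: Optional[str] = None  # the user being impersonated


def parse_kdc_log(text: str) -> List[KdcRequest]:
    records: List[KdcRequest] = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if m:
            records.append(KdcRequest(m["kind"], m["status"], m["addr"],
                                      m["client"], m["server"]))
            continue
        m = S4U_RE.search(line)
        # Attach the S4U detail to the TGS_REQ it annotates; ignore orphans.
        if m and records and records[-1].kind == "TGS_REQ" and records[-1].s4u_mode is None:
            records[-1].s4u_mode = m["mode"]
            records[-1].s4u_client = m["s4u_client"]
    return records


def s4u2self_events(records: List[KdcRequest]) -> List[KdcRequest]:
    # S4U2Self: the service requests a ticket to *itself* on behalf of a user.
    # The KDC only issues it for services allowed to do protocol transition,
    # so each hit is a service exercising an impersonation privilege.
    return [r for r in records
            if r.s4u_mode == "PROTOCOL-TRANSITION" and r.client == r.server]


def s4u2proxy_events(records: List[KdcRequest]) -> List[KdcRequest]:
    # S4U2Proxy: the service forwards the user's identity to a second service
    # it is explicitly allowed to delegate to.
    return [r for r in records if r.s4u_mode == "CONSTRAINED-DELEGATION"]


def impersonation_summary(records: List[KdcRequest]) -> Dict[str, Set[str]]:
    """Which services impersonated which users via S4U2Self."""
    summary: Dict[str, Set[str]] = {}
    for r in s4u2self_events(records):
        summary.setdefault(r.server, set()).add(r.s4u_client)
    return summary


def unexpected_transitions(records: List[KdcRequest],
                           allowed_services: Set[str]) -> List[KdcRequest]:
    """Protocol transitions by services that should not hold the flag."""
    return [r for r in s4u2self_events(records) if r.server not in allowed_services]


if __name__ == "__main__":
    recs = parse_kdc_log(SAMPLE_LOG)
    for svc, users in impersonation_summary(recs).items():
        print(f"{svc} impersonated: {', '.join(sorted(users))}")
    for r in unexpected_transitions(recs, {"HTTP/other.example.com@EXAMPLE.COM"}):
        print("ALERT unexpected protocol transition:", r.server, "->", r.s4u_client)
```

Point `parse_kdc_log` at the real `/var/log/krb5kdc.log` and `unexpected_transitions` becomes a simple detection: the allowlist is the set of service principals you have deliberately marked with +ok_to_auth_as_delegate, and anything else performing a protocol transition is worth an alert, since that flag is exactly what lets a service mint tickets for any user to itself.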