Marc,

As Steve noted, the MIT kinit program sets FORWARDABLE, PROXIABLE and 
RENEWABLE_OK by default. We can and should do that. So if what you need is to 
request a forwardable ticket, please do it over there as a quick workaround for 
you. The default flags can be set in the KdcRequest constructor where 
kdcOptions is just created. I will go to sleep now :).

Regards,
Kai

-----Original Message-----
From: Zheng, Kai [mailto:[email protected]] 
Sent: Wednesday, November 18, 2015 9:38 PM
To: [email protected]; Steve Moyer <[email protected]>
Subject: RE: How to request a forwardable ticket?

Hi Steve,

Thanks for your digging!

>> Here's the snippet of code I created to copy the KrbOptions to KdcOptions 
>> ... I think this was the designed intention ...
I'm wondering if it would be better to explicitly check the KdcOption-related 
options contained in the KrbOptions passed from the layer above. For example:

    if (requestOptions.contains(KrbOption.FORWARDABLE)) {
        asRequest.getKdcOptions().setFlag(KdcOption.FORWARDABLE);
    }

>> Is a pull request on GitHub the easiest way to send you code changes or 
>> would you prefer patches attached to the issues in Jira?
If it's convenient for you to generate a patch and upload it to JIRA, that would 
be great, but a GH PR should also work for us!

Regards,
Kai

-----Original Message-----
From: Steve Moyer [mailto:[email protected]]
Sent: Wednesday, November 18, 2015 9:18 PM
To: [email protected]
Subject: Re: How to request a forwardable ticket?

I've got working code for FORWARDABLE AND PROXIABLE ... I've been looking at 
the changes needed for RENEWABLE_OK (and maybe other flags).

Right now the code feels a bit strange.  I set a flag in KrbOptions and I'm 
converting the appropriate flags to KdcOptions, then generating the bitmap.  
Should this really be happening just by matching the enum name() from KrbOption 
to KdcOption?  DIRKRB-449 (https://issues.apache.org/jira/browse/DIRKRB-449) is 
resolved as of commit 9e504bd785d894491bd8f4fbe2359f346d951299 
(https://github.com/apache/directory-kerby/commit/c3c778f3af0fe2a187c10447682bf12b9bed7c6d),
 so the flags in the AsRequest are set properly.

Here's the snippet of code I created to copy the KrbOptions to KdcOptions ... I 
think this was the designed intention:

        KdcOptions kdcOptions = new KdcOptions();
        for (KOption koption : requestOptions.getOptions()) {
            try {
                KdcOption kdcOption = KdcOption.valueOf(koption.getOptionName());
                kdcOptions.setFlag(kdcOption,
                        requestOptions.getBooleanOption(koption, false));
            } catch (IllegalArgumentException | NullPointerException e) {
                // It's completely acceptable that a request option is NOT a KdcOption
                // but PMD doesn't like empty finally or catch blocks - here's a message
                // just for you!
                e.getMessage();
            }
        }

        asRequest.setKdcOptions(kdcOptions);

DIRKRB-450 (https://issues.apache.org/jira/browse/DIRKRB-450) was assigned to 
me and I'll try to get a pull request for this code issued today.  As noted 
below, DIRKRB-452 (https://issues.apache.org/jira/browse/DIRKRB-452) is also 
required for those using the KinitTool (at the moment, I'm requesting TGTs 
programmatically).

Kai and Jia:

Is a pull request on GitHub the easiest way to send you code changes or would 
you prefer patches attached to the issues in Jira?

Steve

--

“The mark of the immature man is that he wants to die nobly for a cause, while 
the mark of the mature man is that he wants to live humbly for one.” - Wilhelm 
Stekel

----- Original Message -----
From: "Zheng, Kai" <[email protected]>
To: [email protected]
Sent: Tuesday, November 17, 2015 10:18:09 PM
Subject: RE: How to request a forwardable ticket?

Looks like we're hitting this issue, which isn't resolved yet. I got some 
things wrong. 
https://issues.apache.org/jira/browse/DIRKRB-452


-----Original Message-----
From: Zheng, Kai [mailto:[email protected]]
Sent: Wednesday, November 18, 2015 11:10 AM
To: [email protected]
Subject: RE: How to request a forwardable ticket?

OK, I see. Looks like KrbOption.FORWARDABLE in request options isn't passed down 
to KdcOptions for the final AsReq. 
Will take a look and possibly fix it soon.

-----Original Message-----
From: Marc Boorshtein [mailto:[email protected]]
Sent: Wednesday, November 18, 2015 10:43 AM
To: [email protected]
Subject: Re: How to request a forwardable ticket?

Thanks Kai, I'm having the same issue with the latest code.  Here's the pull 
log:

remote: Counting objects: 467, done.
remote: Compressing objects: 100% (70/70), done.
remote: Total 143 (delta 47), reused 0 (delta 0)
Receiving objects: 100% (143/143), 12.23 KiB | 0 bytes/s, done.
Resolving deltas: 100% (47/47), completed with 35 local objects.
From https://git1-us-west.apache.org/repos/asf/directory-kerby
   955a845..d18ad29  master     -> origin/master
Updating 955a845..d18ad29
Fast-forward
 .../zookeeper-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/ZookeeperIdentityBackend.java |   8 +--
 kerby-config/src/main/java/org/apache/kerby/config/Conf.java |  48 +++++++++---------
 kerby-config/src/main/java/org/apache/kerby/config/Config.java |  35 +++++++------
 kerby-config/src/main/java/org/apache/kerby/config/ConfigImpl.java |  71 +++++++++++++++-----------
 kerby-config/src/test/java/org/apache/kerby/config/ConfTest.java |  11 ++--
 kerby-dist/kdc-dist/assembly.xml |   2 +
 kerby-dist/tool-dist/assembly.xml |   2 +
 kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfig.java |  43 ++++++++++------
 kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfigKey.java |   2 +-
 kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/AbstractInternalKrbClient.java |   8 +++
 kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java |  10 ++--
 .../kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/TestKrbConfigLoadWithDefaultRealm.java |  45 +++++++++++++++++
 kerby-kerb/kerb-client/src/test/resources/krb5-kdcrealm.conf |  19 +++++++
 kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbConfHelper.java |  17 ++++---
 kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestAsReqCodec.java |   3 +-
 kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestTgsReqCodec.java |   5 +-
 kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KrbFlags.java |  28 ++++++-----
 kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/spec/base/KrbFlagsTest.java | 155 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java |  44 +++++++++-------
 kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcUtil.java |   2 +-
 20 files changed, 420 insertions(+), 138 deletions(-)
 create mode 100644 kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/TestKrbConfigLoadWithDefaultRealm.java
 create mode 100644 kerby-kerb/kerb-client/src/test/resources/krb5-kdcrealm.conf
 create mode 100644 kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/spec/base/KrbFlagsTest.java


On Tue, Nov 17, 2015 at 9:32 PM, Zheng, Kai <[email protected]> wrote:

> Hi Marc,
>
> There are recent contributed fixes related to this from Steve. Would 
> you check out and update to the latest code?
>
> commit c3c778f3af0fe2a187c10447682bf12b9bed7c6d
> Author: plusplusjiajia <[email protected]>
> Date:   Tue Nov 17 15:08:59 2015 +0800
>
>     DIRKRB-449 Fix the bit manipulation functions in KrbFlags. Contributed by Steve.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Marc Boorshtein [mailto:[email protected]]
> Sent: Wednesday, November 18, 2015 10:27 AM
> To: [email protected]
> Subject: How to request a forwardable ticket?
>
> I can't seem to work out how to specify any options for a ticket.  For 
> s4u the TGT and SGTs need to be forwardable.  Here's my code so far:
>
> KOptions requestOptions = new KOptions();
>
> requestOptions.add(KrbOption.CLIENT_PRINCIPAL, "HTTP/[email protected]");
>
> requestOptions.add(KrbOption.USE_KEYTAB, true);
>
> requestOptions.add(KrbOption.KEYTAB_FILE, new File("/Users/mlb/Documents/localdev.keytab"));
>
> requestOptions.add(KrbOption.FORWARDABLE, true);
>
> TgtTicket tgt = kerb.requestTgtWithOptions(requestOptions);
>
> Looking at the code it doesn't look like the options are ever picked up.
> Any thoughts on how to set the forwardable flag?
>
> Thanks
>
> Marc
>
