Kai & Steve,

Thanks for tackling this so quickly!  For TGT the request IS being sent as
forward-able, but for SGT it still isn't.  Also, which of the KrbOptions
lines up with RENEWABLE_OK?  I only see RENEW and RENEW_TIME.

Thanks!

On Wed, Nov 18, 2015 at 8:56 AM, Zheng, Kai <[email protected]> wrote:

> Marc,
>
> As Steve noted, the MIT kinit program sets FORWARDABLE, PROXIABLE and
> RENEWABLE_OK by default. We can and should do that. So if what you need is
> to request a forwardable ticket, please do it over there as a quick
> workaround for you. The default flags can be set in the KdcRequest constructor
> where kdcOptions is just created. I will go to sleep now :).
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Zheng, Kai [mailto:[email protected]]
> Sent: Wednesday, November 18, 2015 9:38 PM
> To: [email protected]; Steve Moyer <[email protected]>
> Subject: RE: How to request a forwardable ticket?
>
> Hi Steve,
>
> Thanks for your digging!
>
> >> Here's the snippet of code I created to copy the KrbOptions to
> >> KdcOptions ... I think this was the designed intention ...
> I'm wondering if it could be better if we explicitly check the KdcOption-
> related options contained in the KrbOptions passed from the layer above. For
> example:
>
>     if (requestOptions.contains(KrbOption.FORWARDABLE)) {
>         asRequest.getKdcOptions().setFlag(KdcOption.FORWARDABLE);
>     }
>
> >> Is a pull request on GitHub the easiest way to send you code changes or
> >> would you prefer patches attached to the issues in Jira?
> If it's convenient for you to generate a patch and upload it to the JIRA, that
> would be great, but a GH PR should work for us as well!
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Steve Moyer [mailto:[email protected]]
> Sent: Wednesday, November 18, 2015 9:18 PM
> To: [email protected]
> Subject: Re: How to request a forwardable ticket?
>
> I've got working code for FORWARDABLE AND PROXIABLE ... I've been looking
> at the changes needed for RENEWABLE_OK (and maybe other flags).
>
> Right now the code feels a bit strange.  I set a flag in KrbOptions and
> I'm converting the appropriate flags to KdcOptions, then generating the
> bitmap.  Should this really be happening just by matching the enum name()
> from KrbOption to KdcOption?  DIRKRB-449 (
> https://issues.apache.org/jira/browse/DIRKRB-449) is resolved as of
> commit 9e504bd785d894491bd8f4fbe2359f346d951299 (
> https://github.com/apache/directory-kerby/commit/c3c778f3af0fe2a187c10447682bf12b9bed7c6d),
> so the flags in the AsRequest are set properly.
>
> Here's the snippet of code I created to copy the KrbOptions to KdcOptions
> ... I think this was the designed intention:
>
>         KdcOptions kdcOptions = new KdcOptions();
>         for (KOption koption: requestOptions.getOptions()) {
>             try {
>               KdcOption kdcOption = KdcOption.valueOf(koption.getOptionName());
>               kdcOptions.setFlag(kdcOption, requestOptions.getBooleanOption(koption, false));
>             } catch (IllegalArgumentException | NullPointerException e) {
>               // It's completely acceptable that a request option is NOT a KdcOption
>               // but PMD doesn't like empty finally or catch blocks - here's a message
>               // just for you!
>               e.getMessage();
>             }
>         }
>
>         asRequest.setKdcOptions(kdcOptions);
>
> DIRKRB-450 (https://issues.apache.org/jira/browse/DIRKRB-450) was
> assigned to me and I'll try to get a pull request for this code issued
> today.  As noted below, DIRKRB-452 (
> https://issues.apache.org/jira/browse/DIRKRB-452) is also required for
> those using the KinitTool (at the moment, I'm requesting TGTs
> programmatically).
>
> Kai and Jia:
>
> Is a pull request on GitHub the easiest way to send you code changes or
> would you prefer patches attached to the issues in Jira?
>
> Steve
>
> --
>
> “The mark of the immature man is that he wants to die nobly for a cause,
> while the mark of the mature man is that he wants to live humbly for one.”
> - Wilhelm Stekel
>
> ----- Original Message -----
> From: "Zheng, Kai" <[email protected]>
> To: [email protected]
> Sent: Tuesday, November 17, 2015 10:18:09 PM
> Subject: RE: How to request a forwardable ticket?
>
> Looks like we're hitting this issue, which isn't resolved yet. I was
> mistaken.
> https://issues.apache.org/jira/browse/DIRKRB-452
>
>
> -----Original Message-----
> From: Zheng, Kai [mailto:[email protected]]
> Sent: Wednesday, November 18, 2015 11:10 AM
> To: [email protected]
> Subject: RE: How to request a forwardable ticket?
>
> OK, I see. Looks like KrbOption.FORWARDABLE in request options isn't passed
> down to KdcOptions for the final AsReq.
> Will take a look and possibly fix it soon.
>
> -----Original Message-----
> From: Marc Boorshtein [mailto:[email protected]]
> Sent: Wednesday, November 18, 2015 10:43 AM
> To: [email protected]
> Subject: Re: How to request a forwardable ticket?
>
> Thanks Kai, I'm having the same issue with the latest code.  Here's the
> pull log:
>
> remote: Counting objects: 467, done.
> remote: Compressing objects: 100% (70/70), done.
> remote: Total 143 (delta 47), reused 0 (delta 0)
> Receiving objects: 100% (143/143), 12.23 KiB | 0 bytes/s, done.
> Resolving deltas: 100% (47/47), completed with 35 local objects.
> From https://git1-us-west.apache.org/repos/asf/directory-kerby
>    955a845..d18ad29  master     -> origin/master
> Updating 955a845..d18ad29
> Fast-forward
>  .../zookeeper-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/ZookeeperIdentityBackend.java | 8 +--
>  kerby-config/src/main/java/org/apache/kerby/config/Conf.java | 48 +++++++++---------
>  kerby-config/src/main/java/org/apache/kerby/config/Config.java | 35 +++++++------
>  kerby-config/src/main/java/org/apache/kerby/config/ConfigImpl.java | 71 +++++++++++++++-----------
>  kerby-config/src/test/java/org/apache/kerby/config/ConfTest.java | 11 ++--
>  kerby-dist/kdc-dist/assembly.xml | 2 +
>  kerby-dist/tool-dist/assembly.xml | 2 +
>  kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfig.java | 43 ++++++++++------
>  kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfigKey.java | 2 +-
>  kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/AbstractInternalKrbClient.java | 8 +++
>  kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java | 10 ++--
>  .../kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/TestKrbConfigLoadWithDefaultRealm.java | 45 +++++++++++++++++
>  kerby-kerb/kerb-client/src/test/resources/krb5-kdcrealm.conf | 19 +++++++
>  kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbConfHelper.java | 17 ++++---
>  kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestAsReqCodec.java | 3 +-
>  kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestTgsReqCodec.java | 5 +-
>  kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KrbFlags.java | 28 ++++++-----
>  kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/spec/base/KrbFlagsTest.java | 155 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java | 44 +++++++++-------
>  kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcUtil.java | 2 +-
>  20 files changed, 420 insertions(+), 138 deletions(-)
>  create mode 100644 kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/TestKrbConfigLoadWithDefaultRealm.java
>  create mode 100644 kerby-kerb/kerb-client/src/test/resources/krb5-kdcrealm.conf
>  create mode 100644 kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/spec/base/KrbFlagsTest.java
>
>
> On Tue, Nov 17, 2015 at 9:32 PM, Zheng, Kai <[email protected]> wrote:
>
> > Hi Marc,
> >
> > There're recent contribution fixes related to this from Steve. Would
> > you checkout and update to the latest codes?
> >
> > commit c3c778f3af0fe2a187c10447682bf12b9bed7c6d
> > Author: plusplusjiajia <[email protected]>
> > Date:   Tue Nov 17 15:08:59 2015 +0800
> >
> >     DIRKRB-449 Fix the bit manipulation functions in KrbFlags. Contributed by Steve.
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Marc Boorshtein [mailto:[email protected]]
> > Sent: Wednesday, November 18, 2015 10:27 AM
> > To: [email protected]
> > Subject: How to request a forwardable ticket?
> >
> > I can't seem to work out how to specify any options for a ticket.  For
> > s4u the TGT and SGTs need to be forwardable.  Here's my code so far:
> >
> >         KOptions requestOptions = new KOptions();
> >         requestOptions.add(KrbOption.CLIENT_PRINCIPAL, "HTTP/[email protected]");
> >         requestOptions.add(KrbOption.USE_KEYTAB, true);
> >         requestOptions.add(KrbOption.KEYTAB_FILE, new File("/Users/mlb/Documents/localdev.keytab"));
> >         requestOptions.add(KrbOption.FORWARDABLE, true);
> >
> >         TgtTicket tgt = kerb.requestTgtWithOptions(requestOptions);
> >
> > Looking at the code it doesn't look like the options are ever picked up.
> > Any thoughts on how to set the forwardable flag?
> >
> > Thanks
> >
> > Marc
> >
>
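
Added example, not part of the original thread and not Kerby code: an explicit table from client request options to KDC option flags, as an alternative to matching enum names, plus a decoder for checking which flags a captured kdc-options value carries. The class and enum names are hypothetical stand-ins; the bit positions are the KDCOptions positions from RFC 4120 (bit 0 is the most significant bit).

```java
import java.util.EnumMap;
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;

public class KdcOptionMapping {
    // Hypothetical client-side options (stand-ins, not Kerby's KrbOption).
    enum ClientOption { FORWARDABLE, PROXIABLE, RENEWABLE_OK, USE_KEYTAB }

    // KDCOptions bit positions from RFC 4120; bit 0 is the most significant bit.
    enum KdcFlag {
        FORWARDABLE(1), PROXIABLE(3), RENEWABLE(8), RENEWABLE_OK(27);
        final int bit;
        KdcFlag(int bit) { this.bit = bit; }
        int mask() { return 1 << (31 - bit); }
    }

    // Explicit table: an option with no entry here is deliberately not a KDC flag,
    // so nothing depends on two enums happening to share a constant name.
    static final Map<ClientOption, KdcFlag> EXPLICIT = new EnumMap<>(ClientOption.class);
    static {
        EXPLICIT.put(ClientOption.FORWARDABLE, KdcFlag.FORWARDABLE);
        EXPLICIT.put(ClientOption.PROXIABLE, KdcFlag.PROXIABLE);
        EXPLICIT.put(ClientOption.RENEWABLE_OK, KdcFlag.RENEWABLE_OK);
    }

    // Build the 32-bit kdc-options value for the requested client options.
    static int toBitmap(Set<ClientOption> requested) {
        int bitmap = 0;
        for (ClientOption opt : requested) {
            KdcFlag flag = EXPLICIT.get(opt);
            if (flag != null) bitmap |= flag.mask();
        }
        return bitmap;
    }

    // Decode a kdc-options value (for example, one read from a packet capture).
    static Set<KdcFlag> decode(int bitmap) {
        Set<KdcFlag> flags = EnumSet.noneOf(KdcFlag.class);
        for (KdcFlag f : KdcFlag.values()) {
            if ((bitmap & f.mask()) != 0) flags.add(f);
        }
        return flags;
    }

    public static void main(String[] args) {
        Set<ClientOption> req = EnumSet.of(ClientOption.FORWARDABLE, ClientOption.PROXIABLE,
                ClientOption.RENEWABLE_OK, ClientOption.USE_KEYTAB);
        int bitmap = toBitmap(req);  // USE_KEYTAB contributes no bit
        System.out.printf("kdc-options = 0x%08x -> %s%n", bitmap, decode(bitmap));
    }
}
```

Running the decoder over the kdc-options field of both the AS-REQ and the TGS-REQ shows whether a flag was dropped for the service ticket request only.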
