Sounds like a good exercise to me. I'll take a crack at it tomorrow. Thanks

On Wed, Nov 18, 2015 at 9:33 PM, Zheng, Kai <[email protected]> wrote:

> Hi Marc,
>
> If it's missed there, how about adding it similarly? Thanks.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Marc Boorshtein [mailto:[email protected]]
> Sent: Thursday, November 19, 2015 10:29 AM
> To: [email protected]
> Subject: Re: How to request a forwardable ticket?
>
> Kai & Steve,
>
> Thanks for tackling this so quickly! For TGT the request IS being sent as
> forward-able, but for SGT it still isn't. Also, which of the KrbOptions
> lines up with RENEWABLE_OK? I only see RENEW and RENEW_TIME.
>
> Thanks!
>
> On Wed, Nov 18, 2015 at 8:56 AM, Zheng, Kai <[email protected]> wrote:
>
> > Marc,
> >
> > As Steve noted, the MIT kinit program sets FORWARDABLE, PROXIABLE and
> > RENEWABLE_OK by default. We can and should do that. So if what you
> > need is to request a forwardable ticket, please do it over there as a
> > quick work way for you. The default flags can be set in the KdcRequest
> > constructor where kdcOptions is just created. I will go to sleep now :).
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Zheng, Kai [mailto:[email protected]]
> > Sent: Wednesday, November 18, 2015 9:38 PM
> > To: [email protected]; Steve Moyer <[email protected]>
> > Subject: RE: How to request a forwardable ticket?
> >
> > Hi Steve,
> >
> > Thanks for your digging!
> >
> > >> Here's the snippet of code I created to copy the KrbOptions to KdcOptions ... I think this was the designed intention ...
> > I'm wondering if it could be better if we check explicitly the
> > KdcOption related options contained in KrbOptions passed from above
> > layer. For example,
> >
> >     if (requestOptions.contains(KrbOption.FORWARDABLE)) {
> >         asRequest.getKdcOptions().setFlag(KdcOption.FORWARDABLE);
> >     }
> >
> > >> Is a pull request on GitHub the easiest way to send you code changes or
> > >> would you prefer patches attached to the issues in Jira?
> > If you're convenient to generate a patch and upload it to the JIRA, it
> > would be great, but GH PR should also work for us as well!
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Steve Moyer [mailto:[email protected]]
> > Sent: Wednesday, November 18, 2015 9:18 PM
> > To: [email protected]
> > Subject: Re: How to request a forwardable ticket?
> >
> > I've got working code for FORWARDABLE AND PROXIABLE ... I've been
> > looking at the changes needed for RENEWABLE_OK (and maybe other flags).
> >
> > Right now the code feels a bit strange. I set a flag in KrbOptions
> > and I'm converting the appropriate flags to KdcOptions, then
> > generating the bitmap. Should this really be happening just by
> > matching the enum name() from KrbOption to KdcOption? DIRKRB-449
> > (https://issues.apache.org/jira/browse/DIRKRB-449) is resolved as of
> > commit 9e504bd785d894491bd8f4fbe2359f346d951299
> > (https://github.com/apache/directory-kerby/commit/c3c778f3af0fe2a187c10447682bf12b9bed7c6d),
> > so the flags in the AsRequest are set properly.
> >
> > Here's the snippet of code I created to copy the KrbOptions to
> > KdcOptions ... I think this was the designed intention:
> >
> >     KdcOptions kdcOptions = new KdcOptions();
> >     for (KOption koption : requestOptions.getOptions()) {
> >         try {
> >             KdcOption kdcOption = KdcOption.valueOf(koption.getOptionName());
> >             kdcOptions.setFlag(kdcOption,
> >                     requestOptions.getBooleanOption(koption, false));
> >         } catch (IllegalArgumentException | NullPointerException e) {
> >             // It's completely acceptable that a request option is NOT a KdcOption
> >             // but PMD doesn't like empty finally or catch blocks - here's a message
> >             // just for you!
> >             e.getMessage();
> >         }
> >     }
> >
> >     asRequest.setKdcOptions(kdcOptions);
> >
> > DIRKRB-450 (https://issues.apache.org/jira/browse/DIRKRB-450) was
> > assigned to me and I'll try to get a pull request for this code issued today.
> > As noted below, DIRKRB-452 (https://issues.apache.org/jira/browse/DIRKRB-452)
> > is also required for those using the KinitTool (at the moment, I'm
> > requesting TGTs programmatically).
> >
> > Kai and Jia:
> >
> > Is a pull request on GitHub the easiest way to send you code changes
> > or would you prefer patches attached to the issues in Jira?
> >
> > Steve
> >
> > --
> >
> > “The mark of the immature man is that he wants to die nobly for a
> > cause, while the mark of the mature man is that he wants to live humbly
> > for one.”
> > - Wilhelm Stekel
> >
> > ----- Original Message -----
> > From: "Zheng, Kai" <[email protected]>
> > To: [email protected]
> > Sent: Tuesday, November 17, 2015 10:18:09 PM
> > Subject: RE: How to request a forwardable ticket?
> >
> > Looks like we're hitting this issue, which isn't resolved yet. I got
> > some mistaken.
> > https://issues.apache.org/jira/browse/DIRKRB-452
> >
> > -----Original Message-----
> > From: Zheng, Kai [mailto:[email protected]]
> > Sent: Wednesday, November 18, 2015 11:10 AM
> > To: [email protected]
> > Subject: RE: How to request a forwardable ticket?
> >
> > Ok, see. Looks like KrbOption.FORWARDABLE in request options isn't
> > passed down to KdcOptions for the final AsReq.
> > Will take a look and possibly fix it soon.
> >
> > -----Original Message-----
> > From: Marc Boorshtein [mailto:[email protected]]
> > Sent: Wednesday, November 18, 2015 10:43 AM
> > To: [email protected]
> > Subject: Re: How to request a forwardable ticket?
> >
> > Thanks Kai, I'm having the same issue with the latest code. Here's
> > the pull log:
> >
> > remote: Counting objects: 467, done.
> > remote: Compressing objects: 100% (70/70), done.
> > remote: Total 143 (delta 47), reused 0 (delta 0)
> > Receiving objects: 100% (143/143), 12.23 KiB | 0 bytes/s, done.
> > Resolving deltas: 100% (47/47), completed with 35 local objects.
> > From https://git1-us-west.apache.org/repos/asf/directory-kerby
> >    955a845..d18ad29  master -> origin/master
> > Updating 955a845..d18ad29
> > Fast-forward
> >  .../zookeeper-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/ZookeeperIdentityBackend.java | 8 +--
> >  kerby-config/src/main/java/org/apache/kerby/config/Conf.java | 48 +++++++++---------
> >  kerby-config/src/main/java/org/apache/kerby/config/Config.java | 35 +++++++------
> >  kerby-config/src/main/java/org/apache/kerby/config/ConfigImpl.java | 71 +++++++++++++++-----------
> >  kerby-config/src/test/java/org/apache/kerby/config/ConfTest.java | 11 ++--
> >  kerby-dist/kdc-dist/assembly.xml | 2 +
> >  kerby-dist/tool-dist/assembly.xml | 2 +
> >  kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfig.java | 43 ++++++++++------
> >  kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfigKey.java | 2 +-
> >  kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/AbstractInternalKrbClient.java | 8 +++
> >  kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java | 10 ++--
> >  .../kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/TestKrbConfigLoadWithDefaultRealm.java | 45 +++++++++++++++++
> >  kerby-kerb/kerb-client/src/test/resources/krb5-kdcrealm.conf | 19 +++++++
> >  kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbConfHelper.java | 17 ++++---
> >  kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestAsReqCodec.java | 3 +-
> >  kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestTgsReqCodec.java | 5 +-
> >  kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KrbFlags.java | 28 ++++++-----
> >  kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/spec/base/KrbFlagsTest.java | 155 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> >  kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java | 44 +++++++++-------
> >  kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcUtil.java | 2 +-
> >  20 files changed, 420 insertions(+), 138 deletions(-)
> >  create mode 100644 kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/TestKrbConfigLoadWithDefaultRealm.java
> >  create mode 100644 kerby-kerb/kerb-client/src/test/resources/krb5-kdcrealm.conf
> >  create mode 100644 kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/spec/base/KrbFlagsTest.java
> >
> > On Tue, Nov 17, 2015 at 9:32 PM, Zheng, Kai <[email protected]> wrote:
> >
> > > Hi Marc,
> > >
> > > There're recent contribution fixes related to this from Steve. Would
> > > you checkout and update to the latest codes?
> > >
> > > commit c3c778f3af0fe2a187c10447682bf12b9bed7c6d
> > > Author: plusplusjiajia <[email protected]>
> > > Date:   Tue Nov 17 15:08:59 2015 +0800
> > >
> > >     DIRKRB-449 Fix the bit manipulation functions in KrbFlags.
> > >     Contributed by Steve.
> > >
> > > Regards,
> > > Kai
> > >
> > > -----Original Message-----
> > > From: Marc Boorshtein [mailto:[email protected]]
> > > Sent: Wednesday, November 18, 2015 10:27 AM
> > > To: [email protected]
> > > Subject: How to request a forwardable ticket?
> > >
> > > I can't seem to work out how to specify any options for a ticket.
> > > For s4u the TGT and SGTs need to be forwardable.
> > > Here's my code so far:
> > >
> > >     KOptions requestOptions = new KOptions();
> > >     requestOptions.add(KrbOption.CLIENT_PRINCIPAL, "HTTP/[email protected]");
> > >     requestOptions.add(KrbOption.USE_KEYTAB, true);
> > >     requestOptions.add(KrbOption.KEYTAB_FILE, new File("/Users/mlb/Documents/localdev.keytab"));
> > >     requestOptions.add(KrbOption.FORWARDABLE, true);
> > >
> > >     TgtTicket tgt = kerb.requestTgtWithOptions(requestOptions);
> > >
> > > Looking at the code it doesn't look like the options are ever picked up.
> > > Any thoughts on how to set the forwardable flag?
> > >
> > > Thanks
> > >
> > > Marc
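
The explicit option-to-flag mapping discussed in the thread, as an added stand-alone example; it is not Kerby code and not from any participant. `KdcFlag`, `ReqOption` and `TO_KDC` are hypothetical names, the bit numbers are the KDCOptions positions from RFC 4120, and the request in `main` is constructed sample input.

```java
import java.util.EnumMap;
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;

public class KdcOptionMapping {
    // KDCOptions bit numbers from RFC 4120; bit 0 is the most significant of 32.
    enum KdcFlag {
        FORWARDABLE(1), PROXIABLE(3), RENEWABLE(8), RENEWABLE_OK(27);
        final int bit;
        KdcFlag(int bit) { this.bit = bit; }
        int mask() { return 1 << (31 - bit); }
    }

    // Hypothetical request options: USE_KEYTAB is client-side only and has no KDC flag.
    enum ReqOption { USE_KEYTAB, FORWARDABLE, PROXIABLE, RENEWABLE, RENEWABLE_OK }

    // Explicit table: an unmapped option is skipped by lookup, not by a swallowed exception.
    static final Map<ReqOption, KdcFlag> TO_KDC = Map.of(
            ReqOption.FORWARDABLE, KdcFlag.FORWARDABLE,
            ReqOption.PROXIABLE, KdcFlag.PROXIABLE,
            ReqOption.RENEWABLE, KdcFlag.RENEWABLE,
            ReqOption.RENEWABLE_OK, KdcFlag.RENEWABLE_OK);

    // One encoder for both AS-REQ and TGS-REQ, so TGT and service-ticket requests carry the same flags.
    static int encode(Map<ReqOption, Boolean> requested) {
        int bits = 0;
        for (Map.Entry<ReqOption, Boolean> e : requested.entrySet()) {
            KdcFlag flag = TO_KDC.get(e.getKey());
            if (flag != null && Boolean.TRUE.equals(e.getValue())) bits |= flag.mask();
        }
        return bits;
    }

    // Decode a kdc-options value back to flag names, e.g. when reading a packet capture.
    static Set<KdcFlag> decode(int bits) {
        Set<KdcFlag> set = EnumSet.noneOf(KdcFlag.class);
        for (KdcFlag f : KdcFlag.values()) if ((bits & f.mask()) != 0) set.add(f);
        return set;
    }

    public static void main(String[] args) {
        Map<ReqOption, Boolean> req = new EnumMap<>(ReqOption.class); // constructed sample request
        req.put(ReqOption.USE_KEYTAB, true);      // no KDC flag: ignored by encode()
        req.put(ReqOption.FORWARDABLE, true);
        req.put(ReqOption.PROXIABLE, true);
        req.put(ReqOption.RENEWABLE, false);      // present but false: bit stays clear
        req.put(ReqOption.RENEWABLE_OK, true);
        int bits = encode(req);
        System.out.printf("kdc-options=0x%08x %s%n", bits, decode(bits));
    }
}
```

Comparing the decoded set against the options the caller asked for, for both the TGT and the service-ticket request, catches the case reported above where a flag is set on one request type but never reaches the other.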
