I apparently didn't push that file to GitHub along with the others ... sorry for the confusion. I can do that tomorrow if Marc doesn't. I had simply added RENEWABLE_OK above RENEW in the KrbOption enum (https://github.com/apache/directory-kerby/blob/master/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbOption.java).

Steve

--

“The mark of the immature man is that he wants to die nobly for a cause, while the mark of the mature man is that he wants to live humbly for one.” - Wilhelm Stekel

----- Original Message -----
From: "Zheng, Kai" <[email protected]>
To: [email protected]
Sent: Wednesday, November 18, 2015 9:40:29 PM
Subject: RE: How to request a forwardable ticket?

Great. I thought we need it. Note Steve is also looking at the changes needed for RENEWABLE_OK (and maybe other flags) (from his email), so let's keep synced. Thanks.

-----Original Message-----
From: Marc Boorshtein [mailto:[email protected]]
Sent: Thursday, November 19, 2015 10:35 AM
To: [email protected]
Subject: Re: How to request a forwardable ticket?

Sounds like a good exercise to me. I'll take a crack at it tomorrow.

Thanks

On Wed, Nov 18, 2015 at 9:33 PM, Zheng, Kai <[email protected]> wrote:

> Hi Marc,
>
> If it's missed there, how about adding it similarly? Thanks.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Marc Boorshtein [mailto:[email protected]]
> Sent: Thursday, November 19, 2015 10:29 AM
> To: [email protected]
> Subject: Re: How to request a forwardable ticket?
>
> Kai & Steve,
>
> Thanks for tackling this so quickly! For TGT the request IS being sent as forward-able, but for SGT it still isn't. Also, which of the KrbOptions lines up with RENEWABLE_OK? I only see RENEW and RENEW_TIME.
>
> Thanks!
>
> On Wed, Nov 18, 2015 at 8:56 AM, Zheng, Kai <[email protected]> wrote:
>
> > Marc,
> >
> > As Steve noted, the MIT kinit program sets FORWARDABLE, PROXIABLE and RENEWABLE_OK by default. We can and should do that. So if what you need is to request a forwardable ticket, please do it over there as a quick work way for you. The default flags can be set in the KdcRequest constructor where kdcOptions is just created. I will go to sleep now :).
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Zheng, Kai [mailto:[email protected]]
> > Sent: Wednesday, November 18, 2015 9:38 PM
> > To: [email protected]; Steve Moyer <[email protected]>
> > Subject: RE: How to request a forwardable ticket?
> >
> > Hi Steve,
> >
> > Thanks for your digging!
> >
> > >> Here's the snippet of code I created to copy the KrbOptions to KdcOptions ... I think this was the designed intention ...
> > I'm wondering if it could be better if we check explicitly the KdcOption related options contained in KrbOptions passed from above layer. For example,
> >
> >     if (requestOptions.contains(KrbOption.FORWARDABLE)) {
> >         asRequest.getKdcOptions().setFlag(KdcOption.FORWARDABLE);
> >     }
> >
> > >> Is a pull request on GitHub the easiest way to send you code changes or would you prefer patches attached to the issues in Jira?
> > If you're convenient to generate a patch and upload it to the JIRA, it would be great, but GH PR should also work for us as well!
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Steve Moyer [mailto:[email protected]]
> > Sent: Wednesday, November 18, 2015 9:18 PM
> > To: [email protected]
> > Subject: Re: How to request a forwardable ticket?
> >
> > I've got working code for FORWARDABLE AND PROXIABLE ... I've been looking at the changes needed for RENEWABLE_OK (and maybe other flags).
> >
> > Right now the code feels a bit strange. I set a flag in KrbOptions and I'm converting the appropriate flags to KdcOptions, then generating the bitmap. Should this really be happening just by matching the enum name() from KrbOption to KdcOption? DIRKRB-449 (https://issues.apache.org/jira/browse/DIRKRB-449) is resolved as of commit 9e504bd785d894491bd8f4fbe2359f346d951299 (https://github.com/apache/directory-kerby/commit/c3c778f3af0fe2a187c10447682bf12b9bed7c6d), so the flags in the AsRequest are set properly.
> >
> > Here's the snippet of code I created to copy the KrbOptions to KdcOptions ... I think this was the designed intention:
> >
> >     KdcOptions kdcOptions = new KdcOptions();
> >     for (KOption koption : requestOptions.getOptions()) {
> >         try {
> >             KdcOption kdcOption = KdcOption.valueOf(koption.getOptionName());
> >             kdcOptions.setFlag(kdcOption, requestOptions.getBooleanOption(koption, false));
> >         } catch (IllegalArgumentException | NullPointerException e) {
> >             // It's completely acceptable that a request option is NOT a KdcOption
> >             // but PMD doesn't like empty finally or catch blocks - here's a message
> >             // just for you!
> >             e.getMessage();
> >         }
> >     }
> >
> >     asRequest.setKdcOptions(kdcOptions);
> >
> > DIRKRB-450 (https://issues.apache.org/jira/browse/DIRKRB-450) was assigned to me and I'll try to get a pull request for this code issued today. As noted below, DIRKRB-452 (https://issues.apache.org/jira/browse/DIRKRB-452) is also required for those using the KinitTool (at the moment, I'm requesting TGTs programmatically).
> >
> > Kai and Jia:
> >
> > Is a pull request on GitHub the easiest way to send you code changes or would you prefer patches attached to the issues in Jira?
> >
> > Steve
> >
> > --
> >
> > “The mark of the immature man is that he wants to die nobly for a cause, while the mark of the mature man is that he wants to live humbly for one.”
> > - Wilhelm Stekel
> >
> > ----- Original Message -----
> > From: "Zheng, Kai" <[email protected]>
> > To: [email protected]
> > Sent: Tuesday, November 17, 2015 10:18:09 PM
> > Subject: RE: How to request a forwardable ticket?
> >
> > Looks like we're hitting this issue, which isn't resolved yet. I got some mistaken.
> > https://issues.apache.org/jira/browse/DIRKRB-452
> >
> >
> > -----Original Message-----
> > From: Zheng, Kai [mailto:[email protected]]
> > Sent: Wednesday, November 18, 2015 11:10 AM
> > To: [email protected]
> > Subject: RE: How to request a forwardable ticket?
> >
> > Ok, see. Looks like KrbOption.FORWARDABLE in request options isn't passed down to KdcOptions for the final AsReq.
> > Will take a look and possibly fix it soon.
> >
> > -----Original Message-----
> > From: Marc Boorshtein [mailto:[email protected]]
> > Sent: Wednesday, November 18, 2015 10:43 AM
> > To: [email protected]
> > Subject: Re: How to request a forwardable ticket?
> >
> > Thanks Kai, I'm having the same issue with the latest code. Here's the pull log:
> >
> > remote: Counting objects: 467, done.
> > remote: Compressing objects: 100% (70/70), done.
> > remote: Total 143 (delta 47), reused 0 (delta 0)
> > Receiving objects: 100% (143/143), 12.23 KiB | 0 bytes/s, done.
> > Resolving deltas: 100% (47/47), completed with 35 local objects.
> > From https://git1-us-west.apache.org/repos/asf/directory-kerby
> >    955a845..d18ad29  master -> origin/master
> > Updating 955a845..d18ad29
> > Fast-forward
> >  .../zookeeper-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/ZookeeperIdentityBackend.java | 8 +--
> >  kerby-config/src/main/java/org/apache/kerby/config/Conf.java | 48 +++++++++---------
> >  kerby-config/src/main/java/org/apache/kerby/config/Config.java | 35 +++++++-------
> >  kerby-config/src/main/java/org/apache/kerby/config/ConfigImpl.java | 71 +++++++++++++++-----------
> >  kerby-config/src/test/java/org/apache/kerby/config/ConfTest.java | 11 ++--
> >  kerby-dist/kdc-dist/assembly.xml | 2 +
> >  kerby-dist/tool-dist/assembly.xml | 2 +
> >  kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfig.java | 43 ++++++++++------
> >  kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfigKey.java | 2 +-
> >  kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/AbstractInternalKrbClient.java | 8 +++
> >  kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java | 10 ++--
> >  .../kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/TestKrbConfigLoadWithDefaultRealm.java | 45 +++++++++++++++++
> >  kerby-kerb/kerb-client/src/test/resources/krb5-kdcrealm.conf | 19 +++++++
> >  kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbConfHelper.java | 17 ++++---
> >  kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestAsReqCodec.java | 3 +-
> >  kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestTgsReqCodec.java | 5 +-
> >  kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KrbFlags.java | 28 ++++++-----
> >  kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/spec/base/KrbFlagsTest.java | 155 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> >  kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java | 44 +++++++++-------
> >  kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcUtil.java | 2 +-
> >  20 files changed, 420 insertions(+), 138 deletions(-)
> >  create mode 100644 kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/TestKrbConfigLoadWithDefaultRealm.java
> >  create mode 100644 kerby-kerb/kerb-client/src/test/resources/krb5-kdcrealm.conf
> >  create mode 100644 kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/spec/base/KrbFlagsTest.java
> >
> >
> > On Tue, Nov 17, 2015 at 9:32 PM, Zheng, Kai <[email protected]> wrote:
> >
> > > Hi Marc,
> > >
> > > There're recent contribution fixes related to this from Steve. Would you checkout and update to the latest codes?
> > >
> > > commit c3c778f3af0fe2a187c10447682bf12b9bed7c6d
> > > Author: plusplusjiajia <[email protected]>
> > > Date: Tue Nov 17 15:08:59 2015 +0800
> > >
> > >     DIRKRB-449 Fix the bit manipulation functions in KrbFlags. Contributed by Steve.
> > >
> > > Regards,
> > > Kai
> > >
> > > -----Original Message-----
> > > From: Marc Boorshtein [mailto:[email protected]]
> > > Sent: Wednesday, November 18, 2015 10:27 AM
> > > To: [email protected]
> > > Subject: How to request a forwardable ticket?
> > >
> > > I can't seem to work out how to specify any options for a ticket. For s4u the TGT and SGTs need to be forwardable.
> > > Here's my code so far:
> > >
> > >     KOptions requestOptions = new KOptions();
> > >     requestOptions.add(KrbOption.CLIENT_PRINCIPAL, "HTTP/[email protected]");
> > >     requestOptions.add(KrbOption.USE_KEYTAB, true);
> > >     requestOptions.add(KrbOption.KEYTAB_FILE, new File("/Users/mlb/Documents/localdev.keytab"));
> > >     requestOptions.add(KrbOption.FORWARDABLE, true);
> > >     TgtTicket tgt = kerb.requestTgtWithOptions(requestOptions);
> > >
> > > Looking at the code it doesn't look like the options are ever picked up. Any thoughts on how to set the forwardable flag?
> > >
> > > Thanks
> > >
> > > Marc
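
The two approaches discussed in this thread (copying options by matching enum names, and checking the KDC-related options explicitly) are compared below in an added example that is not part of the thread or of Kerby's code. `ClientOption` and `KdcFlag` are hypothetical stand-ins for `KrbOption` and `KdcOption`; the bit numbers are the KDCOptions positions from RFC 4120, and the option map is constructed sample input.

```java
import java.util.EnumMap;
import java.util.EnumSet;
import java.util.Map;

public class KdcFlagMapping {
    // Stand-in for the client option enum (hypothetical subset, not Kerby's KrbOption).
    enum ClientOption { USE_KEYTAB, FORWARDABLE, PROXIABLE, RENEWABLE_OK, RENEW }

    // Stand-in for the KDC option enum; bit numbers follow KDCOptions in RFC 4120.
    enum KdcFlag {
        FORWARDABLE(1), PROXIABLE(3), RENEWABLE_OK(27), RENEW(30);
        private final int bit;
        KdcFlag(int bit) { this.bit = bit; }
        // RFC 4120 counts bit 0 as the most significant bit of the 32-bit field.
        int mask() { return 1 << (31 - bit); }
    }

    // Name matching: any true client option that shares a name with a KDC flag is copied.
    static int byName(Map<ClientOption, Boolean> opts) {
        int bits = 0;
        for (Map.Entry<ClientOption, Boolean> e : opts.entrySet()) {
            try {
                KdcFlag flag = KdcFlag.valueOf(e.getKey().name());
                if (e.getValue()) bits |= flag.mask();
            } catch (IllegalArgumentException notAKdcFlag) {
                continue; // client-only option such as USE_KEYTAB
            }
        }
        return bits;
    }

    // Explicit mapping: only options meant to become ticket flags reach the request.
    static final EnumSet<ClientOption> TICKET_FLAGS =
            EnumSet.of(ClientOption.FORWARDABLE, ClientOption.PROXIABLE, ClientOption.RENEWABLE_OK);

    static int explicit(Map<ClientOption, Boolean> opts) {
        int bits = 0;
        for (ClientOption o : TICKET_FLAGS) {
            if (Boolean.TRUE.equals(opts.get(o))) bits |= KdcFlag.valueOf(o.name()).mask();
        }
        return bits;
    }

    public static void main(String[] args) {
        Map<ClientOption, Boolean> opts = new EnumMap<>(ClientOption.class); // constructed sample
        opts.put(ClientOption.USE_KEYTAB, true);
        opts.put(ClientOption.FORWARDABLE, true);
        opts.put(ClientOption.RENEW, true); // in RFC 4120 RENEW asks to renew a ticket; it is not a flag for a new one
        System.out.printf("by name : 0x%08X%n", byName(opts));
        System.out.printf("explicit: 0x%08X%n", explicit(opts));
    }
}
```

With the sample options, name matching also sets bit 30 (RENEW) in the request bitmap, while the explicit mapping sets only FORWARDABLE.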
