I've merged in all the new changes from Kai and Steve. I get a TGT without
issue, but now I'm getting the following error from freeipa (built on MIT
kerberos):
Nov 20 09:38:40 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 etypes {17}) 10.8.0.2: ISSUE: authtime 1448030320, etypes {rep=17 tkt=18 ses=17}, HTTP/[email protected] for krbtgt/[email protected]
Nov 20 09:38:40 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes {17}) 10.8.0.2: PROCESS_TGS: authtime 0, <unknown client> for HTTP/[email protected], ASN.1 structure is missing a required field
Now unfortunately it's not saying WHAT the missing field is. I've got a
control set up to make the same request in Java using the same keytab for
the same resources. Here's the TGS request that works using the standard
Java Kerberos libraries:
No. Time Source Destination Protocol Length Info
84 4.103473000 10.8.0.2 192.168.2.166 KRB5 693 TGS-REQ
Frame 84: 693 bytes on wire (5544 bits), 693 bytes captured (5544 bits) on
interface 3
Interface id: 3 (utun0)
Encapsulation type: NULL (15)
Arrival Time: Nov 20, 2015 11:47:55.953694000 EST
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1448038075.953694000 seconds
[Time delta from previous captured frame: 0.019420000 seconds]
[Time delta from previous displayed frame: 0.019361000 seconds]
[Time since reference or first frame: 4.103473000 seconds]
Frame Number: 84
Frame Length: 693 bytes (5544 bits)
Capture Length: 693 bytes (5544 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: null:ip:udp:kerberos]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Null/Loopback
Family: IP (2)
Internet Protocol Version 4, Src: 10.8.0.2 (10.8.0.2), Dst: 192.168.2.166
(192.168.2.166)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not
ECN-Capable Transport) (0x00)
Total Length: 689
Identification: 0x175e (5982)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0x9386 [validation disabled]
[Good: False]
[Bad: False]
Source: 10.8.0.2 (10.8.0.2)
Destination: 192.168.2.166 (192.168.2.166)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 49177 (49177), Dst Port: 88 (88)
Source Port: 49177 (49177)
Destination Port: 88 (88)
Length: 669
Checksum: 0x8f4e [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
[Stream index: 8]
Kerberos
tgs-req
pvno: 5
msg-type: krb-tgs-req (12)
padata: 1 item
PA-DATA PA-TGS-REQ
padata-type: kRB5-PADATA-TGS-REQ (1)
padata-value:
6e8201fa308201f6a003020105a10302010ea20703050000...
ap-req
pvno: 5
msg-type: krb-ap-req (14)
Padding: 0
ap-options: 00000000
0... .... = reserved: False
.0.. .... = use-session-key: False
..0. .... = mutual-required: False
ticket
tkt-vno: 5
realm: RHELENT.LAN
sname
name-type: kRB5-NT-SRV-INST (2)
name-string: 2 items
KerberosString: krbtgt
KerberosString: RHELENT.LAN
enc-part
etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
kvno: 1
cipher:
28198273460862c515248752f713987ea6857b206fe8fe86...
authenticator
etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
cipher:
9101cb1fb3694bbc9cfb972c73711cb8e33d59e1de7fdb1a...
req-body
Padding: 0
kdc-options: 40000000 (forwardable)
0... .... = reserved: False
.1.. .... = forwardable: True
..0. .... = forwarded: False
...0 .... = proxiable: False
.... 0... = proxy: False
.... .0.. = allow-postdate: False
.... ..0. = postdated: False
.... ...0 = unused7: False
0... .... = renewable: False
.0.. .... = unused9: False
..0. .... = unused10: False
...0 .... = opt-hardware-auth: False
.... ..0. = request-anonymous: False
.... ...0 = canonicalize: False
0... .... = constrained-delegation: False
..0. .... = disable-transited-check: False
...0 .... = renewable-ok: False
.... 0... = enc-tkt-in-skey: False
.... ..0. = renew: False
.... ...0 = validate: False
realm: RHELENT.LAN
sname
name-type: kRB5-NT-UNKNOWN (0)
name-string: 2 items
KerberosString: HTTP
KerberosString: freeipa.rhelent.lan
till: 1970-01-01 00:00:00 (UTC)
nonce: 1040086776
etype: 3 items
ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)
ENCTYPE: eTYPE-DES3-CBC-SHA1 (16)
and from Kerby:
No. Time Source Destination Protocol Length Info
2888 255.037980000 10.8.0.2 192.168.2.166 KRB5 742 TGS-REQ
Frame 2888: 742 bytes on wire (5936 bits), 742 bytes captured (5936 bits)
on interface 3
Interface id: 3 (utun0)
Encapsulation type: NULL (15)
Arrival Time: Nov 20, 2015 11:52:06.888201000 EST
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1448038326.888201000 seconds
[Time delta from previous captured frame: -0.000117000 seconds]
[Time delta from previous displayed frame: 0.010323000 seconds]
[Time since reference or first frame: 255.037980000 seconds]
Frame Number: 2888
Frame Length: 742 bytes (5936 bits)
Capture Length: 742 bytes (5936 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: null:ip:udp:kerberos]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Null/Loopback
Family: IP (2)
Internet Protocol Version 4, Src: 10.8.0.2 (10.8.0.2), Dst: 192.168.2.166
(192.168.2.166)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not
ECN-Capable Transport) (0x00)
Total Length: 738
Identification: 0x226e (8814)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0x8845 [validation disabled]
[Good: False]
[Bad: False]
Source: 10.8.0.2 (10.8.0.2)
Destination: 192.168.2.166 (192.168.2.166)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 56122 (56122), Dst Port: 88 (88)
Source Port: 56122 (56122)
Destination Port: 88 (88)
Length: 718
Checksum: 0x461a [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
[Stream index: 30]
Kerberos
tgs-req
pvno: 5
msg-type: krb-tgs-req (12)
padata: 1 item
PA-DATA PA-TGS-REQ
padata-type: kRB5-PADATA-TGS-REQ (1)
padata-value:
6e8201f8308201f4a003020105a10302010ea20703050000...
ap-req
pvno: 5
msg-type: krb-ap-req (14)
Padding: 0
ap-options: 00000000
0... .... = reserved: False
.0.. .... = use-session-key: False
..0. .... = mutual-required: False
ticket
tkt-vno: 5
realm: RHELENT.LAN
sname
name-type: kRB5-NT-PRINCIPAL (1)
name-string: 2 items
KerberosString: krbtgt
KerberosString: RHELENT.LAN
enc-part
etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
kvno: 1
cipher:
1bea5e1ce7205e55dd088dc647222d5a20d62c41a172c0b4...
authenticator
etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
kvno: 255
cipher:
dd243f0d6aaa9c03a6e6737b18ca8510d4bfac33296a07d2...
req-body
Padding: 0
kdc-options: 40000000 (forwardable)
0... .... = reserved: False
.1.. .... = forwardable: True
..0. .... = forwarded: False
...0 .... = proxiable: False
.... 0... = proxy: False
.... .0.. = allow-postdate: False
.... ..0. = postdated: False
.... ...0 = unused7: False
0... .... = renewable: False
.0.. .... = unused9: False
..0. .... = unused10: False
...0 .... = opt-hardware-auth: False
.... ..0. = request-anonymous: False
.... ...0 = canonicalize: False
0... .... = constrained-delegation: False
..0. .... = disable-transited-check: False
...0 .... = renewable-ok: False
.... 0... = enc-tkt-in-skey: False
.... ..0. = renew: False
.... ...0 = validate: False
cname
name-type: kRB5-NT-PRINCIPAL (1)
name-string: 2 items
KerberosString: HTTP
KerberosString: s4u.rhelent.lan
realm: RHELENT.LAN
sname
name-type: kRB5-NT-PRINCIPAL (1)
name-string: 2 items
KerberosString: HTTP
KerberosString: freeipa.rhelent.lan
from: 2015-11-20 16:52:06 (UTC)
till: 2015-11-21 00:52:06 (UTC)
nonce: 984126497
etype: 1 item
ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
The differences I see are:
1. The authenticator from Kerby's PA-TGS-REQ has a kvno=255; Java doesn't
have that attribute.
2. Kerby has a cname section with the name of the client; Java's
implementation does not.
3. Kerby's SNAME has a name-type of KRB5-NT-PRINCIPAL, whereas Java's is
KRB5-NT-UNKNOWN.
4. Kerby has a "from"; Java does not.
5. Kerby's from and till are real dates; Java's is expired.
My guess is the issue is #3? I'm thinking I can set that in the options.
I already added a method that lets me get an SGT with options (like the
tgtWithOptions method). I'll see if there's a way to specify the principal
type from there. Anything else stand out?
Thanks
Marc
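A small diagnostic to go with the thread above, written for this page and not part of Kerby or MIT Kerberos: it walks the DER of a KDC-REQ-BODY (RFC 4120 section 5.4.1) and reports which context-tagged fields are present, so a KDC's "missing a required field" can be narrowed to a specific tag rather than guessed from the dissector view. The sample bodies are constructed here from the field values shown in the Kerby capture (not the captured bytes, which the post truncates), and the required/optional split is RFC 4120's, which marks cname, sname and from as OPTIONAL.

```python
# Constructed example: DER walker for a Kerberos KDC-REQ-BODY (RFC 4120 5.4.1).
# Context tag -> (field name, required by the ASN.1 module?)
REQ_BODY_FIELDS = {
    0: ("kdc-options", True), 1: ("cname", False), 2: ("realm", True),
    3: ("sname", False), 4: ("from", False), 5: ("till", True),
    6: ("rtime", False), 7: ("nonce", True), 8: ("etype", True),
    9: ("addresses", False), 10: ("enc-authorization-data", False),
    11: ("additional-tickets", False),
}

def der_len(n: int) -> bytes:
    """DER length, short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def ctx(n: int, content: bytes) -> bytes:
    """EXPLICIT context-specific constructed tag [n] (0xA0 | n)."""
    return tlv(0xA0 | n, content)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def present_fields(req_body: bytes) -> set:
    """Context tag numbers found directly under the outer SEQUENCE."""
    tag, content, _ = read_tlv(req_body, 0)
    assert tag == 0x30, "KDC-REQ-BODY must be a SEQUENCE"
    found, pos = set(), 0
    while pos < len(content):
        t, _, pos = read_tlv(content, pos)
        if (t & 0xC0) == 0x80:              # context-specific class
            found.add(t & 0x1F)
    return found

def missing_required(req_body: bytes) -> list:
    """Names of required fields absent from the body, in tag order."""
    found = present_fields(req_body)
    return [name for n, (name, req) in REQ_BODY_FIELDS.items()
            if req and n not in found]

def principal(name_type: int, *parts: str) -> bytes:
    """PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }."""
    strings = b"".join(tlv(0x1B, p.encode()) for p in parts)   # 0x1B = GeneralString
    return tlv(0x30, ctx(0, tlv(0x02, bytes([name_type]))) + ctx(1, tlv(0x30, strings)))

def sample_body(include_till: bool) -> bytes:
    """Constructed KDC-REQ-BODY modelled on the Kerby request; till is dropped on request."""
    fields = ctx(0, tlv(0x03, bytes([0, 0x40, 0, 0, 0])))        # kdc-options: forwardable
    fields += ctx(1, principal(1, "HTTP", "s4u.rhelent.lan"))    # cname (optional)
    fields += ctx(2, tlv(0x1B, b"RHELENT.LAN"))                   # realm
    fields += ctx(3, principal(1, "HTTP", "freeipa.rhelent.lan")) # sname (optional)
    if include_till:
        fields += ctx(5, tlv(0x18, b"20151121005206Z"))          # till, GeneralizedTime
    fields += ctx(7, tlv(0x02, (984126497).to_bytes(4, "big")))  # nonce
    fields += ctx(8, tlv(0x30, tlv(0x02, b"\x11")))              # etype: {17}
    return tlv(0x30, fields)
```

Running `missing_required` on a body captured from the client (the req-body TLV inside the TGS-REQ) lists exactly which RFC-mandatory tags are absent; the constructed body here is over 127 bytes, so the long-form length path is exercised too.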