I have fixed the two mentioned issues; please check it out. The JIRAs are linked here: https://issues.apache.org/jira/browse/DIRKRB-234
Will check the other remaining things.

-----Original Message-----
From: Zheng, Kai
Sent: Saturday, November 21, 2015 6:28 AM
To: [email protected]
Subject: RE: KDC is rejecting my TGS

Marc,

Your detail looks pretty good. Thanks! From your observation I copied below, I thought all the differences should be checked. The kvno (255 too large, bet 1) and principal name types for client and server may be the causes that block you, but I'm not very sure. For now, please set the principal type manually, and it would be good to provide a similar comparison for the AS-REQ because that's the starting point. I'm looking into this. Thanks.

The differences I see are:
1. The authenticator from Kerby PA-TGS-REQ has a kvno=255, Java doesn't have that attribute
2. Kerby has a cname section with the name of the client, Java's implementation does not
3. Kerby's SNAME has a name-type of KRB5-NT-Principal whereas Java's is KRB5-NT-Unknown
4. Kerby has a "from", Java does not
5. Kerby's from and till are real dates, Java's is expired

-----Original Message-----
From: Marc Boorshtein [mailto:[email protected]]
Sent: Saturday, November 21, 2015 1:00 AM
To: [email protected]
Subject: KDC is rejecting my TGS

I've merged in all the new changes from Kai and Steve. I get a TGT without issue, but now I'm getting the following error from freeipa (built on MIT kerberos):

Nov 20 09:38:40 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 etypes {17}) 10.8.0.2: ISSUE: authtime 1448030320, etypes {rep=17 tkt=18 ses=17}, HTTP/[email protected] for krbtgt/[email protected]
Nov 20 09:38:40 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes {17}) 10.8.0.2: PROCESS_TGS: authtime 0, <unknown client> for HTTP/[email protected], ASN.1 structure is missing a required field

Now unfortunately it's not saying WHAT the missing field is. I've got a control set up to make the same request in Java using the same keytab for the same resources. Here's the TGS request that works using the standard Java kerberos libraries:

No.     Time           Source      Destination    Protocol Length Info
84      4.103473000    10.8.0.2    192.168.2.166  KRB5     693    TGS-REQ

Frame 84: 693 bytes on wire (5544 bits), 693 bytes captured (5544 bits) on interface 3
    Interface id: 3 (utun0)
    Encapsulation type: NULL (15)
    Arrival Time: Nov 20, 2015 11:47:55.953694000 EST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1448038075.953694000 seconds
    [Time delta from previous captured frame: 0.019420000 seconds]
    [Time delta from previous displayed frame: 0.019361000 seconds]
    [Time since reference or first frame: 4.103473000 seconds]
    Frame Number: 84
    Frame Length: 693 bytes (5544 bits)
    Capture Length: 693 bytes (5544 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: null:ip:udp:kerberos]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Null/Loopback
    Family: IP (2)
Internet Protocol Version 4, Src: 10.8.0.2 (10.8.0.2), Dst: 192.168.2.166 (192.168.2.166)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 689
    Identification: 0x175e (5982)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x9386 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 10.8.0.2 (10.8.0.2)
    Destination: 192.168.2.166 (192.168.2.166)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 49177 (49177), Dst Port: 88 (88)
    Source Port: 49177 (49177)
    Destination Port: 88 (88)
    Length: 669
    Checksum: 0x8f4e [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [Stream index: 8]
Kerberos
    tgs-req
        pvno: 5
        msg-type: krb-tgs-req (12)
        padata: 1 item
            PA-DATA PA-TGS-REQ
                padata-type: kRB5-PADATA-TGS-REQ (1)
                padata-value: 6e8201fa308201f6a003020105a10302010ea20703050000...
                    ap-req
                        pvno: 5
                        msg-type: krb-ap-req (14)
                        Padding: 0
                        ap-options: 00000000
                            0... .... = reserved: False
                            .0.. .... = use-session-key: False
                            ..0. .... = mutual-required: False
                        ticket
                            tkt-vno: 5
                            realm: RHELENT.LAN
                            sname
                                name-type: kRB5-NT-SRV-INST (2)
                                name-string: 2 items
                                    KerberosString: krbtgt
                                    KerberosString: RHELENT.LAN
                            enc-part
                                etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                kvno: 1
                                cipher: 28198273460862c515248752f713987ea6857b206fe8fe86...
                        authenticator
                            etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
                            cipher: 9101cb1fb3694bbc9cfb972c73711cb8e33d59e1de7fdb1a...
        req-body
            Padding: 0
            kdc-options: 40000000 (forwardable)
                0... .... = reserved: False
                .1.. .... = forwardable: True
                ..0. .... = forwarded: False
                ...0 .... = proxiable: False
                .... 0... = proxy: False
                .... .0.. = allow-postdate: False
                .... ..0. = postdated: False
                .... ...0 = unused7: False
                0... .... = renewable: False
                .0.. .... = unused9: False
                ..0. .... = unused10: False
                ...0 .... = opt-hardware-auth: False
                .... ..0. = request-anonymous: False
                .... ...0 = canonicalize: False
                0... .... = constrained-delegation: False
                ..0. .... = disable-transited-check: False
                ...0 .... = renewable-ok: False
                .... 0... = enc-tkt-in-skey: False
                .... ..0. = renew: False
                .... ...0 = validate: False
            realm: RHELENT.LAN
            sname
                name-type: kRB5-NT-UNKNOWN (0)
                name-string: 2 items
                    KerberosString: HTTP
                    KerberosString: freeipa.rhelent.lan
            till: 1970-01-01 00:00:00 (UTC)
            nonce: 1040086776
            etype: 3 items
                ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
                ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)
                ENCTYPE: eTYPE-DES3-CBC-SHA1 (16)

and from Kerby:

No.     Time             Source      Destination    Protocol Length Info
2888    255.037980000    10.8.0.2    192.168.2.166  KRB5     742    TGS-REQ

Frame 2888: 742 bytes on wire (5936 bits), 742 bytes captured (5936 bits) on interface 3
    Interface id: 3 (utun0)
    Encapsulation type: NULL (15)
    Arrival Time: Nov 20, 2015 11:52:06.888201000 EST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1448038326.888201000 seconds
    [Time delta from previous captured frame: -0.000117000 seconds]
    [Time delta from previous displayed frame: 0.010323000 seconds]
    [Time since reference or first frame: 255.037980000 seconds]
    Frame Number: 2888
    Frame Length: 742 bytes (5936 bits)
    Capture Length: 742 bytes (5936 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: null:ip:udp:kerberos]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Null/Loopback
    Family: IP (2)
Internet Protocol Version 4, Src: 10.8.0.2 (10.8.0.2), Dst: 192.168.2.166 (192.168.2.166)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 738
    Identification: 0x226e (8814)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x8845 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 10.8.0.2 (10.8.0.2)
    Destination: 192.168.2.166 (192.168.2.166)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 56122 (56122), Dst Port: 88 (88)
    Source Port: 56122 (56122)
    Destination Port: 88 (88)
    Length: 718
    Checksum: 0x461a [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [Stream index: 30]
Kerberos
    tgs-req
        pvno: 5
        msg-type: krb-tgs-req (12)
        padata: 1 item
            PA-DATA PA-TGS-REQ
                padata-type: kRB5-PADATA-TGS-REQ (1)
                padata-value: 6e8201f8308201f4a003020105a10302010ea20703050000...
                    ap-req
                        pvno: 5
                        msg-type: krb-ap-req (14)
                        Padding: 0
                        ap-options: 00000000
                            0... .... = reserved: False
                            .0.. .... = use-session-key: False
                            ..0. .... = mutual-required: False
                        ticket
                            tkt-vno: 5
                            realm: RHELENT.LAN
                            sname
                                name-type: kRB5-NT-PRINCIPAL (1)
                                name-string: 2 items
                                    KerberosString: krbtgt
                                    KerberosString: RHELENT.LAN
                            enc-part
                                etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                kvno: 1
                                cipher: 1bea5e1ce7205e55dd088dc647222d5a20d62c41a172c0b4...
                        authenticator
                            etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
                            kvno: 255
                            cipher: dd243f0d6aaa9c03a6e6737b18ca8510d4bfac33296a07d2...
        req-body
            Padding: 0
            kdc-options: 40000000 (forwardable)
                0... .... = reserved: False
                .1.. .... = forwardable: True
                ..0. .... = forwarded: False
                ...0 .... = proxiable: False
                .... 0... = proxy: False
                .... .0.. = allow-postdate: False
                .... ..0. = postdated: False
                .... ...0 = unused7: False
                0... .... = renewable: False
                .0.. .... = unused9: False
                ..0. .... = unused10: False
                ...0 .... = opt-hardware-auth: False
                .... ..0. = request-anonymous: False
                .... ...0 = canonicalize: False
                0... .... = constrained-delegation: False
                ..0. .... = disable-transited-check: False
                ...0 .... = renewable-ok: False
                .... 0... = enc-tkt-in-skey: False
                .... ..0. = renew: False
                .... ...0 = validate: False
            cname
                name-type: kRB5-NT-PRINCIPAL (1)
                name-string: 2 items
                    KerberosString: HTTP
                    KerberosString: s4u.rhelent.lan
            realm: RHELENT.LAN
            sname
                name-type: kRB5-NT-PRINCIPAL (1)
                name-string: 2 items
                    KerberosString: HTTP
                    KerberosString: freeipa.rhelent.lan
            from: 2015-11-20 16:52:06 (UTC)
            till: 2015-11-21 00:52:06 (UTC)
            nonce: 984126497
            etype: 1 item
                ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)

The differences I see are:
1. The authenticator from Kerby PA-TGS-REQ has a kvno=255, Java doesn't have that attribute
2. Kerby has a cname section with the name of the client, Java's implementation does not
3. Kerby's SNAME has a name-type of KRB5-NT-Principal whereas Java's is KRB5-NT-Unknown
4. Kerby has a "from", Java does not
5. Kerby's from and till are real dates, Java's is expired

My guess is the issue is #3? I'm thinking I can set that in the options. I already added a method that lets me get an SGT with options (like the tgtWithOptions method). I'll see if there's a way to specify the principal type from there. Anything else stand out?

Thanks
Marc
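An added example, not code from this thread, from Kerby or from MIT krb5: a stand-alone Python script that builds the KDC-REQ-BODY of the two requests above from the values in the captures, decodes the DER (EXPLICIT context tags, as the Kerberos ASN.1 module uses), and reports two things: which of the fields RFC 4120 section 5.4.1 marks as mandatory (kdc-options [0], realm [2], till [5], nonce [7], etype [8]) are absent, which is exactly what the krb5kdc log line leaves out, and a field-by-field diff that reproduces the five-point comparison above from the bytes rather than by eye. The field numbers and OPTIONAL markings are taken from RFC 4120; the two sample bodies are constructed here from the quoted captures, and the include_till=False variant is a deliberately broken body that appears in neither capture, present only so the check has something to name.

```python
# ---- minimal DER encoder, enough to build a KDC-REQ-BODY ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body): return bytes([tag]) + _der_len(len(body)) + body
def ctx(n, body): return tlv(0xA0 | n, body)             # [n] EXPLICIT, constructed
def seq(*parts): return tlv(0x30, b"".join(parts))
def integer(v): return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))
def gstring(s): return tlv(0x1B, s.encode("ascii"))      # KerberosString = GeneralString
def ktime(s): return tlv(0x18, s.encode("ascii"))        # KerberosTime = GeneralizedTime
def kdc_options(flags): return tlv(0x03, b"\x00" + flags.to_bytes(4, "big"))  # 32-bit BIT STRING
def principal(name_type, parts):                         # PrincipalName {[0] type, [1] strings}
    return seq(ctx(0, integer(name_type)), ctx(1, seq(*[gstring(p) for p in parts])))

# ---- minimal DER reader (single-byte tags, definite lengths) ----
def read_tlv(buf, off=0):
    """Return (tag, body, offset_after) for the TLV starting at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length >= 0x80:                                   # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    body = buf[off:off + length]
    if len(body) != length:
        raise ValueError("truncated DER at offset %d" % off)
    return tag, body, off + length

def members(body):                                       # constructed contents -> [(tag, body)]
    out, off = [], 0
    while off < len(body):
        tag, inner, off = read_tlv(body, off)
        out.append((tag, inner))
    return out

KDC_REQ_BODY = {0: "kdc-options", 1: "cname", 2: "realm", 3: "sname", 4: "from",
                5: "till", 6: "rtime", 7: "nonce", 8: "etype", 9: "addresses",
                10: "enc-authorization-data", 11: "additional-tickets"}
REQUIRED = {0, 2, 5, 7, 8}                               # the rest are OPTIONAL in RFC 4120
def _int(b): return int.from_bytes(b, "big", signed=True)

def decode_body(der):
    """Map field name -> decoded value for each KDC-REQ-BODY field present."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("KDC-REQ-BODY must be a SEQUENCE")
    out = {}
    for t, inner in members(body):
        if t & 0xE0 != 0xA0:
            raise ValueError("unexpected tag 0x%02x in KDC-REQ-BODY" % t)
        name = KDC_REQ_BODY[t & 0x1F]
        vtag, val, _ = read_tlv(inner)                   # explicit tag wraps exactly one value
        if name in ("cname", "sname"):                   # PrincipalName {[0] name-type, [1] name-string}
            nt, ns = members(val)
            out[name] = (_int(read_tlv(nt[1])[1]),
                         [s.decode("ascii") for _, s in members(read_tlv(ns[1])[1])])
        elif name == "etype":                            # SEQUENCE OF Int32
            out[name] = [_int(b) for _, b in members(val)]
        elif vtag == 0x02:
            out[name] = _int(val)
        elif vtag == 0x03:                               # BIT STRING: drop unused-bits octet
            out[name] = int.from_bytes(val[1:], "big")
        else:                                            # GeneralString / GeneralizedTime
            out[name] = val.decode("ascii")
    return out

def missing_required(der):
    """Names of REQUIRED fields absent from the body, in tag order."""
    present = {t & 0x1F for t, _ in members(read_tlv(der)[1])}
    return [KDC_REQ_BODY[n] for n in sorted(REQUIRED - present)]

def diff_bodies(a, b):
    """{field: (value_in_a, value_in_b)} for every field whose value differs."""
    da, db = decode_body(a), decode_body(b)
    return {k: (da.get(k), db.get(k)) for k in KDC_REQ_BODY.values() if da.get(k) != db.get(k)}

# ---- sample bodies, constructed here from the values in the two captures above ----
def java_like_body():
    """No cname, NT-UNKNOWN sname, till = 1970, three etypes (the Java request)."""
    return seq(ctx(0, kdc_options(0x40000000)),                     # forwardable
               ctx(2, gstring("RHELENT.LAN")),
               ctx(3, principal(0, ["HTTP", "freeipa.rhelent.lan"])),
               ctx(5, ktime("19700101000000Z")),
               ctx(7, integer(1040086776)),
               ctx(8, seq(integer(17), integer(23), integer(16))))
def kerby_like_body(include_till=True):
    """cname, NT-PRINCIPAL names, real from/till (the Kerby request).  include_till=False
    is a constructed variant, not from any capture, that drops a REQUIRED field."""
    fields = [ctx(0, kdc_options(0x40000000)),
              ctx(1, principal(1, ["HTTP", "s4u.rhelent.lan"])),
              ctx(2, gstring("RHELENT.LAN")),
              ctx(3, principal(1, ["HTTP", "freeipa.rhelent.lan"])),
              ctx(4, ktime("20151120165206Z"))]
    if include_till:
        fields.append(ctx(5, ktime("20151121005206Z")))
    fields += [ctx(7, integer(984126497)), ctx(8, seq(integer(17)))]
    return seq(*fields)
```

Both captured bodies come back with an empty missing list, and diff_bodies(java_like_body(), kerby_like_body()) lists cname, sname, from, till, nonce and etype, i.e. the comparison above minus the kvno point, which lives in the EncryptedData of the authenticator rather than in req-body. That is also the caveat: MIT's "ASN.1 structure is missing a required field" (ASN1_MISSING_FIELD) is raised by whichever structure fails to decode, and the AP-REQ in PA-TGS-REQ and the encrypted Authenticator inside it are candidates this script cannot see without the session key. If the cleartext req-body checks out, a decrypted Authenticator can be checked the same way with its own tag table from RFC 4120 section 5.5.1, where authenticator-vno [0], crealm [1], cname [2], cusec [4] and ctime [5] are the mandatory fields.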
