OK, I will install the pcap stuff. What I've fixed is the TGS principal type, not the server principal type. As I said in the JIRA, it may not be the cause of the problem here. Another fix is the kvno. Still not the exact cause.

I thought we need to figure out what field is missing in the ASN1 structure. Would you dig into MIT KDC logs? Verbose?

-----Original Message-----
From: Marc Boorshtein [mailto:[email protected]]
Sent: Saturday, November 21, 2015 11:36 AM
To: [email protected]
Subject: Re: KDC is rejecting my TGS

I think I'll make this easier and just provide links to a pcap. I pulled your updates Kai but am getting the same error.

Here's the control: https://s3.amazonaws.com/ts-public-downloads/captures/kerberos-control.pcap.pcapng
Here's the kerby capture: https://s3.amazonaws.com/ts-public-downloads/captures/kerby-capture.pcapng

The sname type is still NT-Principal. I added some code that lets me specify the server principal as a PrincipalName instead of just a string. When I do this though I get the same error out of freeipa.

Anything else stand out?

Thanks

On Fri, Nov 20, 2015 at 8:12 PM, Zheng, Kai <[email protected]> wrote:
> The hex format may do the job of letting us find the exact missing or different field, though. It's concise and exact.
>
> -----Original Message-----
> From: Zheng, Kai [mailto:[email protected]]
> Sent: Saturday, November 21, 2015 9:06 AM
> To: [email protected]
> Subject: RE: KDC is rejecting my TGS
>
> The text format might save us some time when we just want to take a look, rather than having a tool dump it out from hex.
> I guess the text could be ok if it's made more compact?
>
> -----Original Message-----
> From: Emmanuel Lécharny [mailto:[email protected]]
> Sent: Saturday, November 21, 2015 7:04 AM
> To: [email protected]
> Subject: Re: KDC is rejecting my TGS
>
> On 20/11/15 23:27, Zheng, Kai wrote:
> > Marc,
> >
> > Your detail looks pretty good. Thanks!
> >
> > From your observation I copied below, I thought all the differences should be checked. The kvno (255 too large, bet 1) and principal name types for client and server may be the causes that block you, but I'm not very sure.
> > For now, please set the principal type manually, and it would be good to provide a similar comparison for the AS-REQ because that's the starting point. I'm looking into this. Thanks.
> >
> > The differences I see are:
> > 1. The authenticator from kerby PS-TGS-REQ has a kvno=255, java doesn't have that attribute
> > 2. Kerby has a cname section with the name of the client, java's implementation does not
> > 3. Kerby's SNAME has a name-type of KRB5-NT-Principal whereas java's is KRB5-NT-Unknown
> > 4. Kerby has a "from", java does not
> > 5. Kerby's from and till are real dates, Java's is expired
>
> What would be good is to provide the PDU as it's being transmitted, in Hex format. I must say it's easier for me to read such things than any other output.
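Added example, not code from this thread or from Apache Kerby: a small Python 3 script (standard library only) that does what the thread is converging on. It takes two Kerberos PDUs as DER bytes (for instance the hex of a TGS-REQ body copied out of a pcap), flattens each into a compact text list of tag paths, and reports which fields or values exist only on one side, so the hex Emmanuel asked for and the compact text Kai preferred come from the same tool. The two KDC-REQ-BODY samples in the script are constructed for the demo and model the body-level differences Marc listed (items 2 to 5: cname present or absent, sname name-type, a "from" time, real versus expired dates); they are not the bytes from the captures linked above. The names attached to the [n] context tags are the KDC-REQ-BODY field names from RFC 4120 section 5.4.1; the function names, realm and principal strings are the example's own assumptions.

```python
import re
from typing import Iterator, List, Tuple

# Universal tag numbers that occur in Kerberos PDUs (RFC 4120 mandates DER).
UNIVERSAL_NAMES = {0x02: "INTEGER", 0x03: "BIT STRING", 0x04: "OCTET STRING",
                   0x10: "SEQUENCE", 0x18: "GeneralizedTime", 0x1b: "GeneralString"}
# Context tags of KDC-REQ-BODY, RFC 4120 section 5.4.1.
KDC_REQ_BODY_FIELDS = {0: "kdc-options", 1: "cname", 2: "realm", 3: "sname", 4: "from",
                       5: "till", 6: "rtime", 7: "nonce", 8: "etype", 9: "addresses",
                       10: "enc-authorization-data", 11: "additional-tickets"}


def _read_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at pos; return (length, offset of the first value byte)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7f
    if n == 0 or n > 4:  # indefinite form is not DER; >4 length octets is not plausible here
        raise ValueError(f"unsupported length octet {first:#x} at offset {pos}")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def der_children(data: bytes) -> Iterator[Tuple[int, bool, bytes]]:
    """Yield (tag byte, constructed?, value bytes) for each TLV in a DER concatenation."""
    pos = 0
    while pos < len(data):
        tag = data[pos]
        if tag & 0x1f == 0x1f:
            raise ValueError("high-tag-number form is not used by Kerberos PDUs")
        length, pos = _read_length(data, pos + 1)
        if pos + length > len(data):
            raise ValueError(f"length {length} runs past end of buffer at offset {pos}")
        yield tag, bool(tag & 0x20), data[pos:pos + length]
        pos += length


def tag_name(tag: int) -> str:
    """[n] for context-specific tags, APPLICATION n, or the universal type name."""
    cls, num = tag & 0xc0, tag & 0x1f
    if cls == 0x80:
        return f"[{num}]"
    if cls == 0x40:
        return f"APPLICATION {num}"
    return UNIVERSAL_NAMES.get(num, f"UNIVERSAL {num}")


def field_paths(data: bytes, prefix: str = "") -> List[str]:
    """Flatten a PDU into '/tag/tag' paths; primitive leaves carry their value in hex."""
    out = []
    for tag, constructed, value in der_children(data):
        path = f"{prefix}/{tag_name(tag)}"
        if constructed:
            out.append(path)
            out.extend(field_paths(value, path))
        else:
            out.append(f"{path}={value.hex()}")
    return out


def label_body_field(path: str) -> str:
    """Annotate the top-level context tag of a KDC-REQ-BODY path with its RFC 4120 name."""
    parts = path.split("/")
    m = re.fullmatch(r"\[(\d+)\]", parts[2]) if len(parts) > 2 else None
    if m:
        parts[2] += ":" + KDC_REQ_BODY_FIELDS.get(int(m.group(1)), "?")
    return "/".join(parts)


def diff_pdus(a: bytes, b: bytes) -> Tuple[List[str], List[str]]:
    """Return (paths only in a, paths only in b); a changed value appears on both sides."""
    pa, pb = set(field_paths(a)), set(field_paths(b))
    return sorted(pa - pb), sorted(pb - pa)


# Minimal DER encoder, used only to build the constructed samples below.
def tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def ctx(n: int, content: bytes) -> bytes:  # explicit context tag [n], constructed
    return tlv(0xa0 | n, content)

def seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))

def integer(v: int) -> bytes:  # two's-complement minimal encoding, as DER requires
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def text(tag: int, s: str) -> bytes:  # GeneralString (0x1b) or GeneralizedTime (0x18)
    return tlv(tag, s.encode("ascii"))

def principal(name_type: int, *parts: str) -> bytes:
    return seq(ctx(0, integer(name_type)), ctx(1, seq(*(text(0x1b, p) for p in parts))))


NT_UNKNOWN, NT_PRINCIPAL = 0, 1
KDC_OPTIONS = tlv(0x03, bytes([0x00, 0x40, 0x81, 0x00, 0x00]))  # BIT STRING, 0 unused bits
# Constructed sample A: cname present, sname NT-PRINCIPAL, a 'from', real from/till dates.
KERBY_LIKE_BODY = seq(
    ctx(0, KDC_OPTIONS), ctx(1, principal(NT_PRINCIPAL, "marc")),
    ctx(2, text(0x1b, "EXAMPLE.COM")), ctx(3, principal(NT_PRINCIPAL, "HTTP", "www.example.com")),
    ctx(4, text(0x18, "20151121000000Z")), ctx(5, text(0x18, "20151122000000Z")),
    ctx(7, integer(305419896)), ctx(8, seq(integer(18), integer(17))))
# Constructed sample B: no cname, sname NT-UNKNOWN, no 'from', expired till.
JAVA_LIKE_BODY = seq(
    ctx(0, KDC_OPTIONS), ctx(2, text(0x1b, "EXAMPLE.COM")),
    ctx(3, principal(NT_UNKNOWN, "HTTP", "www.example.com")), ctx(5, text(0x18, "19700101000000Z")),
    ctx(7, integer(305419896)), ctx(8, seq(integer(18), integer(17))))

if __name__ == "__main__":
    print("hex A:", KERBY_LIKE_BODY.hex())
    print("hex B:", JAVA_LIKE_BODY.hex())
    only_a, only_b = diff_pdus(KERBY_LIKE_BODY, JAVA_LIKE_BODY)
    for p in only_a:
        print("only in A:", label_body_field(p))
    for p in only_b:
        print("only in B:", label_body_field(p))
```

To use it on a real capture, export the TGS-REQ (or just its req-body) as raw bytes from the pcap and pass `bytes.fromhex(...)` of each side to `diff_pdus`; the output lists the missing context tags (here [1]:cname and [4]:from) and the leaves whose values differ (the sname name-type INTEGER and the till time), which is exactly the list of candidate fields to check against the KDC.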
