Maybe we can come back to this issue some time later, after I fix the
sessionkey/subkey issue.
For now, we can (and also should) try the approach used by Steve (actually
aligned with MIT kinit -S behavior): request the service ticket directly using
the AS-REQ. So your code may be as follows.
// Client configured from the krb5.conf directory
KrbClient kerb = new KrbClient(new File("/Users/mlb/Documents/testkerb"));
kerb.init();
kerb.setKdcRealm("RHELENT.LAN");

KOptions requestOptions = new KOptions();
requestOptions.add(KrbOption.CLIENT_PRINCIPAL, "HTTP/[email protected]");
// Naming the target service here (instead of the default krbtgt/REALM) is what
// makes the AS-REQ return a service ticket directly, like MIT "kinit -S".
requestOptions.add(KrbOption.SERVER_PRINCIPAL,
    new PrincipalName("HTTP/[email protected]", NameType.NT_UNKNOWN));
// Authenticate with the service key from the keytab instead of a password
requestOptions.add(KrbOption.USE_KEYTAB, true);
requestOptions.add(KrbOption.KEYTAB_FILE, new File("/Users/mlb/Documents/localdev.keytab"));
requestOptions.add(KrbOption.FORWARDABLE, true);
requestOptions.add(KrbOption.PROXIABLE, false);
requestOptions.add(KrbOption.RENEWABLE_OK, false);

// With SERVER_PRINCIPAL set, the "tgt" returned is in fact the service ticket
TgtTicket tgt = kerb.requestTgtWithOptions(requestOptions);
Then the tgt should actually be the service ticket you desired.
-----Original Message-----
From: Marc Boorshtein [mailto:[email protected]]
Sent: Monday, November 23, 2015 9:53 PM
To: [email protected]
Subject: Re: KDC is rejecting my TGS
Yes, I did. I also have several minor changes to get it to line up with the
way Java's libraries are working, so I wonder if the merge missed something.
I'll try debugging it tonight.
On Mon, Nov 23, 2015 at 8:19 AM, Zheng, Kai <[email protected]> wrote:
> OK. Did you make the following change as I told in my last email, in
> addition to checking out the latest commits?
> ====
> if you'd just go on with your case, please make the following change
> and try.
> In client side TgsRequest.java: processResponse(), use
> KeyUsage.TGS_REP_ENCPART_SUBKEY.
> ====
>
> -----Original Message-----
> From: Marc Boorshtein [mailto:[email protected]]
> Sent: Monday, November 23, 2015 9:05 PM
> To: [email protected]
> Subject: Re: KDC is rejecting my TGS
>
> New error:
>
> Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 etypes {17}) 192.168.2.129: ISSUE: authtime 1448283454, etypes {rep=17 tkt=18 ses=17}, HTTP/[email protected] for krbtgt/[email protected]
>
> Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0, HTTP/[email protected] for HTTP/[email protected], Decrypt integrity check failed
>
> Here's the packet trace :
>
> https://s3.amazonaws.com/ts-public-downloads/captures/kerb-bad_integrity.pcapng
>
> On Mon, Nov 23, 2015 at 4:22 AM, Zheng, Kai <[email protected]> wrote:
>
> > With the above fixup, I hit another issue: the Kerby client failed to
> > decrypt the TGS-REP.
> >
> > I got it working in my setup, but I can't commit the code because
> > there are more cases to be investigated. Ref. the issue
> > https://issues.apache.org/jira/browse/DIRKRB-472
> >
> > Marc,
> > if you'd just go on with your case, please make the following change
> > and try.
> > In client side TgsRequest.java: processResponse(), use
> > KeyUsage.TGS_REP_ENCPART_SUBKEY.
> >
> > -----Original Message-----
> > From: Zheng, Kai [mailto:[email protected]]
> > Sent: Monday, November 23, 2015 2:21 PM
> > To: [email protected]
> > Subject: RE: KDC is rejecting my TGS
> >
> > Filed and resolved the following issue to track the authenticator
> > issue we're handling.
> > Will set up a box to test: Kerby client -> MIT KDC (in the service ticket
> > path)
> >
> > commit df6ba15d4f990b104efcf36ede913f4eeb09a872
> > Author: Drankye <[email protected]>
> > Date: Tue Nov 24 14:16:32 2015 +0800
> >
> > DIRKRB-469 & DIRKRB-470 setting vno & cksum fields when making
> > authenticator
> >
> > -----Original Message-----
> > From: Marc Boorshtein [mailto:[email protected]]
> > Sent: Monday, November 23, 2015 11:30 AM
> > To: [email protected]
> > Subject: RE: KDC is rejecting my TGS
> >
> > ah. That would do it :) sounds like we are getting close!
> >
> > Thanks
> > Marc
> > On Nov 22, 2015 10:27 PM, "Zheng, Kai" <[email protected]> wrote:
> >
> > > OK, forget it. I just checked the code, and found the checksum
> > > isn't computed and filled in the authenticator. I will get it fixed ASAP.
> > >
> > > Regards,
> > > Kai
> > >
> > > -----Original Message-----
> > > From: Marc Boorshtein [mailto:[email protected]]
> > > Sent: Monday, November 23, 2015 11:24 AM
> > > To: [email protected]
> > > Subject: RE: KDC is rejecting my TGS
> > >
> > > >
> > > > Cool!! Thanks a lot for getting the hard issue figured out.
> > > >
> > >
> > > My pleasure. I'm glad I'm making progress.
> > >
> > > > I'm looking at the checksum issue, and trying to go into the context.
> > > > Did you try the usage value of 10 or 6? Could you give me a snapshot
> > > > of the stacktrace (or call stack) so I can know sooner about the context?
> > > > Thanks.
> > >
> > > I haven't yet. I've shut down for the night, but there really
> > > isn't a stack trace because MIT is returning a Kerberos generic
> > > error (with the accompanying log messages I sent over). I wanted
> > > to make sure I was reading the code properly before I started
> > > trying things, since MIT isn't giving me the best error messages.
> > > I'll give it a go tomorrow.
> > >
> > > Thanks
> > > Marc
> > >
> >
>
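Added here as a reader's example, not code from the thread or from Kerby: a small parser for krb5kdc records in the shape quoted above, which flags a TGS_REQ "Decrypt integrity check failed" coming from a client the same KDC had just issued a TGT to. That pattern is the one in Marc's log, and it says the AS exchange (keytab, long-term key) is fine and the problem sits in the TGS exchange (the AP-REQ authenticator or the key usage applied to the TGT session key). The sample records are constructed; the principal names are placeholders because the archive redacted the originals.

```python
import re

# Constructed sample in the shape of the two krb5kdc records quoted in the thread
# (mail wrapping removed; principal names are placeholders, not the real ones).
SAMPLE_LOG = (
    "Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 etypes {17}) "
    "192.168.2.129: ISSUE: authtime 1448283454, etypes {rep=17 tkt=18 ses=17}, "
    "HTTP/svc.example@REALM.EXAMPLE for krbtgt/REALM.EXAMPLE@REALM.EXAMPLE\n"
    "Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes {17}) "
    "192.168.2.129: PROCESS_TGS: authtime 0, HTTP/svc.example@REALM.EXAMPLE for "
    "HTTP/svc.example@REALM.EXAMPLE, Decrypt integrity check failed\n"
)

# Fixed prefix of an AS_REQ/TGS_REQ record: timestamp, KDC host, pid, request type,
# etypes offered by the client, client IP and the KDC's status word.
HEAD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[(?P<pid>\d+)\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<req_etypes>[^}]*)\}\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$")
# Remainder: authtime, optional reply etypes, "client for server" and an optional error.
REST_RE = re.compile(
    r"^authtime (?P<authtime>\d+), (?:etypes \{(?P<rep_etypes>[^}]*)\}, )?"
    r"(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<error>.*))?$")

def parse_kdc_line(line):
    """Return a dict for one krb5kdc AS_REQ/TGS_REQ record, or None if it is not one."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    r = REST_RE.match(rec.pop("rest"))
    if not r:
        return None
    rec.update(r.groupdict())
    rec["req_etypes"] = [int(e) for e in rec["req_etypes"].split()]
    rec["authtime"] = int(rec["authtime"])
    return rec

def tgs_failures_after_tgt(log_text):
    """List TGS_REQ integrity failures, noting whether the same client (by IP and
    principal) was issued a TGT earlier in the log, i.e. whether the AS exchange
    succeeded and the fault is confined to the TGS exchange."""
    issued, findings = set(), []
    for line in log_text.splitlines():
        rec = parse_kdc_line(line)
        if rec is None:
            continue
        if rec["req"] == "AS_REQ" and rec["status"] == "ISSUE":
            issued.add((rec["ip"], rec["client"]))
        elif rec["req"] == "TGS_REQ" and rec["error"] == "Decrypt integrity check failed":
            findings.append({"client": rec["client"], "server": rec["server"], "ip": rec["ip"],
                             "tgt_issued_earlier": (rec["ip"], rec["client"]) in issued})
    return findings
```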