OK, so that DOES get me an SGT! Now I just need to figure out how to convert that into a SPNEGO negotiate header. Any thoughts?
On Mon, Nov 23, 2015 at 9:16 AM, Marc Boorshtein <[email protected]> wrote:
> Interesting. I'll give that a try
>
> On Nov 23, 2015 9:02 AM, "Zheng, Kai" <[email protected]> wrote:
>
>> Maybe we can be back to this issue some time later after I fix the sessionkey/subkey issue.
>> For now, we can try, and also should try, the approach used by Steve (actually aligned with MIT kinit -S behavior): request the service ticket directly using the AS-REQ. So your codes may be as follows.
>>
>> KrbClient kerb = new KrbClient(new File("/Users/mlb/Documents/testkerb"));
>> kerb.init();
>> kerb.setKdcRealm("RHELENT.LAN");
>> KOptions requestOptions = new KOptions();
>> requestOptions.add(KrbOption.CLIENT_PRINCIPAL, "HTTP/[email protected]");
>> requestOptions.add(KrbOption.SERVER_PRINCIPAL, new PrincipalName("HTTP/[email protected]", NameType.NT_UNKNOWN));
>> requestOptions.add(KrbOption.USE_KEYTAB, true);
>> requestOptions.add(KrbOption.KEYTAB_FILE, new File("/Users/mlb/Documents/localdev.keytab"));
>> requestOptions.add(KrbOption.FORWARDABLE, true);
>> requestOptions.add(KrbOption.PROXIABLE, false);
>> requestOptions.add(KrbOption.RENEWABLE_OK, false);
>>
>> TgtTicket tgt = kerb.requestTgtWithOptions(requestOptions);
>>
>> Then the tgt should be actually the service ticket you desired.
>>
>> -----Original Message-----
>> From: Marc Boorshtein [mailto:[email protected]]
>> Sent: Monday, November 23, 2015 9:53 PM
>> To: [email protected]
>> Subject: Re: KDC is rejecting my TGS
>>
>> Yes, I did. I also have several minor changes to get it to line up with the way Java's libraries are working, so I wonder if the merge missed something. I'll try debugging it tonight.
>>
>> On Mon, Nov 23, 2015 at 8:19 AM, Zheng, Kai <[email protected]> wrote:
>>
>> > OK. Did you make the following change as I told in my last email, in addition to checking out the latest commits?
>> > ====
>> > if you'd just go on with your case, please make the following change and try.
>> > In client side TgsRequest.java: processResponse(), use KeyUsage.TGS_REP_ENCPART_SUBKEY.
>> > ====
>> >
>> > -----Original Message-----
>> > From: Marc Boorshtein [mailto:[email protected]]
>> > Sent: Monday, November 23, 2015 9:05 PM
>> > To: [email protected]
>> > Subject: Re: KDC is rejecting my TGS
>> >
>> > New error:
>> >
>> > Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 etypes {17}) 192.168.2.129: ISSUE: authtime 1448283454, etypes {rep=17 tkt=18 ses=17}, HTTP/[email protected] for krbtgt/[email protected]
>> >
>> > Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0, HTTP/[email protected] for HTTP/[email protected], Decrypt integrity check failed
>> >
>> > Here's the packet trace:
>> >
>> > https://s3.amazonaws.com/ts-public-downloads/captures/kerb-bad_integrity.pcapng
>> >
>> > On Mon, Nov 23, 2015 at 4:22 AM, Zheng, Kai <[email protected]> wrote:
>> >
>> > > With above fixup, I hit another issue that Kerby client failed to decrypt the TGS-REP.
>> > >
>> > > I got it to work in my setup but I can't commit the codes because there're more cases to be investigated. Ref. the issue https://issues.apache.org/jira/browse/DIRKRB-472
>> > >
>> > > Marc,
>> > > if you'd just go on with your case, please make the following change and try.
>> > > In client side TgsRequest.java: processResponse(), use KeyUsage.TGS_REP_ENCPART_SUBKEY.
>> > >
>> > > -----Original Message-----
>> > > From: Zheng, Kai [mailto:[email protected]]
>> > > Sent: Monday, November 23, 2015 2:21 PM
>> > > To: [email protected]
>> > > Subject: RE: KDC is rejecting my TGS
>> > >
>> > > Filed and resolved the following issue to track the authenticator issue we're handling.
>> > > Will set up a box to test: Kerby client -> MIT KDC (in service ticket path)
>> > >
>> > > commit df6ba15d4f990b104efcf36ede913f4eeb09a872
>> > > Author: Drankye <[email protected]>
>> > > Date: Tue Nov 24 14:16:32 2015 +0800
>> > >
>> > >     DIRKRB-469 & DIRKRB-470 setting vno & cksum fields when making authenticator
>> > >
>> > > -----Original Message-----
>> > > From: Marc Boorshtein [mailto:[email protected]]
>> > > Sent: Monday, November 23, 2015 11:30 AM
>> > > To: [email protected]
>> > > Subject: RE: KDC is rejecting my TGS
>> > >
>> > > ah. That would do it :) sounds like we are getting close!
>> > >
>> > > Thanks
>> > > Marc
>> > > On Nov 22, 2015 10:27 PM, "Zheng, Kai" <[email protected]> wrote:
>> > >
>> > > > OK, forget it. I just checked the codes, and found the checksum isn't done and filled in authenticator. I will get it fixed ASAP.
>> > > >
>> > > > Regards,
>> > > > Kai
>> > > >
>> > > > -----Original Message-----
>> > > > From: Marc Boorshtein [mailto:[email protected]]
>> > > > Sent: Monday, November 23, 2015 11:24 AM
>> > > > To: [email protected]
>> > > > Subject: RE: KDC is rejecting my TGS
>> > > >
>> > > > >
>> > > > > Cool!! Thanks a lot for getting the hard issue figured out.
>> > > > >
>> > > >
>> > > > My pleasure. I'm glad I'm making progress.
>> > > >
>> > > > > I'm looking at the checksum issue, and trying to go into the context. Did you try the usage value of 10 or 6? Could you give me a snapshot of the stacktrace (or call stack) so I can know sooner about the context? Thanks.
>> > > >
>> > > > I haven't yet. I've shut down for the night but there really isn't a stack trace because MIT is returning a Kerberos generic error (with the accompanying log messages I sent over). I wanted to make sure I was reading the code properly before I started trying things since MIT isn't giving me the best error messages. I'll give it a go tomorrow.
>> > > >
>> > > > Thanks
>> > > > Marc
>> > > >
>> > >
>> >
>>
>
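Marc's closing question is how the service ticket ends up inside a SPNEGO Negotiate header. As an added example (not code from this thread or from Kerby), this Python builds the RFC 4559 header value from AP-REQ bytes by wrapping them in the RFC 4121 krb5 GSS token and then the RFC 4178 NegTokenInit, and parses a received header back down to the AP-REQ the way a server-side check would. It assumes the AP-REQ has already been built from the ticket and authenticator; any AP-REQ bytes shown in comments are a constructed placeholder, not a real message.

```python
import base64
# DER-encoded OIDs, taken from the RFCs (tag 0x06, length, contents)
OID_SPNEGO = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2 (RFC 4178)
OID_KRB5 = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2 (RFC 1964)

def der_len(n):  # DER length octets: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def krb5_gss_token(ap_req):  # RFC 4121: [APPLICATION 0] { OID krb5, TOK_ID 01 00, AP-REQ }
    return tlv(0x60, OID_KRB5 + b"\x01\x00" + ap_req)

def spnego_neg_token_init(mech_token):  # RFC 4178 NegTokenInit offering only krb5
    mech_types = tlv(0xA0, tlv(0x30, OID_KRB5))              # [0] mechTypes SEQUENCE OF OID
    mech_tok = tlv(0xA2, tlv(0x04, mech_token))              # [2] mechToken OCTET STRING
    neg_init = tlv(0xA0, tlv(0x30, mech_types + mech_tok))   # negTokenInit [0] SEQUENCE
    return tlv(0x60, OID_SPNEGO + neg_init)                  # RFC 2743 InitialContextToken

def negotiate_header(ap_req):  # Authorization header value per RFC 4559
    token = spnego_neg_token_init(krb5_gss_token(ap_req))
    return "Negotiate " + base64.b64encode(token).decode("ascii")

def read_tlv(buf, pos=0):  # (tag, value, next_pos) for the DER element at buf[pos]
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def unwrap_negotiate_header(header):  # inverse: the AP-REQ inside a received header
    scheme, _, b64 = header.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    tag, body, _ = read_tlv(base64.b64decode(b64))
    if tag != 0x60 or not body.startswith(OID_SPNEGO):
        raise ValueError("not a SPNEGO InitialContextToken")
    _, seq, _ = read_tlv(read_tlv(body, len(OID_SPNEGO))[1])  # [0] negTokenInit -> SEQUENCE
    pos = 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA2:                                      # [2] mechToken
            _, krb, _ = read_tlv(read_tlv(val)[1])           # OCTET STRING -> [APPLICATION 0]
            if not krb.startswith(OID_KRB5 + b"\x01\x00"):
                raise ValueError("mechToken is not a krb5 AP-REQ token")
            return krb[len(OID_KRB5) + 2:]
    raise ValueError("no mechToken present")
```

Calling negotiate_header(ap_req_bytes) gives the string to send in the Authorization header; unwrap_negotiate_header on a received value yields the AP-REQ to hand to the Kerberos library for verification.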
