Yes Marc, the fix is still pending there, thinking you have a workaround. It needs to take some time to sort it out. I'm currently focusing on ASN1/X509/CMS stuff. Hopefully I could be back to it soon.

Regards,
Kai

-----Original Message-----
From: Marc Boorshtein [mailto:[email protected]]
Sent: Sunday, November 29, 2015 9:55 AM
To: [email protected]
Subject: Re: KDC is rejecting my TGS

Just a heads up, I've pulled in the latest commits and I'm still able to get a Tgt, and I can get a server principal back with a Tgt but the Sgt request still gets an error back of "bad integrity" with the following in the logs:

Nov 28 20:45:57 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0, HTTP/[email protected] for HTTP/[email protected], Decrypt integrity check failed

Thanks

On Mon, Nov 23, 2015 at 3:50 PM, Marc Boorshtein <[email protected]> wrote:
> OK, so that DOES get me an SGT! Now I just need to figure out how to
> convert that into a SPNEGO negotiate header. Any thoughts?
>
> On Mon, Nov 23, 2015 at 9:16 AM, Marc Boorshtein <[email protected]> wrote:
>
>> Interesting. I'll give that a try.
>> On Nov 23, 2015 9:02 AM, "Zheng, Kai" <[email protected]> wrote:
>>
>>> Maybe we can be back to this issue some time later after I fix the
>>> sessionkey/subkey issue.
>>> For now, we can try and also should the approach used by Steve
>>> (actually aligned with MIT kinit -S behavior): request the service
>>> ticket directly using the AS-REQ. So your code may be as follows.
>>>
>>> KrbClient kerb = new KrbClient(new File("/Users/mlb/Documents/testkerb"));
>>> kerb.init();
>>> kerb.setKdcRealm("RHELENT.LAN");
>>> KOptions requestOptions = new KOptions();
>>> requestOptions.add(KrbOption.CLIENT_PRINCIPAL, "HTTP/[email protected]");
>>> requestOptions.add(KrbOption.SERVER_PRINCIPAL, new PrincipalName("HTTP/[email protected]", NameType.NT_UNKNOWN));
>>> requestOptions.add(KrbOption.USE_KEYTAB, true);
>>> requestOptions.add(KrbOption.KEYTAB_FILE, new File("/Users/mlb/Documents/localdev.keytab"));
>>> requestOptions.add(KrbOption.FORWARDABLE, true);
>>> requestOptions.add(KrbOption.PROXIABLE, false);
>>> requestOptions.add(KrbOption.RENEWABLE_OK, false);
>>>
>>> TgtTicket tgt = kerb.requestTgtWithOptions(requestOptions);
>>>
>>> Then the tgt should be actually the service ticket you desired.
>>>
>>> -----Original Message-----
>>> From: Marc Boorshtein [mailto:[email protected]]
>>> Sent: Monday, November 23, 2015 9:53 PM
>>> To: [email protected]
>>> Subject: Re: KDC is rejecting my TGS
>>>
>>> Yes, I did. I also have several minor changes to get it to line up
>>> with the way Java's libraries are working, so I wonder if the merge
>>> missed something. I'll try debugging it tonight.
>>>
>>> On Mon, Nov 23, 2015 at 8:19 AM, Zheng, Kai <[email protected]> wrote:
>>>
>>> > OK. Did you make the following change as I told in my last email,
>>> > in addition to checking out the latest commits?
>>> > ====
>>> > If you'd just go on with your case, please make the following
>>> > change and try.
>>> > In client side TgsRequest.java: processResponse(), use
>>> > KeyUsage.TGS_REP_ENCPART_SUBKEY.
>>> > ====
>>> >
>>> > -----Original Message-----
>>> > From: Marc Boorshtein [mailto:[email protected]]
>>> > Sent: Monday, November 23, 2015 9:05 PM
>>> > To: [email protected]
>>> > Subject: Re: KDC is rejecting my TGS
>>> >
>>> > New error:
>>> >
>>> > Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 etypes {17}) 192.168.2.129: ISSUE: authtime 1448283454, etypes {rep=17 tkt=18 ses=17}, HTTP/[email protected] for krbtgt/[email protected]
>>> >
>>> > Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0, HTTP/[email protected] for HTTP/[email protected], Decrypt integrity check failed
>>> >
>>> > Here's the packet trace:
>>> >
>>> > https://s3.amazonaws.com/ts-public-downloads/captures/kerb-bad_integrity.pcapng
>>> >
>>> > On Mon, Nov 23, 2015 at 4:22 AM, Zheng, Kai <[email protected]> wrote:
>>> >
>>> > > With the above fixup, I hit another issue that the Kerby client failed
>>> > > to decrypt the TGS-REP.
>>> > >
>>> > > I got it working in my setup but I can't commit the code because
>>> > > there are more cases to be investigated. Ref. the issue
>>> > > https://issues.apache.org/jira/browse/DIRKRB-472
>>> > >
>>> > > Marc,
>>> > > if you'd just go on with your case, please make the following
>>> > > change and try.
>>> > > In client side TgsRequest.java: processResponse(), use
>>> > > KeyUsage.TGS_REP_ENCPART_SUBKEY.
>>> > >
>>> > > -----Original Message-----
>>> > > From: Zheng, Kai [mailto:[email protected]]
>>> > > Sent: Monday, November 23, 2015 2:21 PM
>>> > > To: [email protected]
>>> > > Subject: RE: KDC is rejecting my TGS
>>> > >
>>> > > Fired and resolved the following issue to track the
>>> > > authenticator issue we're handling.
>>> > > Will set up a box to test: Kerby client -> MIT KDC (in service ticket path)
>>> > >
>>> > > commit df6ba15d4f990b104efcf36ede913f4eeb09a872
>>> > > Author: Drankye <[email protected]>
>>> > > Date: Tue Nov 24 14:16:32 2015 +0800
>>> > >
>>> > >     DIRKRB-469 & DIRKRB-470 setting vno & cksum fields when making authenticator
>>> > >
>>> > > -----Original Message-----
>>> > > From: Marc Boorshtein [mailto:[email protected]]
>>> > > Sent: Monday, November 23, 2015 11:30 AM
>>> > > To: [email protected]
>>> > > Subject: RE: KDC is rejecting my TGS
>>> > >
>>> > > Ah. That would do it :) Sounds like we are getting close!
>>> > >
>>> > > Thanks
>>> > > Marc
>>> > > On Nov 22, 2015 10:27 PM, "Zheng, Kai" <[email protected]> wrote:
>>> > >
>>> > > > OK, forget it. I just checked the code, and found the
>>> > > > checksum isn't done and filled in the authenticator. I will get it fixed
>>> > > > ASAP.
>>> > > >
>>> > > > Regards,
>>> > > > Kai
>>> > > >
>>> > > > -----Original Message-----
>>> > > > From: Marc Boorshtein [mailto:[email protected]]
>>> > > > Sent: Monday, November 23, 2015 11:24 AM
>>> > > > To: [email protected]
>>> > > > Subject: RE: KDC is rejecting my TGS
>>> > > >
>>> > > > >
>>> > > > > Cool!! Thanks a lot for getting the hard issue figured out.
>>> > > > >
>>> > > >
>>> > > > My pleasure. I'm glad I'm making progress.
>>> > > >
>>> > > > > I'm looking at the checksum issue, and trying to go into the context.
>>> > > > > Did you try the usage value of 10 or 6? Could you give me a
>>> > > > > snapshot of the stacktrace (or call stack) so I can know
>>> > > > > sooner about the context? Thanks.
>>> > > >
>>> > > > I haven't yet. I've shut down for the night, but there
>>> > > > really isn't a stack trace because MIT is returning a Kerberos
>>> > > > generic error (with the accompanying log messages I sent
>>> > > > over). I wanted to make sure I was reading the code properly
>>> > > > before I started trying things since MIT isn't giving me the best
>>> > > > error messages.
>>> > > > I'll give it a go tomorrow.
>>> > > >
>>> > > > Thanks
>>> > > > Marc
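As Marc points out above, when MIT returns a generic Kerberos error the krb5kdc log lines (the `AS_REQ ... ISSUE` line and the `TGS_REQ ... PROCESS_TGS ... Decrypt integrity check failed` line quoted in the thread) are the only diagnostic available on the KDC side. The following is an added example, not code from this thread or from Apache Kerby, that parses lines in that format and counts integrity failures per client address and principal, so a KDC operator can see which client keeps presenting a TGS-REQ whose authenticator the KDC cannot verify. The hostnames, principals, addresses and pid in the sample lines are constructed placeholders; only the message layout follows the lines quoted above.

```python
"""Parse MIT krb5kdc AS_REQ/TGS_REQ log lines and count integrity failures.

Added example; not part of the mailing-list thread or of Apache Kerby.
The sample log lines below are constructed with placeholder hosts,
principals and addresses; only the message layout follows the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Header shared by AS_REQ and TGS_REQ lines: timestamp, host, pid, level,
# request type, etypes offered by the client, client address, KDC verdict.
_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<n_etypes>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<addr>\S+): (?P<verdict>[A-Z_]+): (?P<rest>.*)$"
)

# Remainder: "authtime N, [etypes {...}, ]client for server[, error text]"
_BODY = re.compile(
    r"^authtime (?P<authtime>\d+), "
    r"(?:etypes \{(?P<issued_etypes>[^}]*)\}, )?"
    r"(?P<client>\S+) for (?P<server>[^,]+)"
    r"(?:, (?P<error>.+))?$"
)


@dataclass
class KdcEvent:
    timestamp: str
    host: str
    request: str        # AS_REQ or TGS_REQ
    req_etypes: list    # etypes offered by the client, e.g. [17]
    client_addr: str
    verdict: str        # ISSUE, PROCESS_TGS, ...
    authtime: int
    client: str
    server: str
    error: Optional[str]

    @property
    def ok(self) -> bool:
        # A ticket was issued only when the KDC logged ISSUE with no error text.
        return self.verdict == "ISSUE" and self.error is None


def parse_kdc_line(line: str) -> Optional[KdcEvent]:
    """Return a KdcEvent for an AS_REQ/TGS_REQ line, or None for other lines."""
    head = _HEADER.match(line.strip())
    if head is None:
        return None
    body = _BODY.match(head.group("rest"))
    if body is None:
        return None
    return KdcEvent(
        timestamp=head.group("ts"),
        host=head.group("host"),
        request=head.group("req"),
        req_etypes=[int(e) for e in head.group("etypes").split()],
        client_addr=head.group("addr"),
        verdict=head.group("verdict"),
        authtime=int(body.group("authtime")),
        client=body.group("client"),
        server=body.group("server").strip(),
        error=body.group("error"),
    )


def integrity_failures(lines) -> Counter:
    """Count 'Decrypt integrity check failed' TGS rejections per (addr, client).

    In the thread this came from a client whose TGS-REQ authenticator was
    built without the checksum; operationally, a host that keeps producing
    it is a client the KDC could not authenticate and is worth a look.
    """
    counts = Counter()
    for line in lines:
        ev = parse_kdc_line(line)
        if ev is None or ev.request != "TGS_REQ" or ev.error is None:
            continue
        if "integrity" in ev.error.lower():
            counts[(ev.client_addr, ev.client)] += 1
    return counts


# Constructed sample lines (placeholder realm EXAMPLE.TEST; not from the thread).
SAMPLE_LOG = [
    "Nov 23 07:57:34 kdc.example.test krb5kdc[4242](info): AS_REQ (1 etypes {17}) "
    "10.0.0.5: ISSUE: authtime 1448283454, etypes {rep=17 tkt=18 ses=17}, "
    "HTTP/web.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    "Nov 23 07:57:34 kdc.example.test krb5kdc[4242](info): TGS_REQ (1 etypes {17}) "
    "10.0.0.5: PROCESS_TGS: authtime 0, HTTP/web.example.test@EXAMPLE.TEST for "
    "HTTP/web.example.test@EXAMPLE.TEST, Decrypt integrity check failed",
    "Nov 23 07:58:01 kdc.example.test krb5kdc[4242](info): TGS_REQ (1 etypes {17}) "
    "10.0.0.5: PROCESS_TGS: authtime 0, HTTP/web.example.test@EXAMPLE.TEST for "
    "HTTP/web.example.test@EXAMPLE.TEST, Decrypt integrity check failed",
    "Nov 23 07:58:30 kdc.example.test krb5kdc[4242](info): unrelated line",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ev = parse_kdc_line(line)
        if ev:
            print(ev.request, ev.verdict, ev.client, "->", ev.server,
                  "OK" if ev.ok else ev.error)
    for (addr, client), n in integrity_failures(SAMPLE_LOG).items():
        print(f"{n} integrity failure(s) from {addr} as {client}")
```

The parser keys on the fixed parts of the MIT log format (`AS_REQ`/`TGS_REQ`, the etype list in braces, the verdict token, `authtime`, `client for server`) and treats anything after the server principal as free-form error text, which is where MIT puts "Decrypt integrity check failed". Lines that do not fit that shape are ignored rather than guessed at.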
