[Freeipa-users] U2F and ipa for ssh
Has anyone looked into using U2F with FreeIPA? My guess is you would need a customized ssh client to interact with the device, but in theory you could just transform the user's U2F public key into an ssh key.

Marc Boorshtein
CTO, Tremolo Security, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] different apis for adding "local" users to groups vs adding users from cft?
As of yet I haven't tried using the JSON RPC with a CFT. FreeIPA is on its own. I'll give it a try, and if it doesn't work this will point me in the right direction.

Thanks

On Sat, Mar 18, 2017 at 2:27 AM Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Fri, 17 Mar 2017, Marc Boorshtein wrote:
> > I've got the API integrated for all local users and am looking at if
> > there are any differences between that and if my IPA domain is in a
> > CFT with an AD domain. Right now I'm using "group_add_member"; should
> > that work for users coming from a trusted forest as well?
> EPARSE, but I'll try to understand what you are trying to achieve.
>
> If you were using
>   ipa group-add-member external_group --external user@AD.DOMAIN
> to add AD users as external members of a group, you continue using the
> same command on the API level:
>   api.Command.group_add_member(u'external_group', external=u'user@AD.DOMAIN')
>
> Same with JSON-RPC.
>
> --
> / Alexander Bokovoy

--
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902
Twitter - @mlbiam / @tremolosecurity
[Freeipa-users] different apis for adding "local" users to groups vs adding users from cft?
I've got the API integrated for all local users and am looking at if there are any differences between that and if my IPA domain is in a CFT with an AD domain. Right now I'm using "group_add_member"; should that work for users coming from a trusted forest as well?

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity
Re: [Freeipa-users] Authentication Pop-up appearing for IPA WebUI
Not in Chrome. If you don't want Kerberos at all for the console you could try disabling it in Apache, but that will break with every update to IPA.

On Fri, Dec 30, 2016, 11:49 AM Abhinay Reddy Peddireddy <apedd...@redhat.com> wrote:
> Hi,
>
> Yes. It is fine with Firefox. But not with Chrome.
>
> However the customer is expecting the same on Chrome also.
>
> Any modifications can be done to avoid the pop-up?
>
> On Fri, Dec 30, 2016 at 10:05 PM, Marc Boorshtein <marc.boorsht...@tremolosecurity.com> wrote:
> > It looks like you are using Chrome? We have a customer with a similar
> > issue. Chrome doesn't follow the specs around Kerberos; if it receives a
> > 401 it will generally prompt you even if you are not a member of a domain.
> > My guess is if you try it with Firefox or IE you should be fine and not get
> > the prompt.
> >
> > On Fri, Dec 30, 2016 at 10:52 AM Abhinay Reddy Peddireddy <apedd...@redhat.com> wrote:
> > > Hello Team,
> > >
> > > I have a customer testing IPA on RHEL 7.
> > >
> > > When he tries to access the WebUI, it prompts for the username and
> > > password as a pop-up as shown in the below attached image.
> > >
> > > This happens with Google Chrome and Internet Explorer only. But it appears
> > > normal in Firefox.
> > >
> > > Customer is expecting a normal authentication prompt. Is this something to
> > > be checked from the IPA end? I hope this has to be corrected or modified from
> > > the browser end.
> > >
> > > Any suggestions?
> > >
> > > Thanks and Regards,
> > > Abhinay Reddy.
> >
> > --
> > Marc Boorshtein
> > CTO Tremolo Security
> > marc.boorsht...@tremolosecurity.com
> > (703) 828-4902
> > Twitter - @mlbiam / @tremolosecurity

--
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902
Twitter - @mlbiam / @tremolosecurity
Re: [Freeipa-users] Authentication Pop-up appearing for IPA WebUI
It looks like you are using Chrome? We have a customer with a similar issue. Chrome doesn't follow the specs around Kerberos; if it receives a 401 it will generally prompt you even if you are not a member of a domain. My guess is if you try it with Firefox or IE you should be fine and not get the prompt.

On Fri, Dec 30, 2016 at 10:52 AM Abhinay Reddy Peddireddy <apedd...@redhat.com> wrote:
> Hello Team,
>
> I have a customer testing IPA on RHEL 7.
>
> When he tries to access the WebUI, it prompts for the username and
> password as a pop-up as shown in the below attached image.
>
> This happens with Google Chrome and Internet Explorer only. But it appears
> normal in Firefox.
>
> Customer is expecting a normal authentication prompt. Is this something to
> be checked from the IPA end? I hope this has to be corrected or modified from
> the browser end.
>
> Any suggestions?
>
> Thanks and Regards,
> Abhinay Reddy.

--
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902
Twitter - @mlbiam / @tremolosecurity
[Freeipa-users] Open Source self service portal for FreeIPA
FreeIPAers,

We wanted to make it easy to add self service capabilities to FreeIPA:

* Self service password resets
* User self registration
* Workflow based access requests (and approvals)
* Reporting

We'd appreciate any thoughts or feedback:
https://www.tremolosecurity.com/open-source-identity-manager-for-red-hat-identity-management-and-freeipa/

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity
Re: [Freeipa-users] Declarative configuration options?
> Something declarative which can be version controlled and considered a
> "source of truth" and driven from configuration management (chef,
> puppet, ansible - whatever your flavor)

This is generally not done with a configuration management system because it tends to be more dynamic. Usually you'll use an identity management system that maintains your "authoritative source" that can be audited against. Depending on your needs it can have workflows for user approvals, etc. There are several open source identity management solutions including OpenUnison (our -Tremolo Security- own project - http://openunison.io) or ForgeRock's OpenIDM or OpenIAM.

> A scheme to reconcile account properties, group memberships,
> permissions, etc... I could see how this would be a slippery slope
> because of the depth of groupings/permissions/etc... but a
> version-controlled declarative user config gives a nice record for
> auditors (When did mike get an account, who granted access to him,
> when did he get access, what other access has he had over the last
> year... etc..)

This is the use case for an identity management system. Something that will let you identify who created an account, who approved it, etc.
[Freeipa-users] DNS Forwarding stops working
I've got a FreeIPA server using an AD server as a DNS forwarder. It was working great until about an hour ago and now FreeIPA won't forward any requests to the DNS server. Using nslookup from the server against AD works perfectly. Restarting services has not worked. How can I debug this issue?

Details:
CentOS 7 - CentOS Linux release 7.2.1511 (Core)
IPA - ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity
Re: [Freeipa-users] How RBAC defined.
> I would like to know more about RBAC. Like what is RBAC and what can be
> achieved with RBAC.
>
> Anyone please share some good topics about this as I am getting so many and
> the information mentioned on those is different.

I can imagine. RBAC (Role Based Access Control) was created on the idea that what systems, applications and entitlements you need should be based on your job function. It's a way of mapping business policies to technical authorizations. An example would be that someone in accounts payable shouldn't have access to the same systems as someone from accounts receivable. So in RBAC terms you would have a "Role" called "Accounts Payable" that might map to groups in a directory for "access to check system" and "access to vendor system", but another "Role" called "Accounts Receivable" that has access to other groups. Then you have something to audit against: "Why does someone with Role X have groups that aren't tied to that role?"

In practice, this rarely works. Few enterprises do that good of a job defining the roles and responsibilities for their employees at an HR level, so trying to enforce those roles in technology is hopeless. Also, RBAC models are very rigid and hard to change, so if you need to grant someone access to a system that's "one off" to get something done it breaks the entire model (unless your technology can handle it). What often happens is you get into a situation where every user could have their own role, completely breaking the RBAC model.

In my decade plus of identity management implementations across pretty much every vendor and several industries I can't think of any RBAC based models that were successful, but several that were complete failures. I was told going into a meeting at one large customer "Don't even mention RBAC or the meeting will be ended and we'll be out."

Hope that helps

Thanks
Marc
Re: [Freeipa-users] Possible to tell SSSD to talk to virtual directory instead of directly to 389?
Thanks Alexander. I wasn't looking to get anything developed, just curious if it would work, or even if there was something I could try on my end like a change to a directory setting to see if it would even work. Understood that there's more in the connection between the IPA client and the DC than just LDAP.

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity

On Fri, May 13, 2016 at 5:46 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Wed, 11 May 2016, Marc Boorshtein wrote:
> > I've got a potential use case where I want to authenticate users using
> > their AD credentials, store accounts and permissions in FreeIPA but
> > not have a cross forest trust. One way to do this is to have SSSD
> > talk LDAP to a virtual directory which would route the bind to AD but
> > all other operations to the 389 backing IPA. Kerberos wouldn't work,
> > but if you're interested in password or ssh key based auth it should
> > work, right? Then you'd still get the HBAC benefits?
>
> There is more than just look up in LDAP when talking to AD DCs. Trust
> ensures we have enough correctly set security descriptors on the objects
> we use to represent our identity to access AD DCs. If that part is
> missing, you get all kinds of problems.
>
> Replacing trust by something that is effectively attempting to simulate
> trust but not being a trust scenario is, of course, possible. However, I
> don't see this as something we'd like to put any reasonable time to
> develop because it is a corner case with a disproportional amount of
> development time investment. You may disagree and that's fine, but this
> doesn't change the fact that somebody needs to invest time into it.
> --
> / Alexander Bokovoy
[Freeipa-users] Possible to tell SSSD to talk to virtual directory instead of directly to 389?
I've got a potential use case where I want to authenticate users using their AD credentials, store accounts and permissions in FreeIPA but not have a cross forest trust. One way to do this is to have SSSD talk LDAP to a virtual directory which would route the bind to AD but all other operations to the 389 backing IPA. Kerberos wouldn't work, but if you're interested in password or ssh key based auth it should work, right? Then you'd still get the HBAC benefits?

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity
Re: [Freeipa-users] SSH remote host disconnecting
> I'd also take a look at HBAC. Was the allow_all rule recently disabled?

winner winner chicken dinner! I must have deleted it while trying something.

Thanks
Marc
[Freeipa-users] SSH remote host disconnecting
I have FreeIPA client and server both running on CentOS 7, latest patches. What's odd is that everything was working great until I added a new user, and now none of my FreeIPA users can log in via SSH. After authenticating they get "Connection closed by IP". This happens regardless of whether it's the ipa client or server. Login to the console with ipa users fails as well. Local root works fine though. I don't see anything in messages or sssd.log.

Any thoughts as to where to look?

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity
[Freeipa-users] Request for Feedback - Managing FreeIPA accounts with OpenUnison
FreeIPAers,

We've built an open source integration "provisioning target" that works with the JSON web service to provision users and roles inside of FreeIPA/RH IdM. We also have a prototype of SSO into the IPA Web console using constrained delegation (both thanks to the help received on this list). We put together a demo of the capability by deploying FreeIPA to manage RHEL servers running on Azure. We also integrated Cockpit and Graylog into the POC as well.

I'd really appreciate feedback on the integration. Especially on the use cases and other features you think would add value to the integration (and of course any place you think we went terribly wrong!).

Here's a link to the demo: https://vimeo.com/160002916

The white-paper that details how we deployed everything: https://www.tremolosecurity.com/wiki/#!azure.md

and of course the source code:
OpenUnison - https://github.com/TremoloSecurity/OpenUnison
FreeIPA Provisioning Target - https://github.com/TremoloSecurity/Unison-FreeIPA
S4U2Self LastMile - https://github.com/TremoloSecurity/Unison-LastMile-Kerberos

Again, any feedback on the integration would be greatly appreciated!

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity
[Freeipa-users] S4U2Self not working for multiple allowed targets
sTime is Mon Mar 14 16:37:55 UTC 2016 1457973475000
suSec is 144678
error code is 14
error Message is KDC has no support for encryption type
cname is HTTP/openunison.azure.cloud@AZURE.CLOUD
sname is HTTP/ipaclient-rhel72.azure.cloud@AZURE.CLOUD
msgType is 30

and here's what's in the Kerberos logs:

14 16:37:55 ipa krb5kdc[11351](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.0.6: ISSUE: authtime 1457971519, etypes {rep=18 tkt=18 ses=18}, HTTP/openunison.azure.cloud@AZURE.CLOUD for HTTP/openunison.azure.cloud@AZURE.CLOUD
Mar 14 16:37:55 ipa krb5kdc[11351](info): ... PROTOCOL-TRANSITION s4u-client=mmosley@AZURE.CLOUD
Mar 14 16:37:55 ipa krb5kdc[11351](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.0.6: BAD_ENCRYPTION_TYPE: authtime 0, HTTP/openunison.azure.cloud@AZURE.CLOUD for HTTP/ipaclient-rhel72.azure.cloud@AZURE.CLOUD, KDC has no support for encryption type
Mar 14 16:37:55 ipa krb5kdc[11351](info): ... CONSTRAINED-DELEGATION s4u-client=

Any thoughts? Nothing really stands out to me.

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity
[Freeipa-users] FreeIPA and project Atomic
I'm moving an environment from one that uses all separate VMs to one using Project Atomic and Docker images. A couple of questions:

1. Are there any known issues joining an Atomic host to a FreeIPA domain? (Or has anyone tried it?)
2. Is there any reason I couldn't run FreeIPA in a container in this setup? It seems odd to run FreeIPA on a container for a server in its own domain. My first thought is to have the FreeIPA servers running on their own VMs.

Any insight would be appreciated.

Thanks
Marc

--
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902
Re: [Freeipa-users] Service Accounts via IPA
I do the same thing on most deployments. I usually just assign a large random password to the service account.

Marc Boorshtein
CTO, Tremolo Security, Inc.

On Dec 11, 2015 12:15 PM, "Redmond, Stacy" <stacy.redm...@blueshieldca.com> wrote:
> No, that does not even allow su - unless you add the -s /bin/bash or some
> valid shell. I did try a few of these, generally I just put a ! in front of
> the password locally, but since these exist in ldap now instead, not sure
> that is an option.
>
> From: Nicola Canepa [mailto:canep...@mmfg.it]
> Sent: Thursday, December 10, 2015 11:55 PM
> To: Redmond, Stacy; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Service Accounts via IPA
>
> Maybe you can use /usr/sbin/nologin as the shell?
>
> Nicola
>
> On 10/12/15 19:24, Redmond, Stacy wrote:
> > Generally I will lock a service account on linux so that the account
> > cannot login, but users can sudo su - to that user. As I don't have access
> > to the password field in free ipa, what are my options to set this up as a
> > default for service accounts, or how can I modify individual accounts that
> > need access to a system, but should not be able to login to the system.
> > Any help is appreciated.
>
> --
> Nicola Canepa
> Tel: +39-0522-399-3474
> canep...@mmfg.it
Re: [Freeipa-users] Generation of /etc/krb5.conf file
> Do you know if these options are generated by the installer or are those
> the ones included with the sssd generated file?

I do not. I didn't set up any Kerberos configurations other than running the ipa client install to join the domain.

> Would you mind filing a ticket? I think this should be fixed.

Done - https://fedorahosted.org/freeipa/ticket/5518

> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Generation of /etc/krb5.conf file
> Looking into krb5/src/util/profile/prof_get.c, the code that supports
> 'yes'/'no' (y,yes,1,true,t,on and n,no,nil,off,false) was added in 2000
> with the commit 97971c69b9389be08b7e9ffb742ca35f3706b3af (it was CVS at
> the time but the commit is traceable via git after import from SVN).
>
> So I would say this is a documentation issue on the MIT krb5 side rather than
> an exception. Given that the code has been supported for 15 years already,
> perhaps making the JDK aware of it is a better idea?

While yes, it's clearly a documentation issue, I'd say it's probably worth changing on the IPA side as it doesn't affect how IPA functions and makes it easier for integrating applications that are built to those docs. I know I spent a couple of hours trying to figure out why I wasn't generating forwardable TGTs on a box that is part of the domain from an ipa client install vs a manually configured krb5.conf file.

Thanks
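The mismatch discussed in this thread (MIT accepts y/yes/1/true/t/on and n/no/nil/off/false, while applications built to the documented form expect only true/false) can be caught before a Java client trips over it. The checker below is an added example, not code from the thread, FreeIPA or MIT krb5: the accepted spellings are the ones Alexander quotes from prof_get.c, the list of boolean [libdefaults] keys is an assumption you should extend for your own configuration, and the krb5.conf text is constructed.

```python
"""Find boolean settings in a krb5.conf written in a spelling MIT krb5 accepts
but that does not match the documented true/false form, and rewrite them.
Added example; not FreeIPA or MIT krb5 code."""
import re

# Spellings MIT krb5's profile library treats as booleans (from the thread).
MIT_TRUE = {"y", "yes", "1", "true", "t", "on"}
MIT_FALSE = {"n", "no", "nil", "off", "false"}

# [libdefaults] keys documented as boolean (assumed list, not exhaustive).
BOOLEAN_KEYS = {
    "forwardable", "proxiable", "dns_lookup_kdc", "dns_lookup_realm", "rdns",
    "dns_canonicalize_hostname", "noaddresses", "allow_weak_crypto",
    "canonicalize", "ignore_acceptor_hostname",
}

SECTION_RE = re.compile(r"^\s*\[(\w+)\]\s*$")
SETTING_RE = re.compile(r"^(\s*)([A-Za-z_]+)(\s*=\s*)(\S+)(\s*)$")


def find_nonstandard_booleans(text):
    """Return (line_no, section, key, value, canonical) for every boolean in
    [libdefaults] whose value is MIT-accepted but not literally true/false."""
    findings = []
    section, depth = None, 0  # depth: inside 'REALM = { ... }' blocks
    for line_no, line in enumerate(text.split("\n"), 1):
        m = SECTION_RE.match(line)
        if m:
            section, depth = m.group(1), 0
            continue
        depth += line.count("{") - line.count("}")
        if section != "libdefaults" or depth:
            continue
        m = SETTING_RE.match(line)
        if not m or m.group(2) not in BOOLEAN_KEYS:
            continue
        value = m.group(4).lower()
        if value in ("true", "false"):
            continue
        if value in MIT_TRUE:
            findings.append((line_no, section, m.group(2), m.group(4), "true"))
        elif value in MIT_FALSE:
            findings.append((line_no, section, m.group(2), m.group(4), "false"))
    return findings


def canonicalise(text):
    """Rewrite only the flagged values to true/false; everything else is kept
    byte for byte (comments, indentation, realm blocks)."""
    lines = text.split("\n")
    for line_no, _section, _key, _value, canonical in find_nonstandard_booleans(text):
        m = SETTING_RE.match(lines[line_no - 1])
        lines[line_no - 1] = m.group(1) + m.group(2) + m.group(3) + canonical + m.group(5)
    return "\n".join(lines)


# Constructed krb5.conf in the yes/no style the thread reports from the
# client installer; realm details are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_realm = false
  dns_lookup_kdc = yes
  rdns = no
  forwardable = yes
  ticket_lifetime = 24h

[realms]
  EXAMPLE.TEST = {
    kdc = ipa.example.test:88
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
"""

if __name__ == "__main__":
    for line_no, section, key, value, canonical in find_nonstandard_booleans(SAMPLE_KRB5_CONF):
        print("line %d [%s] %s = %s  ->  %s" % (line_no, section, key, value, canonical))
    print(canonicalise(SAMPLE_KRB5_CONF))
```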
[Freeipa-users] Generation of /etc/krb5.conf file
FreeIPA team,

In doing some work with Java I came across an issue with the krb5.conf file generated by the IPA client install process. Options in the krb5.conf file that are boolean are being set as yes/no instead of true/false. MIT Kerberos accepts it but per the docs it should be true/false. Here's a link to the issue in OpenJDK:
https://bugs.openjdk.java.net/browse/JDK-8029995

Easy enough fix on my end, just changed the options in the krb5.conf file.

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
Re: [Freeipa-users] Documentation on the JSON format for ipa-web?
I did an upgrade yesterday and was still at 7.1 so I don't think 7.2 has been officially released.

Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902

On Wed, Dec 2, 2015 at 1:57 PM, Oliver Dörr <oli...@doerr-privat.de> wrote:
> Hmm,
>
> I've made a few tests against the JSON API and the API browser was available.
> I've used RHEL 7.2 and so I expect CentOS 7.2 to contain the API browser.
>
> Oliver
>
> On 01.12.2015 at 19:41, Marc Boorshtein wrote:
> > > IPA 4.2 has an experimental API browser in the GUI, IPA Server -> API
> > > browser.
> >
> > Has 4.2 made it into CentOS 7 yet? Or only in Fedora?
Re: [Freeipa-users] Documentation on the JSON format for ipa-web?
Rob & Martin,

Thanks. This is a great resource. Is there a way to generate sample JSONs for each command? For instance, when I make a call to user_search, I use the following:

  String lookupjson = "{\"method\":\"batch\",\"params\":[[{\"method\":\"user_show\",\"params\":[[\"" + userID + "\"],{\"all\":true,\"rights\":true}]},{\"method\":\"pwpolicy_show\",\"params\":[[],{\"user\":\"" + userID + "\",\"all\":true,\"rights\":true}]},{\"method\":\"krbtpolicy_show\",\"params\":[[\"" + userID + "\"],{\"all\":true,\"rights\":true}]}],{\"version\":\"2.112\"}]}";

This was figured out by reverse engineering the calls from the browser to IPA Web. Looking at the API browser it's clear that using batch here is probably overkill. Based on the API browser I think I can do:

  {
    "method":"user_show",
    "params":[
      ["myuser"],
      {
        "all":true,
        "rights":true
      }
    ]
  }

Is that accurate? For the result object, is there something documented?

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902

On Wed, Dec 2, 2015 at 2:53 AM, Martin Babinsky <mbabi...@redhat.com> wrote:
> On 12/01/2015 07:56 PM, Marc Boorshtein wrote:
> > Great. Doesn't look like it's made it into CentOS yet (still at 7.1).
> > OK, going to go ahead and get it running on Fedora 23.
> >
> > Thanks
> > Marc Boorshtein
> > CTO Tremolo Security
> > marc.boorsht...@tremolosecurity.com
> > (703) 828-4902
> >
> > On Tue, Dec 1, 2015 at 1:42 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> > > Marc Boorshtein wrote:
> > > > > IPA 4.2 has an experimental API browser in the GUI, IPA Server -> API
> > > > > browser.
> > > >
> > > > Has 4.2 made it into CentOS 7 yet? Or only in Fedora?
> > >
> > > It is in RHEL 7.2 and Fedora 23.
> > >
> > > rob
>
> Hi Marc,
>
> the FreeIPA public demo also features an API browser for you to inspect. See
> http://www.freeipa.org/page/Demo and then go to
> https://ipa.demo1.freeipa.org/ipa/ui/#/p/apibrowser/type=command
>
> --
> Martin^3 Babinsky
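The two request shapes in the message above (the three-call batch and the plain user_show call) can be built as data and handed to a JSON encoder, which also means a user id containing a quote is escaped instead of breaking, or changing, the request the way the string-spliced Java version would. Added example, not code from the thread or the FreeIPA project; the command names and the "version" option are the ones quoted in the thread, and the sample reply is constructed to the server's standard result/error/id/principal/version envelope, not a real capture.

```python
"""Build FreeIPA JSON-RPC request bodies for user_show, alone and inside a
batch, from Python data so the user id is escaped by json.dumps rather than
spliced into a string.  Added example, not FreeIPA project code."""
import json

API_VERSION = "2.112"  # version string from the thread's batch request


def user_show_request(uid, rpc_id=0):
    """Single command: params[0] holds positional args, params[1] the options.
    For a non-batch call the API version travels in the options dict."""
    return {
        "id": rpc_id,
        "method": "user_show",
        "params": [[uid], {"all": True, "rights": True, "version": API_VERSION}],
    }


def batch_request(uid, rpc_id=0):
    """The batch the thread's Java string builds, expressed as data."""
    calls = [
        {"method": "user_show",
         "params": [[uid], {"all": True, "rights": True}]},
        {"method": "pwpolicy_show",
         "params": [[], {"user": uid, "all": True, "rights": True}]},
        {"method": "krbtpolicy_show",
         "params": [[uid], {"all": True, "rights": True}]},
    ]
    return {"id": rpc_id, "method": "batch",
            "params": [calls, {"version": API_VERSION}]}


def encode(request):
    """Serialise a request body; json.dumps escapes quotes inside uid."""
    return json.dumps(request, separators=(",", ":"))


def concat_style(uid):
    """The thread's string-splicing approach, kept only for comparison."""
    return ('{"method":"user_show","params":[["' + uid
            + '"],{"all":true,"rights":true}]}')


def is_well_formed(body):
    """True when body parses as a JSON object carrying method and params."""
    try:
        req = json.loads(body)
    except ValueError:
        return False
    return isinstance(req, dict) and "method" in req and "params" in req


def positional_args(body):
    """The positional argument list (params[0]) of an encoded request."""
    return json.loads(body)["params"][0]


def methods_called(body):
    """List the command names a request body invokes (batch-aware)."""
    req = json.loads(body)
    if req["method"] != "batch":
        return [req["method"]]
    return [call["method"] for call in req["params"][0]]


def unwrap_response(response):
    """Return the entry attributes from a single-command reply; raise when the
    envelope's 'error' member is set instead of null."""
    if response.get("error") is not None:
        err = response["error"]
        raise RuntimeError("IPA error %s: %s" % (err.get("code"), err.get("message")))
    return response["result"]["result"]


# Constructed sample reply for user_show, abbreviated to a few attributes.
SAMPLE_REPLY = {
    "result": {"result": {"uid": ["mmosley"], "memberof_group": ["ipausers"]},
               "value": "mmosley", "summary": None},
    "error": None, "id": 0, "principal": "admin@EXAMPLE.TEST", "version": "4.2.0",
}

if __name__ == "__main__":
    print(encode(user_show_request("mmosley")))
    print(methods_called(encode(batch_request("mmosley"))))
    print(unwrap_response(SAMPLE_REPLY)["uid"])
```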
Re: [Freeipa-users] Documentation on the JSON format for ipa-web?
> just use 'ipa -vv user-show ...' to see formatted JSON.

excellent

> Did you read my article?
> https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/

I hadn't, but this is exactly what I'm looking for. Perfect, this will help me clean up my implementation nicely.

Thanks
Marc
Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy
> How do you acquire the user ticket?

Using a keytab. Here's a link to the example code I'm using:
https://github.com/ymartin59/java-kerberos-sfudemo

I have Java set to use IPA as the DNS server and I'm passing in mmosley as the user to impersonate and HTTP/freeipa.rhelent.lan as the service that will consume the impersonated user's ticket.

> Do you have the kdc log (/var/log/krb5kdc.log) that shows what the
> server has been requested and what it released?

Sure:

Dec 01 11:55:17 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 10.8.0.2: NEEDED_PREAUTH: HTTP/s4u.rhelent@rhelent.lan for krbtgt/rhelent@rhelent.lan, Additional pre-authentication required
Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for krbtgt/rhelent@rhelent.lan
Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for HTTP/s4u.rhelent@rhelent.lan
Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): ... PROTOCOL-TRANSITION s4u-client=mmos...@rhelent.lan

Thanks
[Freeipa-users] Documentation on the JSON format for ipa-web?
FreeIPA Team,

I've created a plugin for working with FreeIPA, but right now it's using reverse engineered JSON that I then turned into Java POJOs. It works but I'd like to have something a bit better managed. Is there any documentation or a place in the code base I can look for a more formal definition of the JSON so I can build a better mapping?

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy
I can now get a ticket! This is how I originally created the user:

$ kinit admin
$ ipa service-add HTTP/s4u.rhelent@rhelent.lan --ok-as-delegate=true

Here's the object in the directory:

dn: krbprincipalname=HTTP/s4u.rhelent@rhelent.lan,cn=services,cn=accounts,dc=rhelent,dc=lan
ipaKrbPrincipalAlias: HTTP/s4u.rhelent@rhelent.lan
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
krbTicketFlags: 1048704
managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
krbPrincipalName: HTTP/s4u.rhelent@rhelent.lan
ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
krbLastPwdChange: 20151112021359Z
krbExtraData:: AALn9UNWSFRUUC9zNHUucmhlbGVudC5sYW5AUkhFTEVOVC5MQU4A
krbLastSuccessfulAuth: 20151201165518Z

Just now, I ran:

[root@freeipa ~]# kadmin.local
Authenticating as principal admin/ad...@rhelent.lan with password.
kadmin.local: modprinc +ok_to_auth_as_delegate HTTP/s4u.rhelent.lan
Principal "HTTP/s4u.rhelent@rhelent.lan" modified.

and now the directory object is

dn: krbprincipalname=HTTP/s4u.rhelent@rhelent.lan,cn=services,cn=accounts,dc=rhelent,dc=lan
ipaKrbPrincipalAlias: HTTP/s4u.rhelent@rhelent.lan
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
krbTicketFlags: 3145856
managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
krbPrincipalName: HTTP/s4u.rhelent@rhelent.lan
ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
krbLastPwdChange: 20151112021359Z
krbExtraData:: AAIx3l1WYWRtaW4vYWRtaW5AUkhFTEVOVC5MQU4A
krbLastSuccessfulAuth: 20151201175200Z

Ticket flags clearly changed. Now to see if this works with ipa-web.

Thanks

Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902

On Tue, Dec 1, 2015 at 12:42 PM, Simo Sorce <s...@redhat.com> wrote:
> On Tue, 2015-12-01 at 11:55 -0500, Marc Boorshtein wrote:
>> >
>> > How do you acquire the user ticket ?
>> >
>>
>> Using a keytab. Here's a link to the example code I'm using:
>> https://github.com/ymartin59/java-kerberos-sfudemo I have Java set to
>> use IPA as the DNS server and I'm passing in mmosley as the user to
>> impersonate and HTTP/freeipa.rhelent.lan as the service that will
>> consume the impersonated user's ticket.
>>
>> > Do you have the kdc log (/var/log/krb5kdc.log) that shows what the
>> > server has been requested and what it released ?
>> >
>>
>> Sure:
>>
>> Dec 01 11:55:17 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
>> etypes {17 23 16}) 10.8.0.2: NEEDED_PREAUTH:
>> HTTP/s4u.rhelent@rhelent.lan for krbtgt/rhelent@rhelent.lan,
>> Additional pre-authentication required
>> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
>> etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
>> {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for
>> krbtgt/rhelent@rhelent.lan
>> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3
>> etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
>> {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for
>> HTTP/s4u.rhelent@rhelent.lan
>> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): ...
>> PROTOCOL-TRANSITION s4u-client=mmos...@rhelent.lan
>>
>> Thanks
>
> I think for s4u2self you may have missed a conf step (we primarily use
> s4u2proxy in the product *without* any s4u2self step).
>
> Can you check that you followed the procedure described here:
> https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-kdb/README.s4u2proxy.txt#n90
>
> I think the key part is setting the +ok_to_auth_as_delegate flag which
> we do not provide an official higher level interface for yet.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
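An added example (not code from this thread or from FreeIPA) that decodes the two krbTicketFlags values shown above against the MIT krb5 KRB5_KDB_* bit definitions, so the effect of `modprinc +ok_to_auth_as_delegate` is visible as a single bit: the delta is OK_TO_AUTH_AS_DELEGATE (0x200000), which is a different bit from the OK_AS_DELEGATE (0x100000) that `--ok-as-delegate=true` sets. Function names and the short LDIF fragment in the usage section are my own.

```python
"""Decode FreeIPA's krbTicketFlags attribute into MIT krb5 principal flags.

Added example, not code from this thread or from FreeIPA. The bit values
follow the KRB5_KDB_* constants in MIT krb5's kdb.h; the two sample values
are the ones shown in the directory entries above, before and after
`modprinc +ok_to_auth_as_delegate`. Function names are my own.
"""
import re

# Principal attribute bits from MIT krb5 kdb.h (KRB5_KDB_* constants).
KDB_FLAGS = {
    0x000001: "DISALLOW_POSTDATED",
    0x000002: "DISALLOW_FORWARDABLE",
    0x000004: "DISALLOW_TGT_BASED",
    0x000008: "DISALLOW_RENEWABLE",
    0x000010: "DISALLOW_PROXIABLE",
    0x000020: "DISALLOW_DUP_SKEY",
    0x000040: "DISALLOW_ALL_TIX",
    0x000080: "REQUIRES_PRE_AUTH",
    0x000100: "REQUIRES_HW_AUTH",
    0x000200: "REQUIRES_PWCHANGE",
    0x001000: "DISALLOW_SVR",
    0x002000: "PWCHANGE_SERVICE",
    0x004000: "SUPPORT_DESMD5",
    0x008000: "NEW_PRINC",
    0x100000: "OK_AS_DELEGATE",           # set by `ipa service-add --ok-as-delegate`
    0x200000: "OK_TO_AUTH_AS_DELEGATE",   # S4U2Self (protocol transition)
    0x400000: "NO_AUTH_DATA_REQUIRED",
}


def decode_ticket_flags(value):
    """Names of the flags set in an integer krbTicketFlags value, in bit order.

    Bits with no entry in KDB_FLAGS are reported as UNKNOWN_0x... so that an
    unrecognised bit cannot hide silently in an audit of service principals."""
    names = []
    remaining = value
    for bit in sorted(KDB_FLAGS):
        if value & bit:
            names.append(KDB_FLAGS[bit])
            remaining &= ~bit
    bit = 1
    while remaining:
        if remaining & 1:
            names.append("UNKNOWN_0x%x" % bit)
        remaining >>= 1
        bit <<= 1
    return names


def flag_diff(before, after):
    """(added, removed) flag names between two krbTicketFlags values."""
    return decode_ticket_flags(after & ~before), decode_ticket_flags(before & ~after)


def allows_protocol_transition(value):
    """True when the KDC may issue S4U2Self tickets for this principal."""
    return bool(value & 0x200000)


def ticket_flags_from_ldif(ldif_text):
    """Integer krbTicketFlags value from one LDIF entry, or None if absent."""
    match = re.search(r"^krbTicketFlags:\s*(\d+)\s*$", ldif_text, re.MULTILINE)
    return int(match.group(1)) if match else None


# Values from the two directory entries shown in the message above.
BEFORE = 1048704   # after `ipa service-add ... --ok-as-delegate=true`
AFTER = 3145856    # after `modprinc +ok_to_auth_as_delegate`

if __name__ == "__main__":
    # Constructed two-attribute LDIF fragment, only to exercise the parsing path.
    entry = "dn: krbprincipalname=HTTP/EXAMPLE,cn=services\nkrbTicketFlags: %d\n" % AFTER
    print("before:", decode_ticket_flags(BEFORE))
    print("after: ", decode_ticket_flags(ticket_flags_from_ldif(entry)))
    print("delta: ", flag_diff(BEFORE, AFTER))
```

Run over an `ldapsearch` dump of cn=services, the same functions give a quick inventory of which principals have protocol transition enabled.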
Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy
Got it. BTW, with that java 8 s4u2self works too. Thanks again for the help!

Marc Boorshtein
CTO, Tremolo Security, Inc.

On Dec 1, 2015 1:14 PM, "Simo Sorce" <s...@redhat.com> wrote:
> On Tue, 2015-12-01 at 12:55 -0500, Marc Boorshtein wrote:
> > I can now get a ticket! This is how I originally created the user:
> >
> > $ kinit admin
> > $ ipa service-add HTTP/s4u.rhelent@rhelent.lan --ok-as-delegate=true
>
> ok-as-delegate != ok_to_auth_as_delegate ...
>
> I know, it is a little confusing :-/ but these are the upstream flag
> names, and they both exist and do different things.
>
> Simo.
>
> > Here's the object in the directory:
> >
> > dn: krbprincipalname=HTTP/s4u.rhelent@rhelent.lan,cn=services,cn=accounts,
> >  dc=rhelent,dc=lan
> > ipaKrbPrincipalAlias: HTTP/s4u.rhelent@rhelent.lan
> > objectClass: ipaobject
> > objectClass: ipaservice
> > objectClass: krbticketpolicyaux
> > objectClass: ipakrbprincipal
> > objectClass: krbprincipal
> > objectClass: krbprincipalaux
> > objectClass: pkiuser
> > objectClass: top
> > krbTicketFlags: 1048704
> > managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
> > krbPrincipalName: HTTP/s4u.rhelent@rhelent.lan
> > ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
> > krbLastPwdChange: 20151112021359Z
> > krbExtraData:: AALn9UNWSFRUUC9zNHUucmhlbGVudC5sYW5AUkhFTEVOVC5MQU4A
> > krbLastSuccessfulAuth: 20151201165518Z
> >
> > Just now, I ran:
> > [root@freeipa ~]# kadmin.local
> > Authenticating as principal admin/ad...@rhelent.lan with password.
> > kadmin.local: modprinc +ok_to_auth_as_delegate HTTP/s4u.rhelent.lan
> > Principal "HTTP/s4u.rhelent@rhelent.lan" modified.
Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy
What projects (including my own) don't need better docs? :-)

Once I publish the work I'm doing part of that will have a step-by-step on getting this setup. It was pretty easy really if you are comfortable with LDAP.

Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902

On Tue, Dec 1, 2015 at 1:46 PM, Simo Sorce <s...@redhat.com> wrote:
> On Tue, 2015-12-01 at 13:28 -0500, Marc Boorshtein wrote:
>> Got it. BTW, with that java 8 s4u2self works too. Thanks again for the help!
>
> Glad it works, and sorry it took so long to figure out.
>
> We definitely need some better docs around this point.
>
> Simo.
>
>> Marc Boorshtein
>> CTO, Tremolo Security, Inc.
>> On Dec 1, 2015 1:14 PM, "Simo Sorce" <s...@redhat.com> wrote:
>>
>> > On Tue, 2015-12-01 at 12:55 -0500, Marc Boorshtein wrote:
>> > > I can now get a ticket! This is how I originally created the user:
>> > >
>> > > $ kinit admin
>> > > $ ipa service-add HTTP/s4u.rhelent@rhelent.lan --ok-as-delegate=true
>> >
>> > ok-as-delegate != ok_to_auth_as_delegate ...
>> >
>> > I know, it is a little confusing :-/ but these are the upstream flag
>> > names, and they both exist and do different things.
>> >
>> > Simo.
Re: [Freeipa-users] Documentation on the JSON format for ipa-web?
> IPA 4.2 has an experimental API browser in the GUI, IPA Server -> API
> browser.

has 4.2 made it into centos 7 yet? or only in fedora?
Re: [Freeipa-users] Documentation on the JSON format for ipa-web?
Great. Doesn't look like it's made it into CentOS yet (still at 7.1). OK, going to go ahead and get it running on Fedora 23.

Thanks

Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902

On Tue, Dec 1, 2015 at 1:42 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Marc Boorshtein wrote:
>>>
>>> IPA 4.2 has an experimental API browser in the GUI, IPA Server -> API
>>> browser.
>>>
>>
>> has 4.2 made it into centos 7 yet? or only in fedora?
>>
>
> It is in RHEL 7.2 and Fedora 23.
>
> rob
Re: [Freeipa-users] "ASN.1 structure is missing a required field" - what is missing?
We actually tracked it down. The problem was the Authenticator was missing the authenticatorkvno field per the RFC. Once we set that to 5 we got past this issue.

IPA 4.1 on CentOS7

Thanks

Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com

On Mon, Nov 23, 2015 at 10:38 AM, Simo Sorce <s...@redhat.com> wrote:
> On Tue, 2015-11-17 at 21:36 -0500, Marc Boorshtein wrote:
>> I'm putting together a java kerberos client and am having an issue
>> getting a SGT from IPA. I get a TGT without issue, but when I submit
>> the TGS-REQ I get the following errors in the ipa log:
>>
>> Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1
>> etypes {17}) 192.168.2.129: ISSUE: authtime 1447811595, etypes {rep=17
>> tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for
>> krbtgt/rhelent@rhelent.lan
>>
>> Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1
>> etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0,
>> for HTTP/ipa.rhelent@rhelent.lan, ASN.1 structure is missing a
>> required field
>>
>> Here's the TGS request:
>>
>> Kerberos
>>   tgs-req
>>     pvno: 5
>>     msg-type: krb-tgs-req (12)
>>     padata: 1 item
>>       PA-DATA PA-TGS-REQ
>>         padata-type: kRB5-PADATA-TGS-REQ (1)
>>         padata-value: 6e8201f8308201f4a003020105a10302010ea2070305...
>>           ap-req
>>             pvno: 5
>>             msg-type: krb-ap-req (14)
>>             Padding: 0
>>             ap-options:
>>               0... = reserved: False
>>               .0.. = use-session-key: False
>>               ..0. = mutual-required: False
>>             ticket
>>               tkt-vno: 5
>>               realm: RHELENT.LAN
>>               sname
>>                 name-type: kRB5-NT-PRINCIPAL (1)
>>                 name-string: 2 items
>>                   KerberosString: krbtgt
>>                   KerberosString: RHELENT.LAN
>>               enc-part
>>                 etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
>>                 kvno: 1
>>                 cipher: 0efd7452dafeb94323bcf7f6adc373aab78ce179f42c4c11...
>>             authenticator
>>               etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
>>               kvno: 255
>>               cipher: f40e91b920c6ae6bdc30a69d5f348bf106355a92da74ba74...
>>     req-body
>>       Padding: 0
>>       kdc-options:
>>         0... = reserved: False
>>         .0.. = forwardable: False
>>         ..0. = forwarded: False
>>         ...0 = proxiable: False
>>         0... = proxy: False
>>         .0.. = allow-postdate: False
>>         ..0. = postdated: False
>>         ...0 = unused7: False
>>         0... = renewable: False
>>         .0.. = unused9: False
>>         ..0. = unused10: False
>>         ...0 = opt-hardware-auth: False
>>         ..0. = request-anonymous: False
>>         ...0 = canonicalize: False
>>         0... = constrained-delegation: False
>>         ..0. = disable-transited-check: False
>>         ...0 = renewable-ok: False
>>         0... = enc-tkt-in-skey: False
>>         ..0. = renew: False
>>         ...0 = validate: False
>>       cname
>>         name-type: kRB5-NT-PRINCIPAL (1)
>>         name-string: 2 items
>>           KerberosString: HTTP
>>           KerberosString: s4u.rhelent.lan
>>       realm: RHELENT.LAN
>>       sname
>>         name-type: kRB5-NT-PRINCIPAL (1)
>>         name-string: 2 items
>>           KerberosString: HTTP
>>           KerberosString: ipa.rhelent.lan
>>       from: 2015-11-18 02:17:44 (UTC)
>>       till: 2015-11-18 10:17:44 (UTC)
>>
[Freeipa-users] "ASN.1 structure is missing a required field" - what is missing?
I'm putting together a java kerberos client and am having an issue getting a SGT from IPA. I get a TGT without issue, but when I submit the TGS-REQ I get the following errors in the ipa log:

Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 etypes {17}) 192.168.2.129: ISSUE: authtime 1447811595, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for krbtgt/rhelent@rhelent.lan

Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0, for HTTP/ipa.rhelent@rhelent.lan, ASN.1 structure is missing a required field

Here's the TGS request:

Kerberos
  tgs-req
    pvno: 5
    msg-type: krb-tgs-req (12)
    padata: 1 item
      PA-DATA PA-TGS-REQ
        padata-type: kRB5-PADATA-TGS-REQ (1)
        padata-value: 6e8201f8308201f4a003020105a10302010ea2070305...
          ap-req
            pvno: 5
            msg-type: krb-ap-req (14)
            Padding: 0
            ap-options:
              0... = reserved: False
              .0.. = use-session-key: False
              ..0. = mutual-required: False
            ticket
              tkt-vno: 5
              realm: RHELENT.LAN
              sname
                name-type: kRB5-NT-PRINCIPAL (1)
                name-string: 2 items
                  KerberosString: krbtgt
                  KerberosString: RHELENT.LAN
              enc-part
                etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                kvno: 1
                cipher: 0efd7452dafeb94323bcf7f6adc373aab78ce179f42c4c11...
            authenticator
              etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
              kvno: 255
              cipher: f40e91b920c6ae6bdc30a69d5f348bf106355a92da74ba74...
    req-body
      Padding: 0
      kdc-options:
        0... = reserved: False
        .0.. = forwardable: False
        ..0. = forwarded: False
        ...0 = proxiable: False
        0... = proxy: False
        .0.. = allow-postdate: False
        ..0. = postdated: False
        ...0 = unused7: False
        0... = renewable: False
        .0.. = unused9: False
        ..0. = unused10: False
        ...0 = opt-hardware-auth: False
        ..0. = request-anonymous: False
        ...0 = canonicalize: False
        0... = constrained-delegation: False
        ..0. = disable-transited-check: False
        ...0 = renewable-ok: False
        0... = enc-tkt-in-skey: False
        ..0. = renew: False
        ...0 = validate: False
      cname
        name-type: kRB5-NT-PRINCIPAL (1)
        name-string: 2 items
          KerberosString: HTTP
          KerberosString: s4u.rhelent.lan
      realm: RHELENT.LAN
      sname
        name-type: kRB5-NT-PRINCIPAL (1)
        name-string: 2 items
          KerberosString: HTTP
          KerberosString: ipa.rhelent.lan
      from: 2015-11-18 02:17:44 (UTC)
      till: 2015-11-18 10:17:44 (UTC)
      nonce: 604310537
      etype: 1 item
        ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)

Is there a field missing?

Thanks

Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
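The field Marc reports missing in the reply above (authenticator-vno in RFC 4120 section 5.5.1 terms) can be caught on the client side before the Authenticator is encrypted into the AP-REQ, which is the only place a client can inspect it. This added example (not code from the thread, from FreeIPA or from the JDK) builds a DER Authenticator with a small hand-written encoder and lists the required fields that are absent; the realm and client principal come from the TGS-REQ above, while the timestamp and all helper names are constructed.

```python
"""Check a DER-encoded Kerberos Authenticator (RFC 4120 5.5.1) for its
required fields before it is encrypted into an AP-REQ.

Added example, not code from this thread, from FreeIPA or from the JDK. It
uses a tiny hand-written DER encoder/decoder so it runs without pyasn1; the
realm and client principal are taken from the thread, the timestamp and the
helper names are constructed.
"""

# Context tags of Authenticator per RFC 4120 5.5.1. The optional ones are
# cksum [3], subkey [6], seq-number [7] and authorization-data [8].
REQUIRED = {0: "authenticator-vno", 1: "crealm", 2: "cname", 4: "cusec", 5: "ctime"}


def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def der_int(value):
    """Non-negative INTEGER in minimal two's-complement encoding."""
    return der_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def der_kstring(s):
    return der_tlv(0x1B, s.encode("ascii"))     # KerberosString is a GeneralString


def ctx(n, content):
    return der_tlv(0xA0 | n, content)           # constructed context-specific tag [n]


def principal_name(name_type, parts):
    """PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF }"""
    seq = der_tlv(0x30, b"".join(der_kstring(p) for p in parts))
    return der_tlv(0x30, ctx(0, der_int(name_type)) + ctx(1, seq))


def build_authenticator(fields):
    """fields: {context tag number: DER content}; returns [APPLICATION 2] Authenticator."""
    body = b"".join(ctx(n, fields[n]) for n in sorted(fields))
    return der_tlv(0x62, der_tlv(0x30, body))


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def authenticator_tags(der):
    """Set of context tag numbers present in a DER Authenticator."""
    tag, content, _ = _read_tlv(der, 0)
    if tag != 0x62:
        raise ValueError("not an [APPLICATION 2] Authenticator")
    tag, seq, _ = _read_tlv(content, 0)
    if tag != 0x30:
        raise ValueError("Authenticator body is not a SEQUENCE")
    tags, pos = set(), 0
    while pos < len(seq):
        tag, _, pos = _read_tlv(seq, pos)
        if tag & 0xC0 != 0x80:
            raise ValueError("unexpected tag 0x%02x inside Authenticator" % tag)
        tags.add(tag & 0x1F)
    return tags


def missing_required_fields(der):
    """Names of required Authenticator fields absent from `der`, in tag order."""
    present = authenticator_tags(der)
    return [REQUIRED[n] for n in sorted(REQUIRED) if n not in present]


# Constructed sample using the client principal from the thread's TGS-REQ.
COMMON = {
    1: der_kstring("RHELENT.LAN"),
    2: principal_name(1, ["HTTP", "s4u.rhelent.lan"]),
    4: der_int(0),
    5: der_tlv(0x18, b"20151118021744Z"),       # GeneralizedTime, constructed value
}
BROKEN = build_authenticator(COMMON)                      # no authenticator-vno
FIXED = build_authenticator({0: der_int(5), **COMMON})    # vno set to 5, as in the fix

if __name__ == "__main__":
    print("broken:", missing_required_fields(BROKEN))   # ['authenticator-vno']
    print("fixed: ", missing_required_fields(FIXED))    # []
```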
[Freeipa-users] IPA + Java 8 + S4U2Self/Proxy
        ...0 = validate: False
      realm: RHELENT.LAN
      sname
        name-type: kRB5-NT-PRINCIPAL (1)
        name-string: 2 items
          KerberosString: HTTP
          KerberosString: unison-freeipa.rhelent.lan
      till: 1970-01-01 00:00:00 (UTC)
      nonce: 1950860413
      etype: 4 items
        ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
        ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
        ENCTYPE: eTYPE-DES3-CBC-SHA1 (16)
        ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)

And the response:

Kerberos
  tgs-rep
    pvno: 5
    msg-type: krb-tgs-rep (13)
    crealm: RHELENT.LAN
    cname
      name-type: kRB5-NT-PRINCIPAL (1)
      name-string: 1 item
        KerberosString: mmosley
    ticket
      tkt-vno: 5
      realm: RHELENT.LAN
      sname
        name-type: kRB5-NT-PRINCIPAL (1)
        name-string: 2 items
          KerberosString: HTTP
          KerberosString: unison-freeipa.rhelent.lan
      enc-part
        etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
        kvno: 1
        cipher: d5ba7253ac30a63034ac5985fa0c782dc86cb0a9dd859127...
    enc-part
      etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
      cipher: 7c6f2034caddf129d1550b91f4ef0157b2f9ac4c351023d3...

On the IPA server I get:

Oct 26 23:29:40 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.2.167: ISSUE: authtime 1445908277, etypes {rep=18 tkt=18 ses=18}, HTTP/unison-freeipa.rhelent@rhelent.lan for HTTP/unison-freeipa.rhelent@rhelent.lan
Oct 26 23:29:40 freeipa.rhelent.lan krb5kdc[7507](info): ... PROTOCOL-TRANSITION s4u-client=mmos...@rhelent.lan

It looks like everything is working, right? If either Java didn't send the forwardable to "true" or if IPA sent the options back in the response I'd be in business? Any thoughts?

Thanks

Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902
Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy
>> Looking at KrbKdcRep.java:73 it looks like the failure is happening
>> because java is setting the forwardable flag to true on the request
>> but the response has no options in it. Should the forwardable option
>> be false in the request?
>
> That's a fair guess.
> the whole point of constrained delegation (including protocol impersonation)
> is that you do not want to forward tickets, so you shouldn't ask for
> forwardable tickets methinks.
>
> Simo.

Thanks Simo. I tried running kinit with forwarding disabled:

$ kinit HTTP/unison-freeipa.rhelent@rhelent.lan -k -t ./unison-freeipa.keytab -F

$ klist -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: HTTP/unison-freeipa.rhelent@rhelent.lan

Valid starting     Expires            Service principal
10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/rhelent@rhelent.lan
        Flags: IA

But when I try again Java refuses to generate the ticket:

tremoloadmin@unison-freeipa ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: HTTP/unison-freeipa.rhelent@rhelent.lan

Valid starting     Expires            Service principal
10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/rhelent@rhelent.lan
        Flags: IA

Hello World!
Search Subject for Kerberos V5 INIT cred (<>, sun.security.jgss.krb5.Krb5InitCredential)
No Subject
>>>KinitOptions cache name is /tmp/krb5cc_500
>>>DEBUG client principal is HTTP/unison-freeipa.rhelent@rhelent.lan
>>>DEBUG server principal is krbtgt/rhelent@rhelent.lan
>>>DEBUG key type: 18
>>>DEBUG auth time: Tue Oct 27 15:32:52 EDT 2015
>>>DEBUG start time: Tue Oct 27 15:32:52 EDT 2015
>>>DEBUG end time: Wed Oct 28 15:32:52 EDT 2015
>>>DEBUG renew_till time: null
>>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
>>>DEBUG client principal is HTTP/unison-freeipa.rhelent@rhelent.lan
Java config name: /home/tremoloadmin/krb5.conf
Loaded from Java config
>>>DEBUG server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/rhelent@rhelent.lan@RHELENT.LAN
>>>DEBUG key type: 0
>>>DEBUG auth time: Wed Dec 31 19:00:00 EST 1969
>>>DEBUG start time: null
>>>DEBUG end time: Wed Dec 31 19:00:00 EST 1969
>>>DEBUG renew_till time: null
>>> CCacheInputStream: readFlags()
Found ticket for HTTP/unison-freeipa.rhelent@rhelent.lan to go to krbtgt/rhelent@rhelent.lan expiring on Wed Oct 28 15:32:52 EDT 2015
Search Subject for SPNEGO INIT cred (<>, sun.security.jgss.spnego.SpNegoCredElement)
No Subject
Search Subject for Kerberos V5 INIT cred (<>, sun.security.jgss.krb5.Krb5InitCredential)
No Subject
>>>KinitOptions cache name is /tmp/krb5cc_500
>>>DEBUG client principal is HTTP/unison-freeipa.rhelent@rhelent.lan
>>>DEBUG server principal is krbtgt/rhelent@rhelent.lan
>>>DEBUG key type: 18
>>>DEBUG auth time: Tue Oct 27 15:32:52 EDT 2015
>>>DEBUG start time: Tue Oct 27 15:32:52 EDT 2015
>>>DEBUG end time: Wed Oct 28 15:32:52 EDT 2015
>>>DEBUG renew_till time: null
>>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
>>>DEBUG client principal is HTTP/unison-freeipa.rhelent@rhelent.lan
>>>DEBUG server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/rhelent@rhelent.lan@RHELENT.LAN
>>>DEBUG key type: 0
>>>DEBUG auth time: Wed Dec 31 19:00:00 EST 1969
>>>DEBUG start time: null
>>>DEBUG end time: Wed Dec 31 19:00:00 EST 1969
>>>DEBUG renew_till time: null
>>> CCacheInputStream: readFlags()
Found ticket for HTTP/unison-freeipa.rhelent@rhelent.lan to go to krbtgt/rhelent@rhelent.lan expiring on Wed Oct 28 15:32:52 EDT 2015
>>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
Exception in thread "main" GSSException: Failure unspecified at GSS-API level (Mechanism level: Attempt to obtain S4U2self credentials failed!)
        at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
        at sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:94)
        at sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:141)
        at io.tremolo.App.main(App.java:27)
Caused by: KrbException: Invalid option setting in ticket request. (101)
        at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:165)
        at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:100)
        at sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:66)
        at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
        at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
        ... 3 more

Looking at KrbTgsReq line 165:

// KrbTgsReq constructor: refuse to ask for a forwardable service ticket when
// the TGT used to request it was not itself issued forwardable.
if (options.get(KDCOptions.FORWARDABLE) &&
        (!(asCreds.flags.get(Krb5.TKT_OPTS_FORWARDABLE)))) {
    throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
}

If I read this correctly it has to be forwardable? If that's the case is Java wrong for requiring the options to be there or is ipa wrong for not sending the options with the response ticket?

Thanks
Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy
Thanks Simo. It wouldn't surprise me that java's implementation is wrong. The comments in the source even ask if it's necessary to check.

Thanks
Marc

Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902

On Tue, Oct 27, 2015 at 4:12 PM, Simo Sorce <s...@redhat.com> wrote:
> On 27/10/15 15:43, Marc Boorshtein wrote:
>>>> Looking at KrbKdcRep.java:73 it looks like the failure is happening
>>>> because java is setting the forwardable flag to true on the request
>>>> but the response has no options in it. Should the forwardable option
>>>> be false in the request?
>>>
>>> That's a fair guess.
>>> the whole point of constrained delegation (including protocol
>>> impersonation)
>>> is that you do not want to forward tickets, so you shouldn't ask for
>>> forwardable tickets methinks.
>>>
>>> Simo.
>>>
>>
>> Thanks Simo. I tried running kinit with forwarding disabled:
>>
>> $ kinit HTTP/unison-freeipa.rhelent@rhelent.lan -k -t
>> ./unison-freeipa.keytab -F
>>
>> $ klist -f
>>
>> Ticket cache: FILE:/tmp/krb5cc_500
>>
>> Default principal: HTTP/unison-freeipa.rhelent@rhelent.lan
>>
>>
>> Valid starting     Expires            Service principal
>>
>> 10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/rhelent@rhelent.lan
>>
>> Flags: IA
>>
>> But when I try again Java refuses to generate the ticket:
>>
>> tremoloadmin@unison-freeipa ~]$ klist -f
>> Ticket cache: FILE:/tmp/krb5cc_500
>> Default principal: HTTP/unison-freeipa.rhelent@rhelent.lan
>>
>> Valid starting     Expires            Service principal
>> 10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/rhelent@rhelent.lan
>> Flags: IA
>>
>> Hello World!