Re: [Freeipa-users] "ASN.1 structure is missing a required field" - what is missing?

2015-11-23 Thread Simo Sorce
On Tue, 2015-11-17 at 21:36 -0500, Marc Boorshtein wrote:
> I'm putting together a Java Kerberos client and am having an issue
> getting an SGT from IPA.  I get a TGT without issue, but when I submit
> the TGS-REQ I get the following errors in the ipa log:
> 
> Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1
> etypes {17}) 192.168.2.129: ISSUE: authtime 1447811595, etypes {rep=17
> tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for
> krbtgt/rhelent@rhelent.lan
> 
> Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1
> etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0,  
> for HTTP/ipa.rhelent@rhelent.lan, ASN.1 structure is missing a
> required field
> 
> Here's the TGS request:
> 
> Kerberos
> tgs-req
> pvno: 5
> msg-type: krb-tgs-req (12)
> padata: 1 item
> PA-DATA PA-TGS-REQ
> padata-type: kRB5-PADATA-TGS-REQ (1)
> padata-value:
> 6e8201f8308201f4a003020105a10302010ea2070305...
> ap-req
> pvno: 5
> msg-type: krb-ap-req (14)
> Padding: 0
> ap-options: 
> 0...  = reserved: False
> .0..  = use-session-key: False
> ..0.  = mutual-required: False
> ticket
> tkt-vno: 5
> realm: RHELENT.LAN
> sname
> name-type: kRB5-NT-PRINCIPAL (1)
> name-string: 2 items
> KerberosString: krbtgt
> KerberosString: RHELENT.LAN
> enc-part
> etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
> kvno: 1
> cipher:
> 0efd7452dafeb94323bcf7f6adc373aab78ce179f42c4c11...
> authenticator
> etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
> kvno: 255
> cipher:
> f40e91b920c6ae6bdc30a69d5f348bf106355a92da74ba74...
> req-body
> Padding: 0
> kdc-options: 
> 0...  = reserved: False
> .0..  = forwardable: False
> ..0.  = forwarded: False
> ...0  = proxiable: False
>  0... = proxy: False
>  .0.. = allow-postdate: False
>  ..0. = postdated: False
>  ...0 = unused7: False
> 0...  = renewable: False
> .0..  = unused9: False
> ..0.  = unused10: False
> ...0  = opt-hardware-auth: False
>  ..0. = request-anonymous: False
>  ...0 = canonicalize: False
> 0...  = constrained-delegation: False
> ..0.  = disable-transited-check: False
> ...0  = renewable-ok: False
>  0... = enc-tkt-in-skey: False
>  ..0. = renew: False
>  ...0 = validate: False
> cname
> name-type: kRB5-NT-PRINCIPAL (1)
> name-string: 2 items
> KerberosString: HTTP
> KerberosString: s4u.rhelent.lan
> realm: RHELENT.LAN
> sname
> name-type: kRB5-NT-PRINCIPAL (1)
> name-string: 2 items
> KerberosString: HTTP
> KerberosString: ipa.rhelent.lan
> from: 2015-11-18 02:17:44 (UTC)
> till: 2015-11-18 10:17:44 (UTC)
> nonce: 604310537
> etype: 1 item
> ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
> 
> 
> Is there a field missing?

CCing Andreas as this one sounds like a bug we recently discovered in
the ASN.1 parser in Samba.

Andreas,
does this ring a bell?

Marc,
what version of IPA/OS are you seeing this on?

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] "ASN.1 structure is missing a required field" - what is missing?

2015-11-23 Thread Marc Boorshtein
We actually tracked it down.  The problem was the Authenticator was
missing the authenticatorkvno field per the RFC.  Once we set that to
5 we got past this issue.

IPA 4.1 on CentOS7

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com



On Mon, Nov 23, 2015 at 10:38 AM, Simo Sorce wrote:
> On Tue, 2015-11-17 at 21:36 -0500, Marc Boorshtein wrote:
>> I'm putting together a Java Kerberos client and am having an issue
>> getting an SGT from IPA.  I get a TGT without issue, but when I submit
>> the TGS-REQ I get the following errors in the ipa log:
>>
>> Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1
>> etypes {17}) 192.168.2.129: ISSUE: authtime 1447811595, etypes {rep=17
>> tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for
>> krbtgt/rhelent@rhelent.lan
>>
>> Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1
>> etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0,  
>> for HTTP/ipa.rhelent@rhelent.lan, ASN.1 structure is missing a
>> required field
>>
>> Here's the TGS request:
>>
>> Kerberos
>> tgs-req
>> pvno: 5
>> msg-type: krb-tgs-req (12)
>> padata: 1 item
>> PA-DATA PA-TGS-REQ
>> padata-type: kRB5-PADATA-TGS-REQ (1)
>> padata-value:
>> 6e8201f8308201f4a003020105a10302010ea2070305...
>> ap-req
>> pvno: 5
>> msg-type: krb-ap-req (14)
>> Padding: 0
>> ap-options: 
>> 0...  = reserved: False
>> .0..  = use-session-key: False
>> ..0.  = mutual-required: False
>> ticket
>> tkt-vno: 5
>> realm: RHELENT.LAN
>> sname
>> name-type: kRB5-NT-PRINCIPAL (1)
>> name-string: 2 items
>> KerberosString: krbtgt
>> KerberosString: RHELENT.LAN
>> enc-part
>> etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
>> kvno: 1
>> cipher:
>> 0efd7452dafeb94323bcf7f6adc373aab78ce179f42c4c11...
>> authenticator
>> etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
>> kvno: 255
>> cipher:
>> f40e91b920c6ae6bdc30a69d5f348bf106355a92da74ba74...
>> req-body
>> Padding: 0
>> kdc-options: 
>> 0...  = reserved: False
>> .0..  = forwardable: False
>> ..0.  = forwarded: False
>> ...0  = proxiable: False
>>  0... = proxy: False
>>  .0.. = allow-postdate: False
>>  ..0. = postdated: False
>>  ...0 = unused7: False
>> 0...  = renewable: False
>> .0..  = unused9: False
>> ..0.  = unused10: False
>> ...0  = opt-hardware-auth: False
>>  ..0. = request-anonymous: False
>>  ...0 = canonicalize: False
>> 0...  = constrained-delegation: False
>> ..0.  = disable-transited-check: False
>> ...0  = renewable-ok: False
>>  0... = enc-tkt-in-skey: False
>>  ..0. = renew: False
>>  ...0 = validate: False
>> cname
>> name-type: kRB5-NT-PRINCIPAL (1)
>> name-string: 2 items
>> KerberosString: HTTP
>> KerberosString: s4u.rhelent.lan
>> realm: RHELENT.LAN
>> sname
>> name-type: kRB5-NT-PRINCIPAL (1)
>> name-string: 2 items
>> KerberosString: HTTP
>> KerberosString: ipa.rhelent.lan
>> from: 2015-11-18 02:17:44 (UTC)
>> till: 2015-11-18 10:17:44 (UTC)
>> nonce: 604310537
>> etype: 1 item
>> ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
>>
>>
>> Is there a field missing?
>
> CCing Andreas as this one sounds like a bug we recently discovered in
> the ASN.1 parser in Samba.
>
> Andreas,
> does this ring a bell?
>
> Marc,
> what version of IPA/OS are you seeing this on?
>
> Simo.
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
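The fix Marc describes above, an Authenticator that omits authenticator-vno [0] being rejected by the KDC as "missing a required field", in runnable form. This is an added example written for this page; it is not the poster's Java client nor code from FreeIPA, MIT krb5 or Samba. A hand-rolled DER encoder builds an RFC 4120 section 5.5.1 Authenticator with and without the field, and a small decoder mirrors the required-field check a KDC-side ASN.1 parser performs. The realm and cname are modelled on the thread; the ctime and cusec values are constructed; the session-key encryption that wraps the real Authenticator inside the AP-REQ is left out, so the blob here is what the KDC sees after decryption.

```python
"""Minimal DER encoder/decoder for the Kerberos Authenticator (RFC 4120, 5.5.1).

Shows why a KDC rejects an AP-REQ with "ASN.1 structure is missing a required
field" when the client's Authenticator omits authenticator-vno [0].
Hand-rolled for illustration: no Kerberos library is used and the encryption
of the Authenticator under the session key is not modelled.
"""
from datetime import datetime, timezone

# ---- DER primitives -------------------------------------------------------

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_integer(v: int) -> bytes:
    """INTEGER, minimal two's-complement big-endian encoding."""
    n = max(1, (v.bit_length() + 8) // 8)
    return der_tlv(0x02, v.to_bytes(n, "big", signed=True))

def der_general_string(s: str) -> bytes:
    return der_tlv(0x1B, s.encode("ascii"))            # KerberosString is GeneralString

def der_generalized_time(t: datetime) -> bytes:
    return der_tlv(0x18, t.strftime("%Y%m%d%H%M%SZ").encode("ascii"))

def der_sequence(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))

def ctx(n: int, content: bytes) -> bytes:
    """[n] context-specific EXPLICIT tag; Kerberos tags every field this way."""
    return der_tlv(0xA0 | n, content)

def application(n: int, content: bytes) -> bytes:
    return der_tlv(0x60 | n, content)

def principal_name(name_type: int, *parts: str) -> bytes:
    """PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }"""
    return der_sequence(
        ctx(0, der_integer(name_type)),
        ctx(1, der_sequence(*(der_general_string(p) for p in parts))),
    )

# ---- Encoder: the client side --------------------------------------------

def build_authenticator(crealm, cname_parts, ctime, cusec, include_vno=True):
    """Authenticator ::= [APPLICATION 2] SEQUENCE { ... }, required fields only."""
    fields = []
    if include_vno:
        fields.append(ctx(0, der_integer(5)))              # authenticator-vno [0] INTEGER (5)
    fields.append(ctx(1, der_general_string(crealm)))      # crealm [1] Realm
    fields.append(ctx(2, principal_name(1, *cname_parts))) # cname [2] PrincipalName, NT-PRINCIPAL
    fields.append(ctx(4, der_integer(cusec)))              # cusec [4] Microseconds
    fields.append(ctx(5, der_generalized_time(ctime)))     # ctime [5] KerberosTime
    # cksum [3], subkey [6], seq-number [7], authorization-data [8] are OPTIONAL
    return application(2, der_sequence(*fields))

# ---- Decoder: the check a KDC-style parser performs ----------------------

def der_read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

REQUIRED = {0: "authenticator-vno", 1: "crealm", 2: "cname", 4: "cusec", 5: "ctime"}

def missing_required_fields(der: bytes) -> list:
    """Names of required Authenticator fields absent from a DER blob (empty list = OK)."""
    tag, body, _ = der_read_tlv(der, 0)
    if tag != 0x62:
        raise ValueError("not an [APPLICATION 2] Authenticator")
    tag, seq, _ = der_read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("Authenticator body is not a SEQUENCE")
    present, pos = set(), 0
    while pos < len(seq):
        tag, _, pos = der_read_tlv(seq, pos)
        present.add(tag & 0x1F)                             # context tag number
    return [REQUIRED[n] for n in sorted(REQUIRED) if n not in present]

# ---- Constructed sample; realm and cname modelled on the thread ----------

SAMPLE_CTIME = datetime(2015, 11, 18, 2, 17, 44, tzinfo=timezone.utc)

def sample_authenticator(include_vno: bool) -> bytes:
    return build_authenticator("RHELENT.LAN", ("HTTP", "s4u.rhelent.lan"),
                               SAMPLE_CTIME, 123456, include_vno)

def demo(include_vno: bool) -> list:
    return missing_required_fields(sample_authenticator(include_vno))

if __name__ == "__main__":
    print("with vno:   ", demo(True))    # []
    print("without vno:", demo(False))   # ['authenticator-vno']
```

The only fields a parser may tolerate as absent are the OPTIONAL ones (cksum, subkey, seq-number, authorization-data); authenticator-vno, crealm, cname, cusec and ctime are mandatory, and the vno is constrained to the value 5, which matches the value Marc's client had to set. Dropping any of the five required fields from the builder reproduces the same rejection, so the decoder is a cheap pre-flight check for a home-grown client before the blob is encrypted and sent.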


[Freeipa-users] "ASN.1 structure is missing a required field" - what is missing?

2015-11-17 Thread Marc Boorshtein
I'm putting together a Java Kerberos client and am having an issue
getting an SGT from IPA.  I get a TGT without issue, but when I submit
the TGS-REQ I get the following errors in the ipa log:

Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1
etypes {17}) 192.168.2.129: ISSUE: authtime 1447811595, etypes {rep=17
tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for
krbtgt/rhelent@rhelent.lan

Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1
etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0,  
for HTTP/ipa.rhelent@rhelent.lan, ASN.1 structure is missing a
required field

Here's the TGS request:

Kerberos
tgs-req
pvno: 5
msg-type: krb-tgs-req (12)
padata: 1 item
PA-DATA PA-TGS-REQ
padata-type: kRB5-PADATA-TGS-REQ (1)
padata-value:
6e8201f8308201f4a003020105a10302010ea2070305...
ap-req
pvno: 5
msg-type: krb-ap-req (14)
Padding: 0
ap-options: 
0...  = reserved: False
.0..  = use-session-key: False
..0.  = mutual-required: False
ticket
tkt-vno: 5
realm: RHELENT.LAN
sname
name-type: kRB5-NT-PRINCIPAL (1)
name-string: 2 items
KerberosString: krbtgt
KerberosString: RHELENT.LAN
enc-part
etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
kvno: 1
cipher:
0efd7452dafeb94323bcf7f6adc373aab78ce179f42c4c11...
authenticator
etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
kvno: 255
cipher:
f40e91b920c6ae6bdc30a69d5f348bf106355a92da74ba74...
req-body
Padding: 0
kdc-options: 
0...  = reserved: False
.0..  = forwardable: False
..0.  = forwarded: False
...0  = proxiable: False
 0... = proxy: False
 .0.. = allow-postdate: False
 ..0. = postdated: False
 ...0 = unused7: False
0...  = renewable: False
.0..  = unused9: False
..0.  = unused10: False
...0  = opt-hardware-auth: False
 ..0. = request-anonymous: False
 ...0 = canonicalize: False
0...  = constrained-delegation: False
..0.  = disable-transited-check: False
...0  = renewable-ok: False
 0... = enc-tkt-in-skey: False
 ..0. = renew: False
 ...0 = validate: False
cname
name-type: kRB5-NT-PRINCIPAL (1)
name-string: 2 items
KerberosString: HTTP
KerberosString: s4u.rhelent.lan
realm: RHELENT.LAN
sname
name-type: kRB5-NT-PRINCIPAL (1)
name-string: 2 items
KerberosString: HTTP
KerberosString: ipa.rhelent.lan
from: 2015-11-18 02:17:44 (UTC)
till: 2015-11-18 10:17:44 (UTC)
nonce: 604310537
etype: 1 item
ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)


Is there a field missing?

Thanks


Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
