Re: [Freeipa-users] "ASN.1 structure is missing a required field" - what is missing?
On Tue, 2015-11-17 at 21:36 -0500, Marc Boorshtein wrote:
> I'm putting together a java kerberos client and am having an issue
> getting a SGT from IPA. I get a TGT without issue, but when I submit
> the TGS-REQ I get the following errors in the ipa log:
>
> Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 etypes {17}) 192.168.2.129: ISSUE: authtime 1447811595, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for krbtgt/rhelent@rhelent.lan
>
> Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0, for HTTP/ipa.rhelent@rhelent.lan, ASN.1 structure is missing a required field
>
> Here's the TGS request:
>
> [...]
>
> Is there a field missing?

CCing Andreas as this one sounds like a bug we recently discovered in
the ASN.1 parser in samba.

Andreas,
does this ring a bell ?

Marc,
what version of IPA/OS are you seeing this on ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] "ASN.1 structure is missing a required field" - what is missing?
We actually tracked it down. The problem was the Authenticator was
missing the authenticatorkvno field per the RFC. Once we set that to 5
we got past this issue.

IPA 4.1 on CentOS7

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com

On Mon, Nov 23, 2015 at 10:38 AM, Simo Sorce wrote:
> On Tue, 2015-11-17 at 21:36 -0500, Marc Boorshtein wrote:
>> I'm putting together a java kerberos client and am having an issue
>> getting a SGT from IPA. I get a TGT without issue, but when I submit
>> the TGS-REQ I get the following errors in the ipa log:
>>
>> [...]
>>
>> Is there a field missing?
>
> CCing Andreas as this one sounds like a bug we recently discovered in
> the ASN.1 parser in samba.
>
> Andreas,
> does this ring a bell ?
>
> Marc,
> what version of IPA/OS are you seeing this on ?
>
> Simo.
>
> -- 
> Simo Sorce * Red Hat, Inc * New York
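The fix Marc describes is easy to reproduce at the byte level, and doing so shows why the KDC reports "missing a required field" rather than a type mismatch. What follows is an added example, not code from this thread, from FreeIPA or from MIT krb5: a hand-rolled DER encoder for the plaintext Authenticator of RFC 4120 section 5.5.1, plus a validator that performs the same required-field check a KDC's decoder makes before it will accept the AP-REQ. The tag numbers and the REQUIRED table come from the RFC; the realm and principal names are the ones in the thread; the cusec value, the sample timestamp and every function name are my own choices. The same TLV reader is also run over the first bytes of the padata-value shown in the Wireshark dump, which decode as an [APPLICATION 14] AP-REQ with pvno 5 and msg-type 14.

```python
# Hand-rolled DER encoder and validator for the Kerberos Authenticator (RFC 4120 5.5.1):
#   Authenticator ::= [APPLICATION 2] SEQUENCE { authenticator-vno [0] INTEGER (5),
#       crealm [1] Realm, cname [2] PrincipalName, cksum [3] OPTIONAL, cusec [4] Microseconds,
#       ctime [5] KerberosTime, subkey [6] OPTIONAL, seq-number [7] OPTIONAL, authz-data [8] OPTIONAL }
import datetime

# Context tag -> name for every non-OPTIONAL field; the decoder refuses a structure lacking one.
REQUIRED = {0: "authenticator-vno", 1: "crealm", 2: "cname", 4: "cusec", 5: "ctime"}

# --- DER building blocks (only the universal types the Authenticator needs) ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body
def ctx(n, body):        # EXPLICIT context-specific tag [n], constructed form
    return tlv(0xA0 | n, body)
def der_int(v):          # minimal two's-complement INTEGER
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))
def general_string(s):   # Realm and KerberosString are GeneralString
    return tlv(0x1B, s.encode("ascii"))
def kerberos_time(t):    # KerberosTime is GeneralizedTime in UTC, whole seconds
    return tlv(0x18, t.strftime("%Y%m%d%H%M%SZ").encode("ascii"))

def principal_name(name_type, parts):
    strs = tlv(0x30, b"".join(general_string(p) for p in parts))
    return tlv(0x30, ctx(0, der_int(name_type)) + ctx(1, strs))

def build_authenticator(crealm, cname_parts, ctime, cusec, include_vno=True):
    """Plaintext Authenticator; include_vno=False reproduces the client bug from the thread."""
    fields = ctx(0, der_int(5)) if include_vno else b""
    fields += ctx(1, general_string(crealm))
    fields += ctx(2, principal_name(1, cname_parts))  # 1 = KRB5-NT-PRINCIPAL
    fields += ctx(4, der_int(cusec))
    fields += ctx(5, kerberos_time(ctime))
    return tlv(0x62, tlv(0x30, fields))                # 0x62 = [APPLICATION 2], constructed

# --- DER reading and the KDC-side required-field check ---
def read_tlv(buf, off=0):
    """Return (tag, value, next_offset); a value cut short by truncation is returned as-is."""
    tag, first, off = buf[off], buf[off + 1], off + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def read_children(body):
    out, off = [], 0
    while off < len(body):
        tag, val, off = read_tlv(body, off)
        out.append((tag, val))
    return out

def parse_principal(body):
    kids = {t & 0x1F: v for t, v in read_children(read_tlv(body)[1])}
    return "/".join(v.decode("ascii") for _, v in read_children(read_tlv(kids[1])[1]))
class MissingFieldError(ValueError):
    def __init__(self, field):
        super().__init__("ASN.1 structure is missing a required field: " + field)
        self.field = field

def validate_authenticator(der):
    tag, body, _ = read_tlv(der)
    if tag != 0x62:
        raise ValueError("not an [APPLICATION 2] Authenticator")
    present = {t & 0x1F: v for t, v in read_children(read_tlv(body)[1])}
    for n, name in REQUIRED.items():      # EXPLICIT tags make an absent field detectable by tag
        if n not in present:
            raise MissingFieldError(name)
    vno = int.from_bytes(read_tlv(present[0])[1], "big", signed=True)
    if vno != 5:
        raise ValueError("authenticator-vno must be 5, got %d" % vno)
    return {"authenticator-vno": vno,
            "crealm": read_tlv(present[1])[1].decode("ascii"),
            "cname": parse_principal(present[2])}

def describe(der):
    """'ok' or the name of the first missing required field."""
    try:
        validate_authenticator(der)
        return "ok"
    except MissingFieldError as e:
        return e.field

def decode_ap_req_header(hex_prefix):
    """(pvno, msg-type) from the leading bytes of a PA-TGS-REQ padata-value, i.e. the AP-REQ."""
    _, body, _ = read_tlv(bytes.fromhex(hex_prefix))   # 0x6E = [APPLICATION 14] AP-REQ
    fields = {t & 0x1F: v for t, v in read_children(read_tlv(body)[1])}
    return tuple(int.from_bytes(read_tlv(fields[i])[1], "big") for i in (0, 1))

# Constructed sample input: principals and realm from the thread, cusec made up.
CTIME = datetime.datetime(2015, 11, 18, 2, 17, 44)
GOOD_DER = build_authenticator("RHELENT.LAN", ["HTTP", "s4u.rhelent.lan"], CTIME, 123456)
BAD_DER = build_authenticator("RHELENT.LAN", ["HTTP", "s4u.rhelent.lan"], CTIME, 123456, include_vno=False)
AP_REQ_PREFIX = "6e8201f8308201f4a003020105a10302010e"  # leading bytes of the padata-value in the dump
```

Two points worth keeping in mind when debugging this class of error. First, Kerberos uses EXPLICIT context tags, so leaving out [0] does not shift the remaining fields into the wrong slots; the decoder simply sees [1] first, notes that [0] never appeared, and reports the structure as incomplete, which is exactly the KDC message in the log. Second, the Authenticator travels encrypted under the TGT session key (etype 17 in the dump), so a KDC cannot notice the defect until it has decrypted the AP-REQ inside PA-TGS-REQ; that is why the AS-REQ in the same log succeeds and only the TGS-REQ fails. The checker above works on the plaintext, which is what you have on the client side before encryption, and a run of `describe(BAD_DER)` names the absent field directly.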
[Freeipa-users] "ASN.1 structure is missing a required field" - what is missing?
I'm putting together a java kerberos client and am having an issue
getting a SGT from IPA. I get a TGT without issue, but when I submit
the TGS-REQ I get the following errors in the ipa log:

Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 etypes {17}) 192.168.2.129: ISSUE: authtime 1447811595, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for krbtgt/rhelent@rhelent.lan

Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0, for HTTP/ipa.rhelent@rhelent.lan, ASN.1 structure is missing a required field

Here's the TGS request:

Kerberos
    tgs-req
        pvno: 5
        msg-type: krb-tgs-req (12)
        padata: 1 item
            PA-DATA PA-TGS-REQ
                padata-type: kRB5-PADATA-TGS-REQ (1)
                padata-value: 6e8201f8308201f4a003020105a10302010ea2070305...
                    ap-req
                        pvno: 5
                        msg-type: krb-ap-req (14)
                        Padding: 0
                        ap-options:
                            0... = reserved: False
                            .0.. = use-session-key: False
                            ..0. = mutual-required: False
                        ticket
                            tkt-vno: 5
                            realm: RHELENT.LAN
                            sname
                                name-type: kRB5-NT-PRINCIPAL (1)
                                name-string: 2 items
                                    KerberosString: krbtgt
                                    KerberosString: RHELENT.LAN
                            enc-part
                                etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                kvno: 1
                                cipher: 0efd7452dafeb94323bcf7f6adc373aab78ce179f42c4c11...
                        authenticator
                            etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
                            kvno: 255
                            cipher: f40e91b920c6ae6bdc30a69d5f348bf106355a92da74ba74...
        req-body
            Padding: 0
            kdc-options:
                0... = reserved: False
                .0.. = forwardable: False
                ..0. = forwarded: False
                ...0 = proxiable: False
                0... = proxy: False
                .0.. = allow-postdate: False
                ..0. = postdated: False
                ...0 = unused7: False
                0... = renewable: False
                .0.. = unused9: False
                ..0. = unused10: False
                ...0 = opt-hardware-auth: False
                ..0. = request-anonymous: False
                ...0 = canonicalize: False
                0... = constrained-delegation: False
                ..0. = disable-transited-check: False
                ...0 = renewable-ok: False
                0... = enc-tkt-in-skey: False
                ..0. = renew: False
                ...0 = validate: False
            cname
                name-type: kRB5-NT-PRINCIPAL (1)
                name-string: 2 items
                    KerberosString: HTTP
                    KerberosString: s4u.rhelent.lan
            realm: RHELENT.LAN
            sname
                name-type: kRB5-NT-PRINCIPAL (1)
                name-string: 2 items
                    KerberosString: HTTP
                    KerberosString: ipa.rhelent.lan
            from: 2015-11-18 02:17:44 (UTC)
            till: 2015-11-18 10:17:44 (UTC)
            nonce: 604310537
            etype: 1 item
                ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)

Is there a field missing?

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com