Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy
On Tue, 2015-12-01 at 11:34 -0500, Marc Boorshtein wrote:
> Simo & Team,
>
> After talking to the OpenJDK security list it turned out there is a
> bug in JDK8. The issue is fixed in JDK9 and after testing I'm running
> into a new issue. Same scenario described earlier in this email
> chain, but now it looks like the TGS-REP is not being marked as
> forwardable, which is required when an s4u2self ticket is used in
> s4u2proxy (https://msdn.microsoft.com/en-us/library/cc246079.aspx):
> "The S4U2proxy extension requires that the service ticket to the first
> service has the forwardable flag set (see Service 1 in the figure
> specifying Kerberos delegation with forwarded TGT, section 1.3.3).
> This ticket can be obtained through an S4U2self protocol exchange."
> The TGS-REQ is asking for a forwardable ticket, but it doesn't look
> like the response is setting it as forwardable. Here's the exception:
>
> GSSException: Failure unspecified at GSS-API level (Mechanism level:
> Attempt to obtain S4U2self credentials failed!)
> at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
> at sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:92)
> at sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:153)
> at test24u2.KerberosDemo$1.run(KerberosDemo.java:128)
> at test24u2.KerberosDemo$1.run(KerberosDemo.java:1)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:422)
> at test24u2.KerberosDemo.impersonate(KerberosDemo.java:121)
> at test24u2.KerberosDemo.generateToken(KerberosDemo.java:179)
> at test24u2.KerberosDemo.main(KerberosDemo.java:215)
> Caused by: KrbException: S4U2self ticket must be FORWARDABLE
> at sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:75)
> at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
> at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
> ... 9 more
>
> Here's the entire debug output:
>
> >>> KeyTabInputStream, readName(): RHELENT.LAN
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): s4u.rhelent.lan
> >>> KeyTab: load() entry length: 83; type: 18
> >>> KeyTabInputStream, readName(): RHELENT.LAN
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): s4u.rhelent.lan
> >>> KeyTab: load() entry length: 67; type: 17
> >>> KeyTabInputStream, readName(): RHELENT.LAN
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): s4u.rhelent.lan
> >>> KeyTab: load() entry length: 75; type: 16
> >>> KeyTabInputStream, readName(): RHELENT.LAN
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): s4u.rhelent.lan
> >>> KeyTab: load() entry length: 67; type: 23
> Looking for keys for: HTTP/s4u.rhelent@rhelent.lan
> Java config name: null
> Native config name: /etc/krb5.conf
> Loading krb5 profile at /etc/krb5.conf
> Loaded from native config
> Added key: 23version: 1
> Added key: 16version: 1
> Added key: 17version: 1
> Found unsupported keytype (18) for HTTP/s4u.rhelent@rhelent.lan
> >>> KdcAccessibility: reset
> Looking for keys for: HTTP/s4u.rhelent@rhelent.lan
> Added key: 23version: 1
> Added key: 16version: 1
> Added key: 17version: 1
> Found unsupported keytype (18) for HTTP/s4u.rhelent@rhelent.lan
> default etypes for default_tkt_enctypes: 17 23 16.
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=freeipa.rhelent.lan UDP:88, timeout=3, number of retries =3, #bytes=175
> >>> KDCCommunication: kdc=freeipa.rhelent.lan UDP:88, timeout=3,Attempt =1, #bytes=175
> >>> KrbKdcReq send: #bytes read=327
> >>>Pre-Authentication Data:
> PA-DATA type = 136
>
> >>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 17, salt = 4k@PqWo9iUZZ$[r", s2kparams = null
> PA-ETYPE-INFO2 etype = 16, salt = KaQ|KB
> PA-ETYPE-INFO2 etype = 23, salt = Wl=W>9){.`Y;1k, s2kparams = null
>
> >>>Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
> PA-DATA type = 133
>
> >>> KdcAccessibility: remove freeipa.rhelent.lan
> >>> KDCRep: init() encoding tag is 126 req type is 11
> >>>KRBError:
> cTime is Sat Jan 20 19:00:57 EST 1996 822182457000
> sTime is Mon Nov 30 21:35:51 EST 2015 1448937351000
> suSec is 558140
> error code is 25
> error Message is Additional pre-authentication required
> cname is HTTP/s4u.rhelent@rhelent.lan
> sname is krbtgt/rhelent@rhelent.lan
> eData provided.
> msgType is 30
> >>>Pre-Authentication Data:
> PA-DATA type = 136
>
> >>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 17, salt = 4k@PqWo9iUZZ$[r", s2kparams = null
> PA-ETYPE-INFO2 etype = 16, salt = KaQ|KB
> PA-ETYPE-INFO2 etype = 23, salt = Wl=W>9){.`Y;1k, s2kparams = null
>
> >>>Pre-Authentication Data:
>
Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy
On Tue, 2015-12-01 at 11:55 -0500, Marc Boorshtein wrote:
> > How do you acquire the user ticket ?
> >
>
> Using a keytab. Here's a link to the example code I'm using:
> https://github.com/ymartin59/java-kerberos-sfudemo I have Java set to
> use IPA as the DNS server and I'm passing in mmosley as the user to
> impersonate and HTTP/freeipa.rhelent.lan as the service that will
> consume the impersonated user's ticket.
>
> > Do you have the kdc log (/var/log/krb5kdc.log) that shows what the
> > server has been requested and what it released ?
> >
>
> Sure:
>
> Dec 01 11:55:17 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 10.8.0.2: NEEDED_PREAUTH: HTTP/s4u.rhelent@rhelent.lan for krbtgt/rhelent@rhelent.lan, Additional pre-authentication required
> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for krbtgt/rhelent@rhelent.lan
> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for HTTP/s4u.rhelent@rhelent.lan
> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): ... PROTOCOL-TRANSITION s4u-client=mmos...@rhelent.lan
>
> Thanks

I think for s4u2self you may have missed a conf step (we primarily use
s4u2proxy in the product *without* any s4u2self step).

Can you check that you followed the procedure described here:
https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-kdb/README.s4u2proxy.txt#n90

I think the key part is setting the +ok_to_auth_as_delegate flag which
we do not provide an official higher level interface for yet.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy
> > How do you acquire the user ticket ?
>

Using a keytab. Here's a link to the example code I'm using:
https://github.com/ymartin59/java-kerberos-sfudemo I have Java set to
use IPA as the DNS server and I'm passing in mmosley as the user to
impersonate and HTTP/freeipa.rhelent.lan as the service that will
consume the impersonated user's ticket.

> Do you have the kdc log (/var/log/krb5kdc.log) that shows what the
> server has been requested and what it released ?
>

Sure:

Dec 01 11:55:17 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 10.8.0.2: NEEDED_PREAUTH: HTTP/s4u.rhelent@rhelent.lan for krbtgt/rhelent@rhelent.lan, Additional pre-authentication required
Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for krbtgt/rhelent@rhelent.lan
Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for HTTP/s4u.rhelent@rhelent.lan
Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): ... PROTOCOL-TRANSITION s4u-client=mmos...@rhelent.lan

Thanks
Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy
On Tue, 2015-12-01 at 12:55 -0500, Marc Boorshtein wrote:
> I can now get a ticket! This is how I originally created the user:
>
> $ kinit admin
> $ ipa service-add HTTP/s4u.rhelent@rhelent.lan --ok-as-delegate=true

ok-as-delegate != ok_to_auth_as_delegate ...

I know, it is a little confusing :-/ but these are the upstream flag
names, and they both exist and do different things.

Simo.

> Here's the object in the directory:
>
> dn: krbprincipalname=HTTP/s4u.rhelent@rhelent.lan,cn=services,cn=accounts,
>  dc=rhelent,dc=lan
> ipaKrbPrincipalAlias: HTTP/s4u.rhelent@rhelent.lan
> objectClass: ipaobject
> objectClass: ipaservice
> objectClass: krbticketpolicyaux
> objectClass: ipakrbprincipal
> objectClass: krbprincipal
> objectClass: krbprincipalaux
> objectClass: pkiuser
> objectClass: top
> krbTicketFlags: 1048704
> managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
> krbPrincipalName: HTTP/s4u.rhelent@rhelent.lan
> ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
> krbLastPwdChange: 20151112021359Z
> krbExtraData:: AALn9UNWSFRUUC9zNHUucmhlbGVudC5sYW5AUkhFTEVOVC5MQU4A
> krbLastSuccessfulAuth: 20151201165518Z
>
> Just now, I ran:
> [root@freeipa ~]# kadmin.local
> Authenticating as principal admin/ad...@rhelent.lan with password.
> kadmin.local: modprinc +ok_to_auth_as_delegate HTTP/s4u.rhelent.lan
> Principal "HTTP/s4u.rhelent@rhelent.lan" modified.
>
> and now the directory object is
> dn: krbprincipalname=HTTP/s4u.rhelent@rhelent.lan,cn=services,cn=accounts,
>  dc=rhelent,dc=lan
> ipaKrbPrincipalAlias: HTTP/s4u.rhelent@rhelent.lan
> objectClass: ipaobject
> objectClass: ipaservice
> objectClass: krbticketpolicyaux
> objectClass: ipakrbprincipal
> objectClass: krbprincipal
> objectClass: krbprincipalaux
> objectClass: pkiuser
> objectClass: top
> krbTicketFlags: 3145856
> managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
> krbPrincipalName: HTTP/s4u.rhelent@rhelent.lan
> ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
> krbLastPwdChange: 20151112021359Z
> krbExtraData:: AAIx3l1WYWRtaW4vYWRtaW5AUkhFTEVOVC5MQU4A
> krbLastSuccessfulAuth: 20151201175200Z
>
> Ticket flags clearly changed. Now to see if this works with ipa-web.
> Thanks
>
> Marc Boorshtein
> CTO Tremolo Security
> marc.boorsht...@tremolosecurity.com
> (703) 828-4902
>
>
> On Tue, Dec 1, 2015 at 12:42 PM, Simo Sorce wrote:
> > On Tue, 2015-12-01 at 11:55 -0500, Marc Boorshtein wrote:
> >> > How do you acquire the user ticket ?
> >> >
> >>
> >> Using a keytab. Here's a link to the example code I'm using:
> >> https://github.com/ymartin59/java-kerberos-sfudemo I have Java set to
> >> use IPA as the DNS server and I'm passing in mmosley as the user to
> >> impersonate and HTTP/freeipa.rhelent.lan as the service that will
> >> consume the impersonated user's ticket.
> >>
> >> > Do you have the kdc log (/var/log/krb5kdc.log) that shows what the
> >> > server has been requested and what it released ?
> >> >
> >>
> >> Sure:
> >>
> >> Dec 01 11:55:17 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 10.8.0.2: NEEDED_PREAUTH: HTTP/s4u.rhelent@rhelent.lan for krbtgt/rhelent@rhelent.lan, Additional pre-authentication required
> >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for krbtgt/rhelent@rhelent.lan
> >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for HTTP/s4u.rhelent@rhelent.lan
> >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): ... PROTOCOL-TRANSITION s4u-client=mmos...@rhelent.lan
> >>
> >> Thanks
> >
> > I think for s4u2self you may have missed a conf step (we primarily use
> > s4u2proxy in the product *without* any s4u2self step).
> >
> > Can you check that you followed the procedure described here:
> > https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-kdb/README.s4u2proxy.txt#n90
> >
> > I think the key part is setting the +ok_to_auth_as_delegate flag which
> > we do not provide an official higher level interface for yet.
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York

-- 
Simo Sorce * Red Hat, Inc * New York
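Simo's point that ok-as-delegate and ok_to_auth_as_delegate are two different bits is easy to confirm against the two krbTicketFlags values Marc posted (1048704 before, 3145856 after the modprinc). The decoder below is an added example, not code from this thread, from FreeIPA or from MIT krb5; it assumes the bit values are the MIT krb5 KDB principal attribute flags (KRB5_KDB_* in kdb.h), which FreeIPA stores verbatim in the krbTicketFlags attribute, and it uses the two values quoted in the thread as constructed sample input.

```python
"""Decode a krbTicketFlags value into the MIT krb5 KDB principal flags it sets.

Added example for this thread. The bit values are the KRB5_KDB_* principal
attribute flags from MIT krb5's kdb.h; FreeIPA stores the same integer in the
krbTicketFlags LDAP attribute of a principal entry, so the value an admin sees
with ldapsearch can be fed straight in.
"""

# KRB5_KDB_* principal flags (bit value -> constant name, without the prefix).
KDB_FLAGS = {
    0x00000001: "DISALLOW_POSTDATED",
    0x00000002: "DISALLOW_FORWARDABLE",
    0x00000004: "DISALLOW_TGT_BASED",
    0x00000008: "DISALLOW_RENEWABLE",
    0x00000010: "DISALLOW_PROXIABLE",
    0x00000020: "DISALLOW_DUP_SKEY",
    0x00000040: "DISALLOW_ALL_TIX",
    0x00000080: "REQUIRES_PRE_AUTH",
    0x00000100: "REQUIRES_HW_AUTH",
    0x00000200: "REQUIRES_PWCHANGE",
    0x00001000: "DISALLOW_SVR",
    0x00002000: "PWCHANGE_SERVICE",
    0x00004000: "SUPPORT_DESMD5",
    0x00008000: "NEW_PRINC",
    0x00100000: "OK_AS_DELEGATE",          # ipa service-add --ok-as-delegate
    0x00200000: "OK_TO_AUTH_AS_DELEGATE",  # kadmin modprinc +ok_to_auth_as_delegate
    0x00400000: "NO_AUTH_DATA_REQUIRED",
    0x00800000: "LOCKDOWN_KEYS",           # krb5 1.17 and later
}

OK_AS_DELEGATE = 0x00100000
OK_TO_AUTH_AS_DELEGATE = 0x00200000


def decode_flags(value: int) -> list[str]:
    """Return the names of the KDB flags set in `value`, lowest bit first.

    Bits that are not in the table are reported as UNKNOWN_0x... so that a
    value from a newer KDB never has bits silently dropped.
    """
    names = []
    remaining = value
    for bit, name in sorted(KDB_FLAGS.items()):
        if value & bit:
            names.append(name)
            remaining &= ~bit
    for i in range(32):
        if remaining & (1 << i):
            names.append(f"UNKNOWN_0x{1 << i:08x}")
    return names


def can_do_s4u2self(value: int) -> bool:
    """The check this thread boils down to.

    A service principal that performs protocol transition (S4U2self) needs
    OK_TO_AUTH_AS_DELEGATE. OK_AS_DELEGATE is a different bit: it only tells
    clients they may forward a TGT to this service, and does not enable S4U2self.
    """
    return bool(value & OK_TO_AUTH_AS_DELEGATE)


def diff_flags(before: int, after: int) -> tuple[list[str], list[str]]:
    """Names of the flags added and removed between two krbTicketFlags values."""
    added = decode_flags(after & ~before)
    removed = decode_flags(before & ~after)
    return added, removed


# Constructed sample input: the two values quoted in the thread.
BEFORE = 1048704  # after `ipa service-add ... --ok-as-delegate=true`
AFTER = 3145856   # after `kadmin.local: modprinc +ok_to_auth_as_delegate ...`

if __name__ == "__main__":
    for label, value in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {value} (0x{value:x}) -> {decode_flags(value)}; "
              f"S4U2self-capable: {can_do_s4u2self(value)}")
    added, removed = diff_flags(BEFORE, AFTER)
    print(f"modprinc added {added}, removed {removed}")
```

Run it against the krbTicketFlags value of the service entry (as Marc read it out of the directory) after each change; the before value decodes to REQUIRES_PRE_AUTH plus OK_AS_DELEGATE only, and the after value adds exactly OK_TO_AUTH_AS_DELEGATE, which is why the S4U2self request started to succeed.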
Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy
I can now get a ticket! This is how I originally created the user:

$ kinit admin
$ ipa service-add HTTP/s4u.rhelent@rhelent.lan --ok-as-delegate=true

Here's the object in the directory:

dn: krbprincipalname=HTTP/s4u.rhelent@rhelent.lan,cn=services,cn=accounts,
 dc=rhelent,dc=lan
ipaKrbPrincipalAlias: HTTP/s4u.rhelent@rhelent.lan
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
krbTicketFlags: 1048704
managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
krbPrincipalName: HTTP/s4u.rhelent@rhelent.lan
ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
krbLastPwdChange: 20151112021359Z
krbExtraData:: AALn9UNWSFRUUC9zNHUucmhlbGVudC5sYW5AUkhFTEVOVC5MQU4A
krbLastSuccessfulAuth: 20151201165518Z

Just now, I ran:
[root@freeipa ~]# kadmin.local
Authenticating as principal admin/ad...@rhelent.lan with password.
kadmin.local: modprinc +ok_to_auth_as_delegate HTTP/s4u.rhelent.lan
Principal "HTTP/s4u.rhelent@rhelent.lan" modified.

and now the directory object is
dn: krbprincipalname=HTTP/s4u.rhelent@rhelent.lan,cn=services,cn=accounts,
 dc=rhelent,dc=lan
ipaKrbPrincipalAlias: HTTP/s4u.rhelent@rhelent.lan
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
krbTicketFlags: 3145856
managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
krbPrincipalName: HTTP/s4u.rhelent@rhelent.lan
ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
krbLastPwdChange: 20151112021359Z
krbExtraData:: AAIx3l1WYWRtaW4vYWRtaW5AUkhFTEVOVC5MQU4A
krbLastSuccessfulAuth: 20151201175200Z

Ticket flags clearly changed. Now to see if this works with ipa-web.

Thanks

Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902

On Tue, Dec 1, 2015 at 12:42 PM, Simo Sorce wrote:
> On Tue, 2015-12-01 at 11:55 -0500, Marc Boorshtein wrote:
>> > How do you acquire the user ticket ?
>> >
>>
>> Using a keytab. Here's a link to the example code I'm using:
>> https://github.com/ymartin59/java-kerberos-sfudemo I have Java set to
>> use IPA as the DNS server and I'm passing in mmosley as the user to
>> impersonate and HTTP/freeipa.rhelent.lan as the service that will
>> consume the impersonated user's ticket.
>>
>> > Do you have the kdc log (/var/log/krb5kdc.log) that shows what the
>> > server has been requested and what it released ?
>> >
>>
>> Sure:
>>
>> Dec 01 11:55:17 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 10.8.0.2: NEEDED_PREAUTH: HTTP/s4u.rhelent@rhelent.lan for krbtgt/rhelent@rhelent.lan, Additional pre-authentication required
>> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for krbtgt/rhelent@rhelent.lan
>> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for HTTP/s4u.rhelent@rhelent.lan
>> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): ... PROTOCOL-TRANSITION s4u-client=mmos...@rhelent.lan
>>
>> Thanks
>
> I think for s4u2self you may have missed a conf step (we primarily use
> s4u2proxy in the product *without* any s4u2self step).
>
> Can you check that you followed the procedure described here:
> https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-kdb/README.s4u2proxy.txt#n90
>
> I think the key part is setting the +ok_to_auth_as_delegate flag which
> we do not provide an official higher level interface for yet.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy
Got it. BTW, with that java 8 s4u2self works too. Thanks again for the help!

Marc Boorshtein
CTO, Tremolo Security, Inc.

On Dec 1, 2015 1:14 PM, "Simo Sorce" wrote:
> On Tue, 2015-12-01 at 12:55 -0500, Marc Boorshtein wrote:
> > I can now get a ticket! This is how I originally created the user:
> >
> > $ kinit admin
> > $ ipa service-add HTTP/s4u.rhelent@rhelent.lan --ok-as-delegate=true
>
> ok-as-delegate != ok_to_auth_as_delegate ...
>
> I know, it is a little confusing :-/ but these are the upstream flag
> names, and they both exist and do different things.
>
> Simo.
>
> > Here's the object in the directory:
> >
> > dn: krbprincipalname=HTTP/s4u.rhelent@rhelent.lan,cn=services,cn=accounts,
> >  dc=rhelent,dc=lan
> > ipaKrbPrincipalAlias: HTTP/s4u.rhelent@rhelent.lan
> > objectClass: ipaobject
> > objectClass: ipaservice
> > objectClass: krbticketpolicyaux
> > objectClass: ipakrbprincipal
> > objectClass: krbprincipal
> > objectClass: krbprincipalaux
> > objectClass: pkiuser
> > objectClass: top
> > krbTicketFlags: 1048704
> > managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
> > krbPrincipalName: HTTP/s4u.rhelent@rhelent.lan
> > ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
> > krbLastPwdChange: 20151112021359Z
> > krbExtraData:: AALn9UNWSFRUUC9zNHUucmhlbGVudC5sYW5AUkhFTEVOVC5MQU4A
> > krbLastSuccessfulAuth: 20151201165518Z
> >
> > Just now, I ran:
> > [root@freeipa ~]# kadmin.local
> > Authenticating as principal admin/ad...@rhelent.lan with password.
> > kadmin.local: modprinc +ok_to_auth_as_delegate HTTP/s4u.rhelent.lan
> > Principal "HTTP/s4u.rhelent@rhelent.lan" modified.
> >
> > and now the directory object is
> > dn: krbprincipalname=HTTP/s4u.rhelent@rhelent.lan,cn=services,cn=accounts,
> >  dc=rhelent,dc=lan
> > ipaKrbPrincipalAlias: HTTP/s4u.rhelent@rhelent.lan
> > objectClass: ipaobject
> > objectClass: ipaservice
> > objectClass: krbticketpolicyaux
> > objectClass: ipakrbprincipal
> > objectClass: krbprincipal
> > objectClass: krbprincipalaux
> > objectClass: pkiuser
> > objectClass: top
> > krbTicketFlags: 3145856
> > managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
> > krbPrincipalName: HTTP/s4u.rhelent@rhelent.lan
> > ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
> > krbLastPwdChange: 20151112021359Z
> > krbExtraData:: AAIx3l1WYWRtaW4vYWRtaW5AUkhFTEVOVC5MQU4A
> > krbLastSuccessfulAuth: 20151201175200Z
> >
> > Ticket flags clearly changed. Now to see if this works with ipa-web.
>
>
> > Thanks
> >
> > Marc Boorshtein
> > CTO Tremolo Security
> > marc.boorsht...@tremolosecurity.com
> > (703) 828-4902
> >
> >
> > On Tue, Dec 1, 2015 at 12:42 PM, Simo Sorce wrote:
> > > On Tue, 2015-12-01 at 11:55 -0500, Marc Boorshtein wrote:
> > >> > How do you acquire the user ticket ?
> > >> >
> > >>
> > >> Using a keytab. Here's a link to the example code I'm using:
> > >> https://github.com/ymartin59/java-kerberos-sfudemo I have Java set to
> > >> use IPA as the DNS server and I'm passing in mmosley as the user to
> > >> impersonate and HTTP/freeipa.rhelent.lan as the service that will
> > >> consume the impersonated user's ticket.
> > >>
> > >> > Do you have the kdc log (/var/log/krb5kdc.log) that shows what the
> > >> > server has been requested and what it released ?
> > >> >
> > >>
> > >> Sure:
> > >>
> > >> Dec 01 11:55:17 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 10.8.0.2: NEEDED_PREAUTH: HTTP/s4u.rhelent@rhelent.lan for krbtgt/rhelent@rhelent.lan, Additional pre-authentication required
> > >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for krbtgt/rhelent@rhelent.lan
> > >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for HTTP/s4u.rhelent@rhelent.lan
> > >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): ... PROTOCOL-TRANSITION s4u-client=mmos...@rhelent.lan
> > >>
> > >> Thanks
> > >
> > > I think for s4u2self you may have missed a conf step (we primarily use
> > > s4u2proxy in the product *without* any s4u2self step).
> > >
> > > Can you check that you followed the procedure described here:
> > > https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-kdb/README.s4u2proxy.txt#n90
> > >
> > > I think the key part is setting the +ok_to_auth_as_delegate flag which
> > > we do not provide an official higher level interface for yet.
> > >
> > > Simo.
> > >
> > > --
> > > Simo Sorce * Red Hat, Inc * New York
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy
What projects (including my own) don't need better docs? :-)

Once I publish the work I'm doing, part of that will have a step-by-step on getting this set up. It was pretty easy really if you are comfortable with LDAP.

Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902

On Tue, Dec 1, 2015 at 1:46 PM, Simo Sorce wrote:
> On Tue, 2015-12-01 at 13:28 -0500, Marc Boorshtein wrote:
>> Got it. BTW, with that java 8 s4u2self works too. Thanks again for the help!
>
> Glad it works, and sorry it took so long to figure out.
>
> We definitely need some better docs around this point.
>
> Simo.
>
>> Marc Boorshtein
>> CTO, Tremolo Security, Inc.
>> On Dec 1, 2015 1:14 PM, "Simo Sorce" wrote:
>>
>> > On Tue, 2015-12-01 at 12:55 -0500, Marc Boorshtein wrote:
>> > > I can now get a ticket! This is how I originally created the user:
>> > >
>> > > $ kinit admin
>> > > $ ipa service-add HTTP/s4u.rhelent@rhelent.lan --ok-as-delegate=true
>> >
>> > ok-as-delegate != ok_to_auth_as_delegate ...
>> >
>> > I know, it is a little confusing :-/ but these are the upstream flag
>> > names, and they both exist and do different things.
>> >
>> > Simo.
>> >
>> > > Here's the object in the directory:
>> > >
>> > > dn: krbprincipalname=HTTP/s4u.rhelent@rhelent.lan,cn=services,cn=accounts,
>> > >  dc=rhelent,dc=lan
>> > > ipaKrbPrincipalAlias: HTTP/s4u.rhelent@rhelent.lan
>> > > objectClass: ipaobject
>> > > objectClass: ipaservice
>> > > objectClass: krbticketpolicyaux
>> > > objectClass: ipakrbprincipal
>> > > objectClass: krbprincipal
>> > > objectClass: krbprincipalaux
>> > > objectClass: pkiuser
>> > > objectClass: top
>> > > krbTicketFlags: 1048704
>> > > managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
>> > > krbPrincipalName: HTTP/s4u.rhelent@rhelent.lan
>> > > ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
>> > > krbLastPwdChange: 20151112021359Z
>> > > krbExtraData:: AALn9UNWSFRUUC9zNHUucmhlbGVudC5sYW5AUkhFTEVOVC5MQU4A
>> > > krbLastSuccessfulAuth: 20151201165518Z
>> > >
>> > > Just now, I ran:
>> > > [root@freeipa ~]# kadmin.local
>> > > Authenticating as principal admin/ad...@rhelent.lan with password.
>> > > kadmin.local: modprinc +ok_to_auth_as_delegate HTTP/s4u.rhelent.lan
>> > > Principal "HTTP/s4u.rhelent@rhelent.lan" modified.
>> > >
>> > > and now the directory object is
>> > > dn: krbprincipalname=HTTP/s4u.rhelent@rhelent.lan,cn=services,cn=accounts,
>> > >  dc=rhelent,dc=lan
>> > > ipaKrbPrincipalAlias: HTTP/s4u.rhelent@rhelent.lan
>> > > objectClass: ipaobject
>> > > objectClass: ipaservice
>> > > objectClass: krbticketpolicyaux
>> > > objectClass: ipakrbprincipal
>> > > objectClass: krbprincipal
>> > > objectClass: krbprincipalaux
>> > > objectClass: pkiuser
>> > > objectClass: top
>> > > krbTicketFlags: 3145856
>> > > managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
>> > > krbPrincipalName: HTTP/s4u.rhelent@rhelent.lan
>> > > ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
>> > > krbLastPwdChange: 20151112021359Z
>> > > krbExtraData:: AAIx3l1WYWRtaW4vYWRtaW5AUkhFTEVOVC5MQU4A
>> > > krbLastSuccessfulAuth: 20151201175200Z
>> > >
>> > > Ticket flags clearly changed. Now to see if this works with ipa-web.
>> >
>> >
>> >
>> > > Thanks
>> > >
>> > > Marc Boorshtein
>> > > CTO Tremolo Security
>> > > marc.boorsht...@tremolosecurity.com
>> > > (703) 828-4902
>> > >
>> > >
>> > > On Tue, Dec 1, 2015 at 12:42 PM, Simo Sorce wrote:
>> > > > On Tue, 2015-12-01 at 11:55 -0500, Marc Boorshtein wrote:
>> > > >> > How do you acquire the user ticket ?
>> > > >> >
>> > > >>
>> > > >> Using a keytab. Here's a link to the example code I'm using:
>> > > >> https://github.com/ymartin59/java-kerberos-sfudemo I have Java set to
>> > > >> use IPA as the DNS server and I'm passing in mmosley as the user to
>> > > >> impersonate and HTTP/freeipa.rhelent.lan as the service that will
>> > > >> consume the impersonated user's ticket.
>> > > >>
>> > > >> > Do you have the kdc log (/var/log/krb5kdc.log) that shows what the
>> > > >> > server has been requested and what it released ?
>> > > >> >
>> > > >>
>> > > >> Sure:
>> > > >>
>> > > >> Dec 01 11:55:17 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 10.8.0.2: NEEDED_PREAUTH: HTTP/s4u.rhelent@rhelent.lan for krbtgt/rhelent@rhelent.lan, Additional pre-authentication required
>> > > >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for krbtgt/rhelent@rhelent.lan
>> > > >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18
Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy
On 27/10/15 13:11, Marc Boorshtein wrote:

All,

I'm trying to create an S4u2self/proxy that will give me a ticket to log into ipa web. I have ipa installed on centos 7 and the client installed on centos 6. The client is written in Java (Java 8). When I try the following impersonation code:

GSSManager manager = GSSManager.getInstance();
GSSCredential self = manager.createCredential(GSSCredential.INITIATE_ONLY);
GSSName user = manager.createName("mmosley", GSSName.NT_USER_NAME);
GSSCredential impCred = ((ExtendedGSSCredential) self).impersonate(user);

I get the following output from Java:

[tremoloadmin@unison-freeipa ~]$ java -Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true -jar tests4u-1.0-SNAPSHOT-jar-with-dependencies.jar
Hello World!
Search Subject for Kerberos V5 INIT cred (<>, sun.security.jgss.krb5.Krb5InitCredential)
No Subject
KinitOptions cache name is /tmp/krb5cc_500
DEBUG client principal is HTTP/unison-freeipa.rhelent@rhelent.lan
DEBUG server principal is krbtgt/rhelent@rhelent.lan
DEBUG key type: 18
DEBUG auth time: Mon Oct 26 21:11:17 EDT 2015
DEBUG start time: Mon Oct 26 21:11:17 EDT 2015
DEBUG end time: Tue Oct 27 21:11:17 EDT 2015
DEBUG renew_till time: Tue Oct 27 21:11:18 EDT 2015
CCacheInputStream: readFlags() FORWARDABLE; RENEWABLE; INITIAL; PRE_AUTH;
DEBUG client principal is HTTP/unison-freeipa.rhelent@rhelent.lan
Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config
DEBUG server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/rhelent@rhelent.lan@RHELENT.LAN
DEBUG key type: 0
DEBUG auth time: Wed Dec 31 19:00:00 EST 1969
DEBUG start time: null
DEBUG end time: Wed Dec 31 19:00:00 EST 1969
DEBUG renew_till time: null
CCacheInputStream: readFlags()
Found ticket for HTTP/unison-freeipa.rhelent@rhelent.lan to go to krbtgt/rhelent@rhelent.lan expiring on Tue Oct 27 21:11:17 EDT 2015
Search Subject for SPNEGO INIT cred (<>, sun.security.jgss.spnego.SpNegoCredElement)
No Subject
Search Subject for Kerberos V5 INIT cred (<>, sun.security.jgss.krb5.Krb5InitCredential)
No Subject
KinitOptions cache name is /tmp/krb5cc_500
DEBUG client principal is HTTP/unison-freeipa.rhelent@rhelent.lan
DEBUG server principal is krbtgt/rhelent@rhelent.lan
DEBUG key type: 18
DEBUG auth time: Mon Oct 26 21:11:17 EDT 2015
DEBUG start time: Mon Oct 26 21:11:17 EDT 2015
DEBUG end time: Tue Oct 27 21:11:17 EDT 2015
DEBUG renew_till time: Tue Oct 27 21:11:18 EDT 2015
CCacheInputStream: readFlags() FORWARDABLE; RENEWABLE; INITIAL; PRE_AUTH;
DEBUG client principal is HTTP/unison-freeipa.rhelent@rhelent.lan
DEBUG server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/rhelent@rhelent.lan@RHELENT.LAN
DEBUG key type: 0
DEBUG auth time: Wed Dec 31 19:00:00 EST 1969
DEBUG start time: null
DEBUG end time: Wed Dec 31 19:00:00 EST 1969
DEBUG renew_till time: null
CCacheInputStream: readFlags()
Found ticket for HTTP/unison-freeipa.rhelent@rhelent.lan to go to krbtgt/rhelent@rhelent.lan expiring on Tue Oct 27 21:11:17 EDT 2015
CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
KdcAccessibility: reset
getKDCFromDNS using UDP
KrbKdcReq send: kdc=freeipa.rhelent.lan. UDP:88, timeout=3, number of retries =3, #bytes=825
KDCCommunication: kdc=freeipa.rhelent.lan. UDP:88, timeout=3,Attempt =1, #bytes=825
KrbKdcReq send: #bytes read=680
KdcAccessibility: remove freeipa.rhelent.lan.:88
EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
KrbKdcRep.check: at #1. request for true, received false
Exception in thread "main" GSSException: Failure unspecified at GSS-API level (Mechanism level: Attempt to obtain S4U2self credentials failed!)
at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
at sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:94)
at sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:141)
at io.tremolo.App.main(App.java:27)
Caused by: KrbException: Message stream modified (41)
at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:73)
at sun.security.krb5.KrbTgsRep.(KrbTgsRep.java:87)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:259)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:270)
at sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:67)
at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
... 3 more

Looking at KrbKdcRep.java:73 it looks like the
Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy
>> Looking at KrbKdcRep.java:73 it looks like the failure is happening
>> because Java is setting the forwardable flag to true on the request
>> but the response has no options in it. Should the forwardable option
>> be false in the request?
>
> That's a fair guess.
> the whole point of constrained delegation (including protocol impersonation)
> is that you do not want to forward tickets, so you shouldn't ask for
> forwardable tickets methinks.
>
> Simo.

Thanks Simo. I tried running kinit with forwarding disabled:

$ kinit HTTP/unison-freeipa.rhelent@rhelent.lan -k -t ./unison-freeipa.keytab -F

$ klist -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: HTTP/unison-freeipa.rhelent@rhelent.lan

Valid starting     Expires            Service principal
10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/rhelent@rhelent.lan
        Flags: IA

But when I try again Java refuses to generate the ticket:

tremoloadmin@unison-freeipa ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: HTTP/unison-freeipa.rhelent@rhelent.lan

Valid starting     Expires            Service principal
10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/rhelent@rhelent.lan
        Flags: IA

Hello World!
Search Subject for Kerberos V5 INIT cred (<>, sun.security.jgss.krb5.Krb5InitCredential)
No Subject
>>>KinitOptions cache name is /tmp/krb5cc_500
>>>DEBUG client principal is HTTP/unison-freeipa.rhelent@rhelent.lan
>>>DEBUG server principal is krbtgt/rhelent@rhelent.lan
>>>DEBUG key type: 18
>>>DEBUG auth time: Tue Oct 27 15:32:52 EDT 2015
>>>DEBUG start time: Tue Oct 27 15:32:52 EDT 2015
>>>DEBUG end time: Wed Oct 28 15:32:52 EDT 2015
>>>DEBUG renew_till time: null
>>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
>>>DEBUG client principal is HTTP/unison-freeipa.rhelent@rhelent.lan
Java config name: /home/tremoloadmin/krb5.conf
Loaded from Java config
>>>DEBUG server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/rhelent@rhelent.lan@RHELENT.LAN
>>>DEBUG key type: 0
>>>DEBUG auth time: Wed Dec 31 19:00:00 EST 1969
>>>DEBUG start time: null
>>>DEBUG end time: Wed Dec 31 19:00:00 EST 1969
>>>DEBUG renew_till time: null
>>> CCacheInputStream: readFlags()
Found ticket for HTTP/unison-freeipa.rhelent@rhelent.lan to go to krbtgt/rhelent@rhelent.lan expiring on Wed Oct 28 15:32:52 EDT 2015
Search Subject for SPNEGO INIT cred (<>, sun.security.jgss.spnego.SpNegoCredElement)
No Subject
Search Subject for Kerberos V5 INIT cred (<>, sun.security.jgss.krb5.Krb5InitCredential)
No Subject
>>>KinitOptions cache name is /tmp/krb5cc_500
>>>DEBUG client principal is HTTP/unison-freeipa.rhelent@rhelent.lan
>>>DEBUG server principal is krbtgt/rhelent@rhelent.lan
>>>DEBUG key type: 18
>>>DEBUG auth time: Tue Oct 27 15:32:52 EDT 2015
>>>DEBUG start time: Tue Oct 27 15:32:52 EDT 2015
>>>DEBUG end time: Wed Oct 28 15:32:52 EDT 2015
>>>DEBUG renew_till time: null
>>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
>>>DEBUG client principal is HTTP/unison-freeipa.rhelent@rhelent.lan
>>>DEBUG server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/rhelent@rhelent.lan@RHELENT.LAN
>>>DEBUG key type: 0
>>>DEBUG auth time: Wed Dec 31 19:00:00 EST 1969
>>>DEBUG start time: null
>>>DEBUG end time: Wed Dec 31 19:00:00 EST 1969
>>>DEBUG renew_till time: null
>>> CCacheInputStream: readFlags()
Found ticket for HTTP/unison-freeipa.rhelent@rhelent.lan to go to krbtgt/rhelent@rhelent.lan expiring on Wed Oct 28 15:32:52 EDT 2015
>>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
Exception in thread "main" GSSException: Failure unspecified at GSS-API level (Mechanism level: Attempt to obtain S4U2self credentials failed!)
        at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
        at sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:94)
        at sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:141)
        at io.tremolo.App.main(App.java:27)
Caused by: KrbException: Invalid option setting in ticket request. (101)
        at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:165)
        at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:100)
        at sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:66)
        at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
        at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
        ... 3 more

Looking at KrbTgsReq line 165:

    if (options.get(KDCOptions.FORWARDABLE) &&
            (!(asCreds.flags.get(Krb5.TKT_OPTS_FORWARDABLE)))) {
        throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
    }

If I read this correctly it has to be forwardable? If that's the case is Java wrong for requiring the options to be there or is IPA wrong for not sending the options with the response ticket?

Thanks
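To make the two failures in this thread concrete, here is an added example (not code from the thread, from Tremolo, or from the JDK) that reads the Flags line of `klist -f` and applies the two client-side checks as the thread describes them: the KrbTgsReq precondition at line 165 and, modelled only as far as the thread states it (every requested option must come back in the reply), the KrbKdcRep check at line 73. The function names and the sample klist output are assumptions constructed for illustration.

```python
# Added example, not code from the thread or the JDK: model the two checks
# the thread hit on the S4U2self path, driven by the Flags line of
# `klist -f`. KrbTgsReq.java:165 -> KRB_AP_ERR_REQ_OPTIONS (101);
# KrbKdcRep.java:73 -> KRB_AP_ERR_MODIFIED (41). Sample output is constructed.

# Flag letters printed by MIT `klist -f`, per klist(1).
KLIST_FLAGS = {
    "F": "FORWARDABLE", "f": "FORWARDED", "P": "PROXIABLE", "p": "PROXY",
    "D": "POSTDATEABLE", "d": "POSTDATED", "R": "RENEWABLE", "I": "INITIAL",
    "i": "INVALID", "H": "HW_AUTH", "A": "PRE_AUTH",
    "T": "TRANSIT_POLICY_CHECKED", "O": "OK_AS_DELEGATE", "a": "ANONYMOUS",
}
KRB_AP_ERR_MODIFIED = 41      # "Message stream modified"
KRB_AP_ERR_REQ_OPTIONS = 101  # "Invalid option setting in ticket request"

def tgt_flags(klist_output):
    """Flag names from the first 'Flags:' line of `klist -f` output."""
    for line in klist_output.splitlines():
        if line.strip().startswith("Flags:"):
            letters = line.split(":", 1)[1].strip()
            return {KLIST_FLAGS[c] for c in letters if c in KLIST_FLAGS}
    raise ValueError("no 'Flags:' line; run klist with -f")

def s4u2self_outcome(klist_output, request_options, reply_flags):
    """krb5 error code Java would raise, or None if both checks pass.
    request_options: KDC options set in the TGS-REQ.
    reply_flags: ticket flags in the TGS-REP (empty if the KDC set none,
    which is what the thread observed)."""
    tgt = tgt_flags(klist_output)
    # Check 1, before sending: FORWARDABLE may only be requested when the
    # TGT itself carries the forwardable flag (kinit -F asks for one without it).
    if "FORWARDABLE" in request_options and "FORWARDABLE" not in tgt:
        return KRB_AP_ERR_REQ_OPTIONS
    # Check 2, on receipt: each requested option must come back set, or the
    # client treats the reply as altered in transit.
    if set(request_options) - set(reply_flags):
        return KRB_AP_ERR_MODIFIED
    return None

# Constructed sample: the non-forwardable TGT after `kinit ... -F`.
KLIST_AFTER_KINIT_F = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: HTTP/unison-freeipa.rhelent@rhelent.lan
Valid starting     Expires            Service principal
10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/rhelent@rhelent.lan
        Flags: IA
"""
```

With the `Flags: IA` cache above and FORWARDABLE requested, the function returns 101 before any request is sent; with a forwardable (`FIA`) TGT and a reply carrying no flags it returns 41, which is the pair of errors the thread saw.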
Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy
On 27/10/15 15:43, Marc Boorshtein wrote:
>>> Looking at KrbKdcRep.java:73 it looks like the failure is happening
>>> because Java is setting the forwardable flag to true on the request
>>> but the response has no options in it. Should the forwardable option
>>> be false in the request?
>>
>> That's a fair guess.
>> the whole point of constrained delegation (including protocol impersonation)
>> is that you do not want to forward tickets, so you shouldn't ask for
>> forwardable tickets methinks.
>>
>> Simo.
>
> Thanks Simo. I tried running kinit with forwarding disabled:
>
> $ kinit HTTP/unison-freeipa.rhelent@rhelent.lan -k -t ./unison-freeipa.keytab -F
>
> [...]
>
> Looking at KrbTgsReq line 165:
>
>     if (options.get(KDCOptions.FORWARDABLE) &&
>             (!(asCreds.flags.get(Krb5.TKT_OPTS_FORWARDABLE)))) {
>         throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
>     }
>
> If I read this correctly it has to be forwardable? If that's the case is
> Java wrong for requiring the options to be there or is IPA wrong for not
> sending the options with the response ticket?

I think the best answer would be to look at what the MIT test program does
and make sure Java does the same. This stuff works with the
Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy
Thanks Simo. It wouldn't surprise me that Java's implementation is wrong.
The comments in the source even ask if it's necessary to check.

Thanks
Marc

Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902

On Tue, Oct 27, 2015 at 4:12 PM, Simo Sorce wrote:
> On 27/10/15 15:43, Marc Boorshtein wrote:
>>>> Looking at KrbKdcRep.java:73 it looks like the failure is happening
>>>> because Java is setting the forwardable flag to true on the request
>>>> but the response has no options in it. Should the forwardable option
>>>> be false in the request?
>>>
>>> That's a fair guess.
>>> the whole point of constrained delegation (including protocol impersonation)
>>> is that you do not want to forward tickets, so you shouldn't ask for
>>> forwardable tickets methinks.
>>>
>>> Simo.
>>
>> Thanks Simo. I tried running kinit with forwarding disabled:
>>
>> $ kinit HTTP/unison-freeipa.rhelent@rhelent.lan -k -t ./unison-freeipa.keytab -F
>>
>> [...]