Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Simo Sorce
On Tue, 2015-12-01 at 11:34 -0500, Marc Boorshtein wrote:
> Simo & Team,
> 
> After talking to the OpenJDK security list it turned out there is a
> bug in JDK8.  The issue is fixed in JDK9 and after testing I'm running
> into a new issue.  Same scenario described earlier in this email
> chain, but now it looks like the TGS-REP is not being marked as
> forwardable, which is required when an s4u2self ticket is used in
> s4u2proxy (https://msdn.microsoft.com/en-us/library/cc246079.aspx) :
> "The S4U2proxy extension requires that the service ticket to the first
> service has the forwardable flag set (see Service 1 in the figure
> specifying Kerberos delegation with forwarded TGT, section 1.3.3).
> This ticket can be obtained through an S4U2self protocol exchange.".
> The TGS-REQ is asking for a forwardable ticket, but it doesn't look
> like the response is setting it as forwardable.  Here's the exception:
> 
> GSSException: Failure unspecified at GSS-API level (Mechanism level:
> Attempt to obtain S4U2self credentials failed!)
> at 
> sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
> at 
> sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:92)
> at sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:153)
> at test24u2.KerberosDemo$1.run(KerberosDemo.java:128)
> at test24u2.KerberosDemo$1.run(KerberosDemo.java:1)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:422)
> at test24u2.KerberosDemo.impersonate(KerberosDemo.java:121)
> at test24u2.KerberosDemo.generateToken(KerberosDemo.java:179)
> at test24u2.KerberosDemo.main(KerberosDemo.java:215)
> Caused by: KrbException: S4U2self ticket must be FORWARDABLE
> at 
> sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:75)
> at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
> at 
> sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
> ... 9 more
> 
> Here's the entire debug output:
> >>> KeyTabInputStream, readName(): RHELENT.LAN
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): s4u.rhelent.lan
> >>> KeyTab: load() entry length: 83; type: 18
> >>> KeyTabInputStream, readName(): RHELENT.LAN
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): s4u.rhelent.lan
> >>> KeyTab: load() entry length: 67; type: 17
> >>> KeyTabInputStream, readName(): RHELENT.LAN
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): s4u.rhelent.lan
> >>> KeyTab: load() entry length: 75; type: 16
> >>> KeyTabInputStream, readName(): RHELENT.LAN
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): s4u.rhelent.lan
> >>> KeyTab: load() entry length: 67; type: 23
> Looking for keys for: HTTP/s4u.rhelent@rhelent.lan
> Java config name: null
> Native config name: /etc/krb5.conf
> Loading krb5 profile at /etc/krb5.conf
> Loaded from native config
> Added key: 23version: 1
> Added key: 16version: 1
> Added key: 17version: 1
> Found unsupported keytype (18) for HTTP/s4u.rhelent@rhelent.lan
> >>> KdcAccessibility: reset
> Looking for keys for: HTTP/s4u.rhelent@rhelent.lan
> Added key: 23version: 1
> Added key: 16version: 1
> Added key: 17version: 1
> Found unsupported keytype (18) for HTTP/s4u.rhelent@rhelent.lan
> default etypes for default_tkt_enctypes: 17 23 16.
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=freeipa.rhelent.lan UDP:88, timeout=3, number of retries =3, #bytes=175
> >>> KDCCommunication: kdc=freeipa.rhelent.lan UDP:88, timeout=3,Attempt =1, #bytes=175
> >>> KrbKdcReq send: #bytes read=327
> >>>Pre-Authentication Data:
> PA-DATA type = 136
> 
> >>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 17, salt = 4k@PqWo9iUZZ$[r", s2kparams = null
> PA-ETYPE-INFO2 etype = 16, salt = KaQ|KB PA-ETYPE-INFO2 etype = 23, salt = Wl=W>9){.`Y;1k, s2kparams = null
> 
> >>>Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
> PA-DATA type = 133
> 
> >>> KdcAccessibility: remove freeipa.rhelent.lan
> >>> KDCRep: init() encoding tag is 126 req type is 11
> >>>KRBError:
> cTime is Sat Jan 20 19:00:57 EST 1996 822182457000
> sTime is Mon Nov 30 21:35:51 EST 2015 1448937351000
> suSec is 558140
> error code is 25
> error Message is Additional pre-authentication required
> cname is HTTP/s4u.rhelent@rhelent.lan
> sname is krbtgt/rhelent@rhelent.lan
> eData provided.
> msgType is 30
> >>>Pre-Authentication Data:
> PA-DATA type = 136
> 
> >>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 17, salt = 4k@PqWo9iUZZ$[r", s2kparams = null
> PA-ETYPE-INFO2 etype = 16, salt = KaQ|KB PA-ETYPE-INFO2 etype = 23, salt = Wl=W>9){.`Y;1k, s2kparams = null
> 
> >>>Pre-Authentication Data:
> 

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Simo Sorce
On Tue, 2015-12-01 at 11:55 -0500, Marc Boorshtein wrote:
> >
> > How do you acquire the user ticket ?
> >
> 
> Using a keytab.  Here's a link to the example code I'm using:
> https://github.com/ymartin59/java-kerberos-sfudemo  I have Java set to
> use IPA as the DNS server and I'm passing in mmosley as the user to
> impersonate and HTTP/freeipa.rhelent.lan as the service that will
> consume the impersonated user's ticket.
> 
> > Do you have the kdc log (/var/log/krb5kdc.log) that shows what the
> > server has been requested and what it released ?
> >
> 
> Sure:
> 
> Dec 01 11:55:17 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
> etypes {17 23 16}) 10.8.0.2: NEEDED_PREAUTH:
> HTTP/s4u.rhelent@rhelent.lan for krbtgt/rhelent@rhelent.lan,
> Additional pre-authentication required
> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
> etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
> {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for
> krbtgt/rhelent@rhelent.lan
> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3
> etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
> {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for
> HTTP/s4u.rhelent@rhelent.lan
> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): ...
> PROTOCOL-TRANSITION s4u-client=mmos...@rhelent.lan
> 
> Thanks

I think for s4u2self you may have missed a conf step (we primarily use
s4u2proxy in the product *without* any s4u2self step).

Can you check that you followed the procedure described here:
https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-kdb/README.s4u2proxy.txt#n90

I think the key part is setting the +ok_to_auth_as_delegate flag which
we do not provide an official higher level interface for yet.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Marc Boorshtein
>
> How do you acquire the user ticket ?
>

Using a keytab.  Here's a link to the example code I'm using:
https://github.com/ymartin59/java-kerberos-sfudemo  I have Java set to
use IPA as the DNS server and I'm passing in mmosley as the user to
impersonate and HTTP/freeipa.rhelent.lan as the service that will
consume the impersonated user's ticket.

> Do you have the kdc log (/var/log/krb5kdc.log) that shows what the
> server has been requested and what it released ?
>

Sure:

Dec 01 11:55:17 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
etypes {17 23 16}) 10.8.0.2: NEEDED_PREAUTH:
HTTP/s4u.rhelent@rhelent.lan for krbtgt/rhelent@rhelent.lan,
Additional pre-authentication required
Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
{rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for
krbtgt/rhelent@rhelent.lan
Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3
etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
{rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent@rhelent.lan for
HTTP/s4u.rhelent@rhelent.lan
Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): ...
PROTOCOL-TRANSITION s4u-client=mmos...@rhelent.lan

Thanks
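The krb5kdc.log excerpt above is what a defender has to work with when auditing who impersonated whom: the S4U2self step shows up as a TGS_REQ in which the service asks for a ticket from itself to itself, and the following "... PROTOCOL-TRANSITION s4u-client=" line names the impersonated user. The parser below is an added example (not code from the thread or from FreeIPA) that pairs those two lines into delegation events and groups them per service and impersonated user; the sample lines are constructed in the same layout with an example realm, and the "... CONSTRAINED-DELEGATION s4u-client=" continuation line used here for the S4U2proxy step is assumed to mirror the protocol-transition line shown on the page.

```python
"""Turn MIT krb5kdc.log S4U lines into delegation events (added example).

Sample lines are constructed; the layout follows the krb5kdc.log excerpt in
the thread, with an example realm.  The CONSTRAINED-DELEGATION line for the
S4U2proxy step is an assumption modelled on the PROTOCOL-TRANSITION line.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: pre-auth, AS_REQ, one S4U2self exchange, one S4U2proxy exchange.
SAMPLE_LOG = """\
Dec 01 11:55:17 ipa.example.test krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 10.8.0.2: NEEDED_PREAUTH: HTTP/s4u.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Dec 01 11:55:18 ipa.example.test krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Dec 01 11:55:18 ipa.example.test krb5kdc[7507](info): TGS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.example.test@EXAMPLE.TEST for HTTP/s4u.example.test@EXAMPLE.TEST
Dec 01 11:55:18 ipa.example.test krb5kdc[7507](info): ... PROTOCOL-TRANSITION s4u-client=mmosley@EXAMPLE.TEST
Dec 01 11:55:19 ipa.example.test krb5kdc[7507](info): TGS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.example.test@EXAMPLE.TEST for HTTP/ipa.example.test@EXAMPLE.TEST
Dec 01 11:55:19 ipa.example.test krb5kdc[7507](info): ... CONSTRAINED-DELEGATION s4u-client=mmosley@EXAMPLE.TEST
"""

_PREFIX = r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\(info\): "

# "<REQ> (<n> etypes {...}) <ip>: ISSUE: authtime <t>, etypes {...}, <client> for <server>"
ISSUE_RE = re.compile(
    _PREFIX + r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<ip>\S+): ISSUE: "
    r"authtime \d+, etypes \{[^}]*\}, (?P<client>\S+) for (?P<server>\S+)$"
)
# Continuation line the KDC logs right after the ISSUE line of an S4U request.
S4U_RE = re.compile(
    _PREFIX + r"\.\.\. (?P<kind>PROTOCOL-TRANSITION|CONSTRAINED-DELEGATION) s4u-client=(?P<user>\S+)$"
)


@dataclass
class DelegationEvent:
    kind: str          # "S4U2self" or "S4U2proxy"
    service: str       # principal that sent the TGS_REQ
    target: str        # principal the issued ticket is for (== service for S4U2self)
    impersonated: str  # user named in s4u-client=
    source_ip: str


def parse_delegation_events(lines: Iterable[str]) -> List[DelegationEvent]:
    """Pair each '... KIND s4u-client=' line with the TGS_REQ ISSUE line before it."""
    events: List[DelegationEvent] = []
    last_issue: Optional[Dict[str, str]] = None
    for raw in lines:
        line = raw.rstrip("\n")
        m = ISSUE_RE.match(line)
        if m:
            last_issue = m.groupdict()
            continue
        m = S4U_RE.match(line)
        if not m:
            continue
        # A continuation line only makes sense directly after a TGS ISSUE from the same KDC process.
        if last_issue is None or last_issue["req"] != "TGS_REQ" or last_issue["pid"] != m["pid"]:
            continue
        kind = "S4U2self" if m["kind"] == "PROTOCOL-TRANSITION" else "S4U2proxy"
        events.append(DelegationEvent(kind, last_issue["client"], last_issue["server"],
                                      m["user"], last_issue["ip"]))
        last_issue = None
    return events


def delegation_chains(events: List[DelegationEvent]) -> Dict[Tuple[str, str], List[Tuple[str, str]]]:
    """Group by (service, impersonated user): which targets each impersonation reached."""
    chains: Dict[Tuple[str, str], List[Tuple[str, str]]] = {}
    for e in events:
        chains.setdefault((e.service, e.impersonated), []).append((e.kind, e.target))
    return chains


def flag_sensitive(events: List[DelegationEvent], sensitive_users: set) -> List[DelegationEvent]:
    """Events where a service impersonated an account on the watch list."""
    return [e for e in events if e.impersonated in sensitive_users]


if __name__ == "__main__":
    evs = parse_delegation_events(SAMPLE_LOG.splitlines())
    for ev in evs:
        print(ev)
    print(delegation_chains(evs))
    print("sensitive:", flag_sensitive(evs, {"admin@EXAMPLE.TEST"}))
```

The pairing step matters because the continuation line carries no principal names of its own; feeding the parser a log in which the ISSUE and continuation lines have been reordered or interleaved by another KDC process drops the event instead of attributing it to the wrong service.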



Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Simo Sorce
On Tue, 2015-12-01 at 12:55 -0500, Marc Boorshtein wrote:
> I can now get a ticket!  This is how I originally created the user:
> 
> $ kinit admin
> $ ipa service-add HTTP/s4u.rhelent@rhelent.lan --ok-as-delegate=true

ok-as-delegate != ok_to_auth_as_delegate ...

I know, it is a little confusing :-/  but these are the upstream flag
names, and they both exist and do different things.

Simo.



-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Marc Boorshtein
I can now get a ticket!  This is how I originally created the user:

$ kinit admin
$ ipa service-add HTTP/s4u.rhelent@rhelent.lan --ok-as-delegate=true

Here's the object in the directory:

dn: krbprincipalname=HTTP/s4u.rhelent@rhelent.lan,cn=services,cn=accounts,
 dc=rhelent,dc=lan
ipaKrbPrincipalAlias: HTTP/s4u.rhelent@rhelent.lan
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
krbTicketFlags: 1048704
managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
krbPrincipalName: HTTP/s4u.rhelent@rhelent.lan
ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
krbLastPwdChange: 20151112021359Z
krbExtraData:: AALn9UNWSFRUUC9zNHUucmhlbGVudC5sYW5AUkhFTEVOVC5MQU4A
krbLastSuccessfulAuth: 20151201165518Z

Just now, I ran:
[root@freeipa ~]# kadmin.local
Authenticating as principal admin/ad...@rhelent.lan with password.
kadmin.local:  modprinc +ok_to_auth_as_delegate HTTP/s4u.rhelent.lan
Principal "HTTP/s4u.rhelent@rhelent.lan" modified.

and now the directory object is
dn: krbprincipalname=HTTP/s4u.rhelent@rhelent.lan,cn=services,cn=accounts,
 dc=rhelent,dc=lan
ipaKrbPrincipalAlias: HTTP/s4u.rhelent@rhelent.lan
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
krbTicketFlags: 3145856
managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
krbPrincipalName: HTTP/s4u.rhelent@rhelent.lan
ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
krbLastPwdChange: 20151112021359Z
krbExtraData:: AAIx3l1WYWRtaW4vYWRtaW5AUkhFTEVOVC5MQU4A
krbLastSuccessfulAuth: 20151201175200Z

Ticket flags clearly changed.  Now to see if this works with ipa-web.

Thanks

Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902
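The two krbTicketFlags values in the message above are the whole story of Simo's "ok-as-delegate != ok_to_auth_as_delegate" remark: 1048704 is REQUIRES_PRE_AUTH plus OK_AS_DELEGATE (what "ipa service-add --ok-as-delegate=true" sets, telling clients they may forward a TGT to this service), and 3145856 adds OK_TO_AUTH_AS_DELEGATE (what "modprinc +ok_to_auth_as_delegate" sets, letting the service obtain a forwardable S4U2self ticket for an arbitrary user, which is the ticket Java's "S4U2self ticket must be FORWARDABLE" check insists on). The decoder below is an added example, not code from the thread or from FreeIPA; the bit values are the KRB5_KDB_* attribute flags from MIT krb5's kdb.h, and the LDIF fragments are constructed with an example realm but carry the page's before/after flag values.

```python
"""Decode krbTicketFlags on a FreeIPA service entry (added example).

Bit values are the KRB5_KDB_* principal attribute flags from MIT krb5 kdb.h.
The LDIF fragments are constructed (example realm) but use the exact
krbTicketFlags values the thread shows before (1048704) and after (3145856)
the 'modprinc +ok_to_auth_as_delegate' step.
"""
from typing import Dict, List

# KRB5_KDB_* principal attribute bits (MIT krb5 kdb.h)
KDB_FLAGS = {
    0x00000001: "DISALLOW_POSTDATED",
    0x00000002: "DISALLOW_FORWARDABLE",
    0x00000004: "DISALLOW_TGT_BASED",
    0x00000008: "DISALLOW_RENEWABLE",
    0x00000010: "DISALLOW_PROXIABLE",
    0x00000020: "DISALLOW_DUP_SKEY",
    0x00000040: "DISALLOW_ALL_TIX",
    0x00000080: "REQUIRES_PRE_AUTH",
    0x00000100: "REQUIRES_HW_AUTH",
    0x00000200: "REQUIRES_PWCHANGE",
    0x00001000: "DISALLOW_SVR",
    0x00002000: "PWCHANGE_SERVICE",
    0x00004000: "SUPPORT_DESMD5",
    0x00008000: "NEW_PRINC",
    0x00100000: "OK_AS_DELEGATE",          # ipa service-add --ok-as-delegate
    0x00200000: "OK_TO_AUTH_AS_DELEGATE",  # kadmin modprinc +ok_to_auth_as_delegate
    0x00400000: "NO_AUTH_DATA_REQUIRED",
}
OK_AS_DELEGATE = 0x00100000
OK_TO_AUTH_AS_DELEGATE = 0x00200000

# Constructed LDIF, example realm; flag values copied from the thread.
BEFORE_LDIF = """\
dn: krbprincipalname=HTTP/s4u.example.test@EXAMPLE.TEST,cn=services,cn=accounts,
 dc=example,dc=test
objectClass: ipaservice
objectClass: krbprincipal
krbTicketFlags: 1048704
krbPrincipalName: HTTP/s4u.example.test@EXAMPLE.TEST
"""
AFTER_LDIF = BEFORE_LDIF.replace("krbTicketFlags: 1048704", "krbTicketFlags: 3145856")


def decode_flags(value: int) -> List[str]:
    """Names of the KDB flags set in a krbTicketFlags integer, lowest bit first."""
    names = [name for bit, name in sorted(KDB_FLAGS.items()) if value & bit]
    unknown = value & ~sum(KDB_FLAGS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def flags_added(before: int, after: int) -> List[str]:
    """Flags present in 'after' but not in 'before' (what a modprinc +flag changed)."""
    return decode_flags(after & ~before)


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Minimal single-entry LDIF reader: joins folded lines (leading space)
    and keeps '::' (base64) values raw, which is enough for the flag check."""
    logical: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        elif line.strip():
            logical.append(line)
    entry: Dict[str, List[str]] = {}
    for item in logical:
        attr, _, value = item.partition(":")
        entry.setdefault(attr, []).append(value.lstrip(":").strip())
    return entry


def delegation_state(ldif_text: str) -> Dict[str, object]:
    """What the entry allows: ok_as_delegate lets clients forward a TGT to the
    service; ok_to_auth_as_delegate lets the service obtain a forwardable
    S4U2self ticket for an arbitrary user (the bit the thread was missing)."""
    entry = parse_ldif_entry(ldif_text)
    flags = int(entry["krbTicketFlags"][0])
    return {
        "principal": entry["krbPrincipalName"][0],
        "flags": decode_flags(flags),
        "ok_as_delegate": bool(flags & OK_AS_DELEGATE),
        "ok_to_auth_as_delegate": bool(flags & OK_TO_AUTH_AS_DELEGATE),
    }


def audit_impersonators(entries: List[str]) -> List[str]:
    """Principals allowed to impersonate users via S4U2self: a list a defender
    wants to keep short and review regularly."""
    return [s["principal"] for s in map(delegation_state, entries)
            if s["ok_to_auth_as_delegate"]]


if __name__ == "__main__":
    print(delegation_state(BEFORE_LDIF))
    print(delegation_state(AFTER_LDIF))
    print("added:", flags_added(1048704, 3145856))
    print("impersonators:", audit_impersonators([BEFORE_LDIF, AFTER_LDIF]))
```

On a live server the same check runs over the output of ldapsearch against cn=services,cn=accounts, or you can let kadmin.local getprinc print the attribute names directly. Later FreeIPA releases also expose this bit as an --ok-to-auth-as-delegate option on ipa service-add/service-mod, so check ipa service-mod --help on your version before falling back to kadmin.local as the thread does.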




Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Marc Boorshtein
Got it. BTW, with that java 8 s4u2self works too. Thanks again for the help!

Marc Boorshtein
CTO, Tremolo Security, Inc.

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Marc Boorshtein
What project (including my own) doesn't need better docs? :-)  Once I
publish the work I'm doing, part of that will have a step-by-step on
getting this set up.  It was pretty easy really if you are comfortable
with LDAP.
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902


On Tue, Dec 1, 2015 at 1:46 PM, Simo Sorce  wrote:
> On Tue, 2015-12-01 at 13:28 -0500, Marc Boorshtein wrote:
>> Got it. BTW, with that java 8 s4u2self works too. Thanks again for the help!
>
> Glad it works, and sorry it took so long to figure out.
>
> We definitely need some better docs around this point.
>
> Simo.
>

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-10-27 Thread Simo Sorce

On 27/10/15 13:11, Marc Boorshtein wrote:

All,

I'm trying to create an S4u2self/proxy that will give me a ticket to
log into ipa web.  I have ipa installed on centos 7 and the client
installed on centos 6.  The client is written in Java (Java 8).  When
I try the following impersonation code:

import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import com.sun.security.jgss.ExtendedGSSCredential;

GSSManager manager = GSSManager.getInstance();

// The service's own initiator credential (from the default ccache/keytab)
GSSCredential self =
    manager.createCredential(GSSCredential.INITIATE_ONLY);

// The user the service wants to act on behalf of
GSSName user = manager.createName("mmosley", GSSName.NT_USER_NAME);

// S4U2self: ask the KDC for a ticket for "user" to this service
GSSCredential impCred =
    ((ExtendedGSSCredential) self).impersonate(user);

I get the following output from Java:

[tremoloadmin@unison-freeipa ~]$ java
-Djavax.security.auth.useSubjectCredsOnly=false
-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true -jar
tests4u-1.0-SNAPSHOT-jar-with-dependencies.jar
Hello World!
Search Subject for Kerberos V5 INIT cred (<<DEFAULT>>,
sun.security.jgss.krb5.Krb5InitCredential)
No Subject

KinitOptions cache name is /tmp/krb5cc_500
DEBUG  client principal is HTTP/unison-freeipa.rhelent@rhelent.lan
DEBUG  server principal is krbtgt/rhelent@rhelent.lan
DEBUG  key type: 18
DEBUG  auth time: Mon Oct 26 21:11:17 EDT 2015
DEBUG  start time: Mon Oct 26 21:11:17 EDT 2015
DEBUG  end time: Tue Oct 27 21:11:17 EDT 2015
DEBUG  renew_till time: Tue Oct 27 21:11:18 EDT 2015
CCacheInputStream: readFlags()  FORWARDABLE; RENEWABLE; INITIAL; PRE_AUTH;
DEBUG  client principal is HTTP/unison-freeipa.rhelent@rhelent.lan

Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config

DEBUG  server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/rhelent@rhelent.lan@RHELENT.LAN
DEBUG  key type: 0
DEBUG  auth time: Wed Dec 31 19:00:00 EST 1969
DEBUG  start time: null
DEBUG  end time: Wed Dec 31 19:00:00 EST 1969
DEBUG  renew_till time: null
CCacheInputStream: readFlags()

Found ticket for HTTP/unison-freeipa.rhelent@rhelent.lan to go to krbtgt/rhelent@rhelent.lan expiring on Tue Oct 27 21:11:17 EDT 2015
Search Subject for SPNEGO INIT cred (<<DEFAULT>>,
sun.security.jgss.spnego.SpNegoCredElement)
No Subject
Search Subject for Kerberos V5 INIT cred (<<DEFAULT>>,
sun.security.jgss.krb5.Krb5InitCredential)
No Subject

KinitOptions cache name is /tmp/krb5cc_500
DEBUG  client principal is HTTP/unison-freeipa.rhelent@rhelent.lan
DEBUG  server principal is krbtgt/rhelent@rhelent.lan
DEBUG  key type: 18
DEBUG  auth time: Mon Oct 26 21:11:17 EDT 2015
DEBUG  start time: Mon Oct 26 21:11:17 EDT 2015
DEBUG  end time: Tue Oct 27 21:11:17 EDT 2015
DEBUG  renew_till time: Tue Oct 27 21:11:18 EDT 2015
CCacheInputStream: readFlags()  FORWARDABLE; RENEWABLE; INITIAL; PRE_AUTH;
DEBUG  client principal is HTTP/unison-freeipa.rhelent@rhelent.lan
DEBUG  server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/rhelent@rhelent.lan@RHELENT.LAN
DEBUG  key type: 0
DEBUG  auth time: Wed Dec 31 19:00:00 EST 1969
DEBUG  start time: null
DEBUG  end time: Wed Dec 31 19:00:00 EST 1969
DEBUG  renew_till time: null
CCacheInputStream: readFlags()

Found ticket for HTTP/unison-freeipa.rhelent@rhelent.lan to go to krbtgt/rhelent@rhelent.lan expiring on Tue Oct 27 21:11:17 EDT 2015

CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType

Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.

CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
KdcAccessibility: reset

getKDCFromDNS using UDP

KrbKdcReq send: kdc=freeipa.rhelent.lan. UDP:88, timeout=3, number of retries =3, #bytes=825
KDCCommunication: kdc=freeipa.rhelent.lan. UDP:88, timeout=3,Attempt =1, #bytes=825
KrbKdcReq send: #bytes read=680
KdcAccessibility: remove freeipa.rhelent.lan.:88
EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType

KrbKdcRep.check: at #1. request for true, received false

Exception in thread "main" GSSException: Failure unspecified at
GSS-API level (Mechanism level: Attempt to obtain S4U2self credentials
failed!)
at 
sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
at 
sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:94)
at sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:141)
at io.tremolo.App.main(App.java:27)
Caused by: KrbException: Message stream modified (41)
at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:73)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:87)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:259)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:270)
at 
sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:67)
at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
at 
sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
... 3 more

Looking at KrbKdcRep.java:73 it looks like the 

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-10-27 Thread Marc Boorshtein
>>
>> Looking at KrbKdcRep.java:73 it looks like the failure is happening
>> because Java is setting the forwardable flag to true on the request
>> but the response has no options in it.  Should the forwardable option
>> be false in the request?
>
>
> That's a fair guess.
> the whole point of constrained delegation (including protocol impersonation)
> is that you do not want to forward tickets, so you shouldn't ask for
> forwardable tickets methinks.
>
> Simo.
>

Thanks Simo.  I tried running kinit with forwarding disabled:

$ kinit HTTP/unison-freeipa.rhelent@rhelent.lan -k -t
./unison-freeipa.keytab -F

$ klist -f

Ticket cache: FILE:/tmp/krb5cc_500

Default principal: HTTP/unison-freeipa.rhelent@rhelent.lan


Valid starting ExpiresService principal

10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/rhelent@rhelent.lan

Flags: IA

But when I try again Java refuses to generate the ticket:

tremoloadmin@unison-freeipa ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: HTTP/unison-freeipa.rhelent@rhelent.lan

Valid starting ExpiresService principal
10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/rhelent@rhelent.lan
Flags: IA

Hello World!
Search Subject for Kerberos V5 INIT cred (<>,
sun.security.jgss.krb5.Krb5InitCredential)
No Subject
>>>KinitOptions cache name is /tmp/krb5cc_500
>>>DEBUG   client principal is 
>>>HTTP/unison-freeipa.rhelent@rhelent.lan
>>>DEBUG  server principal is krbtgt/rhelent@rhelent.lan
>>>DEBUG  key type: 18
>>>DEBUG  auth time: Tue Oct 27 15:32:52 EDT 2015
>>>DEBUG  start time: Tue Oct 27 15:32:52 EDT 2015
>>>DEBUG  end time: Wed Oct 28 15:32:52 EDT 2015
>>>DEBUG  renew_till time: null
>>> CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
>>>DEBUG   client principal is 
>>>HTTP/unison-freeipa.rhelent@rhelent.lan
Java config name: /home/tremoloadmin/krb5.conf
Loaded from Java config
>>>DEBUG  server principal is 
>>>X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/rhelent@rhelent.lan@RHELENT.LAN
>>>DEBUG  key type: 0
>>>DEBUG  auth time: Wed Dec 31 19:00:00 EST 1969
>>>DEBUG  start time: null
>>>DEBUG  end time: Wed Dec 31 19:00:00 EST 1969
>>>DEBUG  renew_till time: null
>>> CCacheInputStream: readFlags()
Found ticket for HTTP/unison-freeipa.rhelent@rhelent.lan to go to
krbtgt/rhelent@rhelent.lan expiring on Wed Oct 28 15:32:52 EDT
2015
Search Subject for SPNEGO INIT cred (<>,
sun.security.jgss.spnego.SpNegoCredElement)
No Subject
Search Subject for Kerberos V5 INIT cred (<>,
sun.security.jgss.krb5.Krb5InitCredential)
No Subject
>>>KinitOptions cache name is /tmp/krb5cc_500
>>>DEBUG   client principal is 
>>>HTTP/unison-freeipa.rhelent@rhelent.lan
>>>DEBUG  server principal is krbtgt/rhelent@rhelent.lan
>>>DEBUG  key type: 18
>>>DEBUG  auth time: Tue Oct 27 15:32:52 EDT 2015
>>>DEBUG  start time: Tue Oct 27 15:32:52 EDT 2015
>>>DEBUG  end time: Wed Oct 28 15:32:52 EDT 2015
>>>DEBUG  renew_till time: null
>>> CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
>>>DEBUG   client principal is 
>>>HTTP/unison-freeipa.rhelent@rhelent.lan
>>>DEBUG  server principal is 
>>>X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/rhelent@rhelent.lan@RHELENT.LAN
>>>DEBUG  key type: 0
>>>DEBUG  auth time: Wed Dec 31 19:00:00 EST 1969
>>>DEBUG  start time: null
>>>DEBUG  end time: Wed Dec 31 19:00:00 EST 1969
>>>DEBUG  renew_till time: null
>>> CCacheInputStream: readFlags()
Found ticket for HTTP/unison-freeipa.rhelent@rhelent.lan to go to
krbtgt/rhelent@rhelent.lan expiring on Wed Oct 28 15:32:52 EDT
2015
>>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
Exception in thread "main" GSSException: Failure unspecified at
GSS-API level (Mechanism level: Attempt to obtain S4U2self credentials
failed!)
at 
sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
at 
sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:94)
at sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:141)
at io.tremolo.App.main(App.java:27)
Caused by: KrbException: Invalid option setting in ticket request. (101)
at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:165)
at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:100)
at 
sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:66)
at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
at 
sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
... 3 more

Looking at KrbTgsReq line 165:

if (options.get(KDCOptions.FORWARDABLE) &&
        (!(asCreds.flags.get(Krb5.TKT_OPTS_FORWARDABLE)))) {
    throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
}

If I read this correctly it has to be forwardable?  If that's the case
is Java wrong for requiring the options to be there or is IPA wrong
for not sending the options with the response ticket?

Thanks

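The two failures in this message, the KrbKdcRep.check mismatch (error 41) from the first run and the KrbTgsReq option check (error 101) after `kinit -F`, both come down to comparing RFC 4120 flag bits between the TGT in the cache, the TGS-REQ options and the returned ticket. The following Python model is an added example, not code from this thread or from the JDK: the check logic is a simplified reading of the quoted KrbTgsReq snippet and of the "KrbKdcRep.check: at #1. request for true, received false" debug line, the letter mapping follows the MIT `klist -f` man page, and the reply flag values fed to it are constructed.

```python
"""Model of the two flag checks behind the stack traces in this thread.

Constructed example: TGT flag letters come from the `klist -f` output quoted
above; the check logic is a simplified reading of the quoted KrbTgsReq snippet
and of the KrbKdcRep.check debug line, not the JDK source itself.
"""
from __future__ import annotations

from typing import FrozenSet, Optional, Tuple

# RFC 4120 bit numbers shared by KDCOptions (5.4.1) and TicketFlags (5.3) for
# the flags compared here.  The JDK's Krb5.TKT_OPTS_FORWARDABLE is bit 1.
FORWARDABLE, FORWARDED, PROXIABLE, PROXY = 1, 2, 3, 4
MAY_POSTDATE, POSTDATED, INVALID, RENEWABLE = 5, 6, 7, 8
INITIAL, PRE_AUTHENT, HW_AUTHENT = 9, 10, 11
TRANSITED_POLICY_CHECKED, OK_AS_DELEGATE = 12, 13

# Error codes named in the thread's exceptions.
KRB_AP_ERR_MODIFIED = 41      # "Message stream modified"
KRB_AP_ERR_REQ_OPTIONS = 101  # "Invalid option setting in ticket request."

# Letter codes printed in the "Flags:" column of MIT `klist -f`.
KLIST_LETTERS = {
    "F": FORWARDABLE, "f": FORWARDED, "P": PROXIABLE, "p": PROXY,
    "D": MAY_POSTDATE, "d": POSTDATED, "i": INVALID, "R": RENEWABLE,
    "I": INITIAL, "A": PRE_AUTHENT, "H": HW_AUTHENT,
    "T": TRANSITED_POLICY_CHECKED, "O": OK_AS_DELEGATE,
}

# Option bits that must come back set in the ticket when they were requested.
# "Please try" options such as RENEWABLE_OK (27) are excluded because a KDC may
# legitimately decline them.  (Simplification of the JDK's check, see docstring.)
STRICT_OPTIONS = frozenset({FORWARDABLE, FORWARDED, PROXIABLE, PROXY,
                            MAY_POSTDATE, POSTDATED, RENEWABLE})


def flags_from_klist(letters: str) -> FrozenSet[int]:
    """Convert a `klist -f` flags string such as "FRIA" or "IA" to bit numbers."""
    unknown = set(letters) - set(KLIST_LETTERS)
    if unknown:
        raise ValueError(f"unknown klist flag letters: {sorted(unknown)}")
    return frozenset(KLIST_LETTERS[c] for c in letters)


def flags_from_bitstring(value: int) -> FrozenSet[int]:
    """Decode a 32-bit KerberosFlags value as encoded on the wire (bit 0 is the MSB)."""
    return frozenset(bit for bit in range(32) if value & (1 << (31 - bit)))


def check_request_options(requested: FrozenSet[int], tgt_flags: FrozenSet[int]) -> Optional[int]:
    """The KrbTgsReq constructor check quoted above (KrbTgsReq.java:165).

    Asking for a FORWARDABLE service ticket with a TGT that is not itself
    forwardable fails locally with KRB_AP_ERR_REQ_OPTIONS; no TGS-REQ is sent,
    which is why the `kinit -F` run shows no KDC traffic at all.
    """
    if FORWARDABLE in requested and FORWARDABLE not in tgt_flags:
        return KRB_AP_ERR_REQ_OPTIONS
    return None


def check_reply_flags(requested: FrozenSet[int], reply_flags: FrozenSet[int]) -> Optional[Tuple[int, int]]:
    """Reply validation in the spirit of KrbKdcRep.check.

    Each strict option set in the TGS-REQ must be set in the returned ticket's
    flags; the first mismatch is reported as KRB_AP_ERR_MODIFIED together with
    the offending bit, matching "at #1. request for true, received false".
    """
    for bit in sorted(requested & STRICT_OPTIONS):
        if bit not in reply_flags:
            return (KRB_AP_ERR_MODIFIED, bit)
    return None


def diagnose_s4u2self(tgt_klist_flags: str, reply_ticket_flags: int) -> str:
    """Walk one S4U2self attempt the way the JDK in the thread does: it always
    asks for a forwardable ticket (assumption taken from the quoted logs)."""
    requested = frozenset({FORWARDABLE})
    err = check_request_options(requested, flags_from_klist(tgt_klist_flags))
    if err is not None:
        return f"local KrbException {err}: TGT lacks FORWARDABLE, TGS-REQ never sent"
    mismatch = check_reply_flags(requested, flags_from_bitstring(reply_ticket_flags))
    if mismatch is not None:
        code, bit = mismatch
        return f"KrbException {code} after TGS-REP: requested bit #{bit} came back unset"
    return "S4U2self ticket accepted"


if __name__ == "__main__":
    # First run: TGT flags FORWARDABLE; RENEWABLE; INITIAL; PRE_AUTH ("FRIA"),
    # constructed reply carrying only PRE_AUTHENT (0x00200000).
    print(diagnose_s4u2self("FRIA", 0x00200000))
    # Second run: TGT obtained with `kinit -F`, klist shows "IA".
    print(diagnose_s4u2self("IA", 0x00200000))
    # A reply that also carries FORWARDABLE (0x40200000) passes both checks.
    print(diagnose_s4u2self("FRIA", 0x40200000))
```

Reading the model against the thread: the first run gets as far as the KDC and fails because the returned ticket lacks the flag that was requested, while the `kinit -F` run never leaves the JVM because the TGT itself is not forwardable. Either way the flag the JDK insists on is the one MS-SFU requires for the S4U2self ticket that later feeds S4U2proxy.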

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-10-27 Thread Simo Sorce

On 27/10/15 15:43, Marc Boorshtein wrote:


Looking at KrbKdcRep.java:73 it looks like the failure is happening
because Java is setting the forwardable flag to true on the request
but the response has no options in it.  Should the forwardable option
be false in the request?



That's a fair guess.
the whole point of constrained delegation (including protocol impersonation)
is that you do not want to forward tickets, so you shouldn't ask for
forwardable tickets methinks.

Simo.



Thanks Simo.  I tried running kinit with forwarding disabled:

$ kinit HTTP/unison-freeipa.rhelent@rhelent.lan -k -t
./unison-freeipa.keytab -F

$ klist -f

Ticket cache: FILE:/tmp/krb5cc_500

Default principal: HTTP/unison-freeipa.rhelent@rhelent.lan


Valid starting ExpiresService principal

10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/rhelent@rhelent.lan

Flags: IA

But when I try again Java refuses to generate the ticket:

tremoloadmin@unison-freeipa ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: HTTP/unison-freeipa.rhelent@rhelent.lan

Valid starting ExpiresService principal
10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/rhelent@rhelent.lan
Flags: IA

Hello World!
Search Subject for Kerberos V5 INIT cred (<>,
sun.security.jgss.krb5.Krb5InitCredential)
No Subject

KinitOptions cache name is /tmp/krb5cc_500
DEBUG   client principal is 
HTTP/unison-freeipa.rhelent@rhelent.lan
DEBUG  server principal is krbtgt/rhelent@rhelent.lan
DEBUG  key type: 18
DEBUG  auth time: Tue Oct 27 15:32:52 EDT 2015
DEBUG  start time: Tue Oct 27 15:32:52 EDT 2015
DEBUG  end time: Wed Oct 28 15:32:52 EDT 2015
DEBUG  renew_till time: null
CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
DEBUG   client principal is 
HTTP/unison-freeipa.rhelent@rhelent.lan

Java config name: /home/tremoloadmin/krb5.conf
Loaded from Java config

DEBUG  server principal is 
X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/rhelent@rhelent.lan@RHELENT.LAN
DEBUG  key type: 0
DEBUG  auth time: Wed Dec 31 19:00:00 EST 1969
DEBUG  start time: null
DEBUG  end time: Wed Dec 31 19:00:00 EST 1969
DEBUG  renew_till time: null
CCacheInputStream: readFlags()

Found ticket for HTTP/unison-freeipa.rhelent@rhelent.lan to go to
krbtgt/rhelent@rhelent.lan expiring on Wed Oct 28 15:32:52 EDT
2015
Search Subject for SPNEGO INIT cred (<>,
sun.security.jgss.spnego.SpNegoCredElement)
No Subject
Search Subject for Kerberos V5 INIT cred (<>,
sun.security.jgss.krb5.Krb5InitCredential)
No Subject

KinitOptions cache name is /tmp/krb5cc_500
DEBUG   client principal is 
HTTP/unison-freeipa.rhelent@rhelent.lan
DEBUG  server principal is krbtgt/rhelent@rhelent.lan
DEBUG  key type: 18
DEBUG  auth time: Tue Oct 27 15:32:52 EDT 2015
DEBUG  start time: Tue Oct 27 15:32:52 EDT 2015
DEBUG  end time: Wed Oct 28 15:32:52 EDT 2015
DEBUG  renew_till time: null
CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
DEBUG   client principal is 
HTTP/unison-freeipa.rhelent@rhelent.lan
DEBUG  server principal is 
X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/rhelent@rhelent.lan@RHELENT.LAN
DEBUG  key type: 0
DEBUG  auth time: Wed Dec 31 19:00:00 EST 1969
DEBUG  start time: null
DEBUG  end time: Wed Dec 31 19:00:00 EST 1969
DEBUG  renew_till time: null
CCacheInputStream: readFlags()

Found ticket for HTTP/unison-freeipa.rhelent@rhelent.lan to go to
krbtgt/rhelent@rhelent.lan expiring on Wed Oct 28 15:32:52 EDT
2015

CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType

Exception in thread "main" GSSException: Failure unspecified at
GSS-API level (Mechanism level: Attempt to obtain S4U2self credentials
failed!)
at 
sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
at 
sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:94)
at sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:141)
at io.tremolo.App.main(App.java:27)
Caused by: KrbException: Invalid option setting in ticket request. (101)
at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:165)
at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:100)
at 
sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:66)
at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
at 
sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
... 3 more

Looking at KrbTgsReq line 165:

if (options.get(KDCOptions.FORWARDABLE) &&
        (!(asCreds.flags.get(Krb5.TKT_OPTS_FORWARDABLE)))) {
    throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
}

If I read this correctly it has to be forwardable?  If that's the case
is Java wrong for requiring the options to be there or is IPA wrong
for not sending the options with the response ticket?


I think the best answer would be to look at what the MIT test program 
does and make sure Java does the same.
This stuff works with the 

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-10-27 Thread Marc Boorshtein
Thanks Simo.  It wouldn't surprise me that Java's implementation is
wrong.  The comments in the source even ask if it's necessary to check.

Thanks
Marc
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902


On Tue, Oct 27, 2015 at 4:12 PM, Simo Sorce  wrote:
> On 27/10/15 15:43, Marc Boorshtein wrote:


 Looking at KrbKdcRep.java:73 it looks like the failure is happening
 because Java is setting the forwardable flag to true on the request
 but the response has no options in it.  Should the forwardable option
 be false in the request?
>>>
>>>
>>>
>>> That's a fair guess.
>>> the whole point of constrained delegation (including protocol
>>> impersonation)
>>> is that you do not want to forward tickets, so you shouldn't ask for
>>> forwardable tickets methinks.
>>>
>>> Simo.
>>>
>>
>> Thanks Simo.  I tried running kinit with forwarding disabled:
>>
>> $ kinit HTTP/unison-freeipa.rhelent@rhelent.lan -k -t
>> ./unison-freeipa.keytab -F
>>
>> $ klist -f
>>
>> Ticket cache: FILE:/tmp/krb5cc_500
>>
>> Default principal: HTTP/unison-freeipa.rhelent@rhelent.lan
>>
>>
>> Valid starting ExpiresService principal
>>
>> 10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/rhelent@rhelent.lan
>>
>> Flags: IA
>>
>> But when I try again Java refuses to generate the ticket:
>>
>> tremoloadmin@unison-freeipa ~]$ klist -f
>> Ticket cache: FILE:/tmp/krb5cc_500
>> Default principal: HTTP/unison-freeipa.rhelent@rhelent.lan
>>
>> Valid starting ExpiresService principal
>> 10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/rhelent@rhelent.lan
>> Flags: IA
>>
>> Hello World!
>> Search Subject for Kerberos V5 INIT cred (<>,
>> sun.security.jgss.krb5.Krb5InitCredential)
>> No Subject
>
> KinitOptions cache name is /tmp/krb5cc_500
> DEBUG   client principal is
> HTTP/unison-freeipa.rhelent@rhelent.lan
> DEBUG  server principal is
> krbtgt/rhelent@rhelent.lan
> DEBUG  key type: 18
> DEBUG  auth time: Tue Oct 27 15:32:52 EDT 2015
> DEBUG  start time: Tue Oct 27 15:32:52 EDT 2015
> DEBUG  end time: Wed Oct 28 15:32:52 EDT 2015
> DEBUG  renew_till time: null
> CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
> DEBUG   client principal is
> HTTP/unison-freeipa.rhelent@rhelent.lan
>>
>> Java config name: /home/tremoloadmin/krb5.conf
>> Loaded from Java config
>
> DEBUG  server principal is
> X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/rhelent@rhelent.lan@RHELENT.LAN
> DEBUG  key type: 0
> DEBUG  auth time: Wed Dec 31 19:00:00 EST 1969
> DEBUG  start time: null
> DEBUG  end time: Wed Dec 31 19:00:00 EST 1969
> DEBUG  renew_till time: null
> CCacheInputStream: readFlags()
>>
>> Found ticket for HTTP/unison-freeipa.rhelent@rhelent.lan to go to
>> krbtgt/rhelent@rhelent.lan expiring on Wed Oct 28 15:32:52 EDT
>> 2015
>> Search Subject for SPNEGO INIT cred (<>,
>> sun.security.jgss.spnego.SpNegoCredElement)
>> No Subject
>> Search Subject for Kerberos V5 INIT cred (<>,
>> sun.security.jgss.krb5.Krb5InitCredential)
>> No Subject
>
> KinitOptions cache name is /tmp/krb5cc_500
> DEBUG   client principal is
> HTTP/unison-freeipa.rhelent@rhelent.lan
> DEBUG  server principal is
> krbtgt/rhelent@rhelent.lan
> DEBUG  key type: 18
> DEBUG  auth time: Tue Oct 27 15:32:52 EDT 2015
> DEBUG  start time: Tue Oct 27 15:32:52 EDT 2015
> DEBUG  end time: Wed Oct 28 15:32:52 EDT 2015
> DEBUG  renew_till time: null
> CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
> DEBUG   client principal is
> HTTP/unison-freeipa.rhelent@rhelent.lan
> DEBUG  server principal is
> X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/rhelent@rhelent.lan@RHELENT.LAN
> DEBUG  key type: 0
> DEBUG  auth time: Wed Dec 31 19:00:00 EST 1969
> DEBUG  start time: null
> DEBUG  end time: Wed Dec 31 19:00:00 EST 1969
> DEBUG  renew_till time: null
> CCacheInputStream: readFlags()
>>
>> Found ticket for HTTP/unison-freeipa.rhelent@rhelent.lan to go to
>> krbtgt/rhelent@rhelent.lan expiring on Wed Oct 28 15:32:52 EDT
>> 2015
>
> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
>>
>> Exception in thread "main" GSSException: Failure unspecified at
>> GSS-API level (Mechanism level: Attempt to obtain S4U2self credentials
>> failed!)
>> at
>> sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
>> at
>> sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:94)
>> at
>> sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:141)
>> at io.tremolo.App.main(App.java:27)
>> Caused by: KrbException: Invalid option setting in ticket request. (101)
>> at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:165)
>> at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:100)