Confusion about delegation

2019-01-31 Thread John Byrne
Hi,

I'm confused about a couple of points regarding delegation - could anyone
help to educate me please?

I am trying to perform a constrained delegation authentication with a web
application. The user authenticates to a web application (principal HTTP/
www.example.com) and that web application then authenticates to another web
app (HTTP/datastore.example.com).

Based on the information here (
https://web.mit.edu/kerberos/krb5-devel/doc/appdev/gssapi.html) I think I
need the first web app to get proxy credentials for the user from the KDC,
then initialize a security context using those creds, and then use the
token it gets from that security context to authenticate against second web
app as that user. Have I read that correctly?

With this in mind, I'm using the following code on the intermediate server.
It's using the python-gssapi library, which uses MIT krb5 underneath (v
1.15.1). Hopefully it's clear what's happening here in pure gssapi terms:

import base64
import gssapi
import requests

# the principal for this (intermediate) service
name = gssapi.Name('HTTP/www.example.com')
creds = gssapi.Credentials(name=name, usage='initiate')
# the user that this service wants to impersonate
username = gssapi.Name('kerbtestjohn')
# S4U2Self: ask the KDC for a ticket from the user to this service
proxy_creds = creds.impersonate(username, usage='initiate')
# the service that this service wants to access as the impersonated user
target_name = gssapi.Name('HTTP/datastore.example.com')
# S4U2Proxy: build a context to the target using the proxy credentials
client_ctx = gssapi.SecurityContext(name=target_name,
                                    creds=proxy_creds, usage='initiate')
initial_client_token = client_ctx.step()
# b64encode returns bytes on Python 3, so decode before joining with str
t = base64.b64encode(initial_client_token).decode('ascii')
headers = {'Authorization': 'Negotiate ' + t}
r = requests.get('http://datastore.example.com/', headers=headers)

The client_ctx.step() call returns this error: gssapi.raw.misc.GSSError:
Major (851968): Unspecified GSS failure.  Minor code may provide more
information, Minor (2529639053): Matching credential not found

I've made sure that the target_name principal is in the default keytab, but
honestly I'm not even sure why it's looking for a credential for this
principal at this point. In any case, having it in the keytab doesn't seem
to help.

The surprising thing is that if I initialize the context with the other
name instead (HTTP/www.example.com), then this code works perfectly, and
authenticates me as 'kerbtestjohn' to www.datastore.com. I didn't think
that should work. Even stranger, if I omit the proxy_creds from the
SecurityContext, then it also works, using either of the 2 service names.
So I can impersonate users without the proxy creds!? Shouldn't that be
rejected?

The final confusing thing is that I don't have the 'ok_to_auth_as_delegate'
bit set on any of my principals. Shouldn't I have to set that for HTTP/
www.example.com in order for that service to be able to impersonate a user?

The datastore.example.com service is using nginx +
spnego-http-auth-nginx-module. Again, this uses MIT krb5 (same version,
1.15.1). I don't see any signs that this component is not working
correctly. It's definitely enforcing authentication.

Can anyone explain what I'm doing wrong here? Thanks in advance for any
insight you can provide!

-John

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Confusion about delegation

2019-02-01 Thread John Byrne
Thanks, this helps a lot.

I think the reason it appeared to be working for me when I used the wrong
name HTTP/www.example.com is because I incorrectly had that principal in
the keytab of the other service. And in the second case, where I omitted the
creds altogether, you are correct, it just authenticated as HTTP/
www.example.com and not kerbtestjohn.

So, I have set ok_to_auth_as_delegate in my KDC for the intermediate
service principal HTTP/www.example.com, but now I'm getting this error on
the step() call:

Feb 01 14:47:14 localhost.localdomain krb5kdc[6376](info): TGS_REQ (8
etypes {18 17 20 19 16 23 25 26}) 192.168.0.22: NOT_ALLOWED_TO_DELEGATE:
authtime 0,  HTTP/www.example@example.com for HTTP/
datastore.example@example.com, Plugin does not support the operation

I couldn't find any info on this, but I did some reading in the source code
and it looks like the necessary function 'check_allowed_to_delegate' is
only defined for the ldap plugin. Have I got that right - I have to use
ldap to get this feature to work with the krb5 server? Or is there another
way?

Thanks again for the info on this!

-John


On Fri, Feb 1, 2019 at 12:26 PM Greg Hudson  wrote:

> On 1/31/19 1:32 PM, John Byrne wrote:
> > The client_ctx.step() call returns this error: gssapi.raw.misc.GSSError:
> > Major (851968): Unspecified GSS failure.  Minor code may provide more
> > information, Minor (2529639053): Matching credential not found
>
> This is a bad error message, and we have an open ticket noting the need
> to improve it:
>
>   http://krbdev.mit.edu/rt/Ticket/Display.html?id=8586
>
> Because you haven't set the ok_to_auth_as_delegate bit on
> HTTP/www.example.com, the KDC issues a non-forwardable service ticket in
> the creds.impersonate() step.  The GSSAPI layer stores this as a regular
> cred object containing a user -> HTTP/www.example.com service ticket,
> not an impersonator cred.  Such a credential can be interrogated for
> name attributes to get PAC information (if it came from a KDC supporting
> PACs) or to authenticate to the intermediate service itself, but it
> can't be used to authenticate to any other service.
>
> When gss_init_sec_context() tries to authenticate with this credential,
> it can't find either a client -> target or client -> krbtgt/REALM
> credential, so it fails with the uninformative error message.
>
> Release 1.16 added the ability to query a credential for whether it is
> an impersonator credential, as noted in the documentation page you
> referenced.
>
> > I've made sure that the target_name principal is in the default keytab
>
> Only the target service should have a target_name keytab entry.  Giving
> out that keytab to other parties poses a security issue, allowing those
> parties to impersonate (in the attacker sense, not the S4U2Proxy sense)
> the target service.
>
> > The surprising thing is that if I initialize the context with the other
> > name instead (HTTP/www.example.com), then this code works perfectly, and
> > authenticates me as 'kerbtestjohn' to www.datastore.com.
>
> I would expect this to authenticate from kerbtestjohn to
> HTTP/www.example.com.  How would it authenticate to www.datastore.com if
> you didn't ask gss_init_sec_context() to do so?
>
> > Even stranger, if I omit the proxy_creds from the
> > SecurityContext, then it also works, using either of the 2 service names.
> > So I can impersonate users without the proxy creds!? Shouldn't that be
> > rejected?
>
> If you omit proxy_creds, then it should authenticate from whatever
> client is in the default ccache (probably HTTP/www.example.com) to the
> target service.  It shouldn't authenticate as krbtestjohn.
>



Setting up the KDC ldap backend

2019-02-05 Thread John Byrne
Hi,

I'm trying to set up the KDC with the LDAP plugin. I've been using:

https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html
and
https://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/ldapbackend.html#ldap-be-ubuntu

as references (I'm not using Ubuntu, I'm using CentOS 7 but most of the
info on the Ubuntu page above seems to be fairly generic).

When I run the command to create the database, it challenges me for a
password. I didn't set one up, and if I just hit enter, I get this:

$ sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -s
Password for "cn=admin,dc=example,dc=com":
kdb5_ldap_util: Cannot allocate memory while retrieving ldap configuration

Now, I don't really know much about LDAP, so I could be missing something.
Do I have to create "cn=admin,dc=example,dc=com" as a user somehow before I
run this?

I've tried reading up on LDAP, but I haven't found anything that explains
what I need to do here. I'm looking for a shortcut to the quickest possible
setup - I don't really need LDAP except that I'm trying to test constrained
delegation in a web application, and apparently that only works with the
LDAP backend.

Can anyone explain what's the bare minimum I need to do to get this
working?

Thanks,
John



Re: Setting up the KDC ldap backend

2019-02-06 Thread John Byrne
Thanks for the replies. I had found a walkthrough on setting up LDAP on
its own on that site too:
https://community.hortonworks.com/articles/79806/how-to-setup-openldap-24-on-centos-7.html

And that explained how to set up the user with the access I needed - that
got me past that error from my last email.

Now I'm getting this:

$ kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -s
Password for "cn=admin,dc=example,dc=com":
Initializing database for realm 'EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
kdb5_ldap_util: Kerberos Container create FAILED: No such object while
creating realm 'EXAMPLE.COM'

I'll take a look at the tutorial you linked to, but I just thought I'd post
this and see if anyone recognizes the error message.

-John


On Wed, Feb 6, 2019 at 11:49 AM Todd Grayson  wrote:

> I'm not sure what's going on with the error message you are seeing.
>
> As far as how-to info: The hortonworks community has a walkthrough of MIT
> KDC with LDAP backend on CentOS7, here:
>
>
> https://community.hortonworks.com/articles/199542/configuring-kerberos-with-openldap-back-end.html
>
> --
> Todd Grayson
> Customer Operations Engineering
> Security SME
>
>



Re: Setting up the KDC ldap backend

2019-02-06 Thread John Byrne
In case anyone has a similar issue, I was able to get it set up eventually.
The problem was that I needed to create the "dc=example,dc=com" entry
first. I don't understand why I was able to create a rootdn user called
"cn=admin,dc=example,dc=com" if "dc=example,dc=com" doesn't exist, but
anyway I created an ldif file like this:

dn: dc=example,dc=com
objectClass: domain

And after running ldapmodify on that, I was able to finish creating the
krb5 database.

Thanks,
John





Constrained Delegation error "KDC policy rejects request"

2019-02-06 Thread John Byrne
Hi,

I've set up a KDC using LDAP as the backend (krb5 1.15.1 on CentOS 7), and
I'm trying to perform constrained delegation. However, I'm getting this
error from the KDC when the intermediate service calls the step() function
on the security context: "KDC policy rejects request"

Here's the KDC log:

Feb 06 15:39:35 localhost.localdomain krb5kdc[13310](info): TGS_REQ (8
etypes {18 17 20 19 16 23 25 26}) 192.168.0.22: NOT_ALLOWED_TO_DELEGATE:
authtime 0,  HTTP/www.example@example.com for HTTP/
datastore.example@example.com, KDC policy rejects request

I've set the "ok_to_auth_as_delegate" flag on the intermediate service
principal HTTP/www.example.com, using kadmin.local (output of getprinc
below).

Is there something else I need to do to allow this?

Thanks,
John

PS. here's the output of kadmin.local getprinc command for the intermediate
service principal:

kadmin.local:  getprinc HTTP/www.example.com
Principal: HTTP/www.example@example.com
Expiration date: [never]
Last password change: Wed Feb 06 14:58:41 EST 2019
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Wed Feb 06 15:19:15 EST 2019 (root/ad...@example.com)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes: OK_TO_AUTH_AS_DELEGATE
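Both of the KDC log lines quoted in these threads share one status, NOT_ALLOWED_TO_DELEGATE, and differ only in the trailing reason, which is what tells an operator which of the two fixes applies. The following is an added example, not code from the thread or from MIT krb5: a small parser for lines of that shape that extracts the source address, the intermediate and target principals and the reason, attaches the meaning each reason had in this thread, and counts repeated denials per (client, server, reason) so a misconfigured or misbehaving intermediate stands out in the KDC log. The sample log lines are constructed (timestamps, host, pid and address are placeholders), and principals are written in the normal name@REALM form rather than the archive-mangled form shown above.

```python
import re
from collections import Counter

# Constructed sample of krb5kdc output in the shape quoted in the thread.
# The fourth line is an ordinary AS_REQ and must be ignored by the parser.
KDC_LOG = """\
Feb 01 14:47:14 localhost.localdomain krb5kdc[6376](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.0.22: NOT_ALLOWED_TO_DELEGATE: authtime 0,  HTTP/www.example.com@EXAMPLE.COM for HTTP/datastore.example.com@EXAMPLE.COM, Plugin does not support the operation
Feb 06 15:39:35 localhost.localdomain krb5kdc[13310](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.0.22: NOT_ALLOWED_TO_DELEGATE: authtime 0,  HTTP/www.example.com@EXAMPLE.COM for HTTP/datastore.example.com@EXAMPLE.COM, KDC policy rejects request
Feb 06 15:39:36 localhost.localdomain krb5kdc[13310](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.0.22: NOT_ALLOWED_TO_DELEGATE: authtime 0,  HTTP/www.example.com@EXAMPLE.COM for HTTP/datastore.example.com@EXAMPLE.COM, KDC policy rejects request
Feb 06 15:40:02 localhost.localdomain krb5kdc[13310](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.0.22: ISSUE: authtime 1549485602, etypes {rep=18 tkt=18 ses=18}, kerbtestjohn@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Matches only S4U2Proxy denials; everything else yields no match.
DENIAL_RE = re.compile(
    r'^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'krb5kdc\[(?P<pid>\d+)\]\(\w+\): TGS_REQ \((?P<etypes>[^)]*)\) '
    r'(?P<src>\S+): NOT_ALLOWED_TO_DELEGATE: authtime (?P<authtime>\d+),\s+'
    r'(?P<client>[^,\s]+) for (?P<server>[^,\s]+), (?P<reason>.+)$'
)

# What each reason turned out to mean in this thread (MIT krb5 1.15).
REMEDIATION = {
    'Plugin does not support the operation':
        'the KDC database backend does not implement check_allowed_to_delegate '
        '(in krb5 1.15 only the LDAP backend does), so no delegation ACL can be '
        'evaluated',
    'KDC policy rejects request':
        'the intermediate principal has no krbAllowedToDelegateTo value for the '
        'target service in LDAP; ok_to_auth_as_delegate alone is not enough',
}


def parse_denial(line):
    """Return a dict for a NOT_ALLOWED_TO_DELEGATE line, or None otherwise."""
    m = DENIAL_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['hint'] = REMEDIATION.get(
        rec['reason'], 'unrecognised reason; check the KDC backend and kdc.conf')
    return rec


def summarize(log_text):
    """Count denials per (client, server, reason) so repeats are visible."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is not None:
            counts[(rec['client'], rec['server'], rec['reason'])] += 1
    return counts


if __name__ == '__main__':
    for (client, server, reason), n in summarize(KDC_LOG).items():
        print('%d x %s -> %s: %s' % (n, client, server, reason))
        print('   hint: ' + REMEDIATION.get(reason, 'unknown'))
```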



Re: Constrained Delegation error "KDC policy rejects request"

2019-02-06 Thread John Byrne
I figured it out, and it's working for me now.

For anyone else who's having this issue, there are 2 separate things you
have to set up to allow an intermediate service to impersonate a user:

* the ok_to_auth_as_delegate flag (in kadmin)
* an access control list in ldap.

I wasn't sure if editing ldap directly was the best thing to do, but I
didn't know of any alternative, so I created an ldif file like this:

dn: krbPrincipalName=HTTP/www.example@example.com,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com
changetype: modify
add: krbAllowedToDelegateTo
krbAllowedToDelegateTo: HTTP/datastore.example.com

You might be able to guess your appropriate ldap dn name based on that
format, but I just found it by doing a search with ldapsearch for my top
level entry, dc=example,dc=com.

After adding the above ldif with ldapmodify, constrained delegation now
works nicely and I can turn it on and off for that intermediate service via
kadmin, using the ok_to_auth_as_delegate flag.

Thanks again to everyone who replied to my other threads on this!

References:
http://kerberos.996246.n3.nabble.com/ACL-for-Constrained-Delegation-td39665.html

-John
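The two-part fix above (the ok_to_auth_as_delegate flag in kadmin plus a krbAllowedToDelegateTo value on the principal's LDAP entry) is easy to get subtly wrong by hand: the DN is long, and LDIF only allows a line to wrap if the continuation starts with a single space. The following is an added example, not code from the thread or from MIT krb5, that generates the LDIF for one intermediate service and any number of target services using the DN layout the thread found (krbPrincipalName=<princ>@<REALM>,cn=<REALM>,cn=krbContainer,<base>), folds long lines per RFC 2849, and produces the matching kadmin command. The principal, realm and base DN are constructed placeholders; the ldapmodify and ldapsearch invocations in the comments use the same options the thread used for kdb5_ldap_util.

```python
# Characters that would need RFC 4514 escaping inside a DN value; service
# principals normally contain none of them, so refuse rather than mis-escape.
DN_SPECIAL = set(',+"\\<>;=')


def principal_dn(principal, realm, base_dn):
    """DN of a principal entry in the krb5 LDAP schema (layout from the thread)."""
    if '@' not in principal:
        principal = '%s@%s' % (principal, realm)
    if any(c in DN_SPECIAL for c in principal):
        raise ValueError('principal needs DN escaping: %r' % principal)
    return 'krbPrincipalName=%s,cn=%s,cn=krbContainer,%s' % (principal, realm, base_dn)


def fold_ldif(line, width=76):
    """RFC 2849 folding: every continuation line begins with one space."""
    out = [line[:width]]
    rest = line[width:]
    while rest:
        out.append(' ' + rest[:width - 1])
        rest = rest[width - 1:]
    return '\n'.join(out)


def unfold_ldif(text):
    """Undo folding so generated LDIF can be checked line by line."""
    return text.replace('\n ', '')


def delegation_ldif(intermediate, targets, realm, base_dn):
    """LDIF that lets `intermediate` use S4U2Proxy to exactly `targets`.

    Keep the target list minimal: krbAllowedToDelegateTo is the ACL that bounds
    which services the intermediate may reach while impersonating a user.
    """
    if not targets:
        raise ValueError('at least one target service is required')
    lines = ['dn: ' + principal_dn(intermediate, realm, base_dn),
             'changetype: modify',
             'add: krbAllowedToDelegateTo']
    lines += ['krbAllowedToDelegateTo: ' + t for t in targets]
    return '\n'.join(fold_ldif(l) for l in lines) + '\n'


def kadmin_command(intermediate):
    """The kadmin half of the fix: enable the ok_to_auth_as_delegate flag."""
    return 'modprinc +ok_to_auth_as_delegate %s' % intermediate


if __name__ == '__main__':
    ldif = delegation_ldif('HTTP/www.example.com', ['HTTP/datastore.example.com'],
                           'EXAMPLE.COM', 'dc=example,dc=com')
    print(ldif)
    # Apply with:  ldapmodify -H ldapi:/// -D cn=admin,dc=example,dc=com -W -f delegation.ldif
    # Verify with: ldapsearch -H ldapi:/// -D cn=admin,dc=example,dc=com -W \
    #                -b "<dn printed above>" krbAllowedToDelegateTo
    print('kadmin.local:  ' + kadmin_command('HTTP/www.example.com'))
```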



Re: Using Kerberos on PYTHON

2020-10-11 Thread John Byrne
Hi,

You need a python binding for MIT Kerberos. I've had success with
python-gssapi (https://pypi.org/project/python-gssapi/).

-John


On Fri, Oct 9, 2020 at 1:50 PM Luciano Custodio 
wrote:

> Hi,
>
> I am writing a program in python to put a message in a kafka topic.
>
> I need to connect kafka with kerberos.
>
> My computer has windows 8 64bit.
>
> I installed the MIT Kerberos for windows and get a ticket kerberos.
>
> But now, I don't know how to get this ticket kerberos in the python
> program.
>
> Could someone help me?
>
> Ats,
> Luciano
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
