I’m not sure about this and wonder whether it may not work. But I have no idea for now
how to extract the TGT correctly.
encKdcRepPart = new EncAsRepPart();
encKdcRepPart.setAuthTime(cred.getAuthTime());
encKdcRepPart.setCaddr(cred.getClientAddresses());
encKdcRepPart.setEndTime(cred.getEndTime());
encKdcRepPart.setFlags(cred.getTicketFlags());
encKdcRepPart.setKey(cred.getKey());
encKdcRepPart.setRenewTill(cred.getRenewTill());
encKdcRepPart.setSname(cred.getServerName());
encKdcRepPart.setSrealm(cred.getServerName().getRealm());
encKdcRepPart.setStartTime(cred.getStartTime());
From: Christopher Lamb [mailto:christopher.l...@ch.ibm.com]
Sent: Tuesday, May 09, 2017 1:34 PM
To: kerby@directory.apache.org
Subject: Re: Using Kerby kerb-client as an alternative for GSS-API Sgt Request fails
Hi all
I can now retrieve the Tgt from the creds-cache, and request a Sgt. However, I
am now bouncing between 2 errors: "ERR BAD OPTION" and "ERR GENERIC".
If I create the Tgt with the clientPrincipal, the request is rejected by the
KDC with "ERR BAD OPTION".
Examining the request with Wireshark shows a cname element in the req-body.
This is not present in successful requests via GSS-API.
cname
    name-type: kRB5-NT-PRINCIPAL (1)
    cname-string: 1 item
        CNameString: lamb
The KDC log shows "TGT NOT PROXIABLE:" for the failed request.
On the other hand, if I fill the clientPrincipal on the Tgt with null the
request is rejected by the KDC with "ERR GENERIC".
The cname element is no longer present in the request body (which now looks
identical to that made by GSS-API).
The KDC logs show "ASN.1 structure is missing a required field". I suspect this
refers to the encrypted "app-req/authenticator/cname",
which debugging shows is now null!
// Import paths as in Apache Kerby 1.x (added while editing; check them against your Kerby version).
import java.io.File;
import java.io.IOException;
import java.util.List;

import org.apache.kerby.KOptions;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.ccache.Credential;
import org.apache.kerby.kerberos.kerb.ccache.CredentialCache;
import org.apache.kerby.kerberos.kerb.client.KrbClient;
import org.apache.kerby.kerberos.kerb.client.KrbKdcOption;
import org.apache.kerby.kerberos.kerb.client.KrbOption;
import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
import org.apache.kerby.kerberos.kerb.type.kdc.EncAsRepPart;
import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;

/**
 * Rebuilds a TgtTicket from the krbtgt entry of an MIT-style credential cache,
 * copying the cached times, flags, session key and server name into an
 * EncAsRepPart so that KrbClient can use the TGT for a TGS request.
 */
private TgtTicket retrieveCachedTicket(File ccacheFile) throws KrbException {
    Ticket ticket = null;
    PrincipalName clientPrincipal = null;
    EncAsRepPart encKdcRepPart = null;
    if (ccacheFile.exists() && ccacheFile.canRead()) {
        CredentialCache cCache = new CredentialCache();
        try {
            cCache.load(ccacheFile);
            List<Credential> credentials = cCache.getCredentials();
            for (Credential cred : credentials) {
                // we only want a tgt
                if (cred.getServerName().toString().startsWith("krbtgt")) {
                    ticket = cred.getTicket();
                    clientPrincipal = cred.getClientName();
                    encKdcRepPart = new EncAsRepPart();
                    encKdcRepPart.setAuthTime(cred.getAuthTime());
                    encKdcRepPart.setCaddr(cred.getClientAddresses());
                    encKdcRepPart.setEndTime(cred.getEndTime());
                    encKdcRepPart.setFlags(cred.getTicketFlags());
                    encKdcRepPart.setKey(cred.getKey());
                    encKdcRepPart.setRenewTill(cred.getRenewTill());
                    encKdcRepPart.setSname(cred.getServerName());
                    encKdcRepPart.setSrealm(cred.getServerName().getRealm());
                    encKdcRepPart.setStartTime(cred.getStartTime());
                }
            }
        } catch (IOException e) {
            throw new KrbException("Failed to load credentials", e);
        }
    } else {
        throw new IllegalArgumentException("Invalid ccache file, "
            + "does not exist, or is not readable: " + ccacheFile.getAbsolutePath());
    }
    return new TgtTicket(ticket, encKdcRepPart, clientPrincipal);
}

/** Requests a service ticket (SGT) for the HTTP service using the cached TGT. */
private void getKerbyServiceTicket() {
    try {
        File confFileDir = new File("/home/lamb/OTMS/kerberosTesting/");
        KrbClient krbClient = new KrbClient(confFileDir);
        krbClient.setKdcHost("kdc.acme.com");
        krbClient.setAllowUdp(true);
        krbClient.setAllowTcp(true);
        krbClient.setKdcUdpPort(88);
        krbClient.setKdcTcpPort(88);
        krbClient.init();

        File credsCache = new File("/tmp/krb5cc_9337");
        TgtTicket tgtTicket = retrieveCachedTicket(credsCache);

        // KDC options placed in the TGS-REQ body, plus the TGT and target principal
        KOptions requestOptions = new KOptions();
        requestOptions.add(KrbKdcOption.PROXIABLE, true);
        requestOptions.add(KrbKdcOption.FORWARDABLE);
        requestOptions.add(KrbKdcOption.CANONICALIZE, true);
        requestOptions.add(KrbKdcOption.RENEWABLE_OK, false);
        requestOptions.add(KrbOption.USE_TGT, tgtTicket);
        requestOptions.add(KrbOption.SERVER_PRINCIPAL, "HTTP/app-srv.acme@acme.com");
        SgtTicket sgtTicket = krbClient.requestSgt(requestOptions);
    } catch (KrbException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
}
Rejected Request "BAD OPTION":
tgs-req
    pvno: 5
    msg-type: krb-tgs-req (12)
    padata: 1 item
        PA-DATA PA-TGS-REQ
            padata-type: kRB5-PADATA-TGS-REQ (1)
            padata-value: 6e82023b30820237a003020105a10302010ea2070305...
                ap-req
                    pvno: 5
                    msg-type: krb-ap-req (14)
                    Padding: 0
                    ap-options:
                        0... = reserved: False
                        .0.. = use-session-key: False
                        ..0. = mutual-required: False
                    ticket
                        tkt-vno: 5
                        realm: ACME.COM
                        sname
                            name-type: kRB5-NT-PRINCIPAL (1)
                            sname-string: 2 items
                                SNameString: krbtgt
                                SNameString: ACME.COM
                        enc-part
                            etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                            kvno: 1
                            cipher: c2da50b960fdfdc44e098ee243f0aa698cfad82b8867fb98...
                    authenticator
                        etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                        cipher: 5e944cb16b72c6cb12b830b91e83ca84b3b7eadfb364e7da..