directory-kerby mailing list archives

From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: How to request a forwardable ticket?
Date Wed, 18 Nov 2015 13:56:40 GMT
Marc,

As Steve noted, the MIT kinit program sets FORWARDABLE, PROXIABLE and RENEWABLE_OK by default.
We can and should do that. So if what you need is to request a forwardable ticket, please
do it over there as a quick workaround for you. The default flags can be set in the KdcRequest
constructor where kdcOptions is just created. I will go to sleep now :).

Regards,
Kai

-----Original Message-----
From: Zheng, Kai [mailto:kai.zheng@intel.com] 
Sent: Wednesday, November 18, 2015 9:38 PM
To: kerby@directory.apache.org; Steve Moyer <smoyer@psu.edu>
Subject: RE: How to request a forwardable ticket?

Hi Steve,

Thanks for your digging!

>> Here's the snippet of code I created to copy the KrbOptions to KdcOptions ... I think this was the designed intention ...
I'm wondering if it could be better if we explicitly check the KdcOption-related options contained
in the KrbOptions passed from the above layer. For example:

    if (requestOptions.contains(KrbOption.FORWARDABLE)) {
        asRequest.getKdcOptions().setFlag(KdcOption.FORWARDABLE);
    }

>> Is a pull request on GitHub the easiest way to send you code changes or would you prefer patches attached to the issues in Jira?
If it's convenient for you to generate a patch and upload it to the JIRA, that would be great, but a
GH PR should work for us as well!

Regards,
Kai

-----Original Message-----
From: Steve Moyer [mailto:smoyer@psu.edu]
Sent: Wednesday, November 18, 2015 9:18 PM
To: kerby@directory.apache.org
Subject: Re: How to request a forwardable ticket?

I've got working code for FORWARDABLE AND PROXIABLE ... I've been looking at the changes needed
for RENEWABLE_OK (and maybe other flags).

Right now the code feels a bit strange.  I set a flag in KrbOptions and I'm converting the
appropriate flags to KdcOptions, then generating the bitmap.  Should this really be happening
just by matching the enum name() from KrbOption to KdcOption?  DIRKRB-449 (https://issues.apache.org/jira/browse/DIRKRB-449)
is resolved as of commit 9e504bd785d894491bd8f4fbe2359f346d951299 (https://github.com/apache/directory-kerby/commit/c3c778f3af0fe2a187c10447682bf12b9bed7c6d),
so the flags in the AsRequest are set properly.

Here's the snippet of code I created to copy the KrbOptions to KdcOptions ... I think this
was the designed intention:

        KdcOptions kdcOptions = new KdcOptions();
        for (KOption koption: requestOptions.getOptions()) {
            try {
              KdcOption kdcOption = KdcOption.valueOf(koption.getOptionName());
              kdcOptions.setFlag(kdcOption, requestOptions.getBooleanOption(koption, false));
            } catch (IllegalArgumentException | NullPointerException e) {
              // It's completely acceptable that a request option is NOT a KdcOption
              // but PMD doesn't like empty finally or catch blocks - here's a message
              // just for you!
              e.getMessage();
            }
        }
        
        asRequest.setKdcOptions(kdcOptions);

DIRKRB-450 (https://issues.apache.org/jira/browse/DIRKRB-450) was assigned to me and I'll
try to get a pull request for this code issued today.  As noted below, DIRKRB-452 (https://issues.apache.org/jira/browse/DIRKRB-452)
is also required for those using the KinitTool (at the moment, I'm requesting TGTs programmatically).

Kai and Jia:

Is a pull request on GitHub the easiest way to send you code changes or would you prefer patches
attached to the issues in Jira?

Steve

--

“The mark of the immature man is that he wants to die nobly for a cause, while the mark
of the mature man is that he wants to live humbly for one.” - Wilhelm Stekel

----- Original Message -----
From: "Zheng, Kai" <kai.zheng@intel.com>
To: kerby@directory.apache.org
Sent: Tuesday, November 17, 2015 10:18:09 PM
Subject: RE: How to request a forwardable ticket?

Looks like we're hitting this issue, which isn't resolved yet. I was somewhat mistaken.
https://issues.apache.org/jira/browse/DIRKRB-452


-----Original Message-----
From: Zheng, Kai [mailto:kai.zheng@intel.com]
Sent: Wednesday, November 18, 2015 11:10 AM
To: kerby@directory.apache.org
Subject: RE: How to request a forwardable ticket?

OK, I see. Looks like KrbOption.FORWARDABLE in request options isn't passed down to KdcOptions
for the final AsReq.
Will take a look and possibly fix it soon.

-----Original Message-----
From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
Sent: Wednesday, November 18, 2015 10:43 AM
To: kerby@directory.apache.org
Subject: Re: How to request a forwardable ticket?

Thanks Kai, I'm having the same issue with the latest code.  Here's the pull log:

remote: Counting objects: 467, done.
remote: Compressing objects: 100% (70/70), done.
remote: Total 143 (delta 47), reused 0 (delta 0)
Receiving objects: 100% (143/143), 12.23 KiB | 0 bytes/s, done.
Resolving deltas: 100% (47/47), completed with 35 local objects.
From https://git1-us-west.apache.org/repos/asf/directory-kerby
   955a845..d18ad29  master     -> origin/master
Updating 955a845..d18ad29
Fast-forward
 .../zookeeper-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/ZookeeperIdentityBackend.java |   8 +--
 kerby-config/src/main/java/org/apache/kerby/config/Conf.java |  48 +++++++++---------
 kerby-config/src/main/java/org/apache/kerby/config/Config.java |  35 +++++++------
 kerby-config/src/main/java/org/apache/kerby/config/ConfigImpl.java |  71 +++++++++++++++-----------
 kerby-config/src/test/java/org/apache/kerby/config/ConfTest.java |  11 ++--
 kerby-dist/kdc-dist/assembly.xml |   2 +
 kerby-dist/tool-dist/assembly.xml |   2 +
 kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfig.java |  43 ++++++++++------
 kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfigKey.java |   2 +-
 kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/AbstractInternalKrbClient.java |   8 +++
 kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java |  10 ++--
 .../kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/TestKrbConfigLoadWithDefaultRealm.java |  45 +++++++++++++++++
 kerby-kerb/kerb-client/src/test/resources/krb5-kdcrealm.conf |  19 +++++++
 kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbConfHelper.java |  17 ++++---
 kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestAsReqCodec.java |   3 +-
 kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestTgsReqCodec.java |   5 +-
 kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KrbFlags.java |  28 ++++++-----
 kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/spec/base/KrbFlagsTest.java | 155 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java |  44 +++++++++-------
 kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcUtil.java |   2 +-
 20 files changed, 420 insertions(+), 138 deletions(-)
 create mode 100644 kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/TestKrbConfigLoadWithDefaultRealm.java
 create mode 100644 kerby-kerb/kerb-client/src/test/resources/krb5-kdcrealm.conf
 create mode 100644 kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/spec/base/KrbFlagsTest.java


On Tue, Nov 17, 2015 at 9:32 PM, Zheng, Kai <kai.zheng@intel.com> wrote:

> Hi Marc,
>
> There are recent contributed fixes related to this from Steve. Would
> you check out and update to the latest code?
>
> commit c3c778f3af0fe2a187c10447682bf12b9bed7c6d
> Author: plusplusjiajia <jiajia.li@intel.com>
> Date:   Tue Nov 17 15:08:59 2015 +0800
>
>     DIRKRB-449 Fix the bit manipulation functions in KrbFlags. Contributed by Steve.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
> Sent: Wednesday, November 18, 2015 10:27 AM
> To: kerby@directory.apache.org
> Subject: How to request a forwardable ticket?
>
> I can't seem to work out how to specify any options for a ticket.  For
> s4u the TGT and SGTs need to be forwardable.  Here's my code so far:
>
>     KOptions requestOptions = new KOptions();
>     requestOptions.add(KrbOption.CLIENT_PRINCIPAL, "HTTP/s4u.rhelent.lan@RHELENT.LAN");
>     requestOptions.add(KrbOption.USE_KEYTAB, true);
>     requestOptions.add(KrbOption.KEYTAB_FILE, new File("/Users/mlb/Documents/localdev.keytab"));
>     requestOptions.add(KrbOption.FORWARDABLE, true);
>
>     TgtTicket tgt = kerb.requestTgtWithOptions(requestOptions);
>
> Looking at the code it doesn't look like the options are ever picked up.
> Any thoughts on how to set the forwardable flag?
>
> Thanks
>
> Marc
>
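
An added example (not from the thread and not Apache Kerby code) of the explicit mapping discussed above: request options are translated into the KDCOptions bit string using the bit positions from RFC 4120, section 5.4.1, where bit 0 is the most significant bit. The `KdcFlag` enum, `toKdcOptions`, `decode` and the sample option map are assumptions made for illustration; Kerby's own `KdcOption` and `KOptions` classes are not used.

```java
import java.util.EnumSet;
import java.util.LinkedHashMap;
import java.util.Map;

public class KdcOptionsDemo {
    // KDCOptions bit positions from RFC 4120 section 5.4.1 (bit 0 = most significant bit).
    enum KdcFlag {
        FORWARDABLE(1), PROXIABLE(3), RENEWABLE(8), RENEWABLE_OK(27);
        final int mask;
        KdcFlag(int bit) { this.mask = 1 << (31 - bit); }
    }

    // Explicit allowlist: only options that name a KDC flag AND are set to true become bits.
    // Anything else in the request options (principal, keytab, ...) never reaches the bitmap.
    static int toKdcOptions(Map<String, Object> requestOptions) {
        int bits = 0;
        for (KdcFlag flag : KdcFlag.values()) {
            if (Boolean.TRUE.equals(requestOptions.get(flag.name()))) {
                bits |= flag.mask;
            }
        }
        return bits;
    }

    // Reverse mapping, useful when checking what a captured AS-REQ actually asked for.
    static EnumSet<KdcFlag> decode(int bits) {
        EnumSet<KdcFlag> set = EnumSet.noneOf(KdcFlag.class);
        for (KdcFlag flag : KdcFlag.values()) {
            if ((bits & flag.mask) != 0) set.add(flag);
        }
        return set;
    }

    public static void main(String[] args) {
        // Constructed request options, shaped like the ones in the original question.
        Map<String, Object> opts = new LinkedHashMap<>();
        opts.put("CLIENT_PRINCIPAL", "HTTP/service@EXAMPLE.TEST"); // not a KDC flag, ignored
        opts.put("USE_KEYTAB", true);                              // not a KDC flag, ignored
        opts.put("FORWARDABLE", true);
        opts.put("PROXIABLE", false);                              // present but false: bit stays clear
        int bits = toKdcOptions(opts);
        System.out.printf("kdc-options = 0x%08X %s%n", bits, decode(bits));

        // The default set the thread attributes to MIT kinit.
        opts.put("PROXIABLE", true);
        opts.put("RENEWABLE_OK", true);
        bits = toKdcOptions(opts);
        System.out.printf("kdc-options = 0x%08X %s%n", bits, decode(bits));
    }
}
```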