directory-kerby mailing list archives

From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: How to request a forwardable ticket?
Date Thu, 19 Nov 2015 02:40:29 GMT
Great. I thought we need it. Note Steve is also looking at the changes needed for RENEWABLE_OK
(and maybe other flags) (from his email), so let's keep synced. Thanks.

-----Original Message-----
From: Marc Boorshtein [mailto:mboorshtein@gmail.com] 
Sent: Thursday, November 19, 2015 10:35 AM
To: kerby@directory.apache.org
Subject: Re: How to request a forwardable ticket?

Sounds like a good exercise to me.  I'll take a crack at it tomorrow.

Thanks

On Wed, Nov 18, 2015 at 9:33 PM, Zheng, Kai <kai.zheng@intel.com> wrote:

> Hi Marc,
>
> If it's missed there, how about adding it similarly? Thanks.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
> Sent: Thursday, November 19, 2015 10:29 AM
> To: kerby@directory.apache.org
> Subject: Re: How to request a forwardable ticket?
>
> Kai & Steve,
>
> Thanks for tackling this so quickly!  For TGT the request IS being 
> sent as forward-able, but for SGT it still isn't.  Also, which of the 
> KrbOptions lines up with RENEWABLE_OK?  I only see RENEW and RENEW_TIME.
>
> Thanks!
>
> On Wed, Nov 18, 2015 at 8:56 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
>
> > Marc,
> >
> > As Steve noted, the MIT kinit program sets FORWARDABLE, PROXIABLE 
> > and RENEWABLE_OK by default. We can and should do that. So if what 
> > you need is to request a forwardable ticket, please do it over there 
> > as a quick work way for you. The default flags can be set in the 
> > KdcRequest constructor where kdcOptions is just created. I will go to
> > sleep now :).
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Zheng, Kai [mailto:kai.zheng@intel.com]
> > Sent: Wednesday, November 18, 2015 9:38 PM
> > To: kerby@directory.apache.org; Steve Moyer <smoyer@psu.edu>
> > Subject: RE: How to request a forwardable ticket?
> >
> > Hi Steve,
> >
> > Thanks for your digging!
> >
> > >> Here's the snippet of code I created to copy the KrbOptions to
> > >> KdcOptions ... I think this was the designed intention ...
> > I'm wondering if it could be better if we check explicitly the 
> > KdcOption related options contained in KrbOptions passed from above 
> > layer. For example:
> >
> >     if (requestOptions.contains(KrbOption.FORWARDABLE)) {
> >         asRequest.getKdcOptions().setFlag(KdcOption.FORWARDABLE);
> >     }
> >
> > >> Is a pull request on GitHub the easiest way to send you code 
> > >> changes or would you prefer patches attached to the issues in Jira?
> > If it's convenient for you to generate a patch and upload it to the JIRA, 
> > it would be great, but GH PR should also work for us as well!
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Steve Moyer [mailto:smoyer@psu.edu]
> > Sent: Wednesday, November 18, 2015 9:18 PM
> > To: kerby@directory.apache.org
> > Subject: Re: How to request a forwardable ticket?
> >
> > I've got working code for FORWARDABLE AND PROXIABLE ... I've been 
> > looking at the changes needed for RENEWABLE_OK (and maybe other flags).
> >
> > Right now the code feels a bit strange.  I set a flag in KrbOptions 
> > and I'm converting the appropriate flags to KdcOptions, then 
> > generating the bitmap.  Should this really be happening just by 
> > matching the enum name() from KrbOption to KdcOption?  DIRKRB-449
> > (https://issues.apache.org/jira/browse/DIRKRB-449) is resolved as of 
> > commit 9e504bd785d894491bd8f4fbe2359f346d951299
> > (https://github.com/apache/directory-kerby/commit/c3c778f3af0fe2a187c10447682bf12b9bed7c6d),
> > so the flags in the AsRequest are set properly.
> >
> > Here's the snippet of code I created to copy the KrbOptions to 
> > KdcOptions ... I think this was the designed intention:
> >
> >         KdcOptions kdcOptions = new KdcOptions();
> >         for (KOption koption : requestOptions.getOptions()) {
> >             try {
> >                 KdcOption kdcOption = KdcOption.valueOf(koption.getOptionName());
> >                 kdcOptions.setFlag(kdcOption, requestOptions.getBooleanOption(koption, false));
> >             } catch (IllegalArgumentException | NullPointerException e) {
> >                 // It's completely acceptable that a request option is NOT a KdcOption
> >                 // but PMD doesn't like empty finally or catch blocks - here's a message
> >                 // just for you!
> >                 e.getMessage();
> >             }
> >         }
> >
> >         asRequest.setKdcOptions(kdcOptions);
> >
> > DIRKRB-450 (https://issues.apache.org/jira/browse/DIRKRB-450) was 
> > assigned to me and I'll try to get a pull request for this code 
> > issued today.  As noted below, DIRKRB-452 (
> > https://issues.apache.org/jira/browse/DIRKRB-452) is also required 
> > for those using the KinitTool (at the moment, I'm requesting TGTs 
> > programmatically).
> >
> > Kai and Jia:
> >
> > Is a pull request on GitHub the easiest way to send you code changes 
> > or would you prefer patches attached to the issues in Jira?
> >
> > Steve
> >
> > --
> >
> > “The mark of the immature man is that he wants to die nobly for a 
> > cause, while the mark of the mature man is that he wants to live 
> > humbly for one.”
> > - Wilhelm Stekel
> >
> > ----- Original Message -----
> > From: "Zheng, Kai" <kai.zheng@intel.com>
> > To: kerby@directory.apache.org
> > Sent: Tuesday, November 17, 2015 10:18:09 PM
> > Subject: RE: How to request a forwardable ticket?
> >
> > Looks like we're hitting this issue, which isn't resolved yet. I got 
> > some mistaken.
> > https://issues.apache.org/jira/browse/DIRKRB-452
> >
> >
> > -----Original Message-----
> > From: Zheng, Kai [mailto:kai.zheng@intel.com]
> > Sent: Wednesday, November 18, 2015 11:10 AM
> > To: kerby@directory.apache.org
> > Subject: RE: How to request a forwardable ticket?
> >
> > Ok, see. Looks like KrbOption.FORWARDABLE in request options isn't 
> > passed down to KdcOptions for the final AsReq.
> > Will take a look and possibly fix it soon.
> >
> > -----Original Message-----
> > From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
> > Sent: Wednesday, November 18, 2015 10:43 AM
> > To: kerby@directory.apache.org
> > Subject: Re: How to request a forwardable ticket?
> >
> > Thanks Kai, I'm having the same issue with the latest code.  Here's 
> > the pull log:
> >
> > remote: Counting objects: 467, done.
> > remote: Compressing objects: 100% (70/70), done.
> > remote: Total 143 (delta 47), reused 0 (delta 0)
> > Receiving objects: 100% (143/143), 12.23 KiB | 0 bytes/s, done.
> > Resolving deltas: 100% (47/47), completed with 35 local objects.
> > From https://git1-us-west.apache.org/repos/asf/directory-kerby
> >    955a845..d18ad29  master     -> origin/master
> > Updating 955a845..d18ad29
> > Fast-forward
> >  .../zookeeper-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/ZookeeperIdentityBackend.java |   8 +--
> >  kerby-config/src/main/java/org/apache/kerby/config/Conf.java |  48 +++++++++---------
> >  kerby-config/src/main/java/org/apache/kerby/config/Config.java |  35 +++++++------
> >  kerby-config/src/main/java/org/apache/kerby/config/ConfigImpl.java |  71 +++++++++++++++-----------
> >  kerby-config/src/test/java/org/apache/kerby/config/ConfTest.java |  11 ++--
> >  kerby-dist/kdc-dist/assembly.xml |   2 +
> >  kerby-dist/tool-dist/assembly.xml |   2 +
> >  kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfig.java |  43 ++++++++++------
> >  kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfigKey.java |   2 +-
> >  kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/AbstractInternalKrbClient.java |   8 +++
> >  kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java |  10 ++--
> >  .../kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/TestKrbConfigLoadWithDefaultRealm.java |  45 +++++++++++++++++
> >  kerby-kerb/kerb-client/src/test/resources/krb5-kdcrealm.conf |  19 +++++++
> >  kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbConfHelper.java |  17 ++++---
> >  kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestAsReqCodec.java |   3 +-
> >  kerby-kerb/kerb-core-test/src/test/java/org/apache/kerby/kerberos/kerb/codec/TestTgsReqCodec.java |   5 +-
> >  kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KrbFlags.java |  28 ++++++-----
> >  kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/spec/base/KrbFlagsTest.java | 155 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> >  kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java |  44 ++++++++++------
> >  kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcUtil.java |   2 +-
> >  20 files changed, 420 insertions(+), 138 deletions(-)
> >  create mode 100644 kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/TestKrbConfigLoadWithDefaultRealm.java
> >  create mode 100644 kerby-kerb/kerb-client/src/test/resources/krb5-kdcrealm.conf
> >  create mode 100644 kerby-kerb/kerb-core/src/test/java/org/apache/kerby/kerberos/kerb/spec/base/KrbFlagsTest.java
> >
> >
> > On Tue, Nov 17, 2015 at 9:32 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> >
> > > Hi Marc,
> > >
> > > There're recent contribution fixes related to this from Steve. 
> > > Would you checkout and update to the latest codes?
> > >
> > > commit c3c778f3af0fe2a187c10447682bf12b9bed7c6d
> > > Author: plusplusjiajia <jiajia.li@intel.com>
> > > Date:   Tue Nov 17 15:08:59 2015 +0800
> > >
> > >     DIRKRB-449 Fix the bit manipulation functions in KrbFlags. Contributed by Steve.
> > >
> > > Regards,
> > > Kai
> > >
> > > -----Original Message-----
> > > From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
> > > Sent: Wednesday, November 18, 2015 10:27 AM
> > > To: kerby@directory.apache.org
> > > Subject: How to request a forwardable ticket?
> > >
> > > I can't seem to work out how to specify any options for a ticket.
> > > For s4u the TGT and SGTs need to be forwardable.  Here's my code so far:
> > >
> > >         KOptions requestOptions = new KOptions();
> > >         requestOptions.add(KrbOption.CLIENT_PRINCIPAL, "HTTP/s4u.rhelent.lan@RHELENT.LAN");
> > >         requestOptions.add(KrbOption.USE_KEYTAB, true);
> > >         requestOptions.add(KrbOption.KEYTAB_FILE, new File("/Users/mlb/Documents/localdev.keytab"));
> > >         requestOptions.add(KrbOption.FORWARDABLE, true);
> > >
> > >         TgtTicket tgt = kerb.requestTgtWithOptions(requestOptions);
> > >
> > > Looking at the code it doesn't look like the options are ever picked up.
> > > Any thoughts on how to set the forwardable flag?
> > >
> > > Thanks
> > >
> > > Marc
> > >
> >
>