directory-kerby mailing list archives

From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: KDC is rejecting my TGS
Date Fri, 20 Nov 2015 22:27:33 GMT
Marc,

Your detail looks pretty good. Thanks!

From your observation, which I copied below, I thought all the differences should be checked. The
kvno (255, too large, vs. 1) and the principal name types for client and server may be the causes
that block you, but I'm not very sure.
For now, please set the principal type manually, and it would be good to provide a similar comparison
for the AS-REQ, because that's the starting point. I'm looking into this. Thanks.

The differences I see are:
1.  The authenticator from kerby PA-TGS-REQ has a kvno=255, java doesn't have that attribute
2.  Kerby has a cname section with the name of the client, java's implementation does not
3.  Kerby's SNAME has a name-type of KRB5-NT-Principal whereas java's is KRB5-NT-Unknown
4.  Kerby has a "from", java does not
5.  Kerby's from and till are real dates, Java's is expired


-----Original Message-----
From: Marc Boorshtein [mailto:mboorshtein@gmail.com] 
Sent: Saturday, November 21, 2015 1:00 AM
To: kerby@directory.apache.org
Subject: KDC is rejecting my TGS

I've merged in all the new changes from Kai and Steve.  I get a TGT without issue, but now
I'm getting the following error from freeipa (built on MIT Kerberos):

Nov 20 09:38:40 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 etypes {17}) 10.8.0.2: ISSUE: authtime 1448030320, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN for krbtgt/RHELENT.LAN@RHELENT.LAN

Nov 20 09:38:40 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes {17}) 10.8.0.2: PROCESS_TGS: authtime 0,  <unknown client> for HTTP/ipa.rhelent.lan@RHELENT.LAN, ASN.1 structure is missing a required field

Now unfortunately it doesn't say WHAT the missing field is.  I've got a control set up to make
the same request in Java using the same keytab for the same resources.  Here's the TGS request
that works using the standard Java Kerberos libraries:

No.     Time           Source                Destination           Protocol Length Info
     84 4.103473000    10.8.0.2              192.168.2.166         KRB5     693    TGS-REQ

Frame 84: 693 bytes on wire (5544 bits), 693 bytes captured (5544 bits) on interface 3
    Interface id: 3 (utun0)
    Encapsulation type: NULL (15)
    Arrival Time: Nov 20, 2015 11:47:55.953694000 EST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1448038075.953694000 seconds
    [Time delta from previous captured frame: 0.019420000 seconds]
    [Time delta from previous displayed frame: 0.019361000 seconds]
    [Time since reference or first frame: 4.103473000 seconds]
    Frame Number: 84
    Frame Length: 693 bytes (5544 bits)
    Capture Length: 693 bytes (5544 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: null:ip:udp:kerberos]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Null/Loopback
    Family: IP (2)
Internet Protocol Version 4, Src: 10.8.0.2 (10.8.0.2), Dst: 192.168.2.166 (192.168.2.166)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 689
    Identification: 0x175e (5982)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x9386 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 10.8.0.2 (10.8.0.2)
    Destination: 192.168.2.166 (192.168.2.166)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 49177 (49177), Dst Port: 88 (88)
    Source Port: 49177 (49177)
    Destination Port: 88 (88)
    Length: 669
    Checksum: 0x8f4e [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [Stream index: 8]
Kerberos
    tgs-req
        pvno: 5
        msg-type: krb-tgs-req (12)
        padata: 1 item
            PA-DATA PA-TGS-REQ
                padata-type: kRB5-PADATA-TGS-REQ (1)
                    padata-value: 6e8201fa308201f6a003020105a10302010ea20703050000...
                        ap-req
                            pvno: 5
                            msg-type: krb-ap-req (14)
                            Padding: 0
                            ap-options: 00000000
                                0... .... = reserved: False
                                .0.. .... = use-session-key: False
                                ..0. .... = mutual-required: False
                            ticket
                                tkt-vno: 5
                                realm: RHELENT.LAN
                                sname
                                    name-type: kRB5-NT-SRV-INST (2)
                                    name-string: 2 items
                                        KerberosString: krbtgt
                                        KerberosString: RHELENT.LAN
                                enc-part
                                    etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                    kvno: 1
                                    cipher: 28198273460862c515248752f713987ea6857b206fe8fe86...
                            authenticator
                                etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
                                cipher: 9101cb1fb3694bbc9cfb972c73711cb8e33d59e1de7fdb1a...
        req-body
            Padding: 0
            kdc-options: 40000000 (forwardable)
                0... .... = reserved: False
                .1.. .... = forwardable: True
                ..0. .... = forwarded: False
                ...0 .... = proxiable: False
                .... 0... = proxy: False
                .... .0.. = allow-postdate: False
                .... ..0. = postdated: False
                .... ...0 = unused7: False
                0... .... = renewable: False
                .0.. .... = unused9: False
                ..0. .... = unused10: False
                ...0 .... = opt-hardware-auth: False
                .... ..0. = request-anonymous: False
                .... ...0 = canonicalize: False
                0... .... = constrained-delegation: False
                ..0. .... = disable-transited-check: False
                ...0 .... = renewable-ok: False
                .... 0... = enc-tkt-in-skey: False
                .... ..0. = renew: False
                .... ...0 = validate: False
            realm: RHELENT.LAN
            sname
                name-type: kRB5-NT-UNKNOWN (0)
                name-string: 2 items
                    KerberosString: HTTP
                    KerberosString: freeipa.rhelent.lan
            till: 1970-01-01 00:00:00 (UTC)
            nonce: 1040086776
            etype: 3 items
                ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
                ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)
                ENCTYPE: eTYPE-DES3-CBC-SHA1 (16)

and from kerby:

No.     Time           Source                Destination           Protocol Length Info
   2888 255.037980000  10.8.0.2              192.168.2.166         KRB5     742    TGS-REQ

Frame 2888: 742 bytes on wire (5936 bits), 742 bytes captured (5936 bits) on interface 3
    Interface id: 3 (utun0)
    Encapsulation type: NULL (15)
    Arrival Time: Nov 20, 2015 11:52:06.888201000 EST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1448038326.888201000 seconds
    [Time delta from previous captured frame: -0.000117000 seconds]
    [Time delta from previous displayed frame: 0.010323000 seconds]
    [Time since reference or first frame: 255.037980000 seconds]
    Frame Number: 2888
    Frame Length: 742 bytes (5936 bits)
    Capture Length: 742 bytes (5936 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: null:ip:udp:kerberos]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Null/Loopback
    Family: IP (2)
Internet Protocol Version 4, Src: 10.8.0.2 (10.8.0.2), Dst: 192.168.2.166 (192.168.2.166)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 738
    Identification: 0x226e (8814)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x8845 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 10.8.0.2 (10.8.0.2)
    Destination: 192.168.2.166 (192.168.2.166)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 56122 (56122), Dst Port: 88 (88)
    Source Port: 56122 (56122)
    Destination Port: 88 (88)
    Length: 718
    Checksum: 0x461a [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [Stream index: 30]
Kerberos
    tgs-req
        pvno: 5
        msg-type: krb-tgs-req (12)
        padata: 1 item
            PA-DATA PA-TGS-REQ
                padata-type: kRB5-PADATA-TGS-REQ (1)
                    padata-value: 6e8201f8308201f4a003020105a10302010ea20703050000...
                        ap-req
                            pvno: 5
                            msg-type: krb-ap-req (14)
                            Padding: 0
                            ap-options: 00000000
                                0... .... = reserved: False
                                .0.. .... = use-session-key: False
                                ..0. .... = mutual-required: False
                            ticket
                                tkt-vno: 5
                                realm: RHELENT.LAN
                                sname
                                    name-type: kRB5-NT-PRINCIPAL (1)
                                    name-string: 2 items
                                        KerberosString: krbtgt
                                        KerberosString: RHELENT.LAN
                                enc-part
                                    etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                    kvno: 1
                                    cipher: 1bea5e1ce7205e55dd088dc647222d5a20d62c41a172c0b4...
                            authenticator
                                etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
                                kvno: 255
                                cipher: dd243f0d6aaa9c03a6e6737b18ca8510d4bfac33296a07d2...
        req-body
            Padding: 0
            kdc-options: 40000000 (forwardable)
                0... .... = reserved: False
                .1.. .... = forwardable: True
                ..0. .... = forwarded: False
                ...0 .... = proxiable: False
                .... 0... = proxy: False
                .... .0.. = allow-postdate: False
                .... ..0. = postdated: False
                .... ...0 = unused7: False
                0... .... = renewable: False
                .0.. .... = unused9: False
                ..0. .... = unused10: False
                ...0 .... = opt-hardware-auth: False
                .... ..0. = request-anonymous: False
                .... ...0 = canonicalize: False
                0... .... = constrained-delegation: False
                ..0. .... = disable-transited-check: False
                ...0 .... = renewable-ok: False
                .... 0... = enc-tkt-in-skey: False
                .... ..0. = renew: False
                .... ...0 = validate: False
            cname
                name-type: kRB5-NT-PRINCIPAL (1)
                name-string: 2 items
                    KerberosString: HTTP
                    KerberosString: s4u.rhelent.lan
            realm: RHELENT.LAN
            sname
                name-type: kRB5-NT-PRINCIPAL (1)
                name-string: 2 items
                    KerberosString: HTTP
                    KerberosString: freeipa.rhelent.lan
            from: 2015-11-20 16:52:06 (UTC)
            till: 2015-11-21 00:52:06 (UTC)
            nonce: 984126497
            etype: 1 item
                ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)

The differences I see are:

1.  The authenticator from kerby PA-TGS-REQ has a kvno=255, java doesn't have that attribute
2.  Kerby has a cname section with the name of the client, java's implementation does not
3.  Kerby's SNAME has a name-type of KRB5-NT-Principal whereas java's is KRB5-NT-Unknown
4.  Kerby has a "from", java does not
5.  Kerby's from and till are real dates, Java's is expired

My guess is the issue is #3?  I'm thinking I can set that in the options.
I already added a method that lets me get an SGT with options (like the tgtWithOptions method).
I'll see if there's a way to specify the principal type from there.  Anything else stand
out?


Thanks

Marc
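Added example for this thread (it is not code from the post, from Apache Kerby or from MIT krb5): a minimal DER walker in Python that decodes the visible 24-byte head of the two PA-TGS-REQ AP-REQ blobs quoted above (pvno, msg-type and the declared AP-REQ length, 506 bytes for the Java request vs 504 for Kerby's) and checks a KDC-REQ-BODY against the tag list in RFC 4120 section 5.4.1, where kdc-options [0], realm [2], till [5], nonce [7] and etype [8] are required and cname [1], sname [3] and from [4] are OPTIONAL (kvno [1] inside EncryptedData is likewise OPTIONAL, section 5.2.9). The req-body samples below are constructed from the field values Wireshark decoded, because the bytes beyond the two prefixes are not in the post; a third constructed sample drops till, so the check has one genuinely invalid body to flag.

```python
# Added example (not from the thread or from Apache Kerby): minimal DER walker
# for the Kerberos structures discussed above.

# Prefixes exactly as Wireshark printed them (the capture cuts them off at "...").
JAVA_APREQ_PREFIX = bytes.fromhex("6e8201fa308201f6a003020105a10302010ea20703050000")
KERBY_APREQ_PREFIX = bytes.fromhex("6e8201f8308201f4a003020105a10302010ea20703050000")

# KDC-REQ-BODY context tags, RFC 4120 section 5.4.1: only these five are mandatory.
REQ_BODY_REQUIRED = {0: "kdc-options", 2: "realm", 5: "till", 7: "nonce", 8: "etype"}
REQ_BODY_OPTIONAL = {1: "cname", 3: "sname", 4: "from", 6: "rtime", 9: "addresses",
                     10: "enc-authorization-data", 11: "additional-tickets"}


def der_length(buf, i):
    """Decode the DER length at buf[i]; return (length, offset of content)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("malformed DER length at offset %d" % i)
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def der_elements(buf):
    """Split buf into (tag, declared_length, content); a truncated tail keeps what survives."""
    out, i = [], 0
    while i < len(buf):
        length, j = der_length(buf, i + 1)
        out.append((buf[i], length, buf[j:j + length]))
        i = j + length
    return out


def decode_apreq_prefix(prefix):
    """Read pvno and msg-type from the head of a KRB-AP-REQ ([APPLICATION 14])."""
    (tag, declared, body), = der_elements(prefix)
    if tag != 0x6E:
        raise ValueError("not an AP-REQ")
    (seq_tag, _, seq), = der_elements(body)
    if seq_tag != 0x30:
        raise ValueError("AP-REQ is not a SEQUENCE")
    ints = {}
    for ctx_tag, _, content in der_elements(seq):
        if ctx_tag in (0xA0, 0xA1):                 # [0] pvno, [1] msg-type
            (_, _, val), = der_elements(content)
            ints[ctx_tag & 0x1F] = int.from_bytes(val, "big")
    return {"declared_len": declared, "pvno": ints[0], "msg_type": ints[1]}


def check_req_body(der):
    """Report present, missing-required and unknown context tags of a KDC-REQ-BODY."""
    (tag, _, seq), = der_elements(der)
    if tag != 0x30:
        raise ValueError("KDC-REQ-BODY is not a SEQUENCE")
    present = {t & 0x1F for t, _, _ in der_elements(seq) if (t & 0xC0) == 0x80}
    return {"present": sorted(present),
            "missing": [REQ_BODY_REQUIRED[n] for n in sorted(REQ_BODY_REQUIRED) if n not in present],
            "unknown": sorted(present - set(REQ_BODY_REQUIRED) - set(REQ_BODY_OPTIONAL))}


# Tiny DER encoder, just enough to build the constructed sample bodies.
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    if n < 0x100:
        return bytes([tag, 0x81, n]) + content
    return bytes([tag, 0x82, n >> 8, n & 0xFF]) + content

def ctx(n, content):            # [n] EXPLICIT (context-specific, constructed)
    return tlv(0xA0 | n, content)

def integer(v):
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def kstring(s):                 # KerberosString ::= GeneralString
    return tlv(0x1B, s.encode("ascii"))

def principal(name_type, parts):
    return tlv(0x30, ctx(0, integer(name_type)) +
               ctx(1, tlv(0x30, b"".join(kstring(p) for p in parts))))

def req_body(realm, sname_type, sname, till, nonce, etypes, cname=None, frm=None):
    """KDC-REQ-BODY with kdc-options=forwardable; till=None yields an invalid body."""
    f = [ctx(0, tlv(0x03, bytes([0, 0x40, 0, 0, 0])))]
    if cname is not None:
        f.append(ctx(1, principal(1, cname)))
    f.append(ctx(2, kstring(realm)))
    f.append(ctx(3, principal(sname_type, sname)))
    if frm is not None:
        f.append(ctx(4, tlv(0x18, frm.encode("ascii"))))
    if till is not None:
        f.append(ctx(5, tlv(0x18, till.encode("ascii"))))
    f.append(ctx(7, integer(nonce)))
    f.append(ctx(8, tlv(0x30, b"".join(integer(e) for e in etypes))))
    return tlv(0x30, b"".join(f))


# Constructed from the decoded field values in the two captures, not the wire bytes.
JAVA_BODY = req_body("RHELENT.LAN", 0, ["HTTP", "freeipa.rhelent.lan"],
                     "19700101000000Z", 1040086776, [17, 23, 16])
KERBY_BODY = req_body("RHELENT.LAN", 1, ["HTTP", "freeipa.rhelent.lan"],
                      "20151121005206Z", 984126497, [17],
                      cname=["HTTP", "s4u.rhelent.lan"], frm="20151120165206Z")
NO_TILL_BODY = req_body("RHELENT.LAN", 1, ["HTTP", "freeipa.rhelent.lan"], None, 1, [17])

if __name__ == "__main__":
    for label, blob in (("java", JAVA_APREQ_PREFIX), ("kerby", KERBY_APREQ_PREFIX)):
        print(label, decode_apreq_prefix(blob))
    for label, body in (("java", JAVA_BODY), ("kerby", KERBY_BODY), ("no-till", NO_TILL_BODY)):
        print(label, check_req_body(body))
```

The truncated prefixes parse because the walker slices whatever content survives instead of insisting on the declared length; that same truncation is why this cannot name the field the KDC complained about, which needs the full TGS-REQ bytes rather than the 24 that made it into the post.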