directory-kerby mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: KDC is rejecting my TGS
Date Sat, 21 Nov 2015 04:05:08 GMT
See your snapshots. In the two AS-REQes, a diff is the kdc-option flags. Kerby sets the following
all by default, which may be incorrect. 
In the client side KdcRequest.java file:
    protected void processKdcOptions() {
        // By default enforce these flags
        kdcOptions.setFlag(KdcOption.FORWARDABLE);
        kdcOptions.setFlag(KdcOption.PROXIABLE);
        kdcOptions.setFlag(KdcOption.RENEWABLE_OK);

A try would be to remove above 3 lines. I haven't got these flags clear yet but guess they
may need extra fields?

Regards,
Kai

-----Original Message-----
From: Zheng, Kai [mailto:kai.zheng@intel.com] 
Sent: Saturday, November 21, 2015 11:47 AM
To: kerby@directory.apache.org
Subject: RE: KDC is rejecting my TGS

OK, I will install the pcap stuff.

What I've fixed is the TGS principal type, not the server principal type. As I said in the
JIRA, it may be not the cause for the problem here.
Another fix is the kvno. Still not the exact cause.

I thought we need to figure out what field is missing in the ASN1 structure. Would you dig
into MIT KDC logs? Verbose?

-----Original Message-----
From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
Sent: Saturday, November 21, 2015 11:36 AM
To: kerby@directory.apache.org
Subject: Re: KDC is rejecting my TGS

I think I'll make this easier and just provide links to a pcap.  I pulled your updates Kai
but am getting the same error.  Here's the control:

https://s3.amazonaws.com/ts-public-downloads/captures/kerberos-control.pcap.pcapng

Here's the kerby capture:

https://s3.amazonaws.com/ts-public-downloads/captures/kerby-capture.pcapng

The sname type is still NT-Principal.  I added some code that let me specify the server principal
as a PrincipalName instead of just a string.
When I do this though I get same error out of freeipa.

Anything else standout?

Thanks

On Fri, Nov 20, 2015 at 8:12 PM, Zheng, Kai <kai.zheng@intel.com> wrote:

> The hex format may does the good letting us find the exact missing or 
> different field, though. It's concise and exact.
>
> -----Original Message-----
> From: Zheng, Kai [mailto:kai.zheng@intel.com]
> Sent: Saturday, November 21, 2015 9:06 AM
> To: kerby@directory.apache.org
> Subject: RE: KDC is rejecting my TGS
>
> The text format might save us some time when just want to take a look 
> from having a tool dump out from hex.
> I guess the text could be ok if it's made more compact?
>
> -----Original Message-----
> From: Emmanuel Lécharny [mailto:elecharny@gmail.com]
> Sent: Saturday, November 21, 2015 7:04 AM
> To: kerby@directory.apache.org
> Subject: Re: KDC is rejecting my TGS
>
> Le 20/11/15 23:27, Zheng, Kai a écrit :
> > Marc,
> >
> > You detail looks pretty good. Thanks!
> >
> > From your observation I copied below, I thought all the differences
> should be checked. The kvno (255 too large, bet 1) and principal name 
> types for client and server may be the causes that block you, but I'm 
> not very sure.
> > For now, please set principal type manually, and would be good to
> provide the similar comparing for the AS-REQ because that's the starting.
> I'm looking into this. Thanks.
> >
> > The differences I see are:
> > 1.  The authenticator from kerby PS-TGS-REQ has a kvno=255, java 
> > doesn't have that attribute 2.  Kerby has a cname section with the 
> > name of the client, java's implementation does not 3.  Kerby's SNAME 
> > has a name-type of KRB5-NT-Principal where as java's is 
> > KRB5-NT-Unknown 4.  Kerby has a "from", java does not 5.  Kerby's 
> > from and till are real dates, Java's is expired
>
> What would be good is to provide the PDU as it's being transmitted, in 
> Hex format. I must say it's easier for me to read such things than any 
> other output.
>
>
Mime
View raw message