directory-kerby mailing list archives

From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: KDC is rejecting my TGS
Date Mon, 23 Nov 2015 13:19:49 GMT
OK. Did you make the following change as I told you in my last email, in addition to checking out
the latest commits?
====
if you'd just go on with your case, please make the following change and try.
In client side TgsRequest.java: processResponse(), use KeyUsage.TGS_REP_ENCPART_SUBKEY.
====

-----Original Message-----
From: Marc Boorshtein [mailto:mboorshtein@gmail.com] 
Sent: Monday, November 23, 2015 9:05 PM
To: kerby@directory.apache.org
Subject: Re: KDC is rejecting my TGS

New error:

Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 etypes
{17}) 192.168.2.129: ISSUE: authtime 1448283454, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN
for krbtgt/RHELENT.LAN@RHELENT.LAN

Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes
{17}) 192.168.2.129: PROCESS_TGS: authtime 0, HTTP/s4u.rhelent.lan@RHELENT.LAN for HTTP/freeipa.rhelent.lan@RHELENT.LAN,
Decrypt integrity check failed

Here's the packet trace:
https://s3.amazonaws.com/ts-public-downloads/captures/kerb-bad_integrity.pcapng

On Mon, Nov 23, 2015 at 4:22 AM, Zheng, Kai <kai.zheng@intel.com> wrote:

> With above fixup, I hit another issue that Kerby client failed to 
> decrypt the TGS-REP.
>
> I got it to work in my setup but I can't commit the code because 
> there are more cases to be investigated. Ref. the issue
> https://issues.apache.org/jira/browse/DIRKRB-472
>
> Marc,
> if you'd just go on with your case, please make the following change 
> and try.
> In client side TgsRequest.java: processResponse(), use 
> KeyUsage.TGS_REP_ENCPART_SUBKEY.
>
> -----Original Message-----
> From: Zheng, Kai [mailto:kai.zheng@intel.com]
> Sent: Monday, November 23, 2015 2:21 PM
> To: kerby@directory.apache.org
> Subject: RE: KDC is rejecting my TGS
>
> Fired and resolved the following issue to track the authenticator 
> issue we're handling.
> Will set up a box to test: Kerby client -> MIT KDC (in service ticket 
> path)
>
> commit df6ba15d4f990b104efcf36ede913f4eeb09a872
> Author: Drankye <drankye@gmail.com>
> Date:   Tue Nov 24 14:16:32 2015 +0800
>
>     DIRKRB-469 & DIRKRB-470 setting vno & cksum fields when making authenticator
>
> -----Original Message-----
> From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
> Sent: Monday, November 23, 2015 11:30 AM
> To: kerby@directory.apache.org
> Subject: RE: KDC is rejecting my TGS
>
> ah. That would do it :) sounds like we are getting close!
>
> Thanks
> Marc
> On Nov 22, 2015 10:27 PM, "Zheng, Kai" <kai.zheng@intel.com> wrote:
>
> > OK, forget it. I just checked the code, and found the checksum 
> > isn't done and filled in the authenticator. I will get it fixed ASAP.
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
> > Sent: Monday, November 23, 2015 11:24 AM
> > To: kerby@directory.apache.org
> > Subject: RE: KDC is rejecting my TGS
> >
> > >
> > > Cool!! Thanks a lot for getting the hard issue figured out.
> > >
> >
> > My pleasure. I'm glad I'm making progress.
> >
> > > I'm looking at the checksum issue, and trying to go into the context.
> > > Did you try the usage value of 10 or 6? Could you give me a snapshot of
> > > the stacktrace (or call stack) so I can know sooner about the context?
> > > Thanks.
> >
> > I haven't yet. I've shut down for the night but there really 
> > isn't a stack trace because MIT is returning a Kerberos generic 
> > error (with the accompanying log messages I sent over). I wanted to 
> > make sure I was reading the code properly before I started trying 
> > things since MIT isn't giving me the best error messages.  I'll give it a go tomorrow.
> >
> > Thanks
> > Marc
> >
>
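
A triage helper for the krb5kdc log lines quoted in this thread, as an added example that is not part of the original messages or of Kerby: it pairs each failed TGS_REQ with the TGT most recently issued to the same client and address, so the session-key etype in play is visible next to the error. The regular expression assumes the numeric-etype log format shown above; the function and field names are hypothetical.

```python
import re

# The two krb5kdc lines quoted in the thread, rejoined onto one line each.
SAMPLE_LOG = """\
Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 etypes {17}) 192.168.2.129: ISSUE: authtime 1448283454, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN for krbtgt/RHELENT.LAN@RHELENT.LAN
Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0, HTTP/s4u.rhelent.lan@RHELENT.LAN for HTTP/freeipa.rhelent.lan@RHELENT.LAN, Decrypt integrity check failed
"""

# Assumption: request lines follow the numeric-etype layout seen in the thread.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[\d ]+)\}\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): authtime (?P<authtime>\d+), "
    r"(?:etypes \{(?P<issued>[^}]*)\}, )?"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)(?:, (?P<error>.+))?$"
)

def parse_line(line):
    """Return the fields of one krb5kdc request line, or None if it does not match."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["offered"] = [int(e) for e in ev["offered"].split()]
    ev["issued"] = dict(kv.split("=", 1) for kv in (ev["issued"] or "").split())
    return ev

def failed_tgs_requests(log_text):
    """Pair each failed TGS_REQ with the last TGT issued to the same client and address."""
    last_tgt, findings = {}, []
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        key = (ev["client"], ev["addr"])
        if ev["req"] == "AS_REQ" and ev["status"] == "ISSUE":
            last_tgt[key] = ev
        elif ev["req"] == "TGS_REQ" and ev["status"] != "ISSUE":
            tgt = last_tgt.get(key)
            findings.append({
                "client": ev["client"], "server": ev["server"],
                "stage": ev["status"], "error": ev["error"],
                "tgt_session_etype": tgt["issued"].get("ses") if tgt else None,
            })
    return findings

if __name__ == "__main__":
    for finding in failed_tgs_requests(SAMPLE_LOG):
        print(finding)
```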