directory-kerby mailing list archives

From: "Zheng, Kai" <kai.zh...@intel.com>
Subject: RE: KDC is rejecting my TGS
Date: Sun, 29 Nov 2015 02:07:30 GMT
Yes, Marc, the fix is still pending there; I was thinking you had a workaround. It will take some
time to sort it out. I'm currently focusing on ASN1/X509/CMS stuff. Hopefully I can be
back to it soon.

Regards,
Kai

-----Original Message-----
From: Marc Boorshtein [mailto:mboorshtein@gmail.com] 
Sent: Sunday, November 29, 2015 9:55 AM
To: kerby@directory.apache.org
Subject: Re: KDC is rejecting my TGS

Just a heads up, I've pulled in the latest commits and I'm still able to get a TGT, and
I can get a server principal back with a TGT, but the SGT request still gets an error back
of "bad integrity" with the following in the logs:

Nov 28 20:45:57 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes
{17}) 192.168.2.129: PROCESS_TGS: authtime 0, HTTP/s4u.rhelent.lan@RHELENT.LAN for HTTP/freeipa.rhelent.lan@RHELENT.LAN,
Decrypt integrity check failed


Thanks

On Mon, Nov 23, 2015 at 3:50 PM, Marc Boorshtein <mboorshtein@gmail.com>
wrote:

> OK, so that DOES get me an SGT!  Now I just need to figure out how to
> convert that into a SPNEGO negotiate header.  Any thoughts?
>
> On Mon, Nov 23, 2015 at 9:16 AM, Marc Boorshtein 
> <mboorshtein@gmail.com>
> wrote:
>
>> Interesting. I'll give that a try
>> On Nov 23, 2015 9:02 AM, "Zheng, Kai" <kai.zheng@intel.com> wrote:
>>
>>> Maybe we can be back to this issue some time later after I fix the
>>> sessionkey/subkey issue.
>>> For now, we can try (and also should) the approach used by Steve
>>> (actually aligned with MIT kinit -S behavior): request the service
>>> ticket directly using the AS-REQ. So your code may be as follows.
>>>
>>> KrbClient kerb = new KrbClient(new File("/Users/mlb/Documents/testkerb"));
>>> kerb.init();
>>> kerb.setKdcRealm("RHELENT.LAN");
>>> KOptions requestOptions = new KOptions();
>>> requestOptions.add(KrbOption.CLIENT_PRINCIPAL, "HTTP/s4u.rhelent.lan@RHELENT.LAN");
>>> requestOptions.add(KrbOption.SERVER_PRINCIPAL,
>>>     new PrincipalName("HTTP/freeipa.rhelent.lan@RHELENT.LAN", NameType.NT_UNKNOWN));
>>> requestOptions.add(KrbOption.USE_KEYTAB, true);
>>> requestOptions.add(KrbOption.KEYTAB_FILE, new File("/Users/mlb/Documents/localdev.keytab"));
>>> requestOptions.add(KrbOption.FORWARDABLE, true);
>>> requestOptions.add(KrbOption.PROXIABLE, false);
>>> requestOptions.add(KrbOption.RENEWABLE_OK, false);
>>>
>>> TgtTicket tgt = kerb.requestTgtWithOptions(requestOptions);
>>> Then the tgt should actually be the service ticket you desired.
>>>
>>> -----Original Message-----
>>> From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
>>> Sent: Monday, November 23, 2015 9:53 PM
>>> To: kerby@directory.apache.org
>>> Subject: Re: KDC is rejecting my TGS
>>>
>>> Yes, I did.  I also have several minor changes to get it to line up
>>> with the way Java's libraries are working, so I wonder if the merge
>>> missed something.  I'll try debugging it tonight.
>>>
>>> On Mon, Nov 23, 2015 at 8:19 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
>>>
>>> > OK. Did you make the following change as I told you in my last email,
>>> > in addition to checking out the latest commits?
>>> > ====
>>> > If you'd just go on with your case, please make the following
>>> > change and try.
>>> > In client side TgsRequest.java: processResponse(), use
>>> > KeyUsage.TGS_REP_ENCPART_SUBKEY.
>>> > ====
>>> >
>>> > -----Original Message-----
>>> > From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
>>> > Sent: Monday, November 23, 2015 9:05 PM
>>> > To: kerby@directory.apache.org
>>> > Subject: Re: KDC is rejecting my TGS
>>> >
>>> > New error:
>>> >
>>> > Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 
>>> > etypes
>>> > {17}) 192.168.2.129: ISSUE: authtime 1448283454, etypes {rep=17 
>>> > tkt=18 ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN for 
>>> > krbtgt/RHELENT.LAN@RHELENT.LAN
>>> >
>>> > Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ 
>>> > (1 etypes
>>> > {17}) 192.168.2.129: PROCESS_TGS: authtime 0, 
>>> > HTTP/s4u.rhelent.lan@RHELENT.LAN for 
>>> > HTTP/freeipa.rhelent.lan@RHELENT.LAN,
>>> > Decrypt integrity check failed
>>> >
>>> > Here's the packet trace:
>>> >
>>> > https://s3.amazonaws.com/ts-public-downloads/captures/kerb-bad_integrity.pcapng
>>> >
>>> > On Mon, Nov 23, 2015 at 4:22 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
>>> >
>>> > > With the above fixup, I hit another issue: the Kerby client failed
>>> > > to decrypt the TGS-REP.
>>> > >
>>> > > I got it to work in my setup but I can't commit the code because
>>> > > there are more cases to be investigated. Ref. the issue
>>> > > https://issues.apache.org/jira/browse/DIRKRB-472
>>> > >
>>> > > Marc,
>>> > > if you'd just go on with your case, please make the following 
>>> > > change and try.
>>> > > In client side TgsRequest.java: processResponse(), use 
>>> > > KeyUsage.TGS_REP_ENCPART_SUBKEY.
>>> > >
>>> > > -----Original Message-----
>>> > > From: Zheng, Kai [mailto:kai.zheng@intel.com]
>>> > > Sent: Monday, November 23, 2015 2:21 PM
>>> > > To: kerby@directory.apache.org
>>> > > Subject: RE: KDC is rejecting my TGS
>>> > >
>>> > > Fired and resolved the following issue to track the authenticator
>>> > > issue we're handling.
>>> > > Will set up a box to test: Kerby client -> MIT KDC (in service ticket path)
>>> > >
>>> > > commit df6ba15d4f990b104efcf36ede913f4eeb09a872
>>> > > Author: Drankye <drankye@gmail.com>
>>> > > Date:   Tue Nov 24 14:16:32 2015 +0800
>>> > >
>>> > >     DIRKRB-469 & DIRKRB-470 setting vno & cksum fields when making authenticator
>>> > >
>>> > > -----Original Message-----
>>> > > From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
>>> > > Sent: Monday, November 23, 2015 11:30 AM
>>> > > To: kerby@directory.apache.org
>>> > > Subject: RE: KDC is rejecting my TGS
>>> > >
>>> > > Ah. That would do it :) Sounds like we are getting close!
>>> > >
>>> > > Thanks
>>> > > Marc
>>> > > On Nov 22, 2015 10:27 PM, "Zheng, Kai" <kai.zheng@intel.com> wrote:
>>> > >
>>> > > > OK, forget it. I just checked the codes, and found the checksum isn't
>>> > > > done and filled in the authenticator. I will get it fixed ASAP.
>>> > > >
>>> > > > Regards,
>>> > > > Kai
>>> > > >
>>> > > > -----Original Message-----
>>> > > > From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
>>> > > > Sent: Monday, November 23, 2015 11:24 AM
>>> > > > To: kerby@directory.apache.org
>>> > > > Subject: RE: KDC is rejecting my TGS
>>> > > >
>>> > > > >
>>> > > > > Cool!! Thanks a lot for getting the hard issue figured out.
>>> > > > >
>>> > > >
>>> > > > My pleasure. I'm glad I'm making progress.
>>> > > >
>>> > > > > I'm looking at the checksum issue, and trying to go into the context.
>>> > > > > Did you try the usage value of 10 or 6? Could you give me a snapshot of
>>> > > > > the stacktrace (or call stack) so I can know sooner about the context?
>>> > > > > Thanks.
>>> > > >
>>> > > > I haven't yet. I've shut down for the night, but there really isn't a
>>> > > > stack trace because MIT is returning a Kerberos generic error (with the
>>> > > > accompanying log messages I sent over). I wanted to make sure I was
>>> > > > reading the code properly before I started trying things since MIT
>>> > > > isn't giving me the best error messages. I'll give it a go tomorrow.
>>> > > >
>>> > > > Thanks
>>> > > > Marc
>>> > > >
>>> > >
>>> >
>>>
>>
>
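The key-usage mismatch behind the TgsRequest.processResponse() fix discussed in the thread (KeyUsage.TGS_REP_ENCPART_SUBKEY versus the session-key usage), modelled as an added example that is not Kerby code and not from the thread: both sides derive the integrity key from (base key, usage number), and the client's check fails when it uses usage 8 on a reply the KDC sealed with usage 9. It assumes RFC 8009's HMAC-SHA-256 derivation (aes128-cts-hmac-sha256-128, etype 19) because that needs only the standard library, whereas the etype 17 in the logs uses an AES-based derivation, and it omits the AES-CBC-CTS encryption step.

```python
import hashlib
import hmac
import struct

# RFC 4120 section 7.5.1 key usage numbers for the TGS-REP enc-part.
TGS_REP_ENCPART_SESSKEY = 8  # sealed with the TGT session key
TGS_REP_ENCPART_SUBKEY = 9   # sealed with the subkey sent in the TGS-REQ authenticator

def kdf_hmac_sha2(key, label, k_bits):
    """RFC 8009 section 3: k-truncate(HMAC-SHA-256(key, 0x00000001 | label | 0x00 | k))."""
    data = struct.pack(">I", 1) + label + b"\x00" + struct.pack(">I", k_bits)
    return hmac.new(key, data, hashlib.sha256).digest()[: k_bits // 8]

def integrity_tag(base_key, usage, data):
    """Ki = KDF-HMAC-SHA2(base-key, usage | 0x55, 128); tag = 128-bit HMAC-SHA-256(Ki, data)."""
    ki = kdf_hmac_sha2(base_key, struct.pack(">I", usage) + b"\x55", 128)
    return hmac.new(ki, data, hashlib.sha256).digest()[:16]

def kdc_seal_tgs_rep(session_key, subkey, enc_part):
    """RFC 4120 section 3.3.3: the KDC uses the subkey (usage 9) when the authenticator carried
    one, otherwise the TGT session key (usage 8). Model only: encryption step omitted."""
    if subkey is not None:
        return enc_part + integrity_tag(subkey, TGS_REP_ENCPART_SUBKEY, enc_part)
    return enc_part + integrity_tag(session_key, TGS_REP_ENCPART_SESSKEY, enc_part)

def client_open_tgs_rep(session_key, subkey, blob, usage=None):
    """Client side. `usage` is normally derived; pass it explicitly to reproduce a wrong-usage bug."""
    key = subkey if subkey is not None else session_key
    if usage is None:
        usage = TGS_REP_ENCPART_SUBKEY if subkey is not None else TGS_REP_ENCPART_SESSKEY
    body, tag = blob[:-16], blob[-16:]
    if not hmac.compare_digest(tag, integrity_tag(key, usage, body)):
        raise ValueError("Decrypt integrity check failed")
    return body

def demo():
    """Returns (correct_usage_ok, wrong_usage_rejected) using constructed sample keys."""
    session_key, subkey = bytes(range(16)), bytes(range(16, 32))  # constructed, not real keys
    enc_part = b"EncTGSRepPart for HTTP/freeipa.rhelent.lan@RHELENT.LAN"
    blob = kdc_seal_tgs_rep(session_key, subkey, enc_part)
    ok = client_open_tgs_rep(session_key, subkey, blob) == enc_part
    try:  # right key, but usage 8 where the KDC used 9: the tag must not verify
        client_open_tgs_rep(session_key, subkey, blob, usage=TGS_REP_ENCPART_SESSKEY)
        rejected = False
    except ValueError:
        rejected = True
    return ok, rejected
```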