directory-kerby mailing list archives

From Marc Boorshtein <mboorsht...@gmail.com>
Subject Re: KDC is rejecting my TGS
Date Mon, 23 Nov 2015 20:50:22 GMT
OK, so that DOES get me an SGT! Now I just need to figure out how to
convert that into a SPNEGO negotiate header. Any thoughts?

On Mon, Nov 23, 2015 at 9:16 AM, Marc Boorshtein <mboorshtein@gmail.com>
wrote:

> Interesting. I'll give that a try
> On Nov 23, 2015 9:02 AM, "Zheng, Kai" <kai.zheng@intel.com> wrote:
>
>> Maybe we can be back to this issue some time later after I fix the
>> sessionkey/subkey issue.
>> For now, we can try, and also should, the approach used by Steve (actually
>> aligned with MIT kinit -S behavior): request the service ticket directly
>> using the AS-REQ. So your codes may be as follows.
>>
>> KrbClient kerb = new KrbClient(new File("/Users/mlb/Documents/testkerb"));
>> kerb.init();
>> kerb.setKdcRealm("RHELENT.LAN");
>> KOptions requestOptions = new KOptions();
>> requestOptions.add(KrbOption.CLIENT_PRINCIPAL, "HTTP/s4u.rhelent.lan@RHELENT.LAN");
>> requestOptions.add(KrbOption.SERVER_PRINCIPAL,
>>     new PrincipalName("HTTP/freeipa.rhelent.lan@RHELENT.LAN", NameType.NT_UNKNOWN));
>> requestOptions.add(KrbOption.USE_KEYTAB, true);
>> requestOptions.add(KrbOption.KEYTAB_FILE, new File("/Users/mlb/Documents/localdev.keytab"));
>> requestOptions.add(KrbOption.FORWARDABLE, true);
>> requestOptions.add(KrbOption.PROXIABLE, false);
>> requestOptions.add(KrbOption.RENEWABLE_OK, false);
>>
>> TgtTicket tgt = kerb.requestTgtWithOptions(requestOptions);
>>
>> Then the tgt should be actually the service ticket you desired.
>>
>> -----Original Message-----
>> From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
>> Sent: Monday, November 23, 2015 9:53 PM
>> To: kerby@directory.apache.org
>> Subject: Re: KDC is rejecting my TGS
>>
>> Yes, I did. I also have several minor changes to get it to line up with
>> the way Java's libraries are working, so I wonder if the merge missed
>> something. I'll try debugging it tonight.
>>
>> On Mon, Nov 23, 2015 at 8:19 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
>>
>> > OK. Did you make the following change as I told in my last email, in
>> > addition to checking out the latest commits?
>> > ====
>> > if you'd just go on with your case, please make the following change
>> > and try.
>> > In client side TgsRequest.java: processResponse(), use
>> > KeyUsage.TGS_REP_ENCPART_SUBKEY.
>> > ====
>> >
>> > -----Original Message-----
>> > From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
>> > Sent: Monday, November 23, 2015 9:05 PM
>> > To: kerby@directory.apache.org
>> > Subject: Re: KDC is rejecting my TGS
>> >
>> > New error:
>> >
>> > Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1
>> > etypes
>> > {17}) 192.168.2.129: ISSUE: authtime 1448283454, etypes {rep=17 tkt=18
>> > ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN for
>> > krbtgt/RHELENT.LAN@RHELENT.LAN
>> >
>> > Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1
>> > etypes
>> > {17}) 192.168.2.129: PROCESS_TGS: authtime 0,
>> > HTTP/s4u.rhelent.lan@RHELENT.LAN for
>> > HTTP/freeipa.rhelent.lan@RHELENT.LAN,
>> > Decrypt integrity check failed
>> >
>> > Here's the packet trace :
>> >
>> > https://s3.amazonaws.com/ts-public-downloads/captures/kerb-bad_integrity.pcapng
>> >
>> > On Mon, Nov 23, 2015 at 4:22 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
>> >
>> > > With above fixup, I hit another issue that Kerby client failed to
>> > > decrypt the TGS-REP.
>> > >
>> > > I got it work in my setup but I can't commit the codes because
>> > > there're more cases to be investigated. Ref. the issue
>> > > https://issues.apache.org/jira/browse/DIRKRB-472
>> > >
>> > > Marc,
>> > > if you'd just go on with your case, please make the following change
>> > > and try.
>> > > In client side TgsRequest.java: processResponse(), use
>> > > KeyUsage.TGS_REP_ENCPART_SUBKEY.
>> > >
>> > > -----Original Message-----
>> > > From: Zheng, Kai [mailto:kai.zheng@intel.com]
>> > > Sent: Monday, November 23, 2015 2:21 PM
>> > > To: kerby@directory.apache.org
>> > > Subject: RE: KDC is rejecting my TGS
>> > >
>> > > Fired and resolved the following issue to track the authenticator
>> > > issue we're handling.
>> > > Will setup a box to test: Kerby client -> MIT KDC (in service ticket
>> > > path)
>> > >
>> > > commit df6ba15d4f990b104efcf36ede913f4eeb09a872
>> > > Author: Drankye <drankye@gmail.com>
>> > > Date:   Tue Nov 24 14:16:32 2015 +0800
>> > >
>> > >     DIRKRB-469 & DIRKRB-470 setting vno & cksum fields when making
>> > > authenticator
>> > >
>> > > -----Original Message-----
>> > > From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
>> > > Sent: Monday, November 23, 2015 11:30 AM
>> > > To: kerby@directory.apache.org
>> > > Subject: RE: KDC is rejecting my TGS
>> > >
>> > > Ah. That would do it :) Sounds like we are getting close!
>> > >
>> > > Thanks
>> > > Marc
>> > > On Nov 22, 2015 10:27 PM, "Zheng, Kai" <kai.zheng@intel.com> wrote:
>> > >
>> > > > OK, forget it. I just checked the codes, and found the checksum
>> > > > isn't done and filled in authenticator. I will get it fixed ASAP.
>> > > >
>> > > > Regards,
>> > > > Kai
>> > > >
>> > > > -----Original Message-----
>> > > > From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
>> > > > Sent: Monday, November 23, 2015 11:24 AM
>> > > > To: kerby@directory.apache.org
>> > > > Subject: RE: KDC is rejecting my TGS
>> > > >
>> > > > >
>> > > > > Cool!! Thanks a lot for getting the hard issue figured out.
>> > > > >
>> > > >
>> > > > My pleasure. I'm glad I'm making progress.
>> > > >
>> > > > > I'm looking at the checksum issue, and trying to go into the
>> > > > > context. Did you try the usage value of 10 or 6? Could you give
>> > > > > me a snapshot of the stacktrace (or call stack) so I can know
>> > > > > sooner about the context? Thanks.
>> > > >
>> > > > I haven't yet. I've shut down for the night, but there really
>> > > > isn't a stack trace because MIT is returning a Kerberos generic
>> > > > error (with the accompanying log messages I sent over). I wanted
>> > > > to make sure I was reading the code properly before I started
>> > > > trying things since MIT isn't giving me the best error messages.
>> > > > I'll give it a go tomorrow.
>> > > >
>> > > > Thanks
>> > > > Marc
>> > > >
>> > >
>> >
>>
>
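Marc's open question at the top of this message is how a service ticket becomes a SPNEGO Negotiate header. The example below is added by the editor and is not code from this thread or from the Kerby project. It shows the framing that RFC 4559 (HTTP Negotiate), RFC 4178 (SPNEGO NegTokenInit) and RFC 4121 (krb5 GSS-API token with TOK_ID 01 00) put around a Kerberos AP-REQ, and it parses a header back to report which mechanism it carries, which is the first thing to check on the server side when a Negotiate header is rejected (a bare krb5 token and a SPNEGO-wrapped one look identical after base64 but are accepted by different code paths). The AP-REQ bytes are a constructed placeholder with no ticket or authenticator in them; a real AP-REQ is produced by the Kerberos library from the service ticket and an authenticator encrypted under the session key. Python is used here rather than Java because the point is the wire format, not the Kerby API.

```python
# Added example (not Kerby code): build and inspect an HTTP "Negotiate"
# header carrying a Kerberos AP-REQ, per RFC 4559 / RFC 4178 / RFC 4121.
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"        # RFC 4178 SPNEGO mechanism OID
KRB5_OID = "1.2.840.113554.1.2.2"   # RFC 4121 Kerberos V5 GSS mechanism OID
KRB5_AP_REQ_TOK_ID = b"\x01\x00"    # RFC 4121 TOK_ID marking an AP-REQ


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER (tag 0x06) from dotted notation."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for arc in parts[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def read_tlv(buf, pos=0):
    """Return (tag, body, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def gss_wrap(mech_oid, inner):
    """RFC 2743 3.1 InitialContextToken: [APPLICATION 0] { mech OID, inner }."""
    return der_tlv(0x60, encode_oid(mech_oid) + inner)


def gss_unwrap(token):
    tag, body, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    otag, oid_body, pos = read_tlv(body)
    if otag != 0x06:
        raise ValueError("mechanism OID missing")
    return decode_oid(oid_body), body[pos:]


def bare_krb5_negotiate_header(ap_req_der):
    """Header carrying a raw krb5 GSS token (no SPNEGO negotiation layer)."""
    token = gss_wrap(KRB5_OID, KRB5_AP_REQ_TOK_ID + ap_req_der)
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def spnego_negotiate_header(ap_req_der):
    """Header carrying NegTokenInit { mechTypes [0], mechToken [2] } per RFC 4178."""
    krb5_token = gss_wrap(KRB5_OID, KRB5_AP_REQ_TOK_ID + ap_req_der)
    mech_types = der_tlv(0x30, encode_oid(KRB5_OID))           # MechTypeList
    neg_token_init = der_tlv(0x30, der_tlv(0xA0, mech_types)   # [0] mechTypes
                             + der_tlv(0xA2, der_tlv(0x04, krb5_token)))  # [2]
    negotiation_token = der_tlv(0xA0, neg_token_init)          # CHOICE [0]
    token = gss_wrap(SPNEGO_OID, negotiation_token)
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def parse_negotiate_header(header):
    """Report outer mechanism, offered mechTypes and the embedded mech token."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    mech, inner = gss_unwrap(base64.b64decode(b64))
    info = {"outer": mech, "mech_types": [], "mech_token": None, "tok_id": None}
    if mech == KRB5_OID:                        # bare krb5 token, no SPNEGO
        info["mech_token"], info["tok_id"] = mech, inner[:2]
        return info
    if mech != SPNEGO_OID:
        raise ValueError("unknown mechanism " + mech)
    ctag, nti, _ = read_tlv(inner)
    if ctag != 0xA0:
        raise ValueError("expected negTokenInit")
    _, fields, _ = read_tlv(nti)                # NegTokenInit SEQUENCE
    pos = 0
    while pos < len(fields):
        ftag, fbody, pos = read_tlv(fields, pos)
        if ftag == 0xA0:                        # mechTypes
            _, lst, _ = read_tlv(fbody)
            q = 0
            while q < len(lst):
                _, oid_body, q = read_tlv(lst, q)
                info["mech_types"].append(decode_oid(oid_body))
        elif ftag == 0xA2:                      # mechToken OCTET STRING
            _, tok, _ = read_tlv(fbody)
            info["mech_token"], rest = gss_unwrap(tok)
            info["tok_id"] = rest[:2]
    return info


# Constructed placeholder: AP-REQ is [APPLICATION 14] SEQUENCE (tag 0x6e).
# A real one, with ticket and encrypted authenticator, comes from the library.
PLACEHOLDER_AP_REQ = der_tlv(0x6E, der_tlv(0x30, b""))

if __name__ == "__main__":
    hdr = spnego_negotiate_header(PLACEHOLDER_AP_REQ)
    print(hdr)
    print(parse_negotiate_header(hdr))
```

Run it and the parsed result shows outer mechanism 1.3.6.1.5.5.2, a mechTypes list of one entry (the krb5 OID) and a mechToken whose TOK_ID is 01 00. Feeding the same parser a header built with bare_krb5_negotiate_header gives an empty mechTypes list and the krb5 OID as the outer mechanism, which is the distinction a server rejecting "unexpected token" errors usually hinges on.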
