directory-kerby mailing list archives

From Marc Boorshtein <mboorsht...@gmail.com>
Subject KDC is rejecting my TGS
Date Fri, 20 Nov 2015 16:59:56 GMT
I've merged in all the new changes from Kai and Steve.  I get a TGT without
issue, but now I'm getting the following error from freeipa (built on MIT
kerberos):

Nov 20 09:38:40 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 etypes
{17}) 10.8.0.2: ISSUE: authtime 1448030320, etypes {rep=17 tkt=18 ses=17},
HTTP/s4u.rhelent.lan@RHELENT.LAN for krbtgt/RHELENT.LAN@RHELENT.LAN

Nov 20 09:38:40 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes
{17}) 10.8.0.2: PROCESS_TGS: authtime 0,  <unknown client> for
HTTP/ipa.rhelent.lan@RHELENT.LAN, ASN.1 structure is missing a required
field

Now, unfortunately, it's not saying WHAT the missing field is.  I've got a
control setup to make the same request in Java using the same keytab for
the same resources.  Here's the TGS request that works using the standard
Java Kerberos libraries:

No.     Time           Source                Destination           Protocol Length Info
     84 4.103473000    10.8.0.2              192.168.2.166         KRB5     693    TGS-REQ

Frame 84: 693 bytes on wire (5544 bits), 693 bytes captured (5544 bits) on interface 3
    Interface id: 3 (utun0)
    Encapsulation type: NULL (15)
    Arrival Time: Nov 20, 2015 11:47:55.953694000 EST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1448038075.953694000 seconds
    [Time delta from previous captured frame: 0.019420000 seconds]
    [Time delta from previous displayed frame: 0.019361000 seconds]
    [Time since reference or first frame: 4.103473000 seconds]
    Frame Number: 84
    Frame Length: 693 bytes (5544 bits)
    Capture Length: 693 bytes (5544 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: null:ip:udp:kerberos]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Null/Loopback
    Family: IP (2)
Internet Protocol Version 4, Src: 10.8.0.2 (10.8.0.2), Dst: 192.168.2.166 (192.168.2.166)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 689
    Identification: 0x175e (5982)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x9386 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 10.8.0.2 (10.8.0.2)
    Destination: 192.168.2.166 (192.168.2.166)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 49177 (49177), Dst Port: 88 (88)
    Source Port: 49177 (49177)
    Destination Port: 88 (88)
    Length: 669
    Checksum: 0x8f4e [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [Stream index: 8]
Kerberos
    tgs-req
        pvno: 5
        msg-type: krb-tgs-req (12)
        padata: 1 item
            PA-DATA PA-TGS-REQ
                padata-type: kRB5-PADATA-TGS-REQ (1)
                    padata-value: 6e8201fa308201f6a003020105a10302010ea20703050000...
                        ap-req
                            pvno: 5
                            msg-type: krb-ap-req (14)
                            Padding: 0
                            ap-options: 00000000
                                0... .... = reserved: False
                                .0.. .... = use-session-key: False
                                ..0. .... = mutual-required: False
                            ticket
                                tkt-vno: 5
                                realm: RHELENT.LAN
                                sname
                                    name-type: kRB5-NT-SRV-INST (2)
                                    name-string: 2 items
                                        KerberosString: krbtgt
                                        KerberosString: RHELENT.LAN
                                enc-part
                                    etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                    kvno: 1
                                    cipher: 28198273460862c515248752f713987ea6857b206fe8fe86...
                            authenticator
                                etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
                                cipher: 9101cb1fb3694bbc9cfb972c73711cb8e33d59e1de7fdb1a...
        req-body
            Padding: 0
            kdc-options: 40000000 (forwardable)
                0... .... = reserved: False
                .1.. .... = forwardable: True
                ..0. .... = forwarded: False
                ...0 .... = proxiable: False
                .... 0... = proxy: False
                .... .0.. = allow-postdate: False
                .... ..0. = postdated: False
                .... ...0 = unused7: False
                0... .... = renewable: False
                .0.. .... = unused9: False
                ..0. .... = unused10: False
                ...0 .... = opt-hardware-auth: False
                .... ..0. = request-anonymous: False
                .... ...0 = canonicalize: False
                0... .... = constrained-delegation: False
                ..0. .... = disable-transited-check: False
                ...0 .... = renewable-ok: False
                .... 0... = enc-tkt-in-skey: False
                .... ..0. = renew: False
                .... ...0 = validate: False
            realm: RHELENT.LAN
            sname
                name-type: kRB5-NT-UNKNOWN (0)
                name-string: 2 items
                    KerberosString: HTTP
                    KerberosString: freeipa.rhelent.lan
            till: 1970-01-01 00:00:00 (UTC)
            nonce: 1040086776
            etype: 3 items
                ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
                ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)
                ENCTYPE: eTYPE-DES3-CBC-SHA1 (16)

and from kerby:

No.     Time           Source                Destination           Protocol Length Info
   2888 255.037980000  10.8.0.2              192.168.2.166         KRB5     742    TGS-REQ

Frame 2888: 742 bytes on wire (5936 bits), 742 bytes captured (5936 bits) on interface 3
    Interface id: 3 (utun0)
    Encapsulation type: NULL (15)
    Arrival Time: Nov 20, 2015 11:52:06.888201000 EST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1448038326.888201000 seconds
    [Time delta from previous captured frame: -0.000117000 seconds]
    [Time delta from previous displayed frame: 0.010323000 seconds]
    [Time since reference or first frame: 255.037980000 seconds]
    Frame Number: 2888
    Frame Length: 742 bytes (5936 bits)
    Capture Length: 742 bytes (5936 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: null:ip:udp:kerberos]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Null/Loopback
    Family: IP (2)
Internet Protocol Version 4, Src: 10.8.0.2 (10.8.0.2), Dst: 192.168.2.166 (192.168.2.166)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 738
    Identification: 0x226e (8814)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x8845 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 10.8.0.2 (10.8.0.2)
    Destination: 192.168.2.166 (192.168.2.166)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 56122 (56122), Dst Port: 88 (88)
    Source Port: 56122 (56122)
    Destination Port: 88 (88)
    Length: 718
    Checksum: 0x461a [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [Stream index: 30]
Kerberos
    tgs-req
        pvno: 5
        msg-type: krb-tgs-req (12)
        padata: 1 item
            PA-DATA PA-TGS-REQ
                padata-type: kRB5-PADATA-TGS-REQ (1)
                    padata-value: 6e8201f8308201f4a003020105a10302010ea20703050000...
                        ap-req
                            pvno: 5
                            msg-type: krb-ap-req (14)
                            Padding: 0
                            ap-options: 00000000
                                0... .... = reserved: False
                                .0.. .... = use-session-key: False
                                ..0. .... = mutual-required: False
                            ticket
                                tkt-vno: 5
                                realm: RHELENT.LAN
                                sname
                                    name-type: kRB5-NT-PRINCIPAL (1)
                                    name-string: 2 items
                                        KerberosString: krbtgt
                                        KerberosString: RHELENT.LAN
                                enc-part
                                    etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                    kvno: 1
                                    cipher: 1bea5e1ce7205e55dd088dc647222d5a20d62c41a172c0b4...
                            authenticator
                                etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
                                kvno: 255
                                cipher: dd243f0d6aaa9c03a6e6737b18ca8510d4bfac33296a07d2...
        req-body
            Padding: 0
            kdc-options: 40000000 (forwardable)
                0... .... = reserved: False
                .1.. .... = forwardable: True
                ..0. .... = forwarded: False
                ...0 .... = proxiable: False
                .... 0... = proxy: False
                .... .0.. = allow-postdate: False
                .... ..0. = postdated: False
                .... ...0 = unused7: False
                0... .... = renewable: False
                .0.. .... = unused9: False
                ..0. .... = unused10: False
                ...0 .... = opt-hardware-auth: False
                .... ..0. = request-anonymous: False
                .... ...0 = canonicalize: False
                0... .... = constrained-delegation: False
                ..0. .... = disable-transited-check: False
                ...0 .... = renewable-ok: False
                .... 0... = enc-tkt-in-skey: False
                .... ..0. = renew: False
                .... ...0 = validate: False
            cname
                name-type: kRB5-NT-PRINCIPAL (1)
                name-string: 2 items
                    KerberosString: HTTP
                    KerberosString: s4u.rhelent.lan
            realm: RHELENT.LAN
            sname
                name-type: kRB5-NT-PRINCIPAL (1)
                name-string: 2 items
                    KerberosString: HTTP
                    KerberosString: freeipa.rhelent.lan
            from: 2015-11-20 16:52:06 (UTC)
            till: 2015-11-21 00:52:06 (UTC)
            nonce: 984126497
            etype: 1 item
                ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)

The differences I see are:

1.  The authenticator from Kerby's PA-TGS-REQ has a kvno=255; Java doesn't have that attribute

2.  Kerby has a cname section with the name of the client; Java's implementation does not

3.  Kerby's SNAME has a name-type of KRB5-NT-PRINCIPAL, whereas Java's is KRB5-NT-UNKNOWN

4.  Kerby has a "from"; Java does not

5.  Kerby's from and till are real dates; Java's is expired

My guess is the issue is #3?  I'm thinking I can set that in the options.
I already added a method that lets me get an SGT with options (like the
tgtWithOptions method).  I'll see if there's a way to specify the principal
type from there.  Anything else stand out?


Thanks

Marc
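The field-by-field comparison in the message above (which OPTIONAL fields of the KDC-REQ-BODY are present, and which name-type each PrincipalName carries) can be made mechanical with a small DER walker. What follows is an added example written for this page; it is not code from Kerby, MIT Kerberos or FreeIPA. It assumes the KDC-REQ-BODY tag layout from RFC 4120 section 5.4.1, builds two constructed sample bodies shaped like the Java and Kerby captures (the bytes are made up, not the captured ones), parses them back, reports any field RFC 4120 marks as required that is absent, and prints the differences. It does not say which difference the KDC objects to; it only removes the need to diff the two dissector trees by eye.

```python
# Toy DER encoder/decoder for a Kerberos KDC-REQ-BODY (RFC 4120, section 5.4.1).
# Added example for this thread, not Kerby, MIT or FreeIPA code.  Sample bodies
# are constructed to match the shape of the two captures (not the real bytes);
# the decoder handles only single-byte tags and definite lengths.

# KDC-REQ-BODY context tags, and whether RFC 4120 marks the field OPTIONAL.
BODY_FIELDS = {
    0: ("kdc-options", False), 1: ("cname", True), 2: ("realm", False),
    3: ("sname", True), 4: ("from", True), 5: ("till", False),
    6: ("rtime", True), 7: ("nonce", False), 8: ("etype", False),
    9: ("addresses", True), 10: ("enc-authorization-data", True),
    11: ("additional-tickets", True),
}
NT_NAMES = {0: "KRB5-NT-UNKNOWN", 1: "KRB5-NT-PRINCIPAL", 2: "KRB5-NT-SRV-INST"}

# Encoder: just enough DER to build a request body.
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content
def ctx(n, content):       # [n] EXPLICIT context-specific tag (constructed)
    return tlv(0xA0 | n, content)
def der_int(v):            # minimal two's-complement INTEGER
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
def der_seq(*items):
    return tlv(0x30, b"".join(items))
def kstring(s):            # KerberosString is a GeneralString
    return tlv(0x1B, s.encode("ascii"))
def ktime(s):              # KerberosTime is a GeneralizedTime "YYYYMMDDHHMMSSZ"
    return tlv(0x18, s.encode("ascii"))
def principal(name_type, *parts):
    return der_seq(ctx(0, der_int(name_type)),
                   ctx(1, der_seq(*(kstring(p) for p in parts))))
def req_body(fields):      # fields: [(context tag number, DER-encoded value)]
    return der_seq(*(ctx(n, c) for n, c in fields))

# Decoder: walk TLVs and map context tags back to RFC 4120 field names.
def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def der_children(content):
    pos = 0
    while pos < len(content):
        tag, inner, pos = der_read(content, pos)
        yield tag, inner
def to_int(raw):
    return int.from_bytes(raw, "big", signed=True)
def parse_principal(seq_content):
    """PrincipalName -> (name-type, [name-string components])."""
    parts = {tag: der_read(inner)[1] for tag, inner in der_children(seq_content)}
    return (to_int(parts[0xA0]),
            [v.decode("ascii") for _, v in der_children(parts[0xA1])])
DECODE = {"cname": parse_principal, "sname": parse_principal, "nonce": to_int,
          "etype": lambda v: [to_int(e) for _, e in der_children(v)],
          "realm": bytes.decode, "from": bytes.decode, "till": bytes.decode}
def parse_body(body):
    """Return ({field: value}, [required fields that are absent])."""
    _, content, _ = der_read(body)                  # outer SEQUENCE
    present = {}
    for ctag, inner in der_children(content):
        name, _ = BODY_FIELDS[ctag & 0x1F]
        _, val, _ = der_read(inner)                 # unwrap the EXPLICIT tag
        present[name] = DECODE.get(name, bytes)(val)   # others kept raw
    missing = [f for f, opt in BODY_FIELDS.values() if not opt and f not in present]
    return present, missing

def diff_bodies(a, b):
    """Field-by-field comparison, the list the message above builds by eye."""
    pa, pb = parse_body(a)[0], parse_body(b)[0]
    out = []
    for f, _ in BODY_FIELDS.values():
        if (f in pa) != (f in pb):
            out.append(f"{f}: present only in {'a' if f in pa else 'b'}")
        elif f in pa and f in ("cname", "sname") and pa[f][0] != pb[f][0]:
            out.append(f"{f} name-type: {NT_NAMES[pa[f][0]]} vs {NT_NAMES[pb[f][0]]}")
    return out

def strip_field(body, n):
    """Re-emit body without context tag [n], to exercise the missing-field check."""
    _, content, _ = der_read(body)
    return der_seq(*(tlv(t, c) for t, c in der_children(content) if (t & 0x1F) != n))

# Constructed sample bodies shaped like the two captures above (not the real bytes).
OPTIONS = tlv(0x03, b"\x00\x40\x00\x00\x00")   # KDCOptions BIT STRING: forwardable
JAVA_STYLE = req_body([(0, OPTIONS), (2, kstring("RHELENT.LAN")),
                       (3, principal(0, "HTTP", "freeipa.rhelent.lan")),
                       (5, ktime("19700101000000Z")), (7, der_int(1040086776)),
                       (8, der_seq(der_int(17), der_int(23), der_int(16)))])
KERBY_STYLE = req_body([(0, OPTIONS), (1, principal(1, "HTTP", "s4u.rhelent.lan")),
                        (2, kstring("RHELENT.LAN")),
                        (3, principal(1, "HTTP", "freeipa.rhelent.lan")),
                        (4, ktime("20151120165206Z")), (5, ktime("20151121005206Z")),
                        (7, der_int(984126497)), (8, der_seq(der_int(17)))])
```

`diff_bodies(JAVA_STYLE, KERBY_STYLE)` returns the three structural differences from the list above (cname only in the Kerby body, sname name-type KRB5-NT-UNKNOWN vs KRB5-NT-PRINCIPAL, from only in the Kerby body), and `parse_body(strip_field(KERBY_STYLE, 5))` reports `till` as a missing required field. To run it against a real capture, feed `parse_body` the bytes of the `[4] req-body` element exported from the dissector; the decoder does not handle the outer `[APPLICATION 12]` wrapper, the PA-TGS-REQ AP-REQ, or the authenticator, so the kvno=255 difference in item 1 is outside what it checks.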