directory-kerby mailing list archives

From Marc Boorshtein <mboorsht...@gmail.com>
Subject Re: KDC is rejecting my TGS
Date Sun, 22 Nov 2015 14:20:28 GMT
Kai,

I'm set up with FreeIPA on CentOS 7 (it gets everything set up very quickly).
Here's my code for generating the tickets:

import java.io.File;

import org.apache.kerby.KOptions;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.client.KrbClient;
import org.apache.kerby.kerberos.kerb.client.KrbOption;
// Package names for the ASN.1 types as in Kerby 1.x (the 2015 snapshots put
// them under ...kerb.spec.* instead); adjust to the build in use.
import org.apache.kerby.kerberos.kerb.type.base.NameType;
import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;

// Inside the caller's class. Both request calls throw the checked
// KrbException, so the snippet needs a "throws" clause (or a try/catch).
void requestTickets() throws KrbException {
    // Client config directory (krb5.conf lives here)
    KrbClient kerb = new KrbClient(new File("/Users/mlb/Documents/testkerb"));
    kerb.init();
    kerb.setKdcRealm("RHELENT.LAN");

    // AS-REQ: get a TGT for the service principal using its keytab
    KOptions requestOptions = new KOptions();
    requestOptions.add(KrbOption.CLIENT_PRINCIPAL, "HTTP/s4u.rhelent.lan@RHELENT.LAN");
    requestOptions.add(KrbOption.USE_KEYTAB, true);
    requestOptions.add(KrbOption.KEYTAB_FILE, new File("/Users/mlb/Documents/localdev.keytab"));
    requestOptions.add(KrbOption.FORWARDABLE, true);
    requestOptions.add(KrbOption.PROXIABLE, false);
    requestOptions.add(KrbOption.RENEWABLE_OK, false);

    TgtTicket tgt = kerb.requestTgtWithOptions(requestOptions);

    // TGS-REQ: use that TGT to ask for a service ticket for the IPA web service
    requestOptions = new KOptions();
    requestOptions.add(KrbOption.USE_TGT, tgt);
    requestOptions.add(KrbOption.SERVER_PRINCIPAL,
            new PrincipalName("HTTP/freeipa.rhelent.lan@RHELENT.LAN", NameType.NT_UNKNOWN));
    requestOptions.add(KrbOption.FORWARDABLE, true);
    requestOptions.add(KrbOption.PROXIABLE, false);
    requestOptions.add(KrbOption.RENEWABLE_OK, false);

    // This is the request the KDC rejects; the returned service ticket is not kept here
    kerb.requestServiceTicketWithTgt(requestOptions);
}

Out of curiosity, has this API been tested with Active Directory at all?

I've got to get back to getting MyVD integrated with M20, but I'll be
hopping back into this probably tomorrow or Tuesday.

Thanks


On Sun, Nov 22, 2015 at 7:38 AM, Zheng, Kai <kai.zheng@intel.com> wrote:

> Marc, glad we made something clear. I also noted the unknown client issue
> (authtime = 0) and had already checked the MIT code, but had no idea where
> exactly it is emitted. We need to debug to figure it out. I have a MIT KDC
> installation. Maybe you could let me know how to repeat this on my side? In
> the process, is the TGS-REQ separated from the AS-REQ? If so, you might try using
> the TGT generated by MIT client -> MIT KDC, and then use the TGT for Kerby
> client -> MIT KDC. I'm working on Kerby CMS/X509 things, but surely would
> have some time on this given more inputs. Thanks.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
> Sent: Sunday, November 22, 2015 11:13 AM
> To: kerby@directory.apache.org
> Subject: Re: KDC is rejecting my TGS
>
> OK, so I fixed the kvno and it's still not working. Looking at the MIT
> Kerberos log I see the following for the control:
>
> Nov 21 21:47:55 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 192.168.2.102: NEEDED_PREAUTH: HTTP/s4u.rhelent.lan@RHELENT.LAN for krbtgt/RHELENT.LAN@RHELENT.LAN, Additional pre-authentication required
>
> Nov 21 21:47:55 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 192.168.2.102: ISSUE: authtime 1448160475, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN for krbtgt/RHELENT.LAN@RHELENT.LAN
>
> Nov 21 21:47:55 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3 etypes {17 23 16}) 192.168.2.102: ISSUE: authtime 1448160475, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN for HTTP/freeipa.rhelent.lan@RHELENT.LAN
>
> Here's for Kerby:
>
> Nov 21 21:47:11 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 etypes {17}) 192.168.2.102: ISSUE: authtime 1448160431, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN for krbtgt/RHELENT.LAN@RHELENT.LAN
>
> Nov 21 21:47:11 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes {17}) 192.168.2.102: PROCESS_TGS: authtime 0,  <unknown client> for HTTP/freeipa.rhelent.lan@RHELENT.LAN, ASN.1 structure is missing a required field
>
> The TGS_REQ line shows that the client is unknown... so maybe there's an
> issue with how the TGT is being used to create the SGT in Kerby?
>

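To read the two krb5kdc runs quoted in this thread side by side, here is a small parser and check added for this page (it is not Kerby code and is not from either poster). It turns each krb5kdc request line into a record and flags any TGS_REQ that did not end in ISSUE, distinguishing the "<unknown client>, authtime 0" case (the KDC reported the error before it had a decrypted TGT to take the client name from) from a failure that happened after the client was identified. The sample log is the five lines from the thread, re-joined onto one line each; the KdcEvent field names and the explain() wording are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The five krb5kdc lines quoted in the thread, each re-joined onto one line.
KDC_LOG = """\
Nov 21 21:47:55 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 192.168.2.102: NEEDED_PREAUTH: HTTP/s4u.rhelent.lan@RHELENT.LAN for krbtgt/RHELENT.LAN@RHELENT.LAN, Additional pre-authentication required
Nov 21 21:47:55 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 192.168.2.102: ISSUE: authtime 1448160475, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN for krbtgt/RHELENT.LAN@RHELENT.LAN
Nov 21 21:47:55 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3 etypes {17 23 16}) 192.168.2.102: ISSUE: authtime 1448160475, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN for HTTP/freeipa.rhelent.lan@RHELENT.LAN
Nov 21 21:47:11 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 etypes {17}) 192.168.2.102: ISSUE: authtime 1448160431, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN for krbtgt/RHELENT.LAN@RHELENT.LAN
Nov 21 21:47:11 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes {17}) 192.168.2.102: PROCESS_TGS: authtime 0,  <unknown client> for HTTP/freeipa.rhelent.lan@RHELENT.LAN, ASN.1 structure is missing a required field
"""

# Fixed prefix of a krb5kdc request line: timestamp, host, pid, level,
# request type, advertised enctypes, client address, status word.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]"
    r"\((?P<level>\w+)\): (?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# Remainder after the status word: optional authtime, optional issued
# enctypes, then "<client> for <server>" and an optional trailing error text.
REST_RE = re.compile(
    r"^(?:authtime (?P<authtime>\d+),\s*)?"
    r"(?:etypes \{(?P<issued>[^}]*)\},\s*)?"
    r"(?P<client>\S.*?) for (?P<server>[^,]+?)(?:, (?P<message>.*))?$"
)


@dataclass
class KdcEvent:                      # field names are this example's own
    timestamp: str
    req_type: str                    # AS_REQ or TGS_REQ
    offered_etypes: List[int]        # enctypes the client advertised
    client_addr: str
    status: str                      # ISSUE, NEEDED_PREAUTH, PROCESS_TGS, ...
    authtime: Optional[int]
    issued_etypes: Dict[str, int]    # rep/tkt/ses -> enctype, only on ISSUE
    client: Optional[str]            # None when the KDC wrote <unknown client>
    server: str
    message: Optional[str]           # trailing error text, if any


def parse_line(line: str) -> Optional[KdcEvent]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    r = REST_RE.match(m["rest"])
    if not r:
        return None
    client = r["client"].strip()
    issued: Dict[str, int] = {}
    if r["issued"]:
        issued = {k: int(v) for k, v in (kv.split("=") for kv in r["issued"].split())}
    return KdcEvent(
        timestamp=m["ts"],
        req_type=m["req"],
        offered_etypes=[int(e) for e in m["offered"].split()],
        client_addr=m["addr"],
        status=m["status"],
        authtime=int(r["authtime"]) if r["authtime"] is not None else None,
        issued_etypes=issued,
        client=None if client == "<unknown client>" else client,
        server=r["server"].strip(),
        message=r["message"],
    )


def parse_log(text: str) -> List[KdcEvent]:
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def failed_tgs(events: List[KdcEvent]) -> List[KdcEvent]:
    """TGS_REQ lines on which the KDC did not issue a service ticket."""
    return [e for e in events if e.req_type == "TGS_REQ" and e.status != "ISSUE"]


def explain(ev: KdcEvent) -> str:
    """One-line triage note for a failed TGS_REQ."""
    if ev.client is None and ev.authtime == 0:
        where = "failed before the KDC had a decrypted TGT to take the client name from"
    else:
        where = "failed after the KDC had identified the client"
    return f"{ev.timestamp} TGS_REQ from {ev.client_addr} for {ev.server} {where}: {ev.message}"


if __name__ == "__main__":
    for bad in failed_tgs(parse_log(KDC_LOG)):
        print(explain(bad))
```

Run against the quoted lines, the only flagged record is the Kerby TGS_REQ, with no client name, authtime 0 and the ASN.1 error text, while both AS_REQ ISSUE lines and the MIT TGS_REQ parse cleanly; the record also keeps the advertised enctypes, which shows the Kerby client offering only etype 17 against the MIT client's 17, 23 and 16.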