Subject: Re: KDC is rejecting my TGS
From: Marc Boorshtein
To: kerby@directory.apache.org
Date: Mon, 23 Nov 2015 15:50:22 -0500

OK, so that DOES get me an SGT! Now I just need to figure out how to convert that into a SPNEGO negotiate header. Any thoughts?

On Mon, Nov 23, 2015 at 9:16 AM, Marc Boorshtein wrote:
> Interesting. I'll give that a try.
> On Nov 23, 2015 9:02 AM, "Zheng, Kai" wrote:
>
>> Maybe we can be back to this issue some time later after I fix the
>> sessionkey/subkey issue.
>> For now, we can try (and also should try) the approach used by Steve
>> (actually aligned with MIT kinit -S behavior): request the service ticket
>> directly using the AS-REQ. So your code may be as follows.
>>
>>     KrbClient kerb = new KrbClient(new File("/Users/mlb/Documents/testkerb"));
>>     kerb.init();
>>     kerb.setKdcRealm("RHELENT.LAN");
>>     KOptions requestOptions = new KOptions();
>>     requestOptions.add(KrbOption.CLIENT_PRINCIPAL, "HTTP/s4u.rhelent.lan@RHELENT.LAN");
>>     requestOptions.add(KrbOption.SERVER_PRINCIPAL,
>>             new PrincipalName("HTTP/freeipa.rhelent.lan@RHELENT.LAN", NameType.NT_UNKNOWN));
>>     requestOptions.add(KrbOption.USE_KEYTAB, true);
>>     requestOptions.add(KrbOption.KEYTAB_FILE, new File("/Users/mlb/Documents/localdev.keytab"));
>>     requestOptions.add(KrbOption.FORWARDABLE, true);
>>     requestOptions.add(KrbOption.PROXIABLE, false);
>>     requestOptions.add(KrbOption.RENEWABLE_OK, false);
>>
>>     TgtTicket tgt = kerb.requestTgtWithOptions(requestOptions);
>>
>> Then the tgt should actually be the service ticket you desired.
>>
>> -----Original Message-----
>> From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
>> Sent: Monday, November 23, 2015 9:53 PM
>> To: kerby@directory.apache.org
>> Subject: Re: KDC is rejecting my TGS
>>
>> Yes, I did. I also have several minor changes to get it to line up with
>> the way Java's libraries are working, so I wonder if the merge missed
>> something. I'll try debugging it tonight.
>>
>> On Mon, Nov 23, 2015 at 8:19 AM, Zheng, Kai wrote:
>>
>> > OK. Did you make the following change as I told in my last email, in
>> > addition to checking out the latest commits?
>> > ====
>> > If you'd just go on with your case, please make the following change
>> > and try.
>> > In client side TgsRequest.java: processResponse(), use
>> > KeyUsage.TGS_REP_ENCPART_SUBKEY.
>> > ====
>> >
>> > -----Original Message-----
>> > From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
>> > Sent: Monday, November 23, 2015 9:05 PM
>> > To: kerby@directory.apache.org
>> > Subject: Re: KDC is rejecting my TGS
>> >
>> > New error:
>> >
>> > Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 etypes {17}) 192.168.2.129: ISSUE: authtime 1448283454, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN for krbtgt/RHELENT.LAN@RHELENT.LAN
>> >
>> > Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0, HTTP/s4u.rhelent.lan@RHELENT.LAN for HTTP/freeipa.rhelent.lan@RHELENT.LAN, Decrypt integrity check failed
>> >
>> > Here's the packet trace:
>> >
>> > https://s3.amazonaws.com/ts-public-downloads/captures/kerb-bad_integrity.pcapng
>> >
>> > On Mon, Nov 23, 2015 at 4:22 AM, Zheng, Kai wrote:
>> >
>> > > With the above fixup, I hit another issue: the Kerby client failed to
>> > > decrypt the TGS-REP.
>> > >
>> > > I got it to work in my setup, but I can't commit the code because
>> > > there are more cases to be investigated. Ref. the issue
>> > > https://issues.apache.org/jira/browse/DIRKRB-472
>> > >
>> > > Marc,
>> > > if you'd just go on with your case, please make the following change
>> > > and try.
>> > > In client side TgsRequest.java: processResponse(), use
>> > > KeyUsage.TGS_REP_ENCPART_SUBKEY.
>> > >
>> > > -----Original Message-----
>> > > From: Zheng, Kai [mailto:kai.zheng@intel.com]
>> > > Sent: Monday, November 23, 2015 2:21 PM
>> > > To: kerby@directory.apache.org
>> > > Subject: RE: KDC is rejecting my TGS
>> > >
>> > > Filed and resolved the following issue to track the authenticator
>> > > issue we're handling.
>> > > Will set up a box to test: Kerby client -> MIT KDC (in the service ticket
>> > > path).
>> > >
>> > >     commit df6ba15d4f990b104efcf36ede913f4eeb09a872
>> > >     Author: Drankye
>> > >     Date:   Tue Nov 24 14:16:32 2015 +0800
>> > >
>> > >         DIRKRB-469 & DIRKRB-470 setting vno & cksum fields when making authenticator
>> > >
>> > > -----Original Message-----
>> > > From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
>> > > Sent: Monday, November 23, 2015 11:30 AM
>> > > To: kerby@directory.apache.org
>> > > Subject: RE: KDC is rejecting my TGS
>> > >
>> > > Ah. That would do it :) Sounds like we are getting close!
>> > >
>> > > Thanks
>> > > Marc
>> > > On Nov 22, 2015 10:27 PM, "Zheng, Kai" wrote:
>> > >
>> > > > OK, forget it. I just checked the code, and found the checksum
>> > > > isn't computed and filled in the authenticator. I will get it fixed ASAP.
>> > > >
>> > > > Regards,
>> > > > Kai
>> > > >
>> > > > -----Original Message-----
>> > > > From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
>> > > > Sent: Monday, November 23, 2015 11:24 AM
>> > > > To: kerby@directory.apache.org
>> > > > Subject: RE: KDC is rejecting my TGS
>> > > >
>> > > > > Cool!! Thanks a lot for getting the hard issue figured out.
>> > > >
>> > > > My pleasure. I'm glad I'm making progress.
>> > > >
>> > > > > I'm looking at the checksum issue, and trying to get into the
>> > > > > context. Did you try the usage value of 10 or 6? Could you give
>> > > > > me a snapshot of the stack trace (or call stack) so I can know
>> > > > > sooner about the context? Thanks.
>> > > >
>> > > > I haven't yet. I've shut down for the night, but there really
>> > > > isn't a stack trace because MIT is returning a Kerberos generic
>> > > > error (with the accompanying log messages I sent over). I wanted
>> > > > to make sure I was reading the code properly before I started
>> > > > trying things since MIT isn't giving me the best error messages.
>> > > > I'll give it a go tomorrow.
>> > > >
>> > > > Thanks
>> > > > Marc
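The two krb5kdc lines quoted above (AS_REQ issued, then TGS_REQ ending in "Decrypt integrity check failed") are the only diagnostic MIT gives in this thread, so it pays to be able to pull such lines apart mechanically. The following Python example is added here and is neither Kerby code nor part of the thread: it parses krb5kdc request lines into fields and flags the requests the KDC did not answer with ISSUE. The sample input is the two lines from the thread, re-joined onto single lines; the field names in the regex are this example's own choice.

```python
"""Parse MIT krb5kdc log lines and pick out requests the KDC did not issue."""
import re

# Constructed sample: the two log lines quoted in the thread, re-joined onto single lines.
SAMPLE_KDC_LOG = """\
Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 etypes {17}) 192.168.2.129: ISSUE: authtime 1448283454, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN for krbtgt/RHELENT.LAN@RHELENT.LAN
Nov 23 07:57:34 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0, HTTP/s4u.rhelent.lan@RHELENT.LAN for HTTP/freeipa.rhelent.lan@RHELENT.LAN, Decrypt integrity check failed
"""

# One krb5kdc request line: timestamp, host, pid, request type, client etypes, peer,
# status, authtime, optional reply etypes, "client for server", optional error text.
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<n_etypes>\d+) etypes \{(?P<etypes>[^}]*)\}\) (?P<peer>\S+): "
    r"(?P<status>[A-Z_]+): authtime (?P<authtime>\d+), "
    r"(?:etypes \{(?P<rep_etypes>[^}]*)\}, )?"
    r"(?P<client>\S+) for (?P<server>[^,]+)(?:, (?P<detail>.*))?$"
)


def parse_kdc_line(line: str):
    """Return a dict of fields for a request line, or None for any other log line."""
    m = KDC_LINE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["authtime"] = int(rec["authtime"])
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]  # "{17}" -> [17]
    return rec


def parse_kdc_log(text: str) -> list:
    """Parse every request line in a block of krb5kdc log text."""
    return [r for r in (parse_kdc_line(ln) for ln in text.splitlines()) if r]


def find_failures(records: list) -> list:
    """Requests whose status is anything other than ISSUE (here: PROCESS_TGS with error text)."""
    return [r for r in records if r["status"] != "ISSUE"]


def summarize(records: list) -> list:
    """Compact one-line summaries, handy when comparing a reproduction against a trace."""
    return [
        f"{r['req']} {r['client']} -> {r['server']}: {r['status']}"
        + (f" ({r['detail']})" if r["detail"] else "")
        for r in records
    ]
```

In the sample, the AS_REQ is answered with ISSUE and the TGS_REQ for HTTP/freeipa.rhelent.lan stops at PROCESS_TGS with "Decrypt integrity check failed", which is the KDC saying it could not verify the ticket or authenticator in the TGS-REQ; the thread traces that to the client-side authenticator (checksum fields, then key usage), not to the KDC.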
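Marc's open question (how to turn the service ticket into a SPNEGO Negotiate header) is a matter of wrapping rather than of Kerby's API: the SGT goes into a KRB_AP_REQ, the AP-REQ goes into a Kerberos V5 GSS-API initial context token (RFC 4121), that token becomes the mechToken of a SPNEGO NegTokenInit (RFC 4178), the NegTokenInit is wrapped in an outer GSS-API InitialContextToken (RFC 2743), and the result is base64-encoded after "Negotiate ". The Python example below is added here; it is not Kerby code and not from the thread. It encodes those DER layers by building a header and parsing one back the way a server or gateway would before handing the AP-REQ to its Kerberos library. The AP-REQ bytes are a constructed placeholder: producing a real one needs the session key and an encrypted authenticator, which is what Kerby provides.

```python
"""Build and parse an HTTP "Negotiate" header carrying a Kerberos AP-REQ.

Layering (outermost first), per RFC 2743 / RFC 4178 / RFC 4121:
  "Negotiate " + base64( [APPLICATION 0] { SPNEGO OID, NegTokenInit } )
  NegTokenInit { mechTypes [0] SEQUENCE OF OID, mechToken [2] OCTET STRING }
  mechToken = [APPLICATION 0] { krb5 OID, TOK_ID 01 00, AP-REQ DER }
"""
import base64

KRB5_MECH_OID = "1.2.840.113554.1.2.2"  # Kerberos V5 GSS-API mechanism
SPNEGO_OID = "1.3.6.1.5.5.2"            # SPNEGO pseudo-mechanism
KRB5_AP_REQ_TOK_ID = b"\x01\x00"        # TOK_ID that precedes a KRB_AP_REQ


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but the last octet
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def _oid_to_str(raw: bytes) -> str:
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def build_negotiate_header(ap_req: bytes) -> str:
    """Wrap a DER-encoded AP-REQ into the value of an Authorization header."""
    krb5_token = der_tlv(0x60, der_oid(KRB5_MECH_OID) + KRB5_AP_REQ_TOK_ID + ap_req)
    mech_types = der_tlv(0xA0, der_tlv(0x30, der_oid(KRB5_MECH_OID)))
    mech_token = der_tlv(0xA2, der_tlv(0x04, krb5_token))
    neg_token_init = der_tlv(0xA0, der_tlv(0x30, mech_types + mech_token))
    spnego = der_tlv(0x60, der_oid(SPNEGO_OID) + neg_token_init)
    return "Negotiate " + base64.b64encode(spnego).decode("ascii")


def parse_negotiate_header(header: str) -> dict:
    """Unwrap a Negotiate header; return the offered mech OIDs and the inner AP-REQ bytes."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    tag, body, _ = _read_tlv(base64.b64decode(b64), 0)
    if tag != 0x60:
        raise ValueError("outer token is not a GSS-API InitialContextToken")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or _oid_to_str(oid) != SPNEGO_OID:
        raise ValueError("outer token is not SPNEGO")
    tag, choice, _ = _read_tlv(body, pos)
    if tag != 0xA0:                       # [0] negTokenInit; a [1] negTokenResp is a reply
        raise ValueError("expected NegTokenInit")
    _, seq, _ = _read_tlv(choice, 0)
    mechs, mech_token, pos = [], None, 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag == 0xA0:                   # mechTypes: SEQUENCE OF OID
            _, lst, _ = _read_tlv(val, 0)
            p = 0
            while p < len(lst):
                _, o, p = _read_tlv(lst, p)
                mechs.append(_oid_to_str(o))
        elif tag == 0xA2:                 # mechToken: OCTET STRING
            _, mech_token, _ = _read_tlv(val, 0)
    if mech_token is None:
        raise ValueError("NegTokenInit carries no mechToken")
    tag, inner, _ = _read_tlv(mech_token, 0)
    _, oid, pos = _read_tlv(inner, 0)
    if tag != 0x60 or _oid_to_str(oid) != KRB5_MECH_OID:
        raise ValueError("mechToken is not a Kerberos V5 GSS token")
    if inner[pos:pos + 2] != KRB5_AP_REQ_TOK_ID:
        raise ValueError("Kerberos token is not a KRB_AP_REQ")
    return {"mech_types": mechs, "ap_req": inner[pos + 2:]}


# Constructed placeholder: tag 0x6E is APPLICATION 14 (AP-REQ), but the body is not a real one.
SAMPLE_AP_REQ = der_tlv(0x6E, b"placeholder AP-REQ body, not a real ticket")
```

Two caveats for anyone wiring this to a real ticket: the AP-REQ inside a GSS token must carry the GSS-API checksum (cksumtype 0x8003) in its authenticator, not an ordinary Kerberos checksum, so an AP-REQ built for plain KRB_AP_REQ use will be rejected by a GSS acceptor; and the parser above deliberately rejects a negTokenResp, since that form only appears in the server's reply.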