On 27/10/15 13:11, Marc Boorshtein wrote:
All,

I'm trying to create an S4u2self/proxy that will give me a ticket to
log into ipa web.  I have ipa installed on centos 7 and the client
installed on centos 6.  The client is written in Java (Java 8).  When
I try the following impersonation code:

import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import com.sun.security.jgss.ExtendedGSSCredential;

// Acquire our own initiator credential (the HTTP/ service principal in the ccache).
GSSManager manager = GSSManager.getInstance();
GSSCredential self = manager.createCredential(GSSCredential.INITIATE_ONLY);

// The user we want to act on behalf of via S4U2self (protocol transition).
GSSName user = manager.createName("mmosley", GSSName.NT_USER_NAME);

// Ask the KDC for a ticket to ourselves in that user's name.
GSSCredential impCred = ((ExtendedGSSCredential) self).impersonate(user);

I get the following output from Java:

[tremoloadmin@unison-freeipa ~]$ java -Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true -jar tests4u-1.0-SNAPSHOT-jar-with-dependencies.jar
Hello World!
Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential)
No Subject
KinitOptions cache name is /tmp/krb5cc_500
DEBUG <CCacheInputStream>  client principal is HTTP/unison-freeipa.rhelent....@rhelent.lan
DEBUG <CCacheInputStream> server principal is krbtgt/rhelent....@rhelent.lan
DEBUG <CCacheInputStream> key type: 18
DEBUG <CCacheInputStream> auth time: Mon Oct 26 21:11:17 EDT 2015
DEBUG <CCacheInputStream> start time: Mon Oct 26 21:11:17 EDT 2015
DEBUG <CCacheInputStream> end time: Tue Oct 27 21:11:17 EDT 2015
DEBUG <CCacheInputStream> renew_till time: Tue Oct 27 21:11:18 EDT 2015
CCacheInputStream: readFlags()  FORWARDABLE; RENEWABLE; INITIAL; PRE_AUTH;
DEBUG <CCacheInputStream>  client principal is HTTP/unison-freeipa.rhelent....@rhelent.lan
Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config
DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/rhelent....@rhelent.lan@RHELENT.LAN
DEBUG <CCacheInputStream> key type: 0
DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969
DEBUG <CCacheInputStream> start time: null
DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969
DEBUG <CCacheInputStream> renew_till time: null
CCacheInputStream: readFlags()
Found ticket for HTTP/unison-freeipa.rhelent....@rhelent.lan to go to krbtgt/rhelent....@rhelent.lan expiring on Tue Oct 27 21:11:17 EDT 2015
Search Subject for SPNEGO INIT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
No Subject
Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential)
No Subject
KinitOptions cache name is /tmp/krb5cc_500
DEBUG <CCacheInputStream>  client principal is HTTP/unison-freeipa.rhelent....@rhelent.lan
DEBUG <CCacheInputStream> server principal is krbtgt/rhelent....@rhelent.lan
DEBUG <CCacheInputStream> key type: 18
DEBUG <CCacheInputStream> auth time: Mon Oct 26 21:11:17 EDT 2015
DEBUG <CCacheInputStream> start time: Mon Oct 26 21:11:17 EDT 2015
DEBUG <CCacheInputStream> end time: Tue Oct 27 21:11:17 EDT 2015
DEBUG <CCacheInputStream> renew_till time: Tue Oct 27 21:11:18 EDT 2015
CCacheInputStream: readFlags()  FORWARDABLE; RENEWABLE; INITIAL; PRE_AUTH;
DEBUG <CCacheInputStream>  client principal is HTTP/unison-freeipa.rhelent....@rhelent.lan
DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/rhelent....@rhelent.lan@RHELENT.LAN
DEBUG <CCacheInputStream> key type: 0
DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969
DEBUG <CCacheInputStream> start time: null
DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969
DEBUG <CCacheInputStream> renew_till time: null
CCacheInputStream: readFlags()
Found ticket for HTTP/unison-freeipa.rhelent....@rhelent.lan to go to krbtgt/rhelent....@rhelent.lan expiring on Tue Oct 27 21:11:17 EDT 2015
CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
KdcAccessibility: reset
getKDCFromDNS using UDP
KrbKdcReq send: kdc=freeipa.rhelent.lan. UDP:88, timeout=30000, number of retries =3, #bytes=825
KDCCommunication: kdc=freeipa.rhelent.lan. UDP:88, timeout=30000,Attempt =1, #bytes=825
KrbKdcReq send: #bytes read=680
KdcAccessibility: remove freeipa.rhelent.lan.:88
EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
KrbKdcRep.check: at #1. request for true, received false
Exception in thread "main" GSSException: Failure unspecified at GSS-API level (Mechanism level: Attempt to obtain S4U2self credentials failed!)
    at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
    at sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:94)
    at sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:141)
    at io.tremolo.App.main(App.java:27)
Caused by: KrbException: Message stream modified (41)
    at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:73)
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:87)
    at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:259)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:270)
    at sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:67)
    at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
    at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
    ... 3 more

Looking at KrbKdcRep.java:73 it looks like the failure is happening
because Java is setting the forwardable flag to true on the request
but the response has no options in it.  Should the forwardable option
be false in the request?

That's a fair guess.
The whole point of constrained delegation (including protocol impersonation) is that you do not want to forward tickets, so you shouldn't ask for forwardable tickets, methinks.

Simo.




I setup my client with:

ipa - freeipa.rhelent.lan
sp - freeipa.rhelent.lan
proxy - unison-freeipa.rhelent.lan

$ ipa service-add HTTP/unison-freeipa.rhelent....@rhelent.lan --ok-as-delegate=true
Added the following to 389:

dn: cn=ipaweb-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=rhelent,dc=lan
objectClass: groupOfPrincipals
objectClass: top
cn: ipaweb-http-delegation-targets
memberPrincipal: HTTP/freeipa.rhelent....@rhelent.lan

dn: cn=unison-http-delegation,cn=s4u2proxy,cn=etc,dc=rhelent,dc=lan
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: unison-http-delegation
memberPrincipal: HTTP/unison-freeipa.rhelent....@rhelent.lan
ipaAllowedTarget: cn=ipaweb-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=rhelent,dc=lan

then created a keytab and was able to kinit with it:

ipa-getkeytab -s freeipa.rhelent.lan -p HTTP/unison-freeipa.rhelent....@rhelent.lan -k unison-freeipa.keytab

Finally, when I look at the packets I see one request and one response:

request:

Kerberos
     tgs-req
         pvno: 5
         msg-type: krb-tgs-req (12)
         padata: 2 items
             PA-DATA PA-FOR-USER
                 padata-type: kRB5-PADATA-S4U2SELF (129)
                     padata-value: 304fa0143012a003020101a10b30091b076d6d6f736c6579...
                         name
                             name-type: kRB5-NT-PRINCIPAL (1)
                             name-string: 1 item
                                 KerberosString: mmosley
                         realm: RHELENT.LAN
                         cksum
                             cksumtype: cKSUMTYPE-HMAC-MD5 (-138)
                             checksum: fdd3addace7f48fe263bfcc1a4dbec72
                         auth: Kerberos
             PA-DATA PA-TGS-REQ
                 padata-type: kRB5-PADATA-TGS-REQ (1)
                     padata-value: 6e82023730820233a003020105a10302010ea20703050000...
                         ap-req
                             pvno: 5
                             msg-type: krb-ap-req (14)
                             Padding: 0
                             ap-options: 00000000
                                 0... .... = reserved: False
                                 .0.. .... = use-session-key: False
                                 ..0. .... = mutual-required: False
                             ticket
                                 tkt-vno: 5
                                 realm: RHELENT.LAN
                                 sname
                                     name-type: kRB5-NT-SRV-INST (2)
                                     name-string: 2 items
                                         KerberosString: krbtgt
                                         KerberosString: RHELENT.LAN
                                 enc-part
                                     etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                     kvno: 1
                                     cipher: a07df35b253755d20a234bb8f5ce573e06e27d95f9e4c996...
                             authenticator
                                 etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                 cipher: fe25dc900c05901a5b1c778f0d0410fd245e58507dc4ac40...
         req-body
             Padding: 0
             kdc-options: 40000000 (forwardable)
                 0... .... = reserved: False
                 .1.. .... = forwardable: True
                 ..0. .... = forwarded: False
                 ...0 .... = proxiable: False
                 .... 0... = proxy: False
                 .... .0.. = allow-postdate: False
                 .... ..0. = postdated: False
                 .... ...0 = unused7: False
                 0... .... = renewable: False
                 .0.. .... = unused9: False
                 ..0. .... = unused10: False
                 ...0 .... = opt-hardware-auth: False
                 .... ..0. = request-anonymous: False
                 .... ...0 = canonicalize: False
                 0... .... = constrained-delegation: False
                 ..0. .... = disable-transited-check: False
                 ...0 .... = renewable-ok: False
                 .... 0... = enc-tkt-in-skey: False
                 .... ..0. = renew: False
                 .... ...0 = validate: False
             realm: RHELENT.LAN
             sname
                 name-type: kRB5-NT-PRINCIPAL (1)
                 name-string: 2 items
                     KerberosString: HTTP
                     KerberosString: unison-freeipa.rhelent.lan
             till: 1970-01-01 00:00:00 (UTC)
             nonce: 1950860413
             etype: 4 items
                 ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                 ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
                 ENCTYPE: eTYPE-DES3-CBC-SHA1 (16)
                 ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)

And the response:
Kerberos
     tgs-rep
         pvno: 5
         msg-type: krb-tgs-rep (13)
         crealm: RHELENT.LAN
         cname
             name-type: kRB5-NT-PRINCIPAL (1)
             name-string: 1 item
                 KerberosString: mmosley
         ticket
             tkt-vno: 5
             realm: RHELENT.LAN
             sname
                 name-type: kRB5-NT-PRINCIPAL (1)
                 name-string: 2 items
                     KerberosString: HTTP
                     KerberosString: unison-freeipa.rhelent.lan
             enc-part
                 etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                 kvno: 1
                 cipher: d5ba7253ac30a63034ac5985fa0c782dc86cb0a9dd859127...
         enc-part
             etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
             cipher: 7c6f2034caddf129d1550b91f4ef0157b2f9ac4c351023d3...

On the IPA server I get:

Oct 26 23:29:40 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.2.167: ISSUE: authtime 1445908277, etypes {rep=18 tkt=18 ses=18}, HTTP/unison-freeipa.rhelent....@rhelent.lan for HTTP/unison-freeipa.rhelent....@rhelent.lan

Oct 26 23:29:40 freeipa.rhelent.lan krb5kdc[7507](info): ... PROTOCOL-TRANSITION s4u-client=mmos...@rhelent.lan

It looks like everything is working, right?  If either Java didn't
set the forwardable to "true" or IPA sent the options back in the
response I'd be in business? Any thoughts?

Thanks

Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902



--
Simo Sorce * Red Hat, Inc * New York
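The flag comparison Marc points at, as an added example that is not from this thread, from FreeIPA or from the JDK: it decodes the kdc-options mask shown in the capture (40000000) using the bit positions of RFC 4120 section 5.4.1 and the field names from the Wireshark dissection above, and then replays a simplified request-versus-reply check that reports "requested true, received false" for the first mismatching bit. check_reply is a hypothetical stand-in for the client-side strictness, not the JDK's KrbKdcRep.check; the names request-anonymous, canonicalize and constrained-delegation are the dissector's labels rather than RFC 4120's; the empty reply mask is constructed to match Marc's reading that the response carried no options.

```python
"""Decode Kerberos KDCOptions / TicketFlags masks and replay a simplified
request-vs-reply consistency check of the kind that produced
KRB_AP_ERR_MODIFIED (41) in the Java trace.  Added example: bit positions
follow RFC 4120 section 5.4.1; the names of bits 14-16 follow the Wireshark
dissection quoted in the thread, not the RFC."""

# ASN.1 BIT STRING position (0 = most significant bit) -> option name.
KDC_OPTION_BITS = {
    1: "forwardable",
    2: "forwarded",
    3: "proxiable",
    4: "proxy",
    5: "allow-postdate",
    6: "postdated",
    8: "renewable",
    11: "opt-hardware-auth",
    14: "request-anonymous",       # dissector label, not RFC 4120
    15: "canonicalize",            # dissector label, not RFC 4120
    16: "constrained-delegation",  # dissector label (S4U2proxy), not RFC 4120
    26: "disable-transited-check",
    27: "renewable-ok",
    28: "enc-tkt-in-skey",
    30: "renew",
    31: "validate",
}
NAME_TO_BIT = {name: bit for bit, name in KDC_OPTION_BITS.items()}

# TicketFlags reuse these low positions, so a client can compare what it
# asked for with what the reply's ticket flags actually carry.
CHECKED_BITS = (1, 2, 3, 4, 5, 6, 8)

KRB_AP_ERR_MODIFIED = 41  # "Message stream modified", as in the Java trace


def bit_is_set(mask: int, bit: int) -> bool:
    """True if BIT STRING position `bit` is set in a 32-bit mask."""
    return bool(mask & (1 << (31 - bit)))


def decode_options(hex_mask: str) -> set:
    """'40000000' (as Wireshark prints kdc-options) -> {'forwardable'}."""
    mask = int(hex_mask, 16)
    return {name for bit, name in KDC_OPTION_BITS.items() if bit_is_set(mask, bit)}


def encode_options(names) -> str:
    """Inverse of decode_options: option names -> 8-hex-digit mask."""
    mask = 0
    for name in names:
        mask |= 1 << (31 - NAME_TO_BIT[name])
    return f"{mask:08x}"


def check_reply(request_hex: str, reply_flags_hex: str):
    """Hypothetical strict client check: every checked bit the request set
    must also be set in the reply's ticket flags.  Returns None when
    consistent, else (bit, name, error_code) for the first bit that was
    'requested true, received false'."""
    req = int(request_hex, 16)
    rep = int(reply_flags_hex, 16)
    for bit in CHECKED_BITS:
        if bit_is_set(req, bit) and not bit_is_set(rep, bit):
            return bit, KDC_OPTION_BITS[bit], KRB_AP_ERR_MODIFIED
    return None


if __name__ == "__main__":
    # Request mask from the capture: the S4U2self TGS-REQ asked for forwardable.
    print(decode_options("40000000"))            # {'forwardable'}
    # Constructed reply mask with no flags, matching "the response has no options".
    print(check_reply("40000000", "00000000"))   # (1, 'forwardable', 41)
    # Same request with forwardable dropped, as Simo suggests: the check passes.
    print(check_reply(encode_options(set()), "00000000"))  # None
```

The takeaway matches Simo's answer: for S4U2self the requester should not set forwardable, so the requested bits and the returned ticket flags agree and a strict client has nothing to reject.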

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project