>> >> Looking at KrbKdcRep.java:73 it looks like the failure is happening >> because java is setting the forwardable flag to true on the request >> but the response has no options in it. Should the forwardable option >> be false in the request? > > > That's a fair guess. > the whole point of constrained delegation (including protocol impersonation) > is that you do not want to forward tickets, so you shouldn't ask for > forwardable tickets methinks. > > Simo. >
Thanks Simio. I tried running kinit with forwarding disabled: $ kinit HTTP/unison-freeipa.rhelent....@rhelent.lan -k -t ./unison-freeipa.keytab -F $ klist -f Ticket cache: FILE:/tmp/krb5cc_500 Default principal: HTTP/unison-freeipa.rhelent....@rhelent.lan Valid starting Expires Service principal 10/27/15 15:32:52 10/28/15 15:32:52 krbtgt/rhelent....@rhelent.lan Flags: IA But when I try again Java refuses to generate the ticket: tremoloadmin@unison-freeipa ~]$ klist -f Ticket cache: FILE:/tmp/krb5cc_500 Default principal: HTTP/unison-freeipa.rhelent....@rhelent.lan Valid starting Expires Service principal 10/27/15 15:32:52 10/28/15 15:32:52 krbtgt/rhelent....@rhelent.lan Flags: IA Hello World! Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential) No Subject >>>KinitOptions cache name is /tmp/krb5cc_500 >>>DEBUG <CCacheInputStream> client principal is >>>HTTP/unison-freeipa.rhelent....@rhelent.lan >>>DEBUG <CCacheInputStream> server principal is krbtgt/rhelent....@rhelent.lan >>>DEBUG <CCacheInputStream> key type: 18 >>>DEBUG <CCacheInputStream> auth time: Tue Oct 27 15:32:52 EDT 2015 >>>DEBUG <CCacheInputStream> start time: Tue Oct 27 15:32:52 EDT 2015 >>>DEBUG <CCacheInputStream> end time: Wed Oct 28 15:32:52 EDT 2015 >>>DEBUG <CCacheInputStream> renew_till time: null >>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH; >>>DEBUG <CCacheInputStream> client principal is >>>HTTP/unison-freeipa.rhelent....@rhelent.lan Java config name: /home/tremoloadmin/krb5.conf Loaded from Java config >>>DEBUG <CCacheInputStream> server principal is >>>X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/rhelent....@rhelent.lan@RHELENT.LAN >>>DEBUG <CCacheInputStream> key type: 0 >>>DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969 >>>DEBUG <CCacheInputStream> start time: null >>>DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969 >>>DEBUG <CCacheInputStream> renew_till time: null >>> CCacheInputStream: readFlags() Found ticket for HTTP/unison-freeipa.rhelent....@rhelent.lan to go to krbtgt/rhelent....@rhelent.lan expiring on Wed Oct 28 15:32:52 EDT 2015 Search Subject for SPNEGO INIT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement) No Subject Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential) No Subject >>>KinitOptions cache name is /tmp/krb5cc_500 >>>DEBUG <CCacheInputStream> client principal is >>>HTTP/unison-freeipa.rhelent....@rhelent.lan >>>DEBUG <CCacheInputStream> server principal is krbtgt/rhelent....@rhelent.lan >>>DEBUG <CCacheInputStream> key type: 18 >>>DEBUG <CCacheInputStream> auth time: Tue Oct 27 15:32:52 EDT 2015 >>>DEBUG <CCacheInputStream> start time: Tue Oct 27 15:32:52 EDT 2015 >>>DEBUG <CCacheInputStream> end time: Wed Oct 28 15:32:52 EDT 2015 >>>DEBUG <CCacheInputStream> renew_till time: null >>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH; >>>DEBUG <CCacheInputStream> client principal is >>>HTTP/unison-freeipa.rhelent....@rhelent.lan >>>DEBUG <CCacheInputStream> server principal is >>>X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/rhelent....@rhelent.lan@RHELENT.LAN >>>DEBUG <CCacheInputStream> key type: 0 >>>DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969 >>>DEBUG <CCacheInputStream> start time: null >>>DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969 >>>DEBUG <CCacheInputStream> renew_till time: null >>> CCacheInputStream: readFlags() Found ticket for HTTP/unison-freeipa.rhelent....@rhelent.lan to go to krbtgt/rhelent....@rhelent.lan expiring on Wed Oct 28 15:32:52 EDT 2015 >>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType Exception in thread "main" GSSException: Failure unspecified at GSS-API level (Mechanism level: Attempt to obtain S4U2self credentials failed!) at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357) at sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:94) at sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:141) at io.tremolo.App.main(App.java:27) Caused by: KrbException: Invalid option setting in ticket request. (101) at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:165) at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:100) at sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:66) at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463) at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353) ... 3 more Looking at KrbTgsReq line 165: if (options.get(KDCOptions.FORWARDABLE) && (!(asCreds.flags.get(Krb5.TKT_OPTS_FORWARDABLE)))) { throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS); } If I read this correctly it has to be forwardable? If thats the case is Java wrong for requiring the options to be there or is ipa wrong for not sending the options with the response ticket? Thanks -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project