>
> How do you acquire the user ticket?
>

Using a keytab.  Here's a link to the example code I'm using:
https://github.com/ymartin59/java-kerberos-sfudemo

I have Java set to use IPA as the DNS server and I'm passing in mmosley
as the user to impersonate and HTTP/freeipa.rhelent.lan as the service
that will consume the impersonated user's ticket.

> Do you have the KDC log (/var/log/krb5kdc.log) that shows what the
> server has been requested and what it released?
>

Sure:

Dec 01 11:55:17 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
etypes {17 23 16}) 10.8.0.2: NEEDED_PREAUTH:
HTTP/s4u.rhelent....@rhelent.lan for krbtgt/rhelent....@rhelent.lan,
Additional pre-authentication required
Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
{rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent....@rhelent.lan for
krbtgt/rhelent....@rhelent.lan
Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3
etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
{rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent....@rhelent.lan for
HTTP/s4u.rhelent....@rhelent.lan
Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): ...
PROTOCOL-TRANSITION s4u-client=mmos...@rhelent.lan

Thanks
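
Added example, not part of the original message or the linked demo code: a small parser that reads krb5kdc.log lines like the ones above and pairs each PROTOCOL-TRANSITION (S4U2Self) entry with the TGS_REQ logged before it, so the requesting service, the impersonated user and any weak etypes offered are visible in one record. The sample log is constructed with placeholder principals, and treating etypes 16 and 23 as weak is an assumed site policy.

```python
import re

# Kerberos encryption type numbers as they appear in krb5kdc.log
ETYPES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK = {16, 23}  # assumption: site policy treats 3DES and RC4 as weak

# Constructed sample in krb5kdc.log format; host and principals are placeholders
SAMPLE = """\
Dec 01 11:55:18 kdc.example.test krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Dec 01 11:55:18 kdc.example.test krb5kdc[7507](info): TGS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.example.test@EXAMPLE.TEST for HTTP/s4u.example.test@EXAMPLE.TEST
Dec 01 11:55:18 kdc.example.test krb5kdc[7507](info): ... PROTOCOL-TRANSITION s4u-client=alice@EXAMPLE.TEST
"""

REQ = re.compile(
    r"\): (?P<type>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[\d ]+)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$")
ISSUED = re.compile(r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}, (\S+) for (\S+)")
S4U = re.compile(r"\.\.\. PROTOCOL-TRANSITION s4u-client=(\S+)")

def s4u2self_events(text):
    """Pair each PROTOCOL-TRANSITION line with the TGS_REQ logged before it."""
    events, last_tgs = [], None
    for line in text.splitlines():
        m = REQ.search(line)
        if m:
            issued = ISSUED.search(m["rest"]) if m["status"] == "ISSUE" else None
            last_tgs = None
            if m["type"] == "TGS_REQ" and issued:
                offered = [int(e) for e in m["offered"].split()]
                last_tgs = {
                    "source": m["addr"],
                    "service": issued[4],   # principal that asked to impersonate
                    "target": issued[5],    # S4U2Self: a ticket to itself
                    "ticket_etype": ETYPES.get(int(issued[2]), issued[2]),
                    "weak_offered": [ETYPES[e] for e in offered if e in WEAK],
                }
            continue
        m = S4U.search(line)
        if m and last_tgs:
            events.append({**last_tgs, "impersonated": m[1]})
            last_tgs = None
    return events

if __name__ == "__main__":
    for ev in s4u2self_events(SAMPLE):
        print(ev)
```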
