I can now get a ticket!

This is how I originally created the user:

$ kinit admin
$ ipa service-add HTTP/s4u.rhelent....@rhelent.lan --ok-as-delegate=true

Here's the object in the directory:

dn: krbprincipalname=HTTP/s4u.rhelent....@rhelent.lan,cn=services,cn=accounts,
 dc=rhelent,dc=lan
ipaKrbPrincipalAlias: HTTP/s4u.rhelent....@rhelent.lan
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
krbTicketFlags: 1048704
managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
krbPrincipalName: HTTP/s4u.rhelent....@rhelent.lan
ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
krbLastPwdChange: 20151112021359Z
krbExtraData:: AALn9UNWSFRUUC9zNHUucmhlbGVudC5sYW5AUkhFTEVOVC5MQU4A
krbLastSuccessfulAuth: 20151201165518Z

Just now, I ran:

[root@freeipa ~]# kadmin.local
Authenticating as principal admin/ad...@rhelent.lan with password.
kadmin.local: modprinc +ok_to_auth_as_delegate HTTP/s4u.rhelent.lan
Principal "HTTP/s4u.rhelent....@rhelent.lan" modified.

and now the directory object is

dn: krbprincipalname=HTTP/s4u.rhelent....@rhelent.lan,cn=services,cn=accounts,
 dc=rhelent,dc=lan
ipaKrbPrincipalAlias: HTTP/s4u.rhelent....@rhelent.lan
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
krbTicketFlags: 3145856
managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
krbPrincipalName: HTTP/s4u.rhelent....@rhelent.lan
ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
krbLastPwdChange: 20151112021359Z
krbExtraData:: AAIx3l1WYWRtaW4vYWRtaW5AUkhFTEVOVC5MQU4A
krbLastSuccessfulAuth: 20151201175200Z

Ticket flags clearly changed. Now to see if this works with ipa-web.

Thanks

Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902

On Tue, Dec 1, 2015 at 12:42 PM, Simo Sorce <s...@redhat.com> wrote:
> On Tue, 2015-12-01 at 11:55 -0500, Marc Boorshtein wrote:
>> >
>> > How do you acquire the user ticket ?
>> >
>>
>> Using a keytab. Here's a link to the example code I'm using:
>> https://github.com/ymartin59/java-kerberos-sfudemo I have Java set to
>> use IPA as the DNS server and I'm passing in mmosley as the user to
>> impersonate and HTTP/freeipa.rhelent.lan as the service that will
>> consume the impersonated user's ticket.
>>
>> > Do you have the kdc log (/var/log/krb5kdc.log) that shows what the
>> > server has been requested and what it released ?
>> >
>>
>> Sure:
>>
>> Dec 01 11:55:17 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
>> etypes {17 23 16}) 10.8.0.2: NEEDED_PREAUTH:
>> HTTP/s4u.rhelent....@rhelent.lan for krbtgt/rhelent....@rhelent.lan,
>> Additional pre-authentication required
>> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
>> etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
>> {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent....@rhelent.lan for
>> krbtgt/rhelent....@rhelent.lan
>> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3
>> etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
>> {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent....@rhelent.lan for
>> HTTP/s4u.rhelent....@rhelent.lan
>> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): ...
>> PROTOCOL-TRANSITION s4u-client=mmos...@rhelent.lan
>>
>> Thanks
>
> I think for s4u2self you may have missed a conf step (we primarily use
> s4u2proxy in the product *without* any s4u2self step).
>
> Can you check that you followed the procedure described here:
> https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-kdb/README.s4u2proxy.txt#n90
>
> I think the key part is setting the +ok_to_auth_as_delegate flag which
> we do not provide an official higher level interface for yet.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
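As an added example (not code from this thread, from FreeIPA or from MIT krb5): the two krbTicketFlags values quoted above, 1048704 and 3145856, are bitmasks of the KRB5_KDB_* attribute bits from MIT krb5's kdb.h, and their difference is exactly OK_TO_AUTH_AS_DELEGATE (0x00200000), the bit that "modprinc +ok_to_auth_as_delegate" sets and that the KDC checks before honouring S4U2Self. The flag table below is a subset of that header; the sample LDIF, realm and principal names are constructed for the example.

```python
# Added example: decode FreeIPA's krbTicketFlags (MIT krb5 KRB5_KDB_* bits). Sample LDIF is constructed.
KDB_FLAGS = {  # subset of the KRB5_KDB_* attribute bits from MIT krb5 kdb.h
    0x00000002: "DISALLOW_FORWARDABLE", 0x00000010: "DISALLOW_PROXIABLE",
    0x00000040: "DISALLOW_ALL_TIX",     0x00000080: "REQUIRES_PRE_AUTH",
    0x00000200: "REQUIRES_PWCHANGE",    0x00001000: "DISALLOW_SVR",
    0x00100000: "OK_AS_DELEGATE",       0x00200000: "OK_TO_AUTH_AS_DELEGATE",
}

def decode_ticket_flags(value):
    """Return the set of KDB flag names packed into a krbTicketFlags integer."""
    value = int(value)
    names = {name for bit, name in KDB_FLAGS.items() if value & bit}
    if value & ~sum(KDB_FLAGS):           # bits this table does not know about
        names.add("UNKNOWN_0x%x" % (value & ~sum(KDB_FLAGS)))
    return names

def s4u2self_ready(value):
    """True when the KDC will honour S4U2Self (protocol transition) for this principal."""
    return bool(int(value) & 0x00200000)  # the bit "modprinc +ok_to_auth_as_delegate" sets

def audit_ldif(ldif_text):
    """Map each principal in an LDIF dump to its decoded flags and S4U2Self state."""
    unfolded = []                          # fold LDIF continuation lines (leading space)
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    report, entry = {}, {}
    for line in unfolded + [""]:           # trailing "" flushes the last entry
        if not line:
            if "krbPrincipalName" in entry:
                flags = int(entry.get("krbTicketFlags", "0"))
                report[entry["krbPrincipalName"]] = {
                    "flags": decode_ticket_flags(flags), "s4u2self": s4u2self_ready(flags)}
            entry = {}
            continue
        key, _, val = line.partition(":")
        entry[key.strip()] = val.strip()
    return report

SAMPLE_LDIF = """\
dn: krbprincipalname=HTTP/s4u.example.test@EXAMPLE.TEST,cn=services,cn=accounts,
 dc=example,dc=test
krbPrincipalName: HTTP/s4u.example.test@EXAMPLE.TEST
krbTicketFlags: 3145856

dn: krbprincipalname=HTTP/web.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
krbPrincipalName: HTTP/web.example.test@EXAMPLE.TEST
krbTicketFlags: 1048704
"""
```

Running audit_ldif over a real ldapsearch dump of cn=services gives a quick inventory of which service principals are allowed to impersonate users, which is worth reviewing since that right is what S4U2Self grants.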