[Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-10-27 Thread Marc Boorshtein
All, I'm trying to create an S4u2self/proxy that will give me a ticket to log into ipa web. I have ipa installed on centos 7 and the client installed on centos 6. The client is written in Java (Java 8). When I try the following impersonation code:

GSSManager manager = GSSManager.getInstance();

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Marc Boorshtein
Simo & Team, After talking to the OpenJDK security list it turned out there is a bug in JDK8. The issue is fixed in JDK9 and after testing I'm running into a new issue. Same scenario described earlier in this email chain, but now it looks like the TGS-REP is not being marked as forwardable which

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Simo Sorce
On Tue, 2015-12-01 at 11:34 -0500, Marc Boorshtein wrote:
> Simo & Team,
>
> After talking to the OpenJDK security list it turned out there is a
> bug in JDK8. The issue is fixed in JDK9 and after testing I'm running
> into a new issue. Same scenario described earlier in this email
> chain, but

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Marc Boorshtein
>
> How do you acquire the user ticket ?
>

Using a keytab. Here's a link to the example code I'm using: https://github.com/ymartin59/java-kerberos-sfudemo I have Java set to use IPA as the DNS server and I'm passing in mmosley as the user to impersonate and HTTP/freeipa.rhelent.lan as the servic

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Simo Sorce
On Tue, 2015-12-01 at 11:55 -0500, Marc Boorshtein wrote:
> >
> > How do you acquire the user ticket ?
> >
>
> Using a keytab. Here's a link to the example code I'm using:
> https://github.com/ymartin59/java-kerberos-sfudemo I have Java set to
> use IPA as the DNS server and I'm passing in mmosl

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Marc Boorshtein
I can now get a ticket! This is how I originally created the user:

$ kinit admin
$ ipa service-add HTTP/s4u.rhelent@rhelent.lan --ok-as-delegate=true

Here's the object in the directory:

dn: krbprincipalname=HTTP/s4u.rhelent@rhelent.lan,cn=services,cn=accounts,
 dc=rhelent,dc=lan
ipaKrbP

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Simo Sorce
On Tue, 2015-12-01 at 12:55 -0500, Marc Boorshtein wrote:
> I can now get a ticket! This is how I originally created the user:
>
> $ kinit admin
> $ ipa service-add HTTP/s4u.rhelent@rhelent.lan --ok-as-delegate=true

ok-as-delegate != ok_to_auth_as_delegate ... I know, it is a little confusi

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Marc Boorshtein
Got it. BTW, with that java 8 s4u2self works too. Thanks again for the help!

Marc Boorshtein
CTO, Tremolo Security, Inc.

On Dec 1, 2015 1:14 PM, "Simo Sorce" wrote:
> On Tue, 2015-12-01 at 12:55 -0500, Marc Boorshtein wrote:
> > I can now get a ticket! This is how I originally created the user:

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Simo Sorce
On Tue, 2015-12-01 at 13:28 -0500, Marc Boorshtein wrote:
> Got it. BTW, with that java 8 s4u2self works too. Thanks again for the help!

Glad it works, and sorry it took so long to figure out. We definitely need some better docs around this point.

Simo.

> Marc Boorshtein
> CTO, Tremolo Security

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Marc Boorshtein
What projects (including my own) don't need better docs? :-) Once I publish the work I'm doing, part of that will have a step-by-step on getting this set up. It was pretty easy really if you are comfortable with LDAP.

Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703)

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-10-27 Thread Simo Sorce
On 27/10/15 13:11, Marc Boorshtein wrote:
> All, I'm trying to create an S4u2self/proxy that will give me a ticket to log into ipa web. I have ipa installed on centos 7 and the client installed on centos 6. The client is written in Java (Java 8). When I try the following impersonation code:
>
> GS

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-10-27 Thread Marc Boorshtein
>>
>> Looking at KrbKdcRep.java:73 it looks like the failure is happening
>> because java is setting the forwardable flag to true on the request
>> but the response has no options in it. Should the forwardable option
>> be false in the request?
>
>
> That's a fair guess.
> the whole point of const

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-10-27 Thread Simo Sorce
On 27/10/15 15:43, Marc Boorshtein wrote:
> Looking at KrbKdcRep.java:73 it looks like the failure is happening
> because java is setting the forwardable flag to true on the request
> but the response has no options in it. Should the forwardable option
> be false in the request?

That's a fair guess.

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-10-27 Thread Marc Boorshtein
Thanks Simo. It wouldn't surprise me that java's implementation is wrong. The comments in the source even ask if it's necessary to check.

Thanks
Marc

Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902

On Tue, Oct 27, 2015 at 4:12 PM, Simo Sorce wrote:
> On