Thanks Simo. It wouldn't surprise me that Java's implementation is wrong. The comments in the source even ask if it's necessary to check.
Thanks,
Marc

Marc Boorshtein
CTO Tremolo Security
[email protected]
(703) 828-4902

On Tue, Oct 27, 2015 at 4:12 PM, Simo Sorce <[email protected]> wrote:
> On 27/10/15 15:43, Marc Boorshtein wrote:
>>>> Looking at KrbKdcRep.java:73 it looks like the failure is happening
>>>> because Java is setting the forwardable flag to true on the request
>>>> but the response has no options in it. Should the forwardable option
>>>> be false in the request?
>>>
>>> That's a fair guess.
>>> The whole point of constrained delegation (including protocol
>>> impersonation) is that you do not want to forward tickets, so you
>>> shouldn't ask for forwardable tickets methinks.
>>>
>>> Simo.
>>>
>>
>> Thanks Simo. I tried running kinit with forwarding disabled:
>>
>> $ kinit HTTP/[email protected] -k -t ./unison-freeipa.keytab -F
>>
>> $ klist -f
>>
>> Ticket cache: FILE:/tmp/krb5cc_500
>>
>> Default principal: HTTP/[email protected]
>>
>>
>> Valid starting     Expires            Service principal
>>
>> 10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/[email protected]
>>
>> Flags: IA
>>
>> But when I try again Java refuses to generate the ticket:
>>
>> tremoloadmin@unison-freeipa ~]$ klist -f
>> Ticket cache: FILE:/tmp/krb5cc_500
>> Default principal: HTTP/[email protected]
>>
>> Valid starting     Expires            Service principal
>> 10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/[email protected]
>> Flags: IA
>>
>> Hello World!
>> Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential)
>> No Subject
>>
>> >>> KinitOptions cache name is /tmp/krb5cc_500
>> >>>DEBUG <CCacheInputStream> client principal is HTTP/[email protected]
>> >>>DEBUG <CCacheInputStream> server principal is krbtgt/[email protected]
>> >>>DEBUG <CCacheInputStream> key type: 18
>> >>>DEBUG <CCacheInputStream> auth time: Tue Oct 27 15:32:52 EDT 2015
>> >>>DEBUG <CCacheInputStream> start time: Tue Oct 27 15:32:52 EDT 2015
>> >>>DEBUG <CCacheInputStream> end time: Wed Oct 28 15:32:52 EDT 2015
>> >>>DEBUG <CCacheInputStream> renew_till time: null
>> >>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
>> >>>DEBUG <CCacheInputStream> client principal is HTTP/[email protected]
>>
>> Java config name: /home/tremoloadmin/krb5.conf
>> Loaded from Java config
>>
>> >>>DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/[email protected]@RHELENT.LAN
>> >>>DEBUG <CCacheInputStream> key type: 0
>> >>>DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969
>> >>>DEBUG <CCacheInputStream> start time: null
>> >>>DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969
>> >>>DEBUG <CCacheInputStream> renew_till time: null
>> >>> CCacheInputStream: readFlags()
>>
>> Found ticket for HTTP/[email protected] to go to krbtgt/[email protected] expiring on Wed Oct 28 15:32:52 EDT 2015
>> Search Subject for SPNEGO INIT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>> No Subject
>> Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential)
>> No Subject
>>
>> >>> KinitOptions cache name is /tmp/krb5cc_500
>> >>>DEBUG <CCacheInputStream> client principal is HTTP/[email protected]
>> >>>DEBUG <CCacheInputStream> server principal is krbtgt/[email protected]
>> >>>DEBUG <CCacheInputStream> key type: 18
>> >>>DEBUG <CCacheInputStream> auth time: Tue Oct 27 15:32:52 EDT 2015
>> >>>DEBUG <CCacheInputStream> start time: Tue Oct 27 15:32:52 EDT 2015
>> >>>DEBUG <CCacheInputStream> end time: Wed Oct 28 15:32:52 EDT 2015
>> >>>DEBUG <CCacheInputStream> renew_till time: null
>> >>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
>> >>>DEBUG <CCacheInputStream> client principal is HTTP/[email protected]
>> >>>DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/[email protected]@RHELENT.LAN
>> >>>DEBUG <CCacheInputStream> key type: 0
>> >>>DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969
>> >>>DEBUG <CCacheInputStream> start time: null
>> >>>DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969
>> >>>DEBUG <CCacheInputStream> renew_till time: null
>> >>> CCacheInputStream: readFlags()
>>
>> Found ticket for HTTP/[email protected] to go to krbtgt/[email protected] expiring on Wed Oct 28 15:32:52 EDT 2015
>>
>> >>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
>>
>> Exception in thread "main" GSSException: Failure unspecified at GSS-API level (Mechanism level: Attempt to obtain S4U2self credentials failed!)
>>         at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
>>         at sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:94)
>>         at sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:141)
>>         at io.tremolo.App.main(App.java:27)
>> Caused by: KrbException: Invalid option setting in ticket request. (101)
>>         at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:165)
>>         at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:100)
>>         at sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:66)
>>         at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
>>         at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
>>         ... 3 more
>>
>> Looking at KrbTgsReq line 165:
>>
>>     if (options.get(KDCOptions.FORWARDABLE) &&
>>         (!(asCreds.flags.get(Krb5.TKT_OPTS_FORWARDABLE)))) {
>>         throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
>>     }
>>
>> If I read this correctly it has to be forwardable? If that's the case
>> is Java wrong for requiring the options to be there or is IPA wrong
>> for not sending the options with the response ticket?
>
> I think the best answer would be to look at what the MIT test program does
> and make sure Java does the same.
> This stuff works with the native libraries and is interoperable with Windows
> AD KDCs where the specification was born.
>
> Simo.
>
>
> --
> Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
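The flow that io.tremolo.App was attempting, written out as an added example (this is not the thread's App.java nor JDK or FreeIPA code): obtain the service's own credential from the credential cache, call the JDK's S4U2self entry point (ExtendedGSSCredential.impersonate) for a user, then use the impersonated credential to build a context token for a back-end service (S4U2proxy). The service, user and target principal names are placeholders; the realm RHELENT.LAN and the cache path /tmp/krb5cc_500 are the ones in the thread. It assumes the JVM is started with -Djavax.security.auth.useSubjectCredsOnly=false (so JGSS reads the cache instead of a JAAS Subject, which is the "No Subject" path in the debug output above) and -Djava.security.krb5.conf pointing at the realm's krb5.conf.

```java
import java.util.Base64;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

import com.sun.security.jgss.ExtendedGSSCredential;

/*
 * S4U2self (protocol transition) followed by S4U2proxy with the JDK's GSS-API.
 * Added illustration; not the thread's io.tremolo.App.
 *
 * Assumptions:
 *  - The service's TGT is in /tmp/krb5cc_500 (KRB5CCNAME) and carries the
 *    forwardable flag (klist -f shows "F"). The KrbTgsReq check quoted in the
 *    thread throws KRB_AP_ERR_REQ_OPTIONS (101) before anything is sent to the
 *    KDC when the S4U2self request asks for FORWARDABLE and the cached TGT
 *    (obtained with kinit -F) lacks it.
 *  - JVM flags: -Djavax.security.auth.useSubjectCredsOnly=false
 *               -Djava.security.krb5.conf=/path/to/krb5.conf
 *  - SERVICE, USER and TARGET are placeholder principal names.
 */
public class S4U2SelfExample {

    static final String SERVICE = "HTTP/svc.rhelent.lan@RHELENT.LAN"; // placeholder
    static final String USER = "alice@RHELENT.LAN";                  // placeholder
    static final String TARGET = "ldap@ipa.rhelent.lan";              // placeholder, host-based form

    static final Oid KRB5_MECH = krb5Oid();

    private static Oid krb5Oid() {
        try {
            return new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Step 0: the service's own initiator credential, backed by the cached TGT. */
    static GSSCredential serviceCredential(GSSManager mgr) throws GSSException {
        GSSName self = mgr.createName(SERVICE, GSSName.NT_USER_NAME);
        return mgr.createCredential(self, GSSCredential.DEFAULT_LIFETIME,
                KRB5_MECH, GSSCredential.INITIATE_ONLY);
    }

    /**
     * Step 1 (S4U2self): ask the KDC for a ticket to ourselves in USER's name.
     * Nothing from the user (no password, no token) is involved; the KDC decides
     * whether this service may do protocol transition at all.
     */
    static GSSCredential impersonate(GSSManager mgr, GSSCredential self, String user)
            throws GSSException {
        GSSName userName = mgr.createName(user, GSSName.NT_USER_NAME);
        return ((ExtendedGSSCredential) self).impersonate(userName);
    }

    /**
     * Step 2 (S4U2proxy): with the impersonated credential, build the initial
     * context token for TARGET. The KDC issues that ticket only if this service
     * is allowed to delegate to TARGET (constrained delegation rules on the KDC).
     */
    static byte[] tokenFor(GSSManager mgr, GSSCredential asUser, String target)
            throws GSSException {
        GSSName targetName = mgr.createName(target, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = mgr.createContext(targetName, KRB5_MECH, asUser,
                GSSContext.DEFAULT_LIFETIME);
        try {
            ctx.requestMutualAuth(false);
            return ctx.initSecContext(new byte[0], 0, 0);
        } finally {
            ctx.dispose();
        }
    }

    public static void main(String[] args) {
        System.setProperty("sun.security.krb5.debug", "true"); // same trace as in the thread
        GSSManager mgr = GSSManager.getInstance();
        try {
            GSSCredential self = serviceCredential(mgr);
            GSSCredential asUser = impersonate(mgr, self, USER);
            System.out.println("S4U2self credential for " + asUser.getName());
            byte[] token = tokenFor(mgr, asUser, TARGET);
            System.out.println("Initial token for " + TARGET + ": "
                    + Base64.getEncoder().encodeToString(token));
        } catch (GSSException e) {
            // The JDK wraps the KrbException as the cause; "(101)" is
            // KRB_AP_ERR_REQ_OPTIONS from the KrbTgsReq check quoted in the thread,
            // i.e. the request was refused locally because the cached TGT is not
            // forwardable.
            Throwable cause = e.getCause();
            if (cause != null && cause.getMessage() != null
                    && cause.getMessage().contains("(101)")) {
                System.err.println("Cached TGT lacks the forwardable flag; "
                        + "check klist -f for F before calling impersonate()");
            }
            throw new RuntimeException(e);
        }
    }
}
```

Run it with the Kerberos mechanism only (the OID above) rather than SPNEGO to keep the debug output to the Krb5 path; the error and stack trace otherwise match the thread's, since SpNegoCredElement.impersonate just delegates to Krb5InitCredential.impersonate.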
