On Tue, 2015-12-01 at 11:34 -0500, Marc Boorshtein wrote:
> Simo & Team,
>
> After talking to the OpenJDK security list it turned out there is a
> bug in JDK8. The issue is fixed in JDK9 and after testing I'm running
> into a new issue. Same scenario described earlier in this email
> chain, but now it looks like the TGS-REP is not being marked as
> forwardable, which is required when an s4u2self ticket is used in
> s4u2proxy (https://msdn.microsoft.com/en-us/library/cc246079.aspx):
> "The S4U2proxy extension requires that the service ticket to the first
> service has the forwardable flag set (see Service 1 in the figure
> specifying Kerberos delegation with forwarded TGT, section 1.3.3).
> This ticket can be obtained through an S4U2self protocol exchange."
> The TGS-REQ is asking for a forwardable ticket, but it doesn't look
> like the response is setting it as forwardable. Here's the exception:
>
> GSSException: Failure unspecified at GSS-API level (Mechanism level:
> Attempt to obtain S4U2self credentials failed!)
>         at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
>         at sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:92)
>         at sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:153)
>         at test24u2.KerberosDemo$1.run(KerberosDemo.java:128)
>         at test24u2.KerberosDemo$1.run(KerberosDemo.java:1)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:422)
>         at test24u2.KerberosDemo.impersonate(KerberosDemo.java:121)
>         at test24u2.KerberosDemo.generateToken(KerberosDemo.java:179)
>         at test24u2.KerberosDemo.main(KerberosDemo.java:215)
> Caused by: KrbException: S4U2self ticket must be FORWARDABLE
>         at sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:75)
>         at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
>         at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
>         ... 9 more
>
> Here's the entire debug output:
>
> >>> KeyTabInputStream, readName(): RHELENT.LAN
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): s4u.rhelent.lan
> >>> KeyTab: load() entry length: 83; type: 18
> >>> KeyTabInputStream, readName(): RHELENT.LAN
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): s4u.rhelent.lan
> >>> KeyTab: load() entry length: 67; type: 17
> >>> KeyTabInputStream, readName(): RHELENT.LAN
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): s4u.rhelent.lan
> >>> KeyTab: load() entry length: 75; type: 16
> >>> KeyTabInputStream, readName(): RHELENT.LAN
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): s4u.rhelent.lan
> >>> KeyTab: load() entry length: 67; type: 23
> Looking for keys for: HTTP/s4u.rhelent.lan@RHELENT.LAN
> Java config name: null
> Native config name: /etc/krb5.conf
> Loading krb5 profile at /etc/krb5.conf
> Loaded from native config
> Added key: 23version: 1
> Added key: 16version: 1
> Added key: 17version: 1
> Found unsupported keytype (18) for HTTP/s4u.rhelent.lan@RHELENT.LAN
> >>> KdcAccessibility: reset
> Looking for keys for: HTTP/s4u.rhelent.lan@RHELENT.LAN
> Added key: 23version: 1
> Added key: 16version: 1
> Added key: 17version: 1
> Found unsupported keytype (18) for HTTP/s4u.rhelent.lan@RHELENT.LAN
> default etypes for default_tkt_enctypes: 17 23 16.
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=freeipa.rhelent.lan UDP:88, timeout=30000, number of retries =3, #bytes=175
> >>> KDCCommunication: kdc=freeipa.rhelent.lan UDP:88, timeout=30000,Attempt =1, #bytes=175
> >>> KrbKdcReq send: #bytes read=327
> >>>Pre-Authentication Data:
>          PA-DATA type = 136
>
> >>>Pre-Authentication Data:
>          PA-DATA type = 19
>          PA-ETYPE-INFO2 etype = 17, salt = 4k@PqWo9iUZZ$[r", s2kparams = null
>          PA-ETYPE-INFO2 etype = 16, salt = KaQ|KB<CQ#Vq,Ls&, s2kparams = null
>          PA-ETYPE-INFO2 etype = 23, salt = Wl=W>9)&A{.`Y;1k, s2kparams = null
>
> >>>Pre-Authentication Data:
>          PA-DATA type = 2
>          PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
>          PA-DATA type = 133
>
> >>> KdcAccessibility: remove freeipa.rhelent.lan
> >>> KDCRep: init() encoding tag is 126 req type is 11
> >>>KRBError:
>          cTime is Sat Jan 20 19:00:57 EST 1996 822182457000
>          sTime is Mon Nov 30 21:35:51 EST 2015 1448937351000
>          suSec is 558140
>          error code is 25
>          error Message is Additional pre-authentication required
>          cname is HTTP/s4u.rhelent.lan@RHELENT.LAN
>          sname is krbtgt/RHELENT.LAN@RHELENT.LAN
>          eData provided.
>          msgType is 30
> >>>Pre-Authentication Data:
>          PA-DATA type = 136
>
> >>>Pre-Authentication Data:
>          PA-DATA type = 19
>          PA-ETYPE-INFO2 etype = 17, salt = 4k@PqWo9iUZZ$[r", s2kparams = null
>          PA-ETYPE-INFO2 etype = 16, salt = KaQ|KB<CQ#Vq,Ls&, s2kparams = null
>          PA-ETYPE-INFO2 etype = 23, salt = Wl=W>9)&A{.`Y;1k, s2kparams = null
>
> >>>Pre-Authentication Data:
>          PA-DATA type = 2
>          PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
>          PA-DATA type = 133
>
> KRBError received: NEEDED_PREAUTH
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 17 23 16.
> Looking for keys for: HTTP/s4u.rhelent.lan@RHELENT.LAN
> Added key: 23version: 1
> Added key: 16version: 1
> Added key: 17version: 1
> Found unsupported keytype (18) for HTTP/s4u.rhelent.lan@RHELENT.LAN
> Looking for keys for: HTTP/s4u.rhelent.lan@RHELENT.LAN
> Added key: 23version: 1
> Added key: 16version: 1
> Added key: 17version: 1
> Found unsupported keytype (18) for HTTP/s4u.rhelent.lan@RHELENT.LAN
> default etypes for default_tkt_enctypes: 17 23 16.
> >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=freeipa.rhelent.lan UDP:88, timeout=30000, number of retries =3, #bytes=264
> >>> KDCCommunication: kdc=freeipa.rhelent.lan UDP:88, timeout=30000,Attempt =1, #bytes=264
> >>> KrbKdcReq send: #bytes read=691
> >>> KdcAccessibility: remove freeipa.rhelent.lan
> Looking for keys for: HTTP/s4u.rhelent.lan@RHELENT.LAN
> Added key: 23version: 1
> Added key: 16version: 1
> Added key: 17version: 1
> Found unsupported keytype (18) for HTTP/s4u.rhelent.lan@RHELENT.LAN
> >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> >>> KrbAsRep cons in KrbAsReq.getReply HTTP/s4u.rhelent.lan
> Service subject: Subject:
>         Principal: HTTP/s4u.rhelent.lan@RHELENT.LAN
>         Private Credential: Ticket (hex) =
> 0000: 61 82 01 51 30 82 01 4D A0 03 02 01 05 A1 0D 1B  a..Q0..M........
> 0010: 0B 52 48 45 4C 45 4E 54 2E 4C 41 4E A2 20 30 1E  .RHELENT.LAN. 0.
> 0020: A0 03 02 01 02 A1 17 30 15 1B 06 6B 72 62 74 67  .......0...krbtg
> 0030: 74 1B 0B 52 48 45 4C 45 4E 54 2E 4C 41 4E A3 82  t..RHELENT.LAN..
> 0040: 01 13 30 82 01 0F A0 03 02 01 12 A1 03 02 01 01  ..0.............
> 0050: A2 82 01 01 04 81 FE 04 0B 24 5B A6 36 2A 4B C7  .........$[.6*K.
> 0060: 0D 58 1A EB 79 20 62 BE 16 44 28 93 5D 87 5B FD  .X..y b..D(.].[.
> 0070: DE 20 7D CF 79 4C 0E CC 77 90 40 06 10 11 9F 70  . }.yL..w.@....p
> 0080: 9E B4 7E B5 CA 14 27 23 DD CD D6 6E 31 1F FC CA  ......'#...n1...
> 0090: 65 CB 98 47 2B F0 C8 3B 96 C3 D6 AF EB DB 91 2F  e..G+..;......./
> 00A0: 1D 88 66 53 4F 03 7B 47 3C 32 E8 F2 CE 3E B1 E7  ..fSO..G<2...>..
> 00B0: 78 80 B3 37 6F 5E 18 76 68 F4 AE C6 C7 C2 B8 99  x..7o^.vh.......
> 00C0: 61 A3 42 A1 5D 32 69 BB 0D 42 C5 98 46 B8 8A C6  a.B.]2i..B..F...
> 00D0: 4A 68 88 E3 79 D0 E2 F7 DD 62 0F DD E6 6A 97 7B  Jh..y....b...j..
> 00E0: 4B A1 A0 1C 45 17 97 E4 CC 71 D2 86 61 52 40 34  K...E....q..aR@4
> 00F0: DE EF 45 5E 21 94 AB 5C 76 91 CE 68 DB A1 94 5F  ..E^!..\v..h..._
> 0100: 14 CC 54 BB 35 85 EB 56 F0 FC 83 B5 CB 41 48 A1  ..T.5..V.....AH.
> 0110: AE C8 2F 22 C6 48 B9 14 CD 5F 9B B5 14 2B CC D5  ../".H..._...+..
> 0120: B7 DC C3 74 4C 98 19 10 72 83 5D F6 BC A0 A1 9F  ...tL...r.].....
> 0130: 19 1F 63 07 AF C1 35 EE 1A 82 FE A5 88 CE 7A DF  ..c...5.......z.
> 0140: 0F 43 E4 55 EC CC 0C 34 47 B4 B8 E1 C2 90 AC 63  .C.U...4G......c
> 0150: 19 01 A1 87 A5                                    .....
>
> Client Principal = HTTP/s4u.rhelent.lan@RHELENT.LAN
> Server Principal = krbtgt/RHELENT.LAN@RHELENT.LAN
> Session Key = EncryptionKey: keyType=17 keyBytes (hex dump)=
> 0000: D9 D2 7F 9D 3F 5F 32 1A 41 10 4D 9F 0C 7D C5 D8  ....?_2.A.M.....
>
>
> Forwardable Ticket true
> Forwarded Ticket false
> Proxiable Ticket false
> Proxy Ticket false
> Postdated Ticket false
> Renewable Ticket true
> Initial Ticket true
> Auth Time = Mon Nov 30 21:35:51 EST 2015
> Start Time = Mon Nov 30 21:35:51 EST 2015
> End Time = Tue Dec 01 21:35:51 EST 2015
> Renew Till = Mon Dec 07 21:35:51 EST 2015
> Client Addresses  Null
>         Private Credential: /Users/mlb/Documents/localdev.keytab for HTTP/s4u.rhelent.lan@RHELENT.LAN
>
> Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential)
> Found ticket for HTTP/s4u.rhelent.lan@RHELENT.LAN to go to krbtgt/RHELENT.LAN@RHELENT.LAN expiring on Tue Dec 01 21:35:51 EST 2015
> Search Subject for SPNEGO INIT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
> Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential)
> Found ticket for HTTP/s4u.rhelent.lan@RHELENT.LAN to go to krbtgt/RHELENT.LAN@RHELENT.LAN expiring on Tue Dec 01 21:35:51 EST 2015
> >>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
> default etypes for default_tgs_enctypes: 17 23 16.
> >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
> >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> >>> KrbKdcReq send: kdc=freeipa.rhelent.lan UDP:88, timeout=30000, number of retries =3, #bytes=772
> >>> KDCCommunication: kdc=freeipa.rhelent.lan UDP:88, timeout=30000,Attempt =1, #bytes=772
> >>> KrbKdcReq send: #bytes read=582
> >>> KdcAccessibility: remove freeipa.rhelent.lan
> >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> GSSException: Failure unspecified at GSS-API level (Mechanism level:
> Attempt to obtain S4U2self credentials failed!)
>         at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
>         at sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:92)
>         at sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:153)
>         at test24u2.KerberosDemo$1.run(KerberosDemo.java:128)
>         at test24u2.KerberosDemo$1.run(KerberosDemo.java:1)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:422)
>         at test24u2.KerberosDemo.impersonate(KerberosDemo.java:121)
>         at test24u2.KerberosDemo.generateToken(KerberosDemo.java:179)
>         at test24u2.KerberosDemo.main(KerberosDemo.java:215)
> Caused by: KrbException: S4U2self ticket must be FORWARDABLE
>         at sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:75)
>         at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
>         at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
>         ... 9 more
>
> Here's the wireshark capture of the entire transaction:
> https://s3.amazonaws.com/ts-public-downloads/captures/java9-s4u2self.pcapng
>
> Is there something I need to configure in ipa? I've shown the steps I
> took to make s4u.rhelent.lan setup for delegation in the beginning of
> this chain.
How do you acquire the user ticket?
Do you have the kdc log (/var/log/krb5kdc.log) that shows what the server
was asked for and what it released?

Simo.

> Thanks
> Marc Boorshtein
> CTO Tremolo Security
> [email protected]
> (703) 828-4902
>
>
> On Tue, Oct 27, 2015 at 8:27 PM, Marc Boorshtein
> <[email protected]> wrote:
> > Thanks Simo. It wouldn't surprise me that java's implementation is
> > wrong. The comments in the source even ask if it's necessary to check.
> >
> > Thanks
> > Marc
> > Marc Boorshtein
> > CTO Tremolo Security
> > [email protected]
> > (703) 828-4902
> >
> >
> > On Tue, Oct 27, 2015 at 4:12 PM, Simo Sorce <[email protected]> wrote:
> >> On 27/10/15 15:43, Marc Boorshtein wrote:
> >>>>> Looking at KrbKdcRep.java:73 it looks like the failure is happening
> >>>>> because java is setting the forwardable flag to true on the request
> >>>>> but the response has no options in it. Should the forwardable option
> >>>>> be false in the request?
> >>>>
> >>>> That's a fair guess.
> >>>> The whole point of constrained delegation (including protocol impersonation)
> >>>> is that you do not want to forward tickets, so you shouldn't ask for
> >>>> forwardable tickets methinks.
> >>>>
> >>>> Simo.
> >>>>
> >>> Thanks Simo.
> >>> I tried running kinit with forwarding disabled:
> >>>
> >>> $ kinit HTTP/[email protected] -k -t ./unison-freeipa.keytab -F
> >>>
> >>> $ klist -f
> >>>
> >>> Ticket cache: FILE:/tmp/krb5cc_500
> >>>
> >>> Default principal: HTTP/[email protected]
> >>>
> >>>
> >>> Valid starting     Expires            Service principal
> >>>
> >>> 10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/RHELENT.LAN@RHELENT.LAN
> >>>
> >>>         Flags: IA
> >>>
> >>> But when I try again Java refuses to generate the ticket:
> >>>
> >>> tremoloadmin@unison-freeipa ~]$ klist -f
> >>> Ticket cache: FILE:/tmp/krb5cc_500
> >>> Default principal: HTTP/[email protected]
> >>>
> >>> Valid starting     Expires            Service principal
> >>> 10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/RHELENT.LAN@RHELENT.LAN
> >>>         Flags: IA
> >>>
> >>> Hello World!
> >>> Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential)
> >>> No Subject
> >>>>>> KinitOptions cache name is /tmp/krb5cc_500
> >>>>>> DEBUG <CCacheInputStream> client principal is HTTP/[email protected]
> >>>>>> DEBUG <CCacheInputStream> server principal is krbtgt/RHELENT.LAN@RHELENT.LAN
> >>>>>> DEBUG <CCacheInputStream> key type: 18
> >>>>>> DEBUG <CCacheInputStream> auth time: Tue Oct 27 15:32:52 EDT 2015
> >>>>>> DEBUG <CCacheInputStream> start time: Tue Oct 27 15:32:52 EDT 2015
> >>>>>> DEBUG <CCacheInputStream> end time: Wed Oct 28 15:32:52 EDT 2015
> >>>>>> DEBUG <CCacheInputStream> renew_till time: null
> >>>>>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
> >>>>>> DEBUG <CCacheInputStream> client principal is HTTP/[email protected]
> >>>
> >>> Java config name: /home/tremoloadmin/krb5.conf
> >>> Loaded from Java config
> >>>>>> DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/RHELENT.LAN@RHELENT.LAN@RHELENT.LAN
> >>>>>> DEBUG <CCacheInputStream> key type: 0
> >>>>>> DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969
> >>>>>> DEBUG <CCacheInputStream> start time: null
> >>>>>> DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969
> >>>>>> DEBUG <CCacheInputStream> renew_till time: null
> >>>>>> CCacheInputStream: readFlags()
> >>>
> >>> Found ticket for HTTP/[email protected] to go to krbtgt/RHELENT.LAN@RHELENT.LAN expiring on Wed Oct 28 15:32:52 EDT 2015
> >>> Search Subject for SPNEGO INIT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
> >>> No Subject
> >>> Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential)
> >>> No Subject
> >>>>>> KinitOptions cache name is /tmp/krb5cc_500
> >>>>>> DEBUG <CCacheInputStream> client principal is HTTP/[email protected]
> >>>>>> DEBUG <CCacheInputStream> server principal is krbtgt/RHELENT.LAN@RHELENT.LAN
> >>>>>> DEBUG <CCacheInputStream> key type: 18
> >>>>>> DEBUG <CCacheInputStream> auth time: Tue Oct 27 15:32:52 EDT 2015
> >>>>>> DEBUG <CCacheInputStream> start time: Tue Oct 27 15:32:52 EDT 2015
> >>>>>> DEBUG <CCacheInputStream> end time: Wed Oct 28 15:32:52 EDT 2015
> >>>>>> DEBUG <CCacheInputStream> renew_till time: null
> >>>>>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
> >>>>>> DEBUG <CCacheInputStream> client principal is HTTP/[email protected]
> >>>>>> DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/RHELENT.LAN@RHELENT.LAN@RHELENT.LAN
> >>>>>> DEBUG <CCacheInputStream> key type: 0
> >>>>>> DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969
> >>>>>> DEBUG <CCacheInputStream> start time: null
> >>>>>> DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969
> >>>>>> DEBUG <CCacheInputStream> renew_till time: null
> >>>>>> CCacheInputStream: readFlags()
> >>>
> >>> Found ticket for HTTP/[email protected] to go to krbtgt/RHELENT.LAN@RHELENT.LAN expiring on Wed Oct 28 15:32:52 EDT 2015
> >>>>>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
> >>>
> >>> Exception in thread "main" GSSException: Failure unspecified at GSS-API level (Mechanism level: Attempt to obtain S4U2self credentials failed!)
> >>>         at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
> >>>         at sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:94)
> >>>         at sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:141)
> >>>         at io.tremolo.App.main(App.java:27)
> >>> Caused by: KrbException: Invalid option setting in ticket request. (101)
> >>>         at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:165)
> >>>         at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:100)
> >>>         at sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:66)
> >>>         at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
> >>>         at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
> >>>         ... 3 more
> >>>
> >>> Looking at KrbTgsReq line 165:
> >>>
> >>>     if (options.get(KDCOptions.FORWARDABLE) &&
> >>>             (!(asCreds.flags.get(Krb5.TKT_OPTS_FORWARDABLE)))) {
> >>>         throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
> >>>     }
> >>>
> >>> If I read this correctly it has to be forwardable? If that's the case
> >>> is Java wrong for requiring the options to be there or is ipa wrong
> >>> for not sending the options with the response ticket?
> >>
> >> I think the best answer would be to look at what the MIT test program does
> >> and make sure Java does the same.
> >> This stuff works with the native libraries and is interoperable with Windows
> >> AD KDCs where the specification was born.
> >>
> >> Simo.
> >>
> >> --
> >> Simo Sorce * Red Hat, Inc * New York

--
Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
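The S4U2self/S4U2proxy sequence this thread is debugging, written out as an added example (it is not code from the thread, from Marc's KerberosDemo or io.tremolo.App, or from FreeIPA). It uses the JGSS calls the stack traces above go through (GSSCredentialImpl.impersonate, which is ExtendedGSSCredential.impersonate, then a context for the back-end service) and adds a preflight check on the service's own TGT, so that a non-forwardable TGT is reported by name instead of surfacing as the generic "Attempt to obtain S4U2self credentials failed!". The JAAS entry name, the keytab path, the back-end service name and the impersonated user are assumptions; the service principal HTTP/s4u.rhelent.lan@RHELENT.LAN is taken from the thread.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import com.sun.security.jgss.ExtendedGSSCredential;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/*
 * Added example, not code from the thread: S4U2self followed by S4U2proxy via
 * JGSS, with a preflight check of the flag the thread is about.
 *
 * Assumed JAAS entry (pass it with -Djava.security.auth.login.config=jaas.conf;
 * the entry name and keytab path are assumptions):
 *
 *   ServiceLogin {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useKeyTab=true storeKey=true isInitiator=true doNotPrompt=true
 *           keyTab="/etc/krb5.keytab"
 *           principal="HTTP/s4u.rhelent.lan@RHELENT.LAN";
 *   };
 *
 * Run with -Dsun.security.krb5.debug=true to get the same trace as in the thread.
 */
public class S4U2SelfDemo {
    static final String JAAS_ENTRY = "ServiceLogin";                 // assumption
    static final String SELF = "HTTP/s4u.rhelent.lan@RHELENT.LAN";   // from the thread
    static final String BACKEND = "HTTP@backend.rhelent.lan";         // assumption
    static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    /*
     * KrbTgsReq refuses to build a FORWARDABLE TGS-REQ from a non-forwardable
     * TGT (the "Invalid option setting in ticket request" case in the October
     * trace), so check the service TGT before calling impersonate() and say
     * exactly what is wrong.
     */
    static KerberosTicket requireForwardableTgt(Subject svc) {
        for (KerberosTicket t : svc.getPrivateCredentials(KerberosTicket.class)) {
            if (!t.getServer().getName().startsWith("krbtgt/")) {
                continue;
            }
            if (!t.isForwardable()) {
                throw new IllegalStateException("TGT for " + t.getClient().getName()
                        + " is not forwardable (klist -f shows no 'F'); "
                        + "this JDK cannot do S4U2self with it");
            }
            return t;
        }
        throw new IllegalStateException("no TGT in the service Subject");
    }

    public static void main(String[] args) throws Exception {
        // The user to impersonate normally comes from front-end authentication
        // (assumption: taken from argv here).
        String user = args.length > 0 ? args[0] : "alice@RHELENT.LAN";

        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        Subject svc = lc.getSubject();
        requireForwardableTgt(svc);

        byte[] apReq = Subject.doAs(svc, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            Oid krb5 = new Oid(KRB5_MECH_OID);
            GSSName selfName = mgr.createName(SELF, GSSName.NT_USER_NAME, krb5);
            GSSCredential selfCred = mgr.createCredential(selfName,
                    GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);

            // S4U2self: TGS-REQ with PA-FOR-USER naming `user`, service = ourselves.
            // CredentialsUtil.acquireS4U2selfCreds throws "S4U2self ticket must be
            // FORWARDABLE" if the KDC returns the ticket without that flag; the KDC
            // decides that, the client cannot force it.
            GSSName userName = mgr.createName(user, GSSName.NT_USER_NAME, krb5);
            GSSCredential userCred = ((ExtendedGSSCredential) selfCred).impersonate(userName);

            // S4U2proxy: present the S4U2self ticket as evidence and ask for a ticket
            // to BACKEND on behalf of `user`. The KDC grants it only if SELF is
            // allowed to delegate to BACKEND under its constrained-delegation rules.
            GSSName backend = mgr.createName(BACKEND, GSSName.NT_HOSTBASED_SERVICE, krb5);
            GSSContext ctx = mgr.createContext(backend, krb5, userCred,
                    GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(false);
            try {
                return ctx.initSecContext(new byte[0], 0, 0);
            } finally {
                ctx.dispose();
            }
        });

        // Base64 Kerberos AP-REQ for the back end, ready for an HTTP Negotiate header.
        System.out.println(Base64.getEncoder().encodeToString(apReq));
    }
}
```

Two things worth keeping in mind when reading the traces above against this code. The JDK checks the forwardable flag twice: once on the service's own TGT before sending the S4U2self TGS-REQ (KrbTgsReq.java:165 in the October trace; that is what the preflight covers, and it passed in the December trace, where the TGT shows "Forwardable Ticket true"), and once on the S4U2self ticket the KDC sends back (CredentialsUtil.java:75 in the December trace). The second flag is set by the KDC, not requested by the client; with an MIT krb5 KDC it is only set when the service principal carries the ok_to_auth_as_delegate attribute, so if the preflight passes and impersonate() still fails, the KDC log Simo asks for is the place to look. Separately, the "Found unsupported keytype (18)" lines mean the JDK in use could not load the AES-256 keytab entry (on JDK 8 of that era this needed the unlimited-strength JCE policy files), so everything in the trace runs on the AES-128 key; that is unrelated to the forwardable problem but worth fixing before chasing other errors.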
