What projects (including my own) don't need better docs? :-) Once I publish the work I'm doing, part of that will have a step-by-step on getting this set up. It was pretty easy really if you are comfortable with LDAP.

Marc Boorshtein
CTO Tremolo Security
[email protected]
(703) 828-4902

On Tue, Dec 1, 2015 at 1:46 PM, Simo Sorce <[email protected]> wrote:
> On Tue, 2015-12-01 at 13:28 -0500, Marc Boorshtein wrote:
>> Got it. BTW, with that Java 8 s4u2self works too. Thanks again for the help!
>
> Glad it works, and sorry it took so long to figure out.
>
> We definitely need some better docs around this point.
>
> Simo.
>
>> Marc Boorshtein
>> CTO, Tremolo Security, Inc.
>> On Dec 1, 2015 1:14 PM, "Simo Sorce" <[email protected]> wrote:
>>
>> > On Tue, 2015-12-01 at 12:55 -0500, Marc Boorshtein wrote:
>> > > I can now get a ticket! This is how I originally created the user:
>> > >
>> > > $ kinit admin
>> > > $ ipa service-add HTTP/[email protected] --ok-as-delegate=true
>> >
>> > ok-as-delegate != ok_to_auth_as_delegate ...
>> >
>> > I know, it is a little confusing :-/ but these are the upstream flag
>> > names, and they both exist and do different things.
>> >
>> > Simo.
>> >
>> > > Here's the object in the directory:
>> > >
>> > > dn: krbprincipalname=HTTP/[email protected],cn=services,cn=accounts,dc=rhelent,dc=lan
>> > > ipaKrbPrincipalAlias: HTTP/[email protected]
>> > > objectClass: ipaobject
>> > > objectClass: ipaservice
>> > > objectClass: krbticketpolicyaux
>> > > objectClass: ipakrbprincipal
>> > > objectClass: krbprincipal
>> > > objectClass: krbprincipalaux
>> > > objectClass: pkiuser
>> > > objectClass: top
>> > > krbTicketFlags: 1048704
>> > > managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
>> > > krbPrincipalName: HTTP/[email protected]
>> > > ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
>> > > krbLastPwdChange: 20151112021359Z
>> > > krbExtraData:: AALn9UNWSFRUUC9zNHUucmhlbGVudC5sYW5AUkhFTEVOVC5MQU4A
>> > > krbLastSuccessfulAuth: 20151201165518Z
>> > >
>> > > Just now, I ran:
>> > > [root@freeipa ~]# kadmin.local
>> > > Authenticating as principal admin/[email protected] with password.
>> > > kadmin.local: modprinc +ok_to_auth_as_delegate HTTP/s4u.rhelent.lan
>> > > Principal "HTTP/[email protected]" modified.
>> > >
>> > > and now the directory object is
>> > > dn: krbprincipalname=HTTP/[email protected],cn=services,cn=accounts,dc=rhelent,dc=lan
>> > > ipaKrbPrincipalAlias: HTTP/[email protected]
>> > > objectClass: ipaobject
>> > > objectClass: ipaservice
>> > > objectClass: krbticketpolicyaux
>> > > objectClass: ipakrbprincipal
>> > > objectClass: krbprincipal
>> > > objectClass: krbprincipalaux
>> > > objectClass: pkiuser
>> > > objectClass: top
>> > > krbTicketFlags: 3145856
>> > > managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
>> > > krbPrincipalName: HTTP/[email protected]
>> > > ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
>> > > krbLastPwdChange: 20151112021359Z
>> > > krbExtraData:: AAIx3l1WYWRtaW4vYWRtaW5AUkhFTEVOVC5MQU4A
>> > > krbLastSuccessfulAuth: 20151201175200Z
>> > >
>> > > Ticket flags clearly changed. Now to see if this works with ipa-web.
>> >
>> > > Thanks
>> > >
>> > > Marc Boorshtein
>> > > CTO Tremolo Security
>> > > [email protected]
>> > > (703) 828-4902
>> > >
>> > > On Tue, Dec 1, 2015 at 12:42 PM, Simo Sorce <[email protected]> wrote:
>> > > > On Tue, 2015-12-01 at 11:55 -0500, Marc Boorshtein wrote:
>> > > >> > How do you acquire the user ticket ?
>> > > >>
>> > > >> Using a keytab. Here's a link to the example code I'm using:
>> > > >> https://github.com/ymartin59/java-kerberos-sfudemo I have Java set to
>> > > >> use IPA as the DNS server and I'm passing in mmosley as the user to
>> > > >> impersonate and HTTP/freeipa.rhelent.lan as the service that will
>> > > >> consume the impersonated user's ticket.
>> > > >>
>> > > >> > Do you have the kdc log (/var/log/krb5kdc.log) that shows what the
>> > > >> > server has been requested and what it released ?
>> > > >>
>> > > >> Sure:
>> > > >>
>> > > >> Dec 01 11:55:17 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 10.8.0.2: NEEDED_PREAUTH: HTTP/[email protected] for krbtgt/[email protected], Additional pre-authentication required
>> > > >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/[email protected] for krbtgt/[email protected]
>> > > >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/[email protected] for HTTP/[email protected]
>> > > >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): ... PROTOCOL-TRANSITION [email protected]
>> > > >>
>> > > >> Thanks
>> > > >
>> > > > I think for s4u2self you may have missed a conf step (we primarily use
>> > > > s4u2proxy in the product *without* any s4u2self step).
>> > > >
>> > > > Can you check that you followed the procedure described here:
>> > > >
>> > > > https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-kdb/README.s4u2proxy.txt#n90
>> > > >
>> > > > I think the key part is setting the +ok_to_auth_as_delegate flag which
>> > > > we do not provide an official higher level interface for yet.
>> > > >
>> > > > Simo.
>> > > >
>> > > > --
>> > > > Simo Sorce * Red Hat, Inc * New York
>> >
>> > --
>> > Simo Sorce * Red Hat, Inc * New York
>
> --
> Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
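As an added example (not code from the thread or from FreeIPA), the Python below decodes the two krbTicketFlags values posted above (1048704 before and 3145856 after the modprinc) into MIT krb5 KDB flag names, which makes Simo's point concrete: --ok-as-delegate sets only OK_AS_DELEGATE, while modprinc +ok_to_auth_as_delegate adds the separate OK_TO_AUTH_AS_DELEGATE bit that S4U2Self needs. It also audits an LDIF dump for service principals carrying that bit, since such a principal may obtain tickets on behalf of arbitrary users and is worth tracking. The bit values are the KRB5_KDB_* constants from krb5's kdb.h; the second principal (HTTP/web2.rhelent.lan) in the sample is constructed.

```python
# Added example, not code from the thread or FreeIPA: decode the krbTicketFlags
# integer FreeIPA stores on a principal into MIT krb5's KRB5_KDB_* principal
# flags (bit values from krb5's kdb.h) and audit which service principals carry
# OK_TO_AUTH_AS_DELEGATE, the flag that permits S4U2Self (protocol transition).
KDB_FLAGS = {
    0x000001: "DISALLOW_POSTDATED", 0x000002: "DISALLOW_FORWARDABLE",
    0x000004: "DISALLOW_TGT_BASED", 0x000008: "DISALLOW_RENEWABLE",
    0x000010: "DISALLOW_PROXIABLE", 0x000020: "DISALLOW_DUP_SKEY",
    0x000040: "DISALLOW_ALL_TIX", 0x000080: "REQUIRES_PRE_AUTH",
    0x000100: "REQUIRES_HW_AUTH", 0x000200: "REQUIRES_PWCHANGE",
    0x001000: "DISALLOW_SVR", 0x002000: "PWCHANGE_SERVICE",
    0x004000: "SUPPORT_DESMD5", 0x008000: "NEW_PRINC",
    0x100000: "OK_AS_DELEGATE",          # ipa service-add --ok-as-delegate=true
    0x200000: "OK_TO_AUTH_AS_DELEGATE",  # kadmin: modprinc +ok_to_auth_as_delegate
    0x400000: "NO_AUTH_DATA_REQUIRED", 0x800000: "LOCKDOWN_KEYS",
}

def decode_ticket_flags(value):
    """Names of the KDB flags set in a krbTicketFlags value, lowest bit first."""
    return [name for bit, name in sorted(KDB_FLAGS.items()) if value & bit]

def parse_ldif(text):
    """Minimal parser for one-attribute-per-line LDIF like the dumps in the thread."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(":")      # "attr:: b64" -> val starts with ": "
        cur.setdefault(key.strip(), []).append(val.lstrip(": "))
    return entries

def audit_s4u2self(text):
    """Map principal -> True if it may obtain tickets as other users (S4U2Self)."""
    return {e["krbPrincipalName"][0]: "OK_TO_AUTH_AS_DELEGATE"
            in decode_ticket_flags(int(e["krbTicketFlags"][0]))
            for e in parse_ldif(text)}

# Constructed sample: the thread's service after modprinc (3145856) and a
# made-up second service that only had --ok-as-delegate=true (1048704).
SAMPLE_LDIF = """dn: krbprincipalname=HTTP/s4u.rhelent.lan@RHELENT.LAN,cn=services,cn=accounts,dc=rhelent,dc=lan
krbPrincipalName: HTTP/s4u.rhelent.lan@RHELENT.LAN
krbTicketFlags: 3145856

dn: krbprincipalname=HTTP/web2.rhelent.lan@RHELENT.LAN,cn=services,cn=accounts,dc=rhelent,dc=lan
krbPrincipalName: HTTP/web2.rhelent.lan@RHELENT.LAN
krbTicketFlags: 1048704
"""
```

Feeding it the output of an ldapsearch over cn=services,cn=accounts with krbPrincipalName and krbTicketFlags requested gives a realm-wide list of principals permitted to do protocol transition.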
