[Freeipa-devel] Talking json/rpc with java client

Massimiliano Perrone (tirasa.net) massimiliano.perrone at tirasa.net
Tue Mar 18 16:03:17 UTC 2014


On 03/18/2014 11:26 AM, Alexander Bokovoy wrote:
> On Tue, 18 Mar 2014, Massimiliano Perrone (tirasa.net) wrote:
>> On 03/18/2014 10:10 AM, Jan Pazdziora wrote:
>>> On Tue, Mar 18, 2014 at 09:02:13AM +0100, Marco Di Sabatino Di 
>>> Diodoro wrote:
>>>> What are the requirements or packages that a client must have to 
>>>> call JSON/RPC with Java? We get a 401 error.
>>> What packages / code do you attempt to use when you get that 401?
>>>
>>
>> Hi guys, first of all thanks for your replies.
>>
>> Summarizing...
>>
>> 1) On the FreeIPA server I created a keytab by executing the following commands:
>>        *) ipa host-add ebano.example.com
>>        *) ipa service-add HTTP/ebano.example.com
>>        *) ipa-getkeytab -s olmo.example.com -p HTTP/ebano.example.com 
>> -k /tmp/ebano.keytab
>>        *) scp /tmp/ebano.keytab root@ebano:/var/tmp
>>
>> 2) On ebano (the client machine) I have a Java client based on 
>> HttpClient 3.1 that uses this java.security.auth.login.config file:
>> #########################################
>> com.sun.security.jgss.login {
>>    com.sun.security.auth.module.Krb5LoginModule required
>>    client=TRUE
>>    refreshKrb5Config=true
>>    useKeyTab=true
>>    keyTab="/var/tmp/ebano.keytab"
>>    principal="HTTP/ebano.example.com";
>> };
>>
>> // entry used when this JVM initiates a GSS context (the HTTP client side)
>> com.sun.security.jgss.initiate {
>>    com.sun.security.auth.module.Krb5LoginModule required
>>    client=TRUE
>>    refreshKrb5Config=true
>>    useKeyTab=true
>>    keyTab="/var/tmp/ebano.keytab"
>>    principal="HTTP/ebano.example.com";
>> };
>>
>> // entry used when this JVM accepts a GSS context
>> com.sun.security.jgss.accept {
>>    com.sun.security.auth.module.Krb5LoginModule required
>>    client=TRUE
>>    refreshKrb5Config=true
>>    useKeyTab=true
>>    keyTab="/var/tmp/ebano.keytab"
>>    principal="HTTP/ebano.example.com";
>> };
>> #########################################
>>
>> As you can see in the attached log file, I can negotiate authentication 
>> with the FreeIPA server, and its final response is a 401:
>>
>> 10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG 
>> org.apache.http.wire - << "{"
>> 10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG 
>> org.apache.http.wire - << "[\n]"
>> 10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG 
>> org.apache.http.wire - << "    "error": {[\n]"
>> 10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG 
>> org.apache.http.wire - << "        "code": 1101, [\n]"
>> 10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG 
>> org.apache.http.wire - << "        "message": "did not receive 
>> Kerberos credentials", [\n]"
>> 10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG 
>> org.apache.http.wire - << "        "name": {[\n]"
>> 10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG 
>> org.apache.http.wire - << "            "__base64__": 
>> "Q0NhY2hlRXJyb3I="[\n]"
>> 10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG 
>> org.apache.http.wire - << "        }[\n]"
>> 10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG 
>> org.apache.http.wire - << "    }, [\n]"
>> 10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG 
>> org.apache.http.wire - << "    "id": null, [\n]"
>> 10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG 
>> org.apache.http.wire - << "    "principal": "UNKNOWN", [\n]"
>> 10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG 
>> org.apache.http.wire - << "    "result": null, [\n]"
>> 10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG 
>> org.apache.http.wire - << "    "version": "3.3.4"[\n]"
>> 10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG 
>> org.apache.http.wire - << "}"
>>
>> But...
>>
>> Reading the Kerberos server log, I noticed that a correct curl-based call 
>> generates
>> mar 18 08:20:12 olmo.example.com krb5kdc[1423](info): TGS_REQ (1 
>> etypes {18}) 192.168.0.105: ISSUE: authtime 1395072185, etypes 
>> {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for 
>> krbtgt/EXAMPLE.COM@EXAMPLE.COM
>> mar 18 08:20:13 olmo.example.com krb5kdc[1423](info): TGS_REQ (6 
>> etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 
>> 1395072185, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for 
>> ldap/olmo.example.com@EXAMPLE.COM
>>
>> whereas the Java client generates
>>
>> mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): AS_REQ (4 
>> etypes {18 17 16 23}) 192.168.0.105: NEEDED_PREAUTH: 
>> HTTP/ebano.example.com@EXAMPLE.COM for 
>> krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
>> mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): AS_REQ (4 
>> etypes {18 17 16 23}) 192.168.0.105: ISSUE: authtime 1395082101, 
>> etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for 
>> krbtgt/EXAMPLE.COM@EXAMPLE.COM
>> mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): TGS_REQ (6 
>> etypes {18 17 16 23 1 3}) 192.168.0.105: ISSUE: authtime 1395082101, 
>> etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for 
>> HTTP/olmo.example.com@EXAMPLE.COM
>>
>> The difference between the two calls is in the last TGS_REQ: the first 
>> one is for ldap/olmo.example.com@EXAMPLE.COM and it's OK, whereas the 
>> second one is for HTTP/olmo.example.com@EXAMPLE.COM, which returns a 
>> 401 (I suppose).
>>
>> Where's the error?
> Am I correct that you have a user connecting to HTTP/ebano.example.com
> and then HTTP/ebano.example.com wants to talk to HTTP/olmo.example.com
> using credentials of the user?
>
> FreeIPA uses constrained delegation of the credentials, with the help of
> S4U2Proxy extension. You need to allow HTTP/ebano.example.com to delegate
> credentials to HTTP/olmo.example.com.
>
> I have written an article how to do that:
> https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html 
>
>
Hi Alexander, thanks for your reply.
I read your interesting post carefully and followed it to delegate 
HTTP/ebano.example.com credentials to HTTP/olmo.example.com.

Now, two questions:
1) How can I check that my configuration is now OK? Because this 
ldapsearch returns result: 0:

ldapsearch -Y GSSAPI -H ldap://olmo.tirasa.net -b 
"cn=s4u2proxy,cn=etc,dc=example,dc=com" "cn=ipa-http-delegation-targets" dn

2) This time, however, I also read /var/log/httpd/error_log and noticed 
this:
#############
[Tue Mar 18 16:38:14.117207 2014] [:error] [pid 11268] ipa: ERROR: 500 
Internal Server Error:
jsonserver_kerb.__call__: KRB5CCNAME not defined in HTTP request environment
#############
whereas the LDAP logs are OK.
In your opinion, do I have this error because of a wrong environment 
configuration or some other cause?

Thanks in advance
Massi

-- 
Massimiliano Perrone
Tel +39 393 9121310

Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/~massi/

"Learning many things does not teach intelligence"
(Heraclitus)
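An added worked example for two parts of the message above, the JSON-RPC error body in the wire dump and the krb5kdc lines that were compared; it is not code from the thread, from FreeIPA or from the Java client. It reassembles both as constructed sample data (with the list archive's " at " obfuscation restored to "@"), parses the KDC lines so you can see which principal actually obtained tickets for which service and from which address, flags the request shape the Java client produced (a service principal asking for a ticket to another service), and unwraps the `{"__base64__": ...}` wrapper FreeIPA's JSON-RPC encoder puts around binary values, which is why the error name appears as `Q0NhY2hlRXJyb3I=` in the dump:

```python
from __future__ import annotations

import base64
import json
import re
from typing import Any

# Constructed sample data: the krb5kdc lines quoted in the thread, with the
# list archive's " at " obfuscation restored to "@".
SAMPLE_KDC_LOG = """\
mar 18 08:20:12 olmo.example.com krb5kdc[1423](info): TGS_REQ (1 etypes {18}) 192.168.0.105: ISSUE: authtime 1395072185, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
mar 18 08:20:13 olmo.example.com krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 1395072185, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for ldap/olmo.example.com@EXAMPLE.COM
mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: NEEDED_PREAUTH: HTTP/ebano.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: ISSUE: authtime 1395082101, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.0.105: ISSUE: authtime 1395082101, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for HTTP/olmo.example.com@EXAMPLE.COM
"""

# Constructed sample: the JSON-RPC error body from the wire dump, reassembled.
SAMPLE_RESPONSE = """{"error": {"code": 1101,
  "message": "did not receive Kerberos credentials",
  "name": {"__base64__": "Q0NhY2hlRXJyb3I="}},
 "id": null, "principal": "UNKNOWN", "result": null, "version": "3.3.4"}"""

# One MIT krb5kdc info line:
#   <req> (<n> etypes {..}) <ip>: <status>: [authtime <t>, etypes {..}, ]<client> for <server>[, <detail>]
KDC_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<detail>.*))?$"
)


def parse_kdc_log(text: str) -> list[dict[str, Any]]:
    """Turn krb5kdc info lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = KDC_RE.search(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["etypes"] = [int(e) for e in rec["etypes"].split()]
        rec["authtime"] = int(rec["authtime"]) if rec["authtime"] else None
        records.append(rec)
    return records


def is_service_principal(principal: str) -> bool:
    """service/host@REALM carries a '/' in its name part; user principals do not."""
    return "/" in principal.split("@", 1)[0]


def issued_services(records: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map each client principal to the services it was actually issued tickets for."""
    out: dict[str, list[str]] = {}
    for r in records:
        if r["status"] == "ISSUE":
            out.setdefault(r["client"], []).append(r["server"])
    return out


def service_to_service(records: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """TGS_REQs in which a service principal itself asks for a ticket to another
    service (anything but krbtgt/): the shape of the Java client's last request."""
    return [
        r for r in records
        if r["req"] == "TGS_REQ"
        and r["status"] == "ISSUE"
        and is_service_principal(r["client"])
        and not r["server"].startswith("krbtgt/")
    ]


def unwrap_base64(obj: Any) -> Any:
    """FreeIPA's JSON-RPC encoder emits binary values as {"__base64__": "..."};
    decode those recursively so the error name becomes readable."""
    if isinstance(obj, dict):
        if set(obj) == {"__base64__"}:
            return base64.b64decode(obj["__base64__"]).decode("utf-8", "replace")
        return {k: unwrap_base64(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [unwrap_base64(v) for v in obj]
    return obj


def decode_ipa_response(body: str) -> dict[str, Any]:
    """Parse a FreeIPA JSON-RPC response body and unwrap its base64 fields."""
    return unwrap_base64(json.loads(body))


if __name__ == "__main__":
    recs = parse_kdc_log(SAMPLE_KDC_LOG)
    for client, services in issued_services(recs).items():
        print(f"{client} -> {', '.join(services)}")
    for r in service_to_service(recs):
        print(f"service-to-service from {r['ip']}: {r['client']} for {r['server']}")
    err = decode_ipa_response(SAMPLE_RESPONSE)["error"]
    print(f"{err['name']} ({err['code']}): {err['message']}")
```

Run it against a real /var/log/krb5kdc.log (the same record format) to compare a working flow with a failing one side by side: the decoded error name here is CCacheError, and in the sample the curl flow ends with a ticket for ldap/olmo.example.com while the Java flow ends with HTTP/ebano.example.com holding a ticket for HTTP/olmo.example.com.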
