[Freeipa-devel] Talking json/rpc with java client

Thu Mar 20 13:32:57 UTC 2014

On 03/20/2014 01:29 PM, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Thu, 20 Mar 2014, Massimiliano Perrone (tirasa.net) wrote:
>>> On 03/18/2014 05:26 PM, Alexander Bokovoy wrote:
>>>> On Tue, 18 Mar 2014, Massimiliano Perrone (example.com) wrote:
>>>>>>> The difference between the two calls is on the last TGS_REQ;
>>>>>>> because the first one is on ldap/olmo.example.com at EXAMPLE.COM and
>>>>>>> it's OK whereas the second one is on
>>>>>>> HTTP/olmo.example.com at EXAMPLE.COM that returns a 401 (I suppose).
>>>>>>>
>>>>>>> Where's the error?
>>>>>> Am I correct that you have a user connecting to 
>>>>>> HTTP/ebano.example.com
>>>>>> and then HTTP/ebano.example.com wants to talk to 
>>>>>> HTTP/olmo.example.com
>>>>>> using credentials of the user?
>>>>>>
>>>>>> FreeIPA uses constraint delegation of the credentials, with the
>>>>>> help of
>>>>>> S4U2Proxy extension. You need to allow HTTP/ebano.example.com to
>>>>>> delegate
>>>>>> credentials to HTTP/olmo.example.com.
>>>>>>
>>>>>> I have written an article how to do that:
>>>>>> https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html 
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> Hi Alexander, thanks for your reply.
>>>>> I read carefully your interesting post and I follow it to delegate
>>>>> HTTP/ebano.example.com credentials to HTTP/olmo.example.com.
>>>>>
>>>>> Now, two questions:
>>>>> 1) How can I check that my configuration, now is ok? Because this
>>>>> ldapsearch returns result: 0
>>>>>
>>>>> ldapsearch -Y GSSAPI -H ldap://olmo.example.com -b
>>>>> "cn=s4u2proxy,cn=etc,dc=example,dc=com"
>>>>> "cn=ipa-http-delegation-targets" dn
>>>> You need to create these delegation entries yourself, like the article
>>>> says. Note that your app talks to IPA server's HTTP service, so create
>>>>
>>>> dn: cn=ebano-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
>>>> objectClass: ipaKrb5DelegationACL
>>>> objectClass: groupOfPrincipals
>>>> objectClass: top
>>>> cn: ebano-http-delegation
>>>> memberPrincipal: HTTP/ebano.example.com at EXAMPLE.COM
>>>> ipaAllowedTarget:
>>>> cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
>>>>
>>>> This entry says: "HTTP/ebano.example.com is allowed to delegate users'
>>>> credentials to whatever Kerberos principal is a member of
>>>> cn=ebano-http-delegation-targets group"
>>>>
>>>> Now, this is the group:
>>>> dn:
>>>> cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
>>>> objectClass: groupOfPrincipals
>>>> objectClass: top
>>>> cn: ebano-http-delegation-targets
>>>> memberPrincipal: HTTP/olomo.example.com at EXAMPLE.COM
>>>>
>>>> With these two entries we would have HTTP/ebano.example.com allowed to
>>>> delegate users' credentials to HTTP/olomo.example.com
>>>
>>> Hi Alexander, thanks for your patience.
>>> I followed your suggestions but the result is always the same.
>>>
>>> Trying with curl, of course, it works.
>>>
>>> My doubt now is why curl generates this log on kerberos server
>>>
>>> mar 20 10:22:20 olmo.example.com krb5kdc[5091](info): TGS_REQ (1
>>> etypes {18}) 192.168.0.105: ISSUE: authtime 1395301975, etypes {rep=18
>>> tkt=18 ses=18}, admin at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>> mar 20 10:22:21 olmo.example.com krb5kdc[5091](info): TGS_REQ (6
>>> etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 1395301975,
>>> etypes {rep=18 tkt=18 ses=18}, admin at EXAMPLE.COM for
>>> ldap/olmo.example.com at EXAMPLE.COM
>> This is effect of S4U extension working correctly.
>>
>>> whereas java generates this other one
>>>
>>> mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): AS_REQ (4 etypes
>>> {18 17 16 23}) 192.168.0.105: NEEDED_PREAUTH:
>>> HTTP/ebano.example.com at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM,
>>> Additional pre-authentication required
>>> mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): AS_REQ (4 etypes
>>> {18 17 16 23}) 192.168.0.105: ISSUE: authtime 1395307449, etypes
>>> {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com at EXAMPLE.COM for
>>> krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>> mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): TGS_REQ (6
>>> etypes {18 17 16 23 1 3}) 192.168.0.105: ISSUE: authtime 1395307449,
>>> etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com at EXAMPLE.COM for
>>> HTTP/olmo.example.com at EXAMPLE.COM
>>>
>>> As you can see, the first one uses admin on ldap service, the second
>>> one uses HTTP/ebano.example.com on HTTP service.
>> This means your Java application doesn't use S4U extension or doesn't
>> know about that.
>>
>>> Can I do the same call with Java?
>> At this point we need to set clear what Java are you using.
>>
>> http://download.java.net/jdk8/docs/technotes/guides/security/jgss/jgss-features.html 
>>
>>
>> tells that S4U extensions (we use S4U2Proxy here) was added in Java 
>> SE 8.
>>
>
> The client doesn't do the S4U2Proxy work though, so this shouldn't 
> matter, right?
>
> I think what I'd suggest is to use the keytab you're using in java in 
> the curl test:
>
> $ kinit -kt /path/to/keytab HTTP/ebano.example.com
> $ curl ...
>

Curl call is OK also with ebano keytab.
Kerberos server log:

mar 20 14:29:56 olmo.tirasa.net krb5kdc[5091](info): TGS_REQ (1 etypes 
{18}) 192.168.0.105: ISSUE: authtime 1395321990, etypes {rep=18 tkt=18 
ses=18}, HTTP/ebano.tirasa.net at TIRASA.NET for krbtgt/TIRASA.NET at TIRASA.NET
mar 20 14:29:56 olmo.tirasa.net krb5kdc[5091](info): TGS_REQ (6 etypes 
{18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 1395321990, etypes 
{rep=18 tkt=18 ses=18}, HTTP/ebano.tirasa.net at TIRASA.NET for 
ldap/olmo.tirasa.net at TIRASA.NET

------------------> HTTP/ebano.tirasa.net at TIRASA.NET for 
ldap/olmo.tirasa.net at TIRASA.NET

> Then you'll be comparing apples to apples.
>
> rob

-- 
Massimiliano Perrone
Tel +39 393 9121310

Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/~massi/

"L'apprendere molte cose non insegna l'intelligenza"
(Eraclito)