[Freeipa-devel] Talking json/rpc with java client

Massimiliano Perrone (tirasa.net) massimiliano.perrone at tirasa.net
Mon Mar 24 11:35:48 UTC 2014


On 03/21/2014 04:52 PM, Massimiliano Perrone (tirasa.net) wrote:
> On 03/20/2014 02:09 PM, Simo Sorce wrote:
>> On Thu, 2014-03-20 at 14:47 +0200, Alexander Bokovoy wrote:
>>> On Thu, 20 Mar 2014, Rob Crittenden wrote:
>>>> Alexander Bokovoy wrote:
>>>>> On Thu, 20 Mar 2014, Massimiliano Perrone (example.com) wrote:
>>>>>> On 03/18/2014 05:26 PM, Alexander Bokovoy wrote:
>>>>>>> On Tue, 18 Mar 2014, Massimiliano Perrone (example.com) wrote:
>>>>>>>>>> The difference between the two calls is on the last TGS_REQ;
>>>>>>>>>> because the first one is on ldap/olmo.example.com at EXAMPLE.COM and
>>>>>>>>>> it's OK whereas the second one is on
>>>>>>>>>> HTTP/olmo.example.com at EXAMPLE.COM that returns a 401 (I suppose).
>>>>>>>>>>
>>>>>>>>>> Where's the error?
>>>>>>>>> Am I correct that you have a user connecting to HTTP/ebano.example.com
>>>>>>>>> and then HTTP/ebano.example.com wants to talk to HTTP/olmo.example.com
>>>>>>>>> using credentials of the user?
>>>>>>>>>
>>>>>>>>> FreeIPA uses constraint delegation of the credentials, with the help of
>>>>>>>>> S4U2Proxy extension. You need to allow HTTP/ebano.example.com to delegate
>>>>>>>>> credentials to HTTP/olmo.example.com.
>>>>>>>>>
>>>>>>>>> I have written an article on how to do that:
>>>>>>>>> https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
>>>>>>>>>
>>>>>>>> Hi Alexander, thanks for your reply.
>>>>>>>> I read carefully your interesting post and I follow it to delegate
>>>>>>>> HTTP/ebano.example.com credentials to HTTP/olmo.example.com.
>>>>>>>>
>>>>>>>> Now, two questions:
>>>>>>>> 1) How can I check that my configuration, now is ok? Because this
>>>>>>>> ldapsearch returns result: 0
>>>>>>>>
>>>>>>>> ldapsearch -Y GSSAPI -H ldap://olmo.example.com -b
>>>>>>>> "cn=s4u2proxy,cn=etc,dc=example,dc=com"
>>>>>>>> "cn=ipa-http-delegation-targets" dn
>>>>>>> You need to create these delegation entries yourself, like the article
>>>>>>> says. Note that your app talks to IPA server's HTTP service, so create
>>>>>>>
>>>>>>> dn: cn=ebano-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
>>>>>>> objectClass: ipaKrb5DelegationACL
>>>>>>> objectClass: groupOfPrincipals
>>>>>>> objectClass: top
>>>>>>> cn: ebano-http-delegation
>>>>>>> memberPrincipal: HTTP/ebano.example.com at EXAMPLE.COM
>>>>>>> ipaAllowedTarget: cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
>>>>>>>
>>>>>>> This entry says: "HTTP/ebano.example.com is allowed to delegate users'
>>>>>>> credentials to whatever Kerberos principal is a member of
>>>>>>> cn=ebano-http-delegation-targets group"
>>>>>>>
>>>>>>> Now, this is the group:
>>>>>>> dn: cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
>>>>>>> objectClass: groupOfPrincipals
>>>>>>> objectClass: top
>>>>>>> cn: ebano-http-delegation-targets
>>>>>>> memberPrincipal: HTTP/olomo.example.com at EXAMPLE.COM
>>>>>>>
>>>>>>> With these two entries we would have HTTP/ebano.example.com allowed to
>>>>>>> delegate users' credentials to HTTP/olomo.example.com
>>>>>> Hi Alexander, thanks for your patience.
>>>>>> I followed your suggestions but the result is always the same.
>>>>>>
>>>>>> Trying with curl, of course, it works.
>>>>>>
>>>>>> My doubt now is why curl generates this log on kerberos server
>>>>>>
>>>>>> mar 20 10:22:20 olmo.example.com krb5kdc[5091](info): TGS_REQ (1 etypes {18}) 192.168.0.105: ISSUE: authtime 1395301975, etypes {rep=18 tkt=18 ses=18}, admin at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>>>>> mar 20 10:22:21 olmo.example.com krb5kdc[5091](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 1395301975, etypes {rep=18 tkt=18 ses=18}, admin at EXAMPLE.COM for ldap/olmo.example.com at EXAMPLE.COM
>>>>> This is effect of S4U extension working correctly.
>>>>>
>>>>>> whereas java generates this other one
>>>>>>
>>>>>> mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: NEEDED_PREAUTH: HTTP/ebano.example.com at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional pre-authentication required
>>>>>> mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: ISSUE: authtime 1395307449, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>>>>> mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.0.105: ISSUE: authtime 1395307449, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com at EXAMPLE.COM for HTTP/olmo.example.com at EXAMPLE.COM
>>>>>>
>>>>>> As you can see, the first one uses admin on ldap service, the second
>>>>>> one uses HTTP/ebano.example.com on HTTP service.
>>>>> This means your Java application doesn't use S4U extension or doesn't
>>>>> know about that.
>>>>>
>>>>>> Can I do the same call with Java?
>>>>> At this point we need to make clear which Java you are using.
>>>>>
>>>>> http://download.java.net/jdk8/docs/technotes/guides/security/jgss/jgss-features.html
>>>>>
>>>>> tells that S4U extensions (we use S4U2Proxy here) were added in Java SE 8.
>>>>>
>>>> The client doesn't do the S4U2Proxy work though, so this shouldn't
>>>> matter, right?
>>> My point is that the client will not do what he expects unless S4U2Proxy
>>> is used in Java and that requires Java 8 platform, released on March
>>> 18th 2014.
>> I think you can use earlier Java versions but tell them to use the
>> native GSSAPI library (and perhaps sprinkle a little bit of GSS-Proxy in
>> the back for fun).
>
> Here I'm again :)
>
> I wrote a GSSClient [1] obtaining:
> ###################################################
> java.io.IOException: Server returned HTTP response code: 401 for URL: https://olmo.example.com/ipa/json
> ###################################################
>
> Other info from kerberos client:
> ###################################################
> Ordering keys wrt default_tkt_enctypes list
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >>> KrbAsRep cons in KrbAsReq.getReply HTTP/ebano.example.com
> principal is HTTP/ebano.example.com at EXAMPLE.COM
> Will use keytab
> Commit Succeeded
>
> Found ticket for HTTP/ebano.example.com at EXAMPLE.COM to go to krbtgt/EXAMPLE.COM at EXAMPLE.COM expiring on Sat Mar 22 16:38:37 CET 2014
> Entered Krb5Context.initSecContext with state=STATE_NEW
> Service ticket not found in the subject <---------------------------------------------------------------
> >>> Credentials acquireServiceCreds: same realm
> Using builtin default etypes for default_tgs_enctypes
> default etypes for default_tgs_enctypes: 18 17 16 23 1 3.
> >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >>> KrbKdcReq send: kdc=olmo.example.com UDP:88, timeout=30000, number of retries =3, #bytes=681
> >>> KDCCommunication: kdc=olmo.example.com UDP:88, timeout=30000,Attempt =1, #bytes=681
> >>> KrbKdcReq send: #bytes read=642
> >>> KdcAccessibility: remove olmo.example.com
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> Krb5Context setting mySeqNumber to: 1042307601
> Created InitSecContextToken:
> ###################################################
>
> As you can see in the row indicated by the arrow there's:
> Entered Krb5Context.initSecContext with state=STATE_NEW
> Service ticket not found in the subject <---------------------------------------------------------------
> Is this right?

Hi guys, sorry for the noise...
Maybe this information can help us understand the root cause of our problem.

httpd access_log
192.168.0.176 - HTTP/ebano.tirasa.net at TIRASA.NET [24/Mar/2014:12:21:57 +0100] "POST /ipa/json HTTP/1.1" 500 272
httpd error_log
[Mon Mar 24 12:21:57.971182 2014] [:error] [pid 24462] ipa: ERROR: 500 Internal Server Error: jsonserver_kerb.__call__: KRB5CCNAME not defined in HTTP request environment


>
> PS: next step is JAVA_8 installation to follow Alexander's suggestions.
>
> [1] 
> https://github.com/massx1/KerberosExample/blob/master/src/main/java/net/tirasa/kerberosexample/GSSClient.java
>>
>>> That is, if there is a user talking to the Java client and
>>> then Java client turning to IPA LDAP or web server with constraint
>>> delegation.
>>>
>>> This is something I tried to get clarification for in the original
>>> discussion.
>>>


-- 
Massimiliano Perrone
Tel +39 393 9121310

Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/~massi/

"Learning many things does not teach understanding"
(Eraclito)
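The two s4u2proxy LDIF entries Alexander posted and his reading of the KDC log, turned into an added example that is not part of this thread or of FreeIPA's own code: a minimal parser for the delegation ACL entries that answers which targets a proxy principal may delegate to (the poster's "how can I check my configuration" question), and a classifier for issued TGS_REQ lines that tells whether the ticket went to a user principal or to the application's own service principal, which is the distinction drawn between the curl and Java logs above. The LDIF and the log line are constructed copies of the ones quoted in the thread, with "@" restored where the archive prints " at "; the `parse_ldif` and `tgs_identity` helpers are this example's own.

```python
import re
# Constructed, trimmed copy of the two s4u2proxy entries quoted in the thread
# (the archive prints "@" as " at "; real entries use "@").
ACL_LDIF = """\
dn: cn=ebano-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
memberPrincipal: HTTP/ebano.example.com@EXAMPLE.COM
ipaAllowedTarget: cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com

dn: cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: groupOfPrincipals
memberPrincipal: HTTP/olmo.example.com@EXAMPLE.COM
"""

# Constructed copy of the Java-side TGS_REQ line quoted in the thread.
KDC_LINE = ("mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) "
            "192.168.0.105: ISSUE: authtime 1395307449, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for HTTP/olmo.example.com@EXAMPLE.COM")

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def delegation_targets(entries, proxy):
    """Principals `proxy` may delegate to (memberPrincipal -> ipaAllowedTarget -> group)."""
    targets = set()
    for attrs in entries.values():
        if ("ipaKrb5DelegationACL" in attrs.get("objectClass", [])
                and proxy in attrs.get("memberPrincipal", [])):
            for group_dn in attrs.get("ipaAllowedTarget", []):
                targets.update(entries.get(group_dn, {}).get("memberPrincipal", []))
    return targets

TGS_RE = re.compile(r"TGS_REQ .* ISSUE: .*, (?P<client>\S+) for (?P<service>\S+)$")

def tgs_identity(line):
    """For an issued TGS_REQ line return (client, service, kind): 'user' when a user
    principal got the ticket, 'service' when the app's own service principal did."""
    m = TGS_RE.search(line)
    if not m:
        return None
    client, service = m.group("client"), m.group("service")
    return client, service, ("service" if "/" in client.split("@", 1)[0] else "user")
```

A 'user' result on its own does not prove S4U2Proxy was used, since a direct user request produces the same KDC line; the telling case in the thread is 'service', where the application's own principal, not the user, is the client.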
