[Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

Marc Boorshtein marc.boorshtein at tremolosecurity.com
Tue Oct 27 17:11:25 UTC 2015


All,

I'm trying to create an S4u2self/proxy that will give me a ticket to
log into ipa web.  I have ipa installed on centos 7 and the client
installed on centos 6.  The client is written in Java (Java 8).  When
I try the following impersonation code:

import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import com.sun.security.jgss.ExtendedGSSCredential;

// Acquire the service's own credential (HTTP/unison-freeipa... from the ccache)
GSSManager manager = GSSManager.getInstance();
GSSCredential self = manager.createCredential(GSSCredential.INITIATE_ONLY);

// Name of the user to impersonate via S4U2self
GSSName user = manager.createName("mmosley", GSSName.NT_USER_NAME);

// Ask the KDC for a ticket to ourselves on behalf of that user
GSSCredential impCred = ((ExtendedGSSCredential) self).impersonate(user);

I get the following output from Java:

[tremoloadmin at unison-freeipa ~]$ java \
    -Djavax.security.auth.useSubjectCredsOnly=false \
    -Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true \
    -jar tests4u-1.0-SNAPSHOT-jar-with-dependencies.jar
Hello World!
Search Subject for Kerberos V5 INIT cred (<<DEF>>,
sun.security.jgss.krb5.Krb5InitCredential)
No Subject
>>>KinitOptions cache name is /tmp/krb5cc_500
>>>DEBUG <CCacheInputStream>  client principal is HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
>>>DEBUG <CCacheInputStream> server principal is krbtgt/RHELENT.LAN at RHELENT.LAN
>>>DEBUG <CCacheInputStream> key type: 18
>>>DEBUG <CCacheInputStream> auth time: Mon Oct 26 21:11:17 EDT 2015
>>>DEBUG <CCacheInputStream> start time: Mon Oct 26 21:11:17 EDT 2015
>>>DEBUG <CCacheInputStream> end time: Tue Oct 27 21:11:17 EDT 2015
>>>DEBUG <CCacheInputStream> renew_till time: Tue Oct 27 21:11:18 EDT 2015
>>> CCacheInputStream: readFlags()  FORWARDABLE; RENEWABLE; INITIAL; PRE_AUTH;
>>>DEBUG <CCacheInputStream>  client principal is HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config
>>>DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/RHELENT.LAN at RHELENT.LAN@RHELENT.LAN
>>>DEBUG <CCacheInputStream> key type: 0
>>>DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969
>>>DEBUG <CCacheInputStream> start time: null
>>>DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags()
Found ticket for HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN to go to
krbtgt/RHELENT.LAN at RHELENT.LAN expiring on Tue Oct 27 21:11:17 EDT
2015
Search Subject for SPNEGO INIT cred (<<DEF>>,
sun.security.jgss.spnego.SpNegoCredElement)
No Subject
Search Subject for Kerberos V5 INIT cred (<<DEF>>,
sun.security.jgss.krb5.Krb5InitCredential)
No Subject
>>>KinitOptions cache name is /tmp/krb5cc_500
>>>DEBUG <CCacheInputStream>  client principal is HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
>>>DEBUG <CCacheInputStream> server principal is krbtgt/RHELENT.LAN at RHELENT.LAN
>>>DEBUG <CCacheInputStream> key type: 18
>>>DEBUG <CCacheInputStream> auth time: Mon Oct 26 21:11:17 EDT 2015
>>>DEBUG <CCacheInputStream> start time: Mon Oct 26 21:11:17 EDT 2015
>>>DEBUG <CCacheInputStream> end time: Tue Oct 27 21:11:17 EDT 2015
>>>DEBUG <CCacheInputStream> renew_till time: Tue Oct 27 21:11:18 EDT 2015
>>> CCacheInputStream: readFlags()  FORWARDABLE; RENEWABLE; INITIAL; PRE_AUTH;
>>>DEBUG <CCacheInputStream>  client principal is HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
>>>DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/RHELENT.LAN at RHELENT.LAN@RHELENT.LAN
>>>DEBUG <CCacheInputStream> key type: 0
>>>DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969
>>>DEBUG <CCacheInputStream> start time: null
>>>DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags()
Found ticket for HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN to go to
krbtgt/RHELENT.LAN at RHELENT.LAN expiring on Tue Oct 27 21:11:17 EDT
2015
>>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KdcAccessibility: reset
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=freeipa.rhelent.lan. UDP:88, timeout=30000, number of retries =3, #bytes=825
>>> KDCCommunication: kdc=freeipa.rhelent.lan. UDP:88, timeout=30000,Attempt =1, #bytes=825
>>> KrbKdcReq send: #bytes read=680
>>> KdcAccessibility: remove freeipa.rhelent.lan.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> KrbKdcRep.check: at #1. request for true, received false
Exception in thread "main" GSSException: Failure unspecified at
GSS-API level (Mechanism level: Attempt to obtain S4U2self credentials
failed!)
at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
at sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:94)
at sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:141)
at io.tremolo.App.main(App.java:27)
Caused by: KrbException: Message stream modified (41)
at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:73)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:87)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:259)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:270)
at sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:67)
at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
... 3 more

Looking at KrbKdcRep.java:73, it looks like the failure is happening
because Java is setting the forwardable flag to true on the request
but the response has no options in it.  Should the forwardable option
be false in the request?

I set up my client with:

ipa - freeipa.rhelent.lan
sp - freeipa.rhelent.lan
proxy - unison-freeipa.rhelent.lan

$ ipa service-add HTTP/unison-freeipa.rhelent.lan@RHELENT.LAN --ok-as-delegate=true
Added the following to 389:

dn: cn=ipaweb-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=rhelent,dc=lan
objectClass: groupOfPrincipals
objectClass: top
cn: ipaweb-http-delegation-targets
memberPrincipal: HTTP/freeipa.rhelent.lan@RHELENT.LAN

dn: cn=unison-http-delegation,cn=s4u2proxy,cn=etc,dc=rhelent,dc=lan
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: unison-http-delegation
memberPrincipal: HTTP/unison-freeipa.rhelent.lan@RHELENT.LAN
ipaAllowedTarget: cn=ipaweb-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=rhelent,dc=lan

then created a keytab and was able to kinit with it:

ipa-getkeytab -s freeipa.rhelent.lan -p HTTP/unison-freeipa.rhelent.lan@RHELENT.LAN -k unison-freeipa.keytab

Finally, when I look at the packets I see one request and one response:

request:

Kerberos
    tgs-req
        pvno: 5
        msg-type: krb-tgs-req (12)
        padata: 2 items
            PA-DATA PA-FOR-USER
                padata-type: kRB5-PADATA-S4U2SELF (129)
                    padata-value:
304fa0143012a003020101a10b30091b076d6d6f736c6579...
                        name
                            name-type: kRB5-NT-PRINCIPAL (1)
                            name-string: 1 item
                                KerberosString: mmosley
                        realm: RHELENT.LAN
                        cksum
                            cksumtype: cKSUMTYPE-HMAC-MD5 (-138)
                            checksum: fdd3addace7f48fe263bfcc1a4dbec72
                        auth: Kerberos
            PA-DATA PA-TGS-REQ
                padata-type: kRB5-PADATA-TGS-REQ (1)
                    padata-value:
6e82023730820233a003020105a10302010ea20703050000...
                        ap-req
                            pvno: 5
                            msg-type: krb-ap-req (14)
                            Padding: 0
                            ap-options: 00000000
                                0... .... = reserved: False
                                .0.. .... = use-session-key: False
                                ..0. .... = mutual-required: False
                            ticket
                                tkt-vno: 5
                                realm: RHELENT.LAN
                                sname
                                    name-type: kRB5-NT-SRV-INST (2)
                                    name-string: 2 items
                                        KerberosString: krbtgt
                                        KerberosString: RHELENT.LAN
                                enc-part
                                    etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                    kvno: 1
                                    cipher:
a07df35b253755d20a234bb8f5ce573e06e27d95f9e4c996...
                            authenticator
                                etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                cipher:
fe25dc900c05901a5b1c778f0d0410fd245e58507dc4ac40...
        req-body
            Padding: 0
            kdc-options: 40000000 (forwardable)
                0... .... = reserved: False
                .1.. .... = forwardable: True
                ..0. .... = forwarded: False
                ...0 .... = proxiable: False
                .... 0... = proxy: False
                .... .0.. = allow-postdate: False
                .... ..0. = postdated: False
                .... ...0 = unused7: False
                0... .... = renewable: False
                .0.. .... = unused9: False
                ..0. .... = unused10: False
                ...0 .... = opt-hardware-auth: False
                .... ..0. = request-anonymous: False
                .... ...0 = canonicalize: False
                0... .... = constrained-delegation: False
                ..0. .... = disable-transited-check: False
                ...0 .... = renewable-ok: False
                .... 0... = enc-tkt-in-skey: False
                .... ..0. = renew: False
                .... ...0 = validate: False
            realm: RHELENT.LAN
            sname
                name-type: kRB5-NT-PRINCIPAL (1)
                name-string: 2 items
                    KerberosString: HTTP
                    KerberosString: unison-freeipa.rhelent.lan
            till: 1970-01-01 00:00:00 (UTC)
            nonce: 1950860413
            etype: 4 items
                ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
                ENCTYPE: eTYPE-DES3-CBC-SHA1 (16)
                ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)

And the response:
Kerberos
    tgs-rep
        pvno: 5
        msg-type: krb-tgs-rep (13)
        crealm: RHELENT.LAN
        cname
            name-type: kRB5-NT-PRINCIPAL (1)
            name-string: 1 item
                KerberosString: mmosley
        ticket
            tkt-vno: 5
            realm: RHELENT.LAN
            sname
                name-type: kRB5-NT-PRINCIPAL (1)
                name-string: 2 items
                    KerberosString: HTTP
                    KerberosString: unison-freeipa.rhelent.lan
            enc-part
                etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                kvno: 1
                cipher: d5ba7253ac30a63034ac5985fa0c782dc86cb0a9dd859127...
        enc-part
            etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
            cipher: 7c6f2034caddf129d1550b91f4ef0157b2f9ac4c351023d3...

On the IPA server I get:

Oct 26 23:29:40 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (4
etypes {18 17 16 23}) 192.168.2.167: ISSUE: authtime 1445908277,
etypes {rep=18 tkt=18 ses=18},
HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN for
HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN

Oct 26 23:29:40 freeipa.rhelent.lan krb5kdc[7507](info): ...
PROTOCOL-TRANSITION s4u-client=mmosley at RHELENT.LAN

It looks like everything is working, right?  If either Java didn't
set the forwardable to "true" or if IPA sent the options back in the
response, I'd be in business? Any thoughts?

Thanks

Marc Boorshtein
CTO Tremolo Security
marc.boorshtein at tremolosecurity.com
(703) 828-4902
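The comparison that the debug line "> KrbKdcRep.check: at #1. request for true, received false" points at, as an added example that is neither the poster's code nor the JDK's: it decodes a kdc-options word the way Wireshark labels it (bit 0 is the most significant bit, so forwardable is 0x40000000) and reports whether a client that insists on every requested option being reflected in the returned ticket flags would reject the reply with error 41. The bit positions follow RFC 4120; the exact set of compared flags is an assumption.

```python
# Constructed example: client-side kdc-options vs. ticket-flags consistency
# check of the kind described in the post. Not JDK or FreeIPA code.

KRB_AP_ERR_MODIFIED = 41  # "Message stream modified"

# RFC 4120 KDCOptions / TicketFlags bit positions, bit 0 = MSB of the
# 32-bit BIT STRING. Subset assumed to be what the client compares.
FLAG_BITS = {
    "forwardable": 1,
    "forwarded": 2,
    "proxiable": 3,
    "proxy": 4,
    "allow-postdate": 5,
    "postdated": 6,
    "renewable": 8,
}


def bit_set(word: int, position: int) -> bool:
    """True if bit `position` (0 = most significant) is set in `word`."""
    return bool(word & (1 << (31 - position)))


def options_word(*names: str) -> int:
    """Encode option names as a kdc-options word ("forwardable" -> 0x40000000)."""
    word = 0
    for name in names:
        word |= 1 << (31 - FLAG_BITS[name])
    return word


def decode_flags(word: int) -> list:
    """Names of the flags set in `word`, as a dissector would label them."""
    return [name for name, bit in FLAG_BITS.items() if bit_set(word, bit)]


def kdc_rep_mismatches(req_options: int, rep_flags: int) -> list:
    """(flag, requested, received) for every compared bit that differs."""
    return [(name, bit_set(req_options, bit), bit_set(rep_flags, bit))
            for name, bit in FLAG_BITS.items()
            if bit_set(req_options, bit) != bit_set(rep_flags, bit)]


def client_verdict(req_options: int, rep_flags: int) -> int:
    """0 if the TGS-REP is accepted, KRB_AP_ERR_MODIFIED (41) if rejected."""
    return KRB_AP_ERR_MODIFIED if kdc_rep_mismatches(req_options, rep_flags) else 0


if __name__ == "__main__":
    # Values mirroring the capture: request 0x40000000, reply carries no flags.
    req, rep = options_word("forwardable"), 0x00000000
    print(hex(req), decode_flags(req), kdc_rep_mismatches(req, rep), client_verdict(req, rep))
```

Running it shows that the same reply would pass if the request had not asked for forwardable (client_verdict(0, 0) is 0), which is the "should the forwardable option be false in the request?" branch of the question.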
