[Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

Simo Sorce simo at redhat.com
Tue Oct 27 19:15:32 UTC 2015


On 27/10/15 13:11, Marc Boorshtein wrote:
> All,
>
> I'm trying to create an S4u2self/proxy that will give me a ticket to
> log into ipa web.  I have ipa installed on centos 7 and the client
> installed on centos 6.  The client is written in Java (Java 8).  When
> I try the following impersonation code:
>
> import org.ietf.jgss.GSSCredential;
> import org.ietf.jgss.GSSException;
> import org.ietf.jgss.GSSManager;
> import org.ietf.jgss.GSSName;
> import com.sun.security.jgss.ExtendedGSSCredential;
>
> public class App {
>     public static void main(String[] args) throws GSSException {
>         GSSManager manager = GSSManager.getInstance();
>         // the service's own credential, read from the ccache (useSubjectCredsOnly=false)
>         GSSCredential self = manager.createCredential(GSSCredential.INITIATE_ONLY);
>         GSSName user = manager.createName("mmosley", GSSName.NT_USER_NAME);
>         // S4U2self: ask the KDC for a ticket to ourselves on behalf of the user
>         GSSCredential impCred = ((ExtendedGSSCredential) self).impersonate(user);
>     }
> }
>
> I get the following output from Java:
>
> [tremoloadmin at unison-freeipa ~]$ java
> -Djavax.security.auth.useSubjectCredsOnly=false
> -Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true    -jar
> tests4u-1.0-SNAPSHOT-jar-with-dependencies.jar
> Hello World!
> Search Subject for Kerberos V5 INIT cred (<<DEF>>,
> sun.security.jgss.krb5.Krb5InitCredential)
> No Subject
>>>> KinitOptions cache name is /tmp/krb5cc_500
>>>> DEBUG <CCacheInputStream>  client principal is HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
>>>> DEBUG <CCacheInputStream> server principal is krbtgt/RHELENT.LAN at RHELENT.LAN
>>>> DEBUG <CCacheInputStream> key type: 18
>>>> DEBUG <CCacheInputStream> auth time: Mon Oct 26 21:11:17 EDT 2015
>>>> DEBUG <CCacheInputStream> start time: Mon Oct 26 21:11:17 EDT 2015
>>>> DEBUG <CCacheInputStream> end time: Tue Oct 27 21:11:17 EDT 2015
>>>> DEBUG <CCacheInputStream> renew_till time: Tue Oct 27 21:11:18 EDT 2015
>>>> CCacheInputStream: readFlags()  FORWARDABLE; RENEWABLE; INITIAL; PRE_AUTH;
>>>> DEBUG <CCacheInputStream>  client principal is HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
> Java config name: null
> Native config name: /etc/krb5.conf
> Loaded from native config
>>>> DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/RHELENT.LAN at RHELENT.LAN@RHELENT.LAN
>>>> DEBUG <CCacheInputStream> key type: 0
>>>> DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969
>>>> DEBUG <CCacheInputStream> start time: null
>>>> DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969
>>>> DEBUG <CCacheInputStream> renew_till time: null
>>>> CCacheInputStream: readFlags()
> Found ticket for HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN to go to
> krbtgt/RHELENT.LAN at RHELENT.LAN expiring on Tue Oct 27 21:11:17 EDT
> 2015
> Search Subject for SPNEGO INIT cred (<<DEF>>,
> sun.security.jgss.spnego.SpNegoCredElement)
> No Subject
> Search Subject for Kerberos V5 INIT cred (<<DEF>>,
> sun.security.jgss.krb5.Krb5InitCredential)
> No Subject
>>>> KinitOptions cache name is /tmp/krb5cc_500
>>>> DEBUG <CCacheInputStream>  client principal is HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
>>>> DEBUG <CCacheInputStream> server principal is krbtgt/RHELENT.LAN at RHELENT.LAN
>>>> DEBUG <CCacheInputStream> key type: 18
>>>> DEBUG <CCacheInputStream> auth time: Mon Oct 26 21:11:17 EDT 2015
>>>> DEBUG <CCacheInputStream> start time: Mon Oct 26 21:11:17 EDT 2015
>>>> DEBUG <CCacheInputStream> end time: Tue Oct 27 21:11:17 EDT 2015
>>>> DEBUG <CCacheInputStream> renew_till time: Tue Oct 27 21:11:18 EDT 2015
>>>> CCacheInputStream: readFlags()  FORWARDABLE; RENEWABLE; INITIAL; PRE_AUTH;
>>>> DEBUG <CCacheInputStream>  client principal is HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
>>>> DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/RHELENT.LAN at RHELENT.LAN@RHELENT.LAN
>>>> DEBUG <CCacheInputStream> key type: 0
>>>> DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969
>>>> DEBUG <CCacheInputStream> start time: null
>>>> DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969
>>>> DEBUG <CCacheInputStream> renew_till time: null
>>>> CCacheInputStream: readFlags()
> Found ticket for HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN to go to
> krbtgt/RHELENT.LAN at RHELENT.LAN expiring on Tue Oct 27 21:11:17 EDT
> 2015
>>>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
> Using builtin default etypes for default_tgs_enctypes
> default etypes for default_tgs_enctypes: 18 17 16 23.
>>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>>> KdcAccessibility: reset
> getKDCFromDNS using UDP
>>>> KrbKdcReq send: kdc=freeipa.rhelent.lan. UDP:88, timeout=30000, number of retries =3, #bytes=825
>>>> KDCCommunication: kdc=freeipa.rhelent.lan. UDP:88, timeout=30000,Attempt =1, #bytes=825
>>>> KrbKdcReq send: #bytes read=680
>>>> KdcAccessibility: remove freeipa.rhelent.lan.:88
>>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>> KrbKdcRep.check: at #1. request for true, received false
> Exception in thread "main" GSSException: Failure unspecified at
> GSS-API level (Mechanism level: Attempt to obtain S4U2self credentials
> failed!)
> at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
> at sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:94)
> at sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:141)
> at io.tremolo.App.main(App.java:27)
> Caused by: KrbException: Message stream modified (41)
> at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:73)
> at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:87)
> at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:259)
> at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:270)
> at sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:67)
> at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
> at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
> ... 3 more
>
> Looking at KrbKdcRep.java:73 it looks like the failure is happening
> because java is setting the forwardable flag to true on the request
> but the response has no options in it.  Should the forwardable option
> be false in the request?

That's a fair guess.
The whole point of constrained delegation (including protocol 
impersonation) is that you do not want to forward tickets, so you 
shouldn't ask for forwardable tickets methinks.

Simo.


>
>
> I set up my client with:
>
> ipa - freeipa.rhelent.lan
> sp - freeipa.rhelent.lan
> proxy - unison-freeipa.rhelent.lan
>
> $ ipa service-add HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
> --ok-as-delegate=true
> Added the following to 389:
>
> dn: cn=ipaweb-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=rhelent,dc=lan
> objectClass: groupOfPrincipals
> objectClass: top
> cn: ipaweb-http-delegation-targets
> memberPrincipal: HTTP/freeipa.rhelent.lan at RHELENT.LAN
>
> dn: cn=unison-http-delegation,cn=s4u2proxy,cn=etc,dc=rhelent,dc=lan
> objectClass: ipaKrb5DelegationACL
> objectClass: groupOfPrincipals
> objectClass: top
> cn: unison-http-delegation
> memberPrincipal: HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
> ipaAllowedTarget:
> cn=ipaweb-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=rhelent,dc=lan
>
> then created a keytab and was able to kinit with it:
>
> ipa-getkeytab -s freeipa.rhelent.lan -p
> HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN -k unison-freeipa.keytab
>
> Finally, when I look at the packets I see one request and one response:
>
> request:
>
> Kerberos
>      tgs-req
>          pvno: 5
>          msg-type: krb-tgs-req (12)
>          padata: 2 items
>              PA-DATA PA-FOR-USER
>                  padata-type: kRB5-PADATA-S4U2SELF (129)
>                      padata-value:
> 304fa0143012a003020101a10b30091b076d6d6f736c6579...
>                          name
>                              name-type: kRB5-NT-PRINCIPAL (1)
>                              name-string: 1 item
>                                  KerberosString: mmosley
>                          realm: RHELENT.LAN
>                          cksum
>                              cksumtype: cKSUMTYPE-HMAC-MD5 (-138)
>                              checksum: fdd3addace7f48fe263bfcc1a4dbec72
>                          auth: Kerberos
>              PA-DATA PA-TGS-REQ
>                  padata-type: kRB5-PADATA-TGS-REQ (1)
>                      padata-value:
> 6e82023730820233a003020105a10302010ea20703050000...
>                          ap-req
>                              pvno: 5
>                              msg-type: krb-ap-req (14)
>                              Padding: 0
>                              ap-options: 00000000
>                                  0... .... = reserved: False
>                                  .0.. .... = use-session-key: False
>                                  ..0. .... = mutual-required: False
>                              ticket
>                                  tkt-vno: 5
>                                  realm: RHELENT.LAN
>                                  sname
>                                      name-type: kRB5-NT-SRV-INST (2)
>                                      name-string: 2 items
>                                          KerberosString: krbtgt
>                                          KerberosString: RHELENT.LAN
>                                  enc-part
>                                      etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
>                                      kvno: 1
>                                      cipher:
> a07df35b253755d20a234bb8f5ce573e06e27d95f9e4c996...
>                              authenticator
>                                  etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
>                                  cipher:
> fe25dc900c05901a5b1c778f0d0410fd245e58507dc4ac40...
>          req-body
>              Padding: 0
>              kdc-options: 40000000 (forwardable)
>                  0... .... = reserved: False
>                  .1.. .... = forwardable: True
>                  ..0. .... = forwarded: False
>                  ...0 .... = proxiable: False
>                  .... 0... = proxy: False
>                  .... .0.. = allow-postdate: False
>                  .... ..0. = postdated: False
>                  .... ...0 = unused7: False
>                  0... .... = renewable: False
>                  .0.. .... = unused9: False
>                  ..0. .... = unused10: False
>                  ...0 .... = opt-hardware-auth: False
>                  .... ..0. = request-anonymous: False
>                  .... ...0 = canonicalize: False
>                  0... .... = constrained-delegation: False
>                  ..0. .... = disable-transited-check: False
>                  ...0 .... = renewable-ok: False
>                  .... 0... = enc-tkt-in-skey: False
>                  .... ..0. = renew: False
>                  .... ...0 = validate: False
>              realm: RHELENT.LAN
>              sname
>                  name-type: kRB5-NT-PRINCIPAL (1)
>                  name-string: 2 items
>                      KerberosString: HTTP
>                      KerberosString: unison-freeipa.rhelent.lan
>              till: 1970-01-01 00:00:00 (UTC)
>              nonce: 1950860413
>              etype: 4 items
>                  ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
>                  ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
>                  ENCTYPE: eTYPE-DES3-CBC-SHA1 (16)
>                  ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)
>
> And the response:
> Kerberos
>      tgs-rep
>          pvno: 5
>          msg-type: krb-tgs-rep (13)
>          crealm: RHELENT.LAN
>          cname
>              name-type: kRB5-NT-PRINCIPAL (1)
>              name-string: 1 item
>                  KerberosString: mmosley
>          ticket
>              tkt-vno: 5
>              realm: RHELENT.LAN
>              sname
>                  name-type: kRB5-NT-PRINCIPAL (1)
>                  name-string: 2 items
>                      KerberosString: HTTP
>                      KerberosString: unison-freeipa.rhelent.lan
>              enc-part
>                  etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
>                  kvno: 1
>                  cipher: d5ba7253ac30a63034ac5985fa0c782dc86cb0a9dd859127...
>          enc-part
>              etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
>              cipher: 7c6f2034caddf129d1550b91f4ef0157b2f9ac4c351023d3...
>
> On the IPA server I get:
>
> Oct 26 23:29:40 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (4
> etypes {18 17 16 23}) 192.168.2.167: ISSUE: authtime 1445908277,
> etypes {rep=18 tkt=18 ses=18},
> HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN for
> HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
>
> Oct 26 23:29:40 freeipa.rhelent.lan krb5kdc[7507](info): ...
> PROTOCOL-TRANSITION s4u-client=mmosley at RHELENT.LAN
>
> It looks like everything is working, right?  If either Java didn't
> set the forwardable to "true" or if IPA sent the options back in the
> response I'd be in business? Any thoughts?
>
> Thanks
>
> Marc Boorshtein
> CTO Tremolo Security
> marc.boorshtein at tremolosecurity.com
> (703) 828-4902
>


-- 
Simo Sorce * Red Hat, Inc * New York
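As an added example, not code from the thread, the following Java program decodes the kdc-options bit string from the captured TGS-REQ (40000000) and repeats the request-versus-reply flag comparison that the JDK's KrbKdcRep.check performs, so the "at #1. request for true, received false" line can be reproduced offline without a KDC. The reply value is constructed (a ticket with no flags set, which is Marc's reading of the reply); the class and method names are mine, and the compared bit range 1..5 is my reconstruction of the JDK 8 check, of which the thread only proves that bit 1 (forwardable) is included.

```java
// Added example (not from the thread): decode KDCOptions / TicketFlags as seen in the
// capture and replay the request-vs-reply consistency check that produced
// "KrbKdcRep.check: at #1. request for true, received false" and KRB_AP_ERR_MODIFIED (41).
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class KrbFlags {

    // Bit numbers from RFC 4120 5.4.1 (KDCOptions), plus request-anonymous (RFC 6112)
    // and canonicalize (RFC 6806). ASN.1 BIT STRING numbering: bit 0 is the most
    // significant bit of the first octet, which is why 0x40000000 is "forwardable".
    static final Map<Integer, String> KDC_OPTIONS = new LinkedHashMap<>();
    static {
        KDC_OPTIONS.put(1, "forwardable");
        KDC_OPTIONS.put(2, "forwarded");
        KDC_OPTIONS.put(3, "proxiable");
        KDC_OPTIONS.put(4, "proxy");
        KDC_OPTIONS.put(5, "allow-postdate");
        KDC_OPTIONS.put(6, "postdated");
        KDC_OPTIONS.put(8, "renewable");
        KDC_OPTIONS.put(11, "opt-hardware-auth");
        KDC_OPTIONS.put(14, "request-anonymous");
        KDC_OPTIONS.put(15, "canonicalize");
        KDC_OPTIONS.put(26, "disable-transited-check");
        KDC_OPTIONS.put(27, "renewable-ok");
        KDC_OPTIONS.put(28, "enc-tkt-in-skey");
        KDC_OPTIONS.put(30, "renew");
        KDC_OPTIONS.put(31, "validate");
    }

    static final int KRB_AP_ERR_MODIFIED = 41;   // "Message stream modified"

    /** Test bit {@code pos} (0 = MSB) of a 32-bit KerberosFlags value. */
    static boolean bit(int flags, int pos) {
        return ((flags >>> (31 - pos)) & 1) == 1;
    }

    /** Parse the hex form Wireshark prints, e.g. "40000000". */
    static int parse(String hex) {
        return (int) Long.parseLong(hex, 16);
    }

    /** Names of the set KDCOptions bits, in bit order. */
    static List<String> setOptions(int flags) {
        List<String> out = new ArrayList<>();
        for (Map.Entry<Integer, String> e : KDC_OPTIONS.entrySet()) {
            if (bit(flags, e.getKey())) out.add(e.getValue());
        }
        return out;
    }

    /**
     * Client-side check that failed in the thread: KDCOptions bits of the request
     * are compared with the TicketFlags carried in the reply's encrypted part
     * (same bit numbering for both). Walks bits 1..5 (forwardable through
     * allow-postdate); the thread proves bit 1 is in range, the rest is my
     * reconstruction of the JDK 8 loop. Returns the first mismatching bit, or -1.
     */
    static int firstMismatch(int kdcOptions, int ticketFlags) {
        for (int i = 1; i < 6; i++) {
            if (bit(kdcOptions, i) != bit(ticketFlags, i)) return i;
        }
        return -1;
    }

    public static void main(String[] args) {
        int request = parse("40000000");     // kdc-options of the captured S4U2self TGS-REQ
        int replyFlags = parse("00000000");  // constructed: reply ticket with no flags set
        System.out.println("request asks for: " + setOptions(request));   // [forwardable]
        int bad = firstMismatch(request, replyFlags);
        if (bad >= 0) {
            System.out.println("KrbKdcRep.check: at #" + bad + ". request for " + bit(request, bad)
                    + ", received " + bit(replyFlags, bad) + " -> error " + KRB_AP_ERR_MODIFIED);
        }
        // Simo's suggestion applied: a request without forwardable passes against the same reply.
        System.out.println("without forwardable: mismatch=" + firstMismatch(parse("00000000"), replyFlags));
    }
}
```

The decoder is general for any KDCOptions value Wireshark shows, not only the one in the capture; the check itself only compares the low delegation-related bits, so flags such as renewable or canonicalize do not trigger error 41 in this reconstruction.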
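For the end-to-end flow Marc is after, here is an added example (mine, not from the thread or from Tremolo's code) of the full S4U2self followed by S4U2proxy chain with JGSS on Java 8, ending in the value for an HTTP Authorization: Negotiate header toward the IPA web server. It assumes the setup from the thread: the process runs as HTTP/unison-freeipa.rhelent.lan with that principal's TGT in the default ccache, is started with -Djavax.security.auth.useSubjectCredsOnly=false, and the s4u2proxy ACL above lists HTTP/freeipa.rhelent.lan as an allowed target. Class and method names are mine. Step 1 is exactly where the thread's exception is thrown; the example does not work around that, and whether the KDC then accepts the S4U2self ticket as evidence for S4U2proxy for this service is KDC policy that the thread does not get far enough to show.

```java
// Added example (not code from the thread): S4U2self + S4U2proxy with JGSS on Java 8.
// Assumptions: HTTP/unison-freeipa.rhelent.lan's TGT is in the default ccache, the JVM runs
// with -Djavax.security.auth.useSubjectCredsOnly=false, and the IPA s4u2proxy ACL allows
// HTTP/unison-freeipa.rhelent.lan -> HTTP/freeipa.rhelent.lan. Names below are illustrative.
import java.util.Base64;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

import com.sun.security.jgss.ExtendedGSSCredential;

public class S4UChain {

    // SPNEGO, the mechanism HTTP Negotiate expects (and the one the thread's stack trace used).
    private static final Oid SPNEGO = oid("1.3.6.1.5.5.2");

    private static Oid oid(String dotted) {
        try {
            return new Oid(dotted);
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Step 1 (S4U2self): derive a credential for {@code user} from the service's own
     * credential. The JDK sends the TGS-REQ with PA-FOR-USER here and, as the capture
     * in the thread shows, sets the forwardable KDC option on that request.
     */
    static GSSCredential impersonate(GSSManager manager, String user) throws GSSException {
        GSSCredential self = manager.createCredential(
                null, GSSCredential.DEFAULT_LIFETIME, SPNEGO, GSSCredential.INITIATE_ONLY);
        GSSName userName = manager.createName(user, GSSName.NT_USER_NAME);
        return ((ExtendedGSSCredential) self).impersonate(userName);
    }

    /**
     * Step 2 (S4U2proxy): produce the first context token toward the target service using
     * the impersonated credential. The mech requests the proxy ticket from the KDC, which is
     * where the ipaAllowedTarget ACL is consulted. The result is ready to be sent as
     * "Authorization: Negotiate <base64>".
     */
    static String negotiateHeader(GSSManager manager, GSSCredential impCred, String hostBasedService)
            throws GSSException {
        GSSName target = manager.createName(hostBasedService, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(target, SPNEGO, impCred, GSSContext.DEFAULT_LIFETIME);
        try {
            ctx.requestCredDeleg(false);   // constrained delegation only; never forward a TGT
            ctx.requestMutualAuth(false);  // one-shot token, as a browser sends it
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            return "Negotiate " + Base64.getEncoder().encodeToString(token);
        } finally {
            ctx.dispose();
        }
    }

    public static void main(String[] args) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSCredential asUser = impersonate(manager, "mmosley");
        System.out.println("impersonating " + asUser.getName());
        // Send the returned value as the Authorization header of a request to the IPA web UI/API.
        System.out.println(negotiateHeader(manager, asUser, "HTTP@freeipa.rhelent.lan"));
    }
}
```

Run it with the same system properties Marc used (-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true) to see both TGS exchanges; the KDC log on the IPA side should then show a second TGS_REQ for HTTP/freeipa.rhelent.lan with mmosley as the client, in addition to the PROTOCOL-TRANSITION line already visible in the thread.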