[Freeipa-devel] Talking json/rpc with java client
Massimiliano Perrone (tirasa.net)
massimiliano.perrone at tirasa.net
Tue Mar 18 09:48:18 UTC 2014
On 03/18/2014 10:10 AM, Jan Pazdziora wrote:
> On Tue, Mar 18, 2014 at 09:02:13AM +0100, Marco Di Sabatino Di Diodoro wrote:
>> what are the requirements or packages that a client must have to call JSON/RPC with java? We have a 401 error.
> What packages / code do you attempt to use when you get that 401?
>
Hi guys, first of all thanks for your replies.
Summarizing...
1) On the FreeIPA server I created a keytab by executing the following commands:
*) ipa host-add ebano.example.com
*) ipa service-add HTTP/ebano.example.com
*) ipa-getkeytab -s olmo.example.com -p HTTP/ebano.example.com -k /tmp/ebano.keytab
*) scp /tmp/ebano.keytab root@ebano:/var/tmp
2) On ebano (the client machine) I have a Java client based on
HttpClient 3.1 that uses this java.security.auth.login.config file:
#########################################
com.sun.security.jgss.login {
com.sun.security.auth.module.Krb5LoginModule required
client=TRUE
refreshKrb5Config=true
useKeyTab=true
keyTab="/var/tmp/ebano.keytab"
principal="HTTP/ebano.example.com";
};
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
client=TRUE
refreshKrb5Config=true
useKeyTab=true
keyTab="/var/tmp/ebano.keytab"
principal="HTTP/ebano.example.com";
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
client=TRUE
refreshKrb5Config=true
useKeyTab=true
keyTab="/var/tmp/ebano.keytab"
principal="HTTP/ebano.example.com";
};
#########################################
As you can see in the attached log file, I can negotiate authentication with the FreeIPA server, and the final response from it is a 401:
10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "{"
10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "[\n]"
10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << " "error": {[\n]"
10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << " "code": 1101, [\n]"
10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << " "message": "did not receive Kerberos credentials", [\n]"
10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << " "name": {[\n]"
10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << " "__base64__": "Q0NhY2hlRXJyb3I="[\n]"
10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << " }[\n]"
10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << " }, [\n]"
10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << " "id": null, [\n]"
10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << " "principal": "UNKNOWN", [\n]"
10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << " "result": null, [\n]"
10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << " "version": "3.3.4"[\n]"
10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "}"
But...
Reading the Kerberos server log, I noticed that a correct curl-based call generates
mar 18 08:20:12 olmo.example.com krb5kdc[1423](info): TGS_REQ (1 etypes {18}) 192.168.0.105: ISSUE: authtime 1395072185, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
mar 18 08:20:13 olmo.example.com krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 1395072185, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for ldap/olmo.example.com@EXAMPLE.COM
whereas the Java client generates
mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: NEEDED_PREAUTH: HTTP/ebano.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: ISSUE: authtime 1395082101, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.0.105: ISSUE: authtime 1395082101, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for HTTP/olmo.example.com@EXAMPLE.COM
The difference between the two calls is in the last TGS_REQ: the first one is for ldap/olmo.example.com@EXAMPLE.COM and it's OK, whereas the second one is for HTTP/olmo.example.com@EXAMPLE.COM, which returns a 401 (I suppose).
Where's the error?
Thanks for your help.
--
Massimiliano Perrone
Tel +39 393 9121310
Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.example.com
Apache Syncope PMC Member
http://people.apache.org/~massi/
"L'apprendere molte cose non insegna l'intelligenza"
(Eraclito)
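As an added example (not part of the original post or of FreeIPA's own code), a small Python helper that decodes the FreeIPA JSON-RPC error envelope shown above (FreeIPA wraps binary values as {"__base64__": ...}) and parses krb5kdc request lines like the ones quoted, so the 401 body can be correlated with what the KDC actually issued to the client principal. The JSON body and the KDC lines are constructed from the post.

```python
import base64
import json
import re

# Constructed sample: the JSON-RPC error body from the wire log, reassembled.
RPC_ERROR_BODY = """{"error": {"code": 1101, "message": "did not receive Kerberos credentials",
  "name": {"__base64__": "Q0NhY2hlRXJyb3I="}}, "id": null, "principal": "UNKNOWN",
  "result": null, "version": "3.3.4"}"""

# Constructed sample krb5kdc lines, modelled on the post (principals with '@' restored).
KDC_LOG = """\
mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: NEEDED_PREAUTH: HTTP/ebano.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: ISSUE: authtime 1395082101, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.0.105: ISSUE: authtime 1395082101, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for HTTP/olmo.example.com@EXAMPLE.COM
"""


def decode_ipa_json(obj):
    """Recursively unwrap FreeIPA's {"__base64__": ...} wrapper into bytes."""
    if isinstance(obj, dict):
        if set(obj) == {"__base64__"}:
            return base64.b64decode(obj["__base64__"])
        return {k: decode_ipa_json(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [decode_ipa_json(v) for v in obj]
    return obj


def parse_ipa_error(body):
    """Return (code, exception name, message) from a FreeIPA JSON-RPC error reply."""
    err = decode_ipa_json(json.loads(body))["error"]
    name = err["name"]
    if isinstance(name, bytes):  # the exception class name arrives base64-wrapped
        name = name.decode("utf-8")
    return err["code"], name, err["message"]


# One krb5kdc request line: type, client IP, outcome, client principal, service principal.
KDC_RE = re.compile(
    r"\(info\): (?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r".*?(?P<client>[^\s,]+@[^\s,]+) for (?P<service>[^\s,]+@[^\s,]+)"
)


def kdc_requests(log):
    """Parse each AS_REQ/TGS_REQ line into (type, status, client, service)."""
    return [(m["req"], m["status"], m["client"], m["service"])
            for m in map(KDC_RE.search, log.splitlines()) if m]


def services_issued_to(log, client):
    """Service principals the KDC actually issued tickets for, to the given client."""
    return [svc for req, status, cli, svc in kdc_requests(log)
            if req == "TGS_REQ" and status == "ISSUE" and cli == client]
```

Running `services_issued_to(KDC_LOG, "HTTP/ebano.example.com@EXAMPLE.COM")` shows which HTTP service ticket the Java client obtained, which is the fact the post compares against the curl run.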
-------------- next part --------------
A non-text attachment was scrubbed...
Name: httpclient.log
Type: text/x-log
Size: 33784 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140318/444e5f62/attachment.bin>