[Freeipa-devel] Talking json/rpc with java client

Massimiliano Perrone (tirasa.net) massimiliano.perrone at tirasa.net
Tue Mar 18 09:48:18 UTC 2014


On 03/18/2014 10:10 AM, Jan Pazdziora wrote:
> On Tue, Mar 18, 2014 at 09:02:13AM +0100, Marco Di Sabatino Di Diodoro wrote:
>> what are the requirements or packages that a client must have to call JSON/RPC with java? We have a 401 error.
> What packages / code do you attempt to use when you get that 401?
>

Hi guys, first of all thanks for your replies.

Summarizing...

1) On the FreeIPA server I created a keytab by executing the following commands:
         *) ipa host-add ebano.example.com
         *) ipa service-add HTTP/ebano.example.com
         *) ipa-getkeytab -s olmo.example.com -p HTTP/ebano.example.com -k /tmp/ebano.keytab
         *) scp /tmp/ebano.keytab root@ebano:/var/tmp

2) On ebano (the client machine) I have a Java client based on 
HttpClient 3.1 that uses this java.security.auth.login.config file:
#########################################
// Legacy entry name used by pre-Java 6 GSS-API; Java 6+ looks up the initiate/accept entries below.
com.sun.security.jgss.login {
     com.sun.security.auth.module.Krb5LoginModule required
     client=TRUE
     refreshKrb5Config=true
     useKeyTab=true
     keyTab="/var/tmp/ebano.keytab"
     principal="HTTP/ebano.example.com";
};

com.sun.security.jgss.initiate {
     com.sun.security.auth.module.Krb5LoginModule required
     client=TRUE
     refreshKrb5Config=true
     useKeyTab=true
     keyTab="/var/tmp/ebano.keytab"
     principal="HTTP/ebano.example.com";

};

com.sun.security.jgss.accept {
     com.sun.security.auth.module.Krb5LoginModule required
     client=TRUE
     refreshKrb5Config=true
     useKeyTab=true
     keyTab="/var/tmp/ebano.keytab"
     principal="HTTP/ebano.example.com";
};
#########################################

As you can see in the attached log file, I can negotiate authentication with the FreeIPA server, and its final response is a 401:

10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "{"
10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "[\n]"
10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "    "error": {[\n]"
10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "        "code": 1101, [\n]"
10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "        "message": "did not receive Kerberos credentials", [\n]"
10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "        "name": {[\n]"
10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "            "__base64__": "Q0NhY2hlRXJyb3I="[\n]"
10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "        }[\n]"
10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "    }, [\n]"
10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "    "id": null, [\n]"
10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "    "principal": "UNKNOWN", [\n]"
10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "    "result": null, [\n]"
10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "    "version": "3.3.4"[\n]"
10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "}"

But...

Reading the Kerberos server log, I noticed that a correct curl-based call generates

mar 18 08:20:12 olmo.example.com krb5kdc[1423](info): TGS_REQ (1 etypes {18}) 192.168.0.105: ISSUE: authtime 1395072185, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
mar 18 08:20:13 olmo.example.com krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 1395072185, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for ldap/olmo.example.com@EXAMPLE.COM

whereas the Java client generates

mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: NEEDED_PREAUTH: HTTP/ebano.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: ISSUE: authtime 1395082101, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.0.105: ISSUE: authtime 1395082101, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for HTTP/olmo.example.com@EXAMPLE.COM

The difference between the two calls is in the last TGS_REQ: the first one is for ldap/olmo.example.com@EXAMPLE.COM and it's OK, whereas the second one is for HTTP/olmo.example.com@EXAMPLE.COM and returns a 401 (I suppose).

Where's the error?

Thanks for your help.

-- 
Massimiliano Perrone
Tel +39 393 9121310

Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.example.com

Apache Syncope PMC Member
http://people.apache.org/~massi/

"Learning many things does not teach intelligence"
(Heraclitus)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: httpclient.log
Type: text/x-log
Size: 33784 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140318/444e5f62/attachment.bin>
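As an added example (my own code, not part of this thread and not FreeIPA's or Tirasa's code), the two diagnostic steps the message above performs by hand, done in a short Python script: decoding the JSON-RPC error body (FreeIPA wraps raw byte strings as {"__base64__": "..."}, so the error "name" has to be unwrapped before it reads as the exception class, here CCacheError) and parsing the krb5kdc request lines so that the curl flow and the Java flow can be summarised per client principal and compared side by side. Both inputs are constructed from the lines quoted in the message, with the archive's " at " restored to "@"; the regex, the function names and the deprecated-etype table are my assumptions, not anything from the thread.

```python
import base64
import json
import re

# Constructed sample: the JSON-RPC error body quoted in the message above, reassembled from the wire log.
IPA_ERROR_BODY = """{
    "error": {
        "code": 1101,
        "message": "did not receive Kerberos credentials",
        "name": {
            "__base64__": "Q0NhY2hlRXJyb3I="
        }
    },
    "id": null,
    "principal": "UNKNOWN",
    "result": null,
    "version": "3.3.4"
}"""

# Constructed sample: the krb5kdc lines quoted in the message, with the archive's " at " restored to "@".
KDC_LOG_LINES = [
    "mar 18 08:20:12 olmo.example.com krb5kdc[1423](info): TGS_REQ (1 etypes {18}) 192.168.0.105: ISSUE: authtime 1395072185, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "mar 18 08:20:13 olmo.example.com krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 1395072185, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for ldap/olmo.example.com@EXAMPLE.COM",
    "mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: NEEDED_PREAUTH: HTTP/ebano.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required",
    "mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: ISSUE: authtime 1395082101, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.0.105: ISSUE: authtime 1395082101, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for HTTP/olmo.example.com@EXAMPLE.COM",
]

# Kerberos etype numbers a client should no longer advertise: single DES (RFC 6649),
# des3-cbc-sha1 and rc4-hmac (RFC 8429). Table assumed here for the report only.
DEPRECATED_ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac"}

# Shape of an MIT krb5kdc request line (assumed from the lines above); the
# "authtime ..., etypes {...}," part is only present on ISSUE lines.
KDC_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), etypes \{(?P<issued>[^}]*)\}, )?"
    r"(?P<client>[^\s,]+) for (?P<server>[^\s,]+)"
)


def _unwrap_base64(obj):
    """FreeIPA's JSON encoder wraps raw byte strings as {"__base64__": "..."}; decode them, recursively."""
    if isinstance(obj, dict):
        if set(obj) == {"__base64__"}:
            return base64.b64decode(obj["__base64__"]).decode("utf-8")
        return {k: _unwrap_base64(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_unwrap_base64(v) for v in obj]
    return obj


def parse_ipa_error(body):
    """Error code, exception name, message and authenticated principal of a JSON-RPC error reply (None if no error)."""
    doc = _unwrap_base64(json.loads(body))
    err = doc.get("error")
    if not err:
        return None
    return {"code": err["code"], "name": err["name"], "message": err["message"], "principal": doc.get("principal")}


def parse_kdc_line(line):
    """Parse one krb5kdc request line into a dict; None if the line has a different shape."""
    m = KDC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(e) for e in rec["offered"].split()]          # etypes the client advertised
    rec["authtime"] = int(rec["authtime"]) if rec["authtime"] else None
    if rec["issued"]:                                                   # rep/tkt/ses etypes actually used
        rec["issued"] = {k: int(v) for k, v in (kv.split("=") for kv in rec["issued"].split())}
    return rec


def deprecated_etypes_offered(rec):
    """Deprecated etypes the client advertised, in the order it offered them."""
    return [e for e in rec["offered"] if e in DEPRECATED_ETYPES]


def summarize_flows(lines):
    """Per client principal: first-seen source IP, whether it ran an AS exchange (fresh TGT rather than
    a cached one), the service principals it was issued tickets for, and every deprecated etype it offered."""
    flows = {}
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is None:
            continue
        f = flows.setdefault(rec["client"], {"ip": rec["ip"], "as_req": False, "services": [], "deprecated_etypes": set()})
        f["deprecated_etypes"].update(deprecated_etypes_offered(rec))
        if rec["req"] == "AS_REQ":
            f["as_req"] = True
        elif rec["status"] == "ISSUE":
            f["services"].append(rec["server"])
    return flows


if __name__ == "__main__":
    print(parse_ipa_error(IPA_ERROR_BODY))
    for client, f in summarize_flows(KDC_LOG_LINES).items():
        print(client, f["ip"], "AS_REQ" if f["as_req"] else "cached TGT", f["services"],
              sorted(DEPRECATED_ETYPES[e] for e in f["deprecated_etypes"]))
```

The summary gives one line per client and makes the difference the message points at visible at a glance; it also surfaces two things worth checking while comparing the flows. The curl session's first TGS_REQ names krbtgt/EXAMPLE.COM@EXAMPLE.COM as the service, which is the request a client sends when it needs a forwardable copy of its TGT to delegate credentials to the server, and the Java session has no such request. And the Java client advertises des-cbc-crc, des-cbc-md5, des3-cbc-sha1 and rc4-hmac next to AES, as the KDC's "(6 etypes {18 17 16 23 1 3})" records; a realm with a restrictive permitted_enctypes setting in krb5.conf would refuse those, so it is worth trimming them on the client even though the KDC here issued AES tickets.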

