[Freeipa-devel] Talking json/rpc with java client

Alexander Bokovoy abokovoy at redhat.com
Tue Mar 18 10:26:43 UTC 2014


On Tue, 18 Mar 2014, Massimiliano Perrone (tirasa.net) wrote:
>On 03/18/2014 10:10 AM, Jan Pazdziora wrote:
>>On Tue, Mar 18, 2014 at 09:02:13AM +0100, Marco Di Sabatino Di Diodoro wrote:
>>>what are the requirements or packages that a client must have to call JSON/RPC with java? We have a 401 error.
>>What packages / code do you attempt to use when you get that 401?
>>
>
>Hi guys, first of all thanks for your replies.
>
>Summarizing...
>
>1) On the FreeIPA server I created a keytab by executing the following commands:
>        *) ipa host-add ebano.example.com
>        *) ipa service-add HTTP/ebano.example.com
>        *) ipa-getkeytab -s olmo.example.com -p HTTP/ebano.example.com -k /tmp/ebano.keytab
>        *) scp /tmp/ebano.keytab root@ebano:/var/tmp
>
>2) On ebano (the client machine) I have a Java client based on 
>HttpClient 3.1 that uses this java.security.auth.login.config file:
>#########################################
>un.security.jgss.login {
>    com.sun.security.auth.module.Krb5LoginModule required
>    client=TRUE
>    refreshKrb5Config=true
>    useKeyTab=true
>    keyTab="/var/tmp/ebano.keytab"
>    principal="HTTP/ebano.example.com";
>};
>
>com.sun.security.jgss.initiate {
>    com.sun.security.auth.module.Krb5LoginModule required
>    client=TRUE
>    refreshKrb5Config=true
>    useKeyTab=true
>    keyTab="/var/tmp/ebano.keytab"
>    principal="HTTP/ebano.example.com";
>
>};
>
>com.sun.security.jgss.accept {
>    com.sun.security.auth.module.Krb5LoginModule required
>    client=TRUE
>    refreshKrb5Config=true
>    useKeyTab=true
>    keyTab="/var/tmp/ebano.keytab"
>    principal="HTTP/ebano.example.com";
>};
>#########################################
>
>As you can see in the attached log file, I can negotiate authentication
>with the FreeIPA server, and the final response from it is a 401:
>
>10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "{"
>10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "[\n]"
>10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "    "error": {[\n]"
>10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "        "code": 1101, [\n]"
>10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "        "message": "did not receive Kerberos credentials", [\n]"
>10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "        "name": {[\n]"
>10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "            "__base64__": "Q0NhY2hlRXJyb3I="[\n]"
>10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "        }[\n]"
>10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "    }, [\n]"
>10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "    "id": null, [\n]"
>10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "    "principal": "UNKNOWN", [\n]"
>10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "    "result": null, [\n]"
>10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "    "version": "3.3.4"[\n]"
>10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG org.apache.http.wire - << "}"
>
>But...
>
>Reading the Kerberos server log, I noticed that a correct curl-based call generates
>
>mar 18 08:20:12 olmo.example.com krb5kdc[1423](info): TGS_REQ (1 etypes {18}) 192.168.0.105: ISSUE: authtime 1395072185, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
>mar 18 08:20:13 olmo.example.com krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 1395072185, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for ldap/olmo.example.com@EXAMPLE.COM
>
>whereas the Java client generates
>
>mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: NEEDED_PREAUTH: HTTP/ebano.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
>mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: ISSUE: authtime 1395082101, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
>mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.0.105: ISSUE: authtime 1395082101, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for HTTP/olmo.example.com@EXAMPLE.COM
>
>The difference between the two calls is in the last TGS_REQ: the first one is
>for ldap/olmo.example.com@EXAMPLE.COM and it's OK, whereas the second one is
>for HTTP/olmo.example.com@EXAMPLE.COM, which returns a 401 (I suppose).
>
>Where's the error?
>
>Where's the error?
Am I correct that you have a user connecting to HTTP/ebano.example.com
and then HTTP/ebano.example.com wants to talk to HTTP/olmo.example.com
using credentials of the user?

FreeIPA uses constrained delegation of the credentials, with the help of
the S4U2Proxy extension. You need to allow HTTP/ebano.example.com to delegate
credentials to HTTP/olmo.example.com.

I have written an article on how to do that:
https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html

-- 
/ Alexander Bokovoy
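The delegation ACL Alexander's reply refers to, written out as an added example (it is not part of the thread or of the linked article) using FreeIPA's own cn=s4u2proxy,cn=etc container and ipaKrb5DelegationACL object class; the base DN dc=example,dc=com and the entry names ebano-http-delegation and olmo-http-targets are assumptions chosen here:

```ldif
# Added example: S4U2Proxy ACL letting HTTP/ebano.example.com request
# tickets for HTTP/olmo.example.com on behalf of the users it has
# authenticated. Assumed: realm EXAMPLE.COM, base DN dc=example,dc=com,
# entry names chosen for this example.
# Load on the IPA master with:
#   ldapmodify -x -D "cn=Directory Manager" -W -f s4u2proxy.ldif

# Target group: the services that proxied tickets may be obtained for.
dn: cn=olmo-http-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
changetype: add
objectClass: groupOfPrincipals
objectClass: top
cn: olmo-http-targets
memberPrincipal: HTTP/olmo.example.com@EXAMPLE.COM

# ACL: the proxying service (memberPrincipal) and the target groups
# (ipaAllowedTarget) it is allowed to delegate to. Only principals
# listed here can perform S4U2Proxy; everything else is refused by the KDC.
dn: cn=ebano-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
changetype: add
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: ebano-http-delegation
memberPrincipal: HTTP/ebano.example.com@EXAMPLE.COM
ipaAllowedTarget: cn=olmo-http-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
```

The KDC honours this ACL only when the evidence ticket the user presented to HTTP/ebano.example.com is forwardable, so the user's TGT must be obtained with the forwardable flag (krb5.conf `forwardable = true`). FreeIPA 4.2 and later manage the same objects through the `ipa servicedelegationrule-*` and `ipa servicedelegationtarget-*` commands instead of raw LDIF.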