[Freeipa-devel] Talking json/rpc with java client

Massimiliano Perrone (tirasa.net) massimiliano.perrone at tirasa.net
Fri Mar 21 15:52:57 UTC 2014


On 03/20/2014 02:09 PM, Simo Sorce wrote:
> On Thu, 2014-03-20 at 14:47 +0200, Alexander Bokovoy wrote:
>> On Thu, 20 Mar 2014, Rob Crittenden wrote:
>>> Alexander Bokovoy wrote:
>>>> On Thu, 20 Mar 2014, Massimiliano Perrone (example.com) wrote:
>>>>> On 03/18/2014 05:26 PM, Alexander Bokovoy wrote:
>>>>>> On Tue, 18 Mar 2014, Massimiliano Perrone (example.com) wrote:
>>>>>>>>> The difference between the two calls is on the last TGS_REQ;
>>>>>>>>> because the first one is on ldap/olmo.example.com@EXAMPLE.COM and
>>>>>>>>> it's OK whereas the second one is on
>>>>>>>>> HTTP/olmo.example.com@EXAMPLE.COM that returns a 401 (I suppose).
>>>>>>>>>
>>>>>>>>> Where's the error?
>>>>>>>> Am I correct that you have a user connecting to HTTP/ebano.example.com
>>>>>>>> and then HTTP/ebano.example.com wants to talk to HTTP/olmo.example.com
>>>>>>>> using credentials of the user?
>>>>>>>>
>>>>>>>> FreeIPA uses constrained delegation of the credentials, with the
>>>>>>>> help of
>>>>>>>> S4U2Proxy extension. You need to allow HTTP/ebano.example.com to
>>>>>>>> delegate
>>>>>>>> credentials to HTTP/olmo.example.com.
>>>>>>>>
>>>>>>>> I have written an article on how to do that:
>>>>>>>> https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
>>>>>>>>
>>>>>>> Hi Alexander, thanks for your reply.
>>>>>>> I read your interesting post carefully and followed it to delegate
>>>>>>> HTTP/ebano.example.com credentials to HTTP/olmo.example.com.
>>>>>>>
>>>>>>> Now, two questions:
>>>>>>> 1) How can I check that my configuration is now OK? Because this
>>>>>>> ldapsearch returns result: 0
>>>>>>>
>>>>>>> ldapsearch -Y GSSAPI -H ldap://olmo.example.com -b
>>>>>>> "cn=s4u2proxy,cn=etc,dc=example,dc=com"
>>>>>>> "cn=ipa-http-delegation-targets" dn
>>>>>> You need to create these delegation entries yourself, like the article
>>>>>> says. Note that your app talks to IPA server's HTTP service, so create
>>>>>>
>>>>>> dn: cn=ebano-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
>>>>>> objectClass: ipaKrb5DelegationACL
>>>>>> objectClass: groupOfPrincipals
>>>>>> objectClass: top
>>>>>> cn: ebano-http-delegation
>>>>>> memberPrincipal: HTTP/ebano.example.com@EXAMPLE.COM
>>>>>> ipaAllowedTarget: cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
>>>>>>
>>>>>> This entry says: "HTTP/ebano.example.com is allowed to delegate users'
>>>>>> credentials to whatever Kerberos principal is a member of
>>>>>> cn=ebano-http-delegation-targets group"
>>>>>>
>>>>>> Now, this is the group:
>>>>>> dn: cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
>>>>>> objectClass: groupOfPrincipals
>>>>>> objectClass: top
>>>>>> cn: ebano-http-delegation-targets
>>>>>> memberPrincipal: HTTP/olmo.example.com@EXAMPLE.COM
>>>>>>
>>>>>> With these two entries we would have HTTP/ebano.example.com allowed to
>>>>>> delegate users' credentials to HTTP/olmo.example.com
>>>>> Hi Alexander, thanks for your patience.
>>>>> I followed your suggestions but the result is always the same.
>>>>>
>>>>> Trying with curl, of course, it works.
>>>>>
>>>>> My doubt now is why curl generates this log on the Kerberos server
>>>>>
>>>>> mar 20 10:22:20 olmo.example.com krb5kdc[5091](info): TGS_REQ (1
>>>>> etypes {18}) 192.168.0.105: ISSUE: authtime 1395301975, etypes {rep=18
>>>>> tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>>>> mar 20 10:22:21 olmo.example.com krb5kdc[5091](info): TGS_REQ (6
>>>>> etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 1395301975,
>>>>> etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for
>>>>> ldap/olmo.example.com@EXAMPLE.COM
>>>> This is the effect of the S4U extension working correctly.
>>>>
>>>>> whereas java generates this other one
>>>>>
>>>>> mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): AS_REQ (4 etypes
>>>>> {18 17 16 23}) 192.168.0.105: NEEDED_PREAUTH:
>>>>> HTTP/ebano.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM,
>>>>> Additional pre-authentication required
>>>>> mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): AS_REQ (4 etypes
>>>>> {18 17 16 23}) 192.168.0.105: ISSUE: authtime 1395307449, etypes
>>>>> {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for
>>>>> krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>>>> mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): TGS_REQ (6
>>>>> etypes {18 17 16 23 1 3}) 192.168.0.105: ISSUE: authtime 1395307449,
>>>>> etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for
>>>>> HTTP/olmo.example.com@EXAMPLE.COM
>>>>>
>>>>> As you can see, the first one uses admin on the ldap service, the second
>>>>> one uses HTTP/ebano.example.com on the HTTP service.
>>>> This means your Java application doesn't use S4U extension or doesn't
>>>> know about that.
>>>>
>>>>> Can I do the same call with Java?
>>>> At this point we need to make clear which Java you are using.
>>>>
>>>> http://download.java.net/jdk8/docs/technotes/guides/security/jgss/jgss-features.html
>>>>
>>>> says that S4U extensions (we use S4U2Proxy here) were added in Java SE 8.
>>>>
>>> The client doesn't do the S4U2Proxy work though, so this shouldn't
>>> matter, right?
>> My point is that the client will not do what he expects unless S4U2Proxy
>> is used in Java and that requires Java 8 platform, released on March
>> 18th 2014.
> I think you can use earlier Java versions but tell them to use the
> native GSSAPI library (and perhaps sprinkle a little bit of GSS-Proxy in
> the back for fun).

Here I am again :)

I wrote a GSSClient [1] and obtained:
###################################################
java.io.IOException: Server returned HTTP response code: 401 for URL: 
https://olmo.example.com/ipa/json
###################################################

Other info from kerberos client:
###################################################
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
 >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
 >>> KrbAsRep cons in KrbAsReq.getReply HTTP/ebano.example.com
principal is HTTP/ebano.example.com@EXAMPLE.COM
Will use keytab
Commit Succeeded

Found ticket for HTTP/ebano.example.com@EXAMPLE.COM to go to 
krbtgt/EXAMPLE.COM@EXAMPLE.COM expiring on Sat Mar 22 16:38:37 CET 2014
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject 
<---------------------------------------------------------------
 >>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23 1 3.
 >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
 >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
 >>> KrbKdcReq send: kdc=olmo.example.com UDP:88, timeout=30000, number 
of retries =3, #bytes=681
 >>> KDCCommunication: kdc=olmo.example.com UDP:88, 
timeout=30000,Attempt =1, #bytes=681
 >>> KrbKdcReq send: #bytes read=642
 >>> KdcAccessibility: remove olmo.example.com
 >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
 >>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
 >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 1042307601
Created InitSecContextToken:
0000: 01 00 6E 82 02 4E 30 82   02 4A A0 03 02 01 05 A1 ..n..N0..J......
0010: 03 02 01 0E A2 07 03 05   00 20 00 00 00 A3 82 01  ......... ......
0020: 52 61 82 01 4E 30 82 01   4A A0 03 02 01 05 A1 0C Ra..N0..J.......
0030: 1B 0A 54 49 52 41 53 41   2E 4E 45 54 A2 22 30 20 ..EXAMPLE.COM."0
0040: A0 03 02 01 01 A1 19 30   17 1B 04 6C 64 61 70 1B .......0...ldap.
0050: 0F 6F 6C 6D 6F 2E 74 69   72 61 73 61 2E 6E 65 74 .olmo.example.com
0060: A3 82 01 0F 30 82 01 0B   A0 03 02 01 12 A1 03 02 ....0...........
0070: 01 02 A2 81 FE 04 81 FB   F9 8C FE 4F A0 4E 4B 34 ...........O.NK4
0080: BC 3D A7 E4 05 4E AC 91   58 58 9B 7C 18 72 7E 16 .=...N..XX...r..
0090: DA 4B 29 1F 52 D7 30 7A   9E FF 18 4C 68 9A 18 DF .K).R.0z...Lh...
00A0: 66 03 F7 55 75 40 DC 38   AC 21 5B 7F C0 70 DB DD f..Uu@.8.![..p..
00B0: 37 63 7A E2 C4 89 E1 6A   B9 29 6D 30 62 1E F1 3E 7cz....j.)m0b..>
00C0: 18 B0 A7 FB 1C 43 F9 33   D6 61 57 D0 26 DA 9E AB .....C.3.aW.&...
00D0: C7 04 3F D0 DC 36 0F 95   B9 AD 5B 1B 64 A8 59 21 ..?..6....[.d.Y!
00E0: E6 32 47 43 49 EA F8 61   38 D6 52 0A 92 A9 78 5F .2GCI..a8.R...x_
00F0: F7 BE B6 AE B9 0A 47 51   31 44 0D 67 74 D6 E5 71 ......GQ1D.gt..q
0100: CA 85 46 09 FE F1 4D 90   E5 7C 7A 26 22 7D 39 41 ..F...M...z&".9A
0110: 03 2D AB 5A E5 48 26 E7   D5 4A 20 0B 67 54 91 15 .-.Z.H&..J .gT..
0120: 37 23 A3 68 4D 67 88 0D   9A 4D 01 FA 8A 30 B0 2F 7#.hMg...M...0./
0130: 57 6A 64 8E A5 7B 2E DB   C1 93 07 0B 02 8A FC B7 Wjd.............
0140: BB 6B FD BD 83 DA F7 72   E6 D6 F8 4B BA 06 E4 ED .k.....r...K....
0150: 20 C2 EA 53 F6 6F F8 BB   0F E4 EF B4 51 15 BB 13 ..S.o......Q...
0160: EB 57 A4 10 F2 C1 36 0B   B1 45 6C FA 38 36 9C F9 .W....6..El.86..
0170: E2 75 BC A4 81 DE 30 81   DB A0 03 02 01 12 A2 81 .u....0.........
0180: D3 04 81 D0 D6 75 77 89   A0 B7 F9 26 64 04 D4 51 .....uw....&d..Q
0190: DD 27 10 A3 B7 8F 1B 88   8C 20 4D A2 25 BF 3D 11  .'....... M.%.=.
01A0: 36 B1 EA 3B C7 BF FE C4   20 42 12 3C 1D 60 CD DB  6..;.... B.<.`..
01B0: D7 CB 5B 58 25 6D B9 68   6D 32 9F 8C 90 D1 0B 18 ..[X%m.hm2......
01C0: 90 4D B4 90 8B 17 2A F5   C5 B2 17 AD A7 6A 1F 2C .M....*......j.,
01D0: FD BF 2E EA 9C 27 CC 73   68 9B E7 D1 59 99 9D 64 .....'.sh...Y..d
01E0: 08 53 8F 03 88 3B DF 36   5B 24 DC A0 78 F6 DF 6C .S...;.6[$..x..l
01F0: 3C CB FC 84 C9 6B 24 1B   DD F0 6F E3 1F 01 CC 94 <....k$...o.....
0200: 2B 40 F7 6C 8D 9A E8 20   05 0A 44 16 64 55 29 B2  +@.l... ..D.dU).
0210: 48 CC 1E C7 B0 99 AE B0   91 87 B1 EB BC 6B F3 8D H............k..
0220: A9 1B 3C A1 65 97 91 8A   B1 9A 25 CB 7B D8 11 99 ..<.e.....%.....
0230: 91 E6 F0 2A AB 5D 21 DA   C7 A5 CC AD FA 79 76 33 ...*.]!......yv3
0240: B8 7E ED 1C FE C0 3B 2E   C5 9E 71 51 42 9C 0B 47 ......;...qQB..G
0250: 5A 4F 05 DE                                        ZO..
###################################################

As you can see in the row indicated by the arrow there's:
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject 
<---------------------------------------------------------------
Is this right?

PS: the next step is a Java 8 installation, to follow Alexander's suggestions.

[1] 
https://github.com/massx1/KerberosExample/blob/master/src/main/java/net/tirasa/kerberosexample/GSSClient.java
>
>> That is, if there is a user talking to the Java client and
>> then Java client turning to IPA LDAP or web server with constrained
>> delegation.
>>
>> This is something I tried to get clarification for in the original
>> discussion.
>>
>>
>


-- 
Massimiliano Perrone
Tel +39 393 9121310

Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.example.com

Apache Syncope PMC Member
http://people.apache.org/~massi/

"Learning many things does not teach understanding"
(Heraclitus)
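The two KDC excerpts quoted in this thread show the distinction Alexander is pointing at: with S4U2Proxy working, the TGS_REQ for ldap/olmo carries the user's name (admin) although the web application sent it, whereas the Java client asked for HTTP/olmo in its own name. The script below is an added illustration, not code from the thread or from FreeIPA. It parses krb5kdc lines of that shape and labels each issued service ticket as delegated (user's name, proxy's address), own-identity (the proxy's own principal, so no delegation) or user-direct. The sample lines are the thread's own, rejoined and with the archive's " at " restored to "@"; the proxy address 192.168.0.106 is an assumption, since the thread does not say which host has which address.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the krb5kdc excerpts quoted in the thread, with the
# archive's " at " rewritten back to "@" and the mail-wrapped lines rejoined.
KDC_LOG = """\
mar 20 10:22:20 olmo.example.com krb5kdc[5091](info): TGS_REQ (1 etypes {18}) 192.168.0.105: ISSUE: authtime 1395301975, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
mar 20 10:22:21 olmo.example.com krb5kdc[5091](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 1395301975, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for ldap/olmo.example.com@EXAMPLE.COM
mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: NEEDED_PREAUTH: HTTP/ebano.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: ISSUE: authtime 1395307449, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.0.105: ISSUE: authtime 1395307449, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for HTTP/olmo.example.com@EXAMPLE.COM
"""

# One krb5kdc request record. The etype list in parentheses and the optional
# "authtime ..., etypes {...}," part of an ISSUE line are skipped over.
LINE_RE = re.compile(
    r"^(?P<ts>\w+ +\d+ [\d:]+) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.]+): (?P<status>\w+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)"
)


@dataclass
class KdcRequest:
    ts: str
    req: str      # AS_REQ or TGS_REQ
    ip: str       # address the request came from
    status: str   # ISSUE, NEEDED_PREAUTH, ...
    client: str   # principal the ticket is requested for
    service: str  # principal the ticket is requested to


def parse_kdc_log(text: str) -> List[KdcRequest]:
    """Parse krb5kdc log text; lines that are not AS_REQ/TGS_REQ records are ignored."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(KdcRequest(m["ts"], m["req"], m["ip"], m["status"],
                                  m["client"], m["service"]))
    return out


def delegation_check(entries: List[KdcRequest], proxy_principal: str,
                     proxy_ip: Optional[str] = None) -> List[Tuple[str, str, str, str]]:
    """Classify every issued service ticket (TGS_REQ not for krbtgt/...).

    "delegated"   : ticket in a user's name requested from the proxy host,
                    which is what S4U2Proxy looks like from the KDC's side;
    "own-identity": the proxy asked in its own name, so no delegation happened;
    "user-direct" : a user's name from some other host (the user's own client).
    Without proxy_ip the address cannot be checked and any user-name request
    is reported as "delegated".
    """
    findings = []
    for e in entries:
        if e.req != "TGS_REQ" or e.status != "ISSUE" or e.service.startswith("krbtgt/"):
            continue
        if e.client == proxy_principal:
            verdict = "own-identity"
        elif proxy_ip is None or e.ip == proxy_ip:
            verdict = "delegated"
        else:
            verdict = "user-direct"
        findings.append((e.ts, e.client, e.service, verdict))
    return findings


if __name__ == "__main__":
    PROXY = "HTTP/ebano.example.com@EXAMPLE.COM"
    # Assumption for this sample: the delegated request in the curl test came
    # from 192.168.0.106; the thread does not say which host has which address.
    for ts, client, service, verdict in delegation_check(parse_kdc_log(KDC_LOG), PROXY, "192.168.0.106"):
        print(f"{ts}: {client} -> {service}: {verdict}")
```

Run against a live krb5kdc.log, an "own-identity" result for the backend service means the application is authenticating as itself rather than on the user's behalf, which is exactly what the Java excerpt shows and what the S4U2Proxy ACL entries cannot fix by themselves.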



