[Freeipa-devel] Talking json/rpc with java client

Massimiliano Perrone (tirasa.net) massimiliano.perrone at tirasa.net
Mon Mar 24 12:14:38 UTC 2014


On 03/24/2014 12:35 PM, Massimiliano Perrone (tirasa.net) wrote:
> On 03/21/2014 04:52 PM, Massimiliano Perrone (tirasa.net) wrote:
>> On 03/20/2014 02:09 PM, Simo Sorce wrote:
>>> On Thu, 2014-03-20 at 14:47 +0200, Alexander Bokovoy wrote:
>>>> On Thu, 20 Mar 2014, Rob Crittenden wrote:
>>>>> Alexander Bokovoy wrote:
>>>>>> On Thu, 20 Mar 2014, Massimiliano Perrone (example.com) wrote:
>>>>>>> On 03/18/2014 05:26 PM, Alexander Bokovoy wrote:
>>>>>>>> On Tue, 18 Mar 2014, Massimiliano Perrone (example.com) wrote:
>>>>>>>>>>> The difference between the two calls is in the last TGS_REQ:
>>>>>>>>>>> the first one is for
>>>>>>>>>>> ldap/olmo.example.com@EXAMPLE.COM and
>>>>>>>>>>> it's OK, whereas the second one is for
>>>>>>>>>>> HTTP/olmo.example.com@EXAMPLE.COM, which returns a 401 (I
>>>>>>>>>>> suppose).
>>>>>>>>>>>
>>>>>>>>>>> Where's the error?
>>>>>>>>>> Am I correct that you have a user connecting to 
>>>>>>>>>> HTTP/ebano.example.com
>>>>>>>>>> and then HTTP/ebano.example.com wants to talk to 
>>>>>>>>>> HTTP/olmo.example.com
>>>>>>>>>> using credentials of the user?
>>>>>>>>>>
>>>>>>>>>> FreeIPA uses constrained delegation of the credentials, with the
>>>>>>>>>> help of the
>>>>>>>>>> S4U2Proxy extension. You need to allow HTTP/ebano.example.com to
>>>>>>>>>> delegate
>>>>>>>>>> credentials to HTTP/olmo.example.com.
>>>>>>>>>>
>>>>>>>>>> I have written an article on how to do that:
>>>>>>>>>> https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
>>>>>>>>>>
>>>>>>>>> Hi Alexander, thanks for your reply.
>>>>>>>>> I read your interesting post carefully and followed it to
>>>>>>>>> delegate
>>>>>>>>> HTTP/ebano.example.com credentials to HTTP/olmo.example.com.
>>>>>>>>>
>>>>>>>>> Now, two questions:
>>>>>>>>> 1) How can I check that my configuration is now OK? Because this
>>>>>>>>> ldapsearch returns result: 0
>>>>>>>>>
>>>>>>>>> ldapsearch -Y GSSAPI -H ldap://olmo.example.com -b
>>>>>>>>> "cn=s4u2proxy,cn=etc,dc=example,dc=com"
>>>>>>>>> "cn=ipa-http-delegation-targets" dn
>>>>>>>> You need to create these delegation entries yourself, like the
>>>>>>>> article
>>>>>>>> says. Note that your app talks to the IPA server's HTTP service, so
>>>>>>>> create
>>>>>>>>
>>>>>>>> dn: cn=ebano-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
>>>>>>>> objectClass: ipaKrb5DelegationACL
>>>>>>>> objectClass: groupOfPrincipals
>>>>>>>> objectClass: top
>>>>>>>> cn: ebano-http-delegation
>>>>>>>> memberPrincipal: HTTP/ebano.example.com@EXAMPLE.COM
>>>>>>>> ipaAllowedTarget: cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
>>>>>>>>
>>>>>>>> This entry says: "HTTP/ebano.example.com is allowed to delegate
>>>>>>>> users'
>>>>>>>> credentials to whatever Kerberos principal is a member of the
>>>>>>>> cn=ebano-http-delegation-targets group"
>>>>>>>>
>>>>>>>> Now, this is the group:
>>>>>>>> dn: cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
>>>>>>>> objectClass: groupOfPrincipals
>>>>>>>> objectClass: top
>>>>>>>> cn: ebano-http-delegation-targets
>>>>>>>> memberPrincipal: HTTP/olmo.example.com@EXAMPLE.COM
>>>>>>>>
>>>>>>>> With these two entries we would have HTTP/ebano.example.com
>>>>>>>> allowed to
>>>>>>>> delegate users' credentials to HTTP/olmo.example.com
>>>>>>> Hi Alexander, thanks for your patience.
>>>>>>> I followed your suggestions but the result is always the same.
>>>>>>>
>>>>>>> Trying with curl, of course, it works.
>>>>>>>
>>>>>>> My doubt now is why curl generates this log on the Kerberos server
>>>>>>>
>>>>>>> mar 20 10:22:20 olmo.example.com krb5kdc[5091](info): TGS_REQ (1
>>>>>>> etypes {18}) 192.168.0.105: ISSUE: authtime 1395301975, etypes
>>>>>>> {rep=18
>>>>>>> tkt=18 ses=18}, admin@EXAMPLE.COM for
>>>>>>> krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>>>>>> mar 20 10:22:21 olmo.example.com krb5kdc[5091](info): TGS_REQ (6
>>>>>>> etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime
>>>>>>> 1395301975,
>>>>>>> etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for
>>>>>>> ldap/olmo.example.com@EXAMPLE.COM
>>>>>> This is the effect of the S4U extension working correctly.
>>>>>>
>>>>>>> whereas Java generates this other one
>>>>>>>
>>>>>>> mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): AS_REQ (4
>>>>>>> etypes
>>>>>>> {18 17 16 23}) 192.168.0.105: NEEDED_PREAUTH:
>>>>>>> HTTP/ebano.example.com@EXAMPLE.COM for
>>>>>>> krbtgt/EXAMPLE.COM@EXAMPLE.COM,
>>>>>>> Additional pre-authentication required
>>>>>>> mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): AS_REQ (4
>>>>>>> etypes
>>>>>>> {18 17 16 23}) 192.168.0.105: ISSUE: authtime 1395307449, etypes
>>>>>>> {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for
>>>>>>> krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>>>>>> mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): TGS_REQ (6
>>>>>>> etypes {18 17 16 23 1 3}) 192.168.0.105: ISSUE: authtime
>>>>>>> 1395307449,
>>>>>>> etypes {rep=18 tkt=18 ses=18},
>>>>>>> HTTP/ebano.example.com@EXAMPLE.COM for
>>>>>>> HTTP/olmo.example.com@EXAMPLE.COM
>>>>>>>
>>>>>>> As you can see, the first one uses admin on the ldap service, the
>>>>>>> second
>>>>>>> one uses HTTP/ebano.example.com on the HTTP service.
>>>>>> This means your Java application doesn't use the S4U extension or
>>>>>> doesn't
>>>>>> know about it.
>>>>>>
>>>>>>> Can I do the same call with Java?
>>>>>> At this point we need to make clear which Java you are using.
>>>>>>
>>>>>> http://download.java.net/jdk8/docs/technotes/guides/security/jgss/jgss-features.html
>>>>>>
>>>>>> says that the S4U extensions (we use S4U2Proxy here) were added in
>>>>>> Java SE 8.
>>>>>>
>>>>> The client doesn't do the S4U2Proxy work though, so this shouldn't
>>>>> matter, right?
>>>> My point is that the client will not do what he expects unless
>>>> S4U2Proxy
>>>> is used in Java and that requires the Java 8 platform, released on March
>>>> 18th 2014.
>>> I think you can use earlier Java versions but tell them to use the
>>> native GSSAPI library (and perhaps sprinkle a little bit of
>>> GSS-Proxy in
>>> the back for fun).
>>
>> Here I'm again :)
>>
>> I wrote a GSSClient [1] obtaining:
>> ###################################################
>> java.io.IOException: Server returned HTTP response code: 401 for URL: 
>> https://olmo.example.com/ipa/json
>> ###################################################
>>
>> Other info from the Kerberos client:
>> ###################################################
>> Ordering keys wrt default_tkt_enctypes list
>> Using builtin default etypes for default_tkt_enctypes
>> default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
>> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>> >>> KrbAsRep cons in KrbAsReq.getReply HTTP/ebano.example.com
>> principal is HTTP/ebano.example.com@EXAMPLE.COM
>> Will use keytab
>> Commit Succeeded
>>
>> Found ticket for HTTP/ebano.example.com@EXAMPLE.COM to go to
>> krbtgt/EXAMPLE.COM@EXAMPLE.COM expiring on Sat Mar 22 16:38:37 CET 2014
>> Entered Krb5Context.initSecContext with state=STATE_NEW
>> Service ticket not found in the subject 
>> <---------------------------------------------------------------
>> >>> Credentials acquireServiceCreds: same realm
>> Using builtin default etypes for default_tgs_enctypes
>> default etypes for default_tgs_enctypes: 18 17 16 23 1 3.
>> >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>> >>> KrbKdcReq send: kdc=olmo.example.com UDP:88, timeout=30000, 
>> number of retries =3, #bytes=681
>> >>> KDCCommunication: kdc=olmo.example.com UDP:88, 
>> timeout=30000,Attempt =1, #bytes=681
>> >>> KrbKdcReq send: #bytes read=642
>> >>> KdcAccessibility: remove olmo.example.com
>> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>> >>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>> Krb5Context setting mySeqNumber to: 1042307601
>> Created InitSecContextToken:
>> 0000: 01 00 6E 82 02 4E 30 82   02 4A A0 03 02 01 05 A1 ..n..N0..J......
>> 0010: 03 02 01 0E A2 07 03 05   00 20 00 00 00 A3 82 01 ......... ......
>> 0020: 52 61 82 01 4E 30 82 01   4A A0 03 02 01 05 A1 0C Ra..N0..J.......
>> 0030: 1B 0A 54 49 52 41 53 41   2E 4E 45 54 A2 22 30 20 ..EXAMPLE.COM."0
>> 0040: A0 03 02 01 01 A1 19 30   17 1B 04 6C 64 61 70 1B .......0...ldap.
>> 0050: 0F 6F 6C 6D 6F 2E 74 69   72 61 73 61 2E 6E 65 74 .olmo.example.com
>> 0060: A3 82 01 0F 30 82 01 0B   A0 03 02 01 12 A1 03 02 ....0...........
>> 0070: 01 02 A2 81 FE 04 81 FB   F9 8C FE 4F A0 4E 4B 34 ...........O.NK4
>> 0080: BC 3D A7 E4 05 4E AC 91   58 58 9B 7C 18 72 7E 16 .=...N..XX...r..
>> 0090: DA 4B 29 1F 52 D7 30 7A   9E FF 18 4C 68 9A 18 DF .K).R.0z...Lh...
>> 00A0: 66 03 F7 55 75 40 DC 38   AC 21 5B 7F C0 70 DB DD f..Uu@.8.![..p..
>> 00B0: 37 63 7A E2 C4 89 E1 6A   B9 29 6D 30 62 1E F1 3E 7cz....j.)m0b..>
>> 00C0: 18 B0 A7 FB 1C 43 F9 33   D6 61 57 D0 26 DA 9E AB .....C.3.aW.&...
>> 00D0: C7 04 3F D0 DC 36 0F 95   B9 AD 5B 1B 64 A8 59 21 ..?..6....[.d.Y!
>> 00E0: E6 32 47 43 49 EA F8 61   38 D6 52 0A 92 A9 78 5F .2GCI..a8.R...x_
>> 00F0: F7 BE B6 AE B9 0A 47 51   31 44 0D 67 74 D6 E5 71 ......GQ1D.gt..q
>> 0100: CA 85 46 09 FE F1 4D 90   E5 7C 7A 26 22 7D 39 41 ..F...M...z&".9A
>> 0110: 03 2D AB 5A E5 48 26 E7   D5 4A 20 0B 67 54 91 15 .-.Z.H&..J .gT..
>> 0120: 37 23 A3 68 4D 67 88 0D   9A 4D 01 FA 8A 30 B0 2F 7#.hMg...M...0./
>> 0130: 57 6A 64 8E A5 7B 2E DB   C1 93 07 0B 02 8A FC B7 Wjd.............
>> 0140: BB 6B FD BD 83 DA F7 72   E6 D6 F8 4B BA 06 E4 ED .k.....r...K....
>> 0150: 20 C2 EA 53 F6 6F F8 BB   0F E4 EF B4 51 15 BB 13 ..S.o......Q...
>> 0160: EB 57 A4 10 F2 C1 36 0B   B1 45 6C FA 38 36 9C F9 .W....6..El.86..
>> 0170: E2 75 BC A4 81 DE 30 81   DB A0 03 02 01 12 A2 81 .u....0.........
>> 0180: D3 04 81 D0 D6 75 77 89   A0 B7 F9 26 64 04 D4 51 .....uw....&d..Q
>> 0190: DD 27 10 A3 B7 8F 1B 88   8C 20 4D A2 25 BF 3D 11 .'....... M.%.=.
>> 01A0: 36 B1 EA 3B C7 BF FE C4   20 42 12 3C 1D 60 CD DB 6..;.... B.<.`..
>> 01B0: D7 CB 5B 58 25 6D B9 68   6D 32 9F 8C 90 D1 0B 18 ..[X%m.hm2......
>> 01C0: 90 4D B4 90 8B 17 2A F5   C5 B2 17 AD A7 6A 1F 2C .M....*......j.,
>> 01D0: FD BF 2E EA 9C 27 CC 73   68 9B E7 D1 59 99 9D 64 .....'.sh...Y..d
>> 01E0: 08 53 8F 03 88 3B DF 36   5B 24 DC A0 78 F6 DF 6C .S...;.6[$..x..l
>> 01F0: 3C CB FC 84 C9 6B 24 1B   DD F0 6F E3 1F 01 CC 94 <....k$...o.....
>> 0200: 2B 40 F7 6C 8D 9A E8 20   05 0A 44 16 64 55 29 B2 +@.l... ..D.dU).
>> 0210: 48 CC 1E C7 B0 99 AE B0   91 87 B1 EB BC 6B F3 8D H............k..
>> 0220: A9 1B 3C A1 65 97 91 8A   B1 9A 25 CB 7B D8 11 99 ..<.e.....%.....
>> 0230: 91 E6 F0 2A AB 5D 21 DA   C7 A5 CC AD FA 79 76 33 ...*.]!......yv3
>> 0240: B8 7E ED 1C FE C0 3B 2E   C5 9E 71 51 42 9C 0B 47 ......;...qQB..G
>> 0250: 5A 4F 05 DE                                        ZO..
>> ###################################################
>>
>> As you can see in the row indicated by the arrow there's:
>> Entered Krb5Context.initSecContext with state=STATE_NEW
>> Service ticket not found in the subject 
>> <---------------------------------------------------------------
>> Is this right?
>
> Hi guys, sorry for the noise...
> Maybe this information can help us understand the root cause of
> our problem.
>
> httpd access_log
> 192.168.0.176 - HTTP/ebano.tirasa.net@TIRASA.NET [24/Mar/2014:12:21:57
> +0100] "POST /ipa/json HTTP/1.1" 500 272
> httpd error_log
> [Mon Mar 24 12:21:57.971182 2014] [:error] [pid 24462] ipa: ERROR: 500 
> Internal Server Error: jsonserver_kerb.__call__: KRB5CCNAME not 
> defined in HTTP request environment

Other question/information...
I don't know if I'm saying something wrong but......
Reading [1] at line 980 I noticed that the kinit method sets the KRB5CCNAME variable:

    def kinit(self, user, realm, password, ccache_name):
        # Format the user as a kerberos principal
        principal = krb5_format_principal_name(user, realm)

        # Run kinit against the credential cache chosen for this session
        (stdout, stderr, returncode) = ipautil.run(['/usr/bin/kinit', principal],
                                                   env={'KRB5CCNAME': ccache_name},
                                                   stdin=password, raiseonerr=False)
        self.debug('kinit: principal=%s returncode=%s, stderr="%s"',
                   principal, returncode, stderr)

        if returncode != 0:
            raise InvalidSessionPassword(principal=principal,
                                         message=unicode(stderr))

Is it possible that the LoginContext method of the Java Kerberos libraries doesn't
do the same thing?

[1] http://www.freeipa.org/developer-docs/ipaserver.rpcserver-pysrc.html
>
>
>>
>> PS: the next step is Java 8 installation to follow Alexander's suggestions.
>>
>> [1] 
>> https://github.com/massx1/KerberosExample/blob/master/src/main/java/net/tirasa/kerberosexample/GSSClient.java
>>>
>>>> That is, if there is a user talking to the Java client and
>>>> then the Java client turning to the IPA LDAP or web server with constrained
>>>> delegation.
>>>>
>>>> This is something I tried to get clarification for in the original
>>>> discussion.


-- 
Massimiliano Perrone
Tel +39 393 9121310

Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/~massi/

"Learning many things does not teach understanding"
(Heraclitus)
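The delegation ACL entries Alexander describes above (an ipaKrb5DelegationACL that names the proxy service and points, through ipaAllowedTarget, at a groupOfPrincipals listing the targets) can be reasoned about offline before touching the directory. The following is an added example, not FreeIPA code and not something from this thread's authors: it loads the two ebano entries from the thread, plus an assumed stock ipa-http-delegation pair that lets the IPA web server on olmo reach its own LDAP service, into plain dictionaries and answers the question the thread keeps circling, whether a given proxy may obtain a ticket for a given target on behalf of a user. The reverse-audit helper and the multi-hop check are the editor's additions; the exact contents of the stock entry are an assumption.

```python
"""Resolve FreeIPA S4U2Proxy delegation ACLs offline.

Added example, not FreeIPA code. It models the two entry types under
cn=s4u2proxy,cn=etc,$SUFFIX that the thread describes:

  ipaKrb5DelegationACL  memberPrincipal  = proxy service(s) allowed to delegate
                        ipaAllowedTarget = DN(s) of a groupOfPrincipals
  groupOfPrincipals     memberPrincipal  = target service(s)

The directory content below is constructed: the ebano entries are the ones
from the thread; the ipa-http-delegation pair is assumed to be FreeIPA's
stock entry allowing the IPA web server to reach its own LDAP service.
"""
from typing import Dict, List, Optional, Set

Entry = Dict[str, List[str]]
SUFFIX = "dc=example,dc=com"
BASE = f"cn=s4u2proxy,cn=etc,{SUFFIX}"

ENTRIES: Dict[str, Entry] = {
    f"cn=ipa-http-delegation,{BASE}": {
        "objectClass": ["ipaKrb5DelegationACL", "groupOfPrincipals", "top"],
        "memberPrincipal": ["HTTP/olmo.example.com@EXAMPLE.COM"],
        "ipaAllowedTarget": [f"cn=ipa-http-delegation-targets,{BASE}"],
    },
    f"cn=ipa-http-delegation-targets,{BASE}": {
        "objectClass": ["groupOfPrincipals", "top"],
        "memberPrincipal": ["ldap/olmo.example.com@EXAMPLE.COM"],
    },
    f"cn=ebano-http-delegation,{BASE}": {
        "objectClass": ["ipaKrb5DelegationACL", "groupOfPrincipals", "top"],
        "memberPrincipal": ["HTTP/ebano.example.com@EXAMPLE.COM"],
        "ipaAllowedTarget": [f"cn=ebano-http-delegation-targets,{BASE}"],
    },
    f"cn=ebano-http-delegation-targets,{BASE}": {
        "objectClass": ["groupOfPrincipals", "top"],
        "memberPrincipal": ["HTTP/olmo.example.com@EXAMPLE.COM"],
    },
}


def norm_dn(dn: str) -> str:
    """DNs compare case-insensitively and ignore whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def find_entry(entries: Dict[str, Entry], dn: str) -> Optional[Entry]:
    wanted = norm_dn(dn)
    for candidate, attrs in entries.items():
        if norm_dn(candidate) == wanted:
            return attrs
    return None


def allowed_targets(entries: Dict[str, Entry], proxy: str) -> Set[str]:
    """Principals `proxy` may obtain tickets for on behalf of a user.

    Principal strings are compared exactly: a typo in memberPrincipal (wrong
    host, missing realm) simply yields no match, and the KDC then refuses the
    S4U2Proxy request without pointing at the entry.
    """
    targets: Set[str] = set()
    for attrs in entries.values():
        if "ipaKrb5DelegationACL" not in attrs.get("objectClass", []):
            continue
        if proxy not in attrs.get("memberPrincipal", []):
            continue
        for target_dn in attrs.get("ipaAllowedTarget", []):
            group = find_entry(entries, target_dn)
            if group is None:
                continue  # a dangling ipaAllowedTarget grants nothing
            targets.update(group.get("memberPrincipal", []))
    return targets


def may_delegate(entries: Dict[str, Entry], proxy: str, target: str) -> bool:
    return target in allowed_targets(entries, proxy)


def proxies_for(entries: Dict[str, Entry], target: str) -> Set[str]:
    """Reverse view for an audit: which services may act as any user towards `target`."""
    result: Set[str] = set()
    for attrs in entries.values():
        if "ipaKrb5DelegationACL" not in attrs.get("objectClass", []):
            continue
        for proxy in attrs.get("memberPrincipal", []):
            if may_delegate(entries, proxy, target):
                result.add(proxy)
    return result


def delegation_chain(entries: Dict[str, Entry], hops: List[str]) -> bool:
    """Check a multi-hop path hop by hop.

    The KDC evaluates every S4U2Proxy request on its own, so
    HTTP/ebano -> HTTP/olmo -> ldap/olmo needs two separate ACLs.
    """
    return all(may_delegate(entries, a, b) for a, b in zip(hops, hops[1:]))
```

Against a live server the equivalent check is an ldapsearch over the same base that selects the ACL by proxy principal and then reads memberPrincipal from every DN listed in its ipaAllowedTarget, for instance `ldapsearch -Y GSSAPI -H ldap://olmo.example.com -b "cn=s4u2proxy,cn=etc,dc=example,dc=com" "(&(objectClass=ipaKrb5DelegationACL)(memberPrincipal=HTTP/ebano.example.com@EXAMPLE.COM))" ipaAllowedTarget`. Because principals are matched as strings, a one-character difference in host name or realm silently removes the grant, and the reverse lookup is the one to run when deciding which hosts are trusted to impersonate every user towards LDAP.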

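The two KDC log excerpts in the thread are the actual evidence of whether S4U2Proxy happened: in the curl run the ticket for ldap/olmo is issued to the user admin, in the Java run the ticket for HTTP/olmo is issued to HTTP/ebano itself. The following added example (not FreeIPA, MIT krb5 or the poster's code) parses krb5kdc lines of that format and labels every issued ticket so the difference can be read off mechanically. The sample lines are the thread's own, reproduced with the '@' restored; treating a user ticket issued to a different address than the user's earlier requests with the same authtime as a proxied request is a heuristic assumed here, since these log lines do not mark S4U2Proxy explicitly.

```python
"""Classify MIT krb5kdc log lines: does a service authenticate as itself, or
does it obtain a ticket on behalf of a user (the S4U2Proxy pattern)?

Added example, not FreeIPA, MIT krb5 or the poster's code. The sample lines
are constructed from the thread's excerpts with '@' restored; the proxied
detection rule is a heuristic, noted in classify().
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_LOG = """\
mar 20 10:22:20 olmo.example.com krb5kdc[5091](info): TGS_REQ (1 etypes {18}) 192.168.0.105: ISSUE: authtime 1395301975, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
mar 20 10:22:21 olmo.example.com krb5kdc[5091](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 1395301975, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for ldap/olmo.example.com@EXAMPLE.COM
mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: NEEDED_PREAUTH: HTTP/ebano.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: ISSUE: authtime 1395307449, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.0.105: ISSUE: authtime 1395307449, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for HTTP/olmo.example.com@EXAMPLE.COM
"""

# "krb5kdc[PID](info): KIND (n etypes {...}) IP: STATUS: rest"
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$")
# "client@REALM for server@REALM"; commas excluded so a trailing ", Additional ..." is not swallowed
PRINC_RE = re.compile(r"(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+@[^\s,]+)")
AUTHTIME_RE = re.compile(r"authtime (?P<authtime>\d+)")


@dataclass
class KdcRecord:
    kind: str
    ip: str
    status: str
    client: str
    server: str
    authtime: Optional[int]


def parse_kdc_log(text: str) -> List[KdcRecord]:
    records: List[KdcRecord] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated daemon output
        p = PRINC_RE.search(m.group("rest"))
        if not p:
            continue
        a = AUTHTIME_RE.search(m.group("rest"))
        records.append(KdcRecord(m.group("kind"), m.group("ip"), m.group("status"),
                                 p.group("client"), p.group("server"),
                                 int(a.group("authtime")) if a else None))
    return records


def is_service_principal(principal: str) -> bool:
    # Service principals look like svc/host@REALM; user principals carry no '/'.
    return "/" in principal.split("@", 1)[0]


def classify(records: List[KdcRecord]) -> List[Tuple[KdcRecord, str]]:
    """Label every issued ticket.

    initial-auth  AS_REQ issued (keytab or password login)
    self          TGS_REQ whose client is itself a service principal: the
                  service presents its own identity, no user is involved
    user-direct   TGS_REQ for a user from the same address as that user's
                  earlier requests in this authtime
    user-proxied  TGS_REQ for a user issued to a different address than the
                  one that got earlier tickets with the same authtime.
                  Heuristic assumption: this is how an S4U2Proxy request by
                  a service on another host shows up in logs that do not
                  flag S4U explicitly.
    """
    out: List[Tuple[KdcRecord, str]] = []
    seen: Dict[Tuple[str, Optional[int]], Set[str]] = {}
    for r in records:
        if r.status != "ISSUE":
            continue
        if r.kind == "AS_REQ":
            label = "initial-auth"
        elif is_service_principal(r.client):
            label = "self"
        else:
            earlier = seen.get((r.client, r.authtime), set())
            label = "user-proxied" if earlier and r.ip not in earlier else "user-direct"
        seen.setdefault((r.client, r.authtime), set()).add(r.ip)
        out.append((r, label))
    return out


def labels(text: str) -> List[Tuple[str, str, str, str]]:
    """(client, server, source ip, label) for every issued ticket in `text`."""
    return [(r.client, r.server, r.ip, label) for r, label in classify(parse_kdc_log(text))]


if __name__ == "__main__":
    for client, server, ip, label in labels(SAMPLE_LOG):
        print(f"{label:13} {ip:15} {client} -> {server}")
```

Run over the thread's lines this yields user-proxied for the curl request that reached ldap/olmo as admin from 192.168.0.106, and self for the Java request, where HTTP/ebano asked for HTTP/olmo under its own keytab identity; that second label is exactly the "doesn't use the S4U extension" diagnosis given above, and is what to look for after switching to Java 8 or the native GSSAPI provider.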

