[Freeipa-devel] Talking json/rpc with java client
Alexander Bokovoy
abokovoy at redhat.com
Tue Mar 18 10:26:43 UTC 2014
On Tue, 18 Mar 2014, Massimiliano Perrone (tirasa.net) wrote:
>On 03/18/2014 10:10 AM, Jan Pazdziora wrote:
>>On Tue, Mar 18, 2014 at 09:02:13AM +0100, Marco Di Sabatino Di Diodoro wrote:
>>>what are the requirements or packages that a client must have to call JSON/RPC with java? We have a 401 error.
>>What packages / code do you attempt to use when you get that 401?
>>
>
>Hi guys, first of all thanks for your replies.
>
>Summarizing...
>
>1) On FreeIPA server I created a keytab executing following commands:
> *) ipa host-add ebano.example.com
> *) ipa service-add HTTP/ebano.example.com
> *) ipa-getkeytab -s olmo.example.com -p
>HTTP/ebano.example.com -k /tmp/ebano.keytab
> *) scp /tmp/ebano.keytab root at ebano:/var/tmp
>
>2) On ebano (the client machine) I have a Java client based on
>HttpClient 3.1 that uses this java.security.auth.login.config file:
>#########################################
>un.security.jgss.login {
> com.sun.security.auth.module.Krb5LoginModule required
> client=TRUE
> refreshKrb5Config=true
> useKeyTab=true
> keyTab="/var/tmp/ebano.keytab"
> principal="HTTP/ebano.example.com";
>};
>
>com.sun.security.jgss.initiate {
> com.sun.security.auth.module.Krb5LoginModule required
> client=TRUE
> refreshKrb5Config=true
> useKeyTab=true
> keyTab="/var/tmp/ebano.keytab"
> principal="HTTP/ebano.example.com";
>
>};
>
>com.sun.security.jgss.accept {
> com.sun.security.auth.module.Krb5LoginModule required
> client=TRUE
> refreshKrb5Config=true
> useKeyTab=true
> keyTab="/var/tmp/ebano.keytab"
> principal="HTTP/ebano.example.com";
>};
>#########################################
>
>As you can see in attached log file, I can negotiate authentication
>on FreeIPA server and final response from it is a 401
>
>10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG
>org.apache.http.wire - << "{"
>10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG
>org.apache.http.wire - << "[\n]"
>10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG
>org.apache.http.wire - << " "error": {[\n]"
>10:16:36.407 [net.tirasa.freeipa.FreeIPA.main()] DEBUG
>org.apache.http.wire - << " "code": 1101, [\n]"
>10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG
>org.apache.http.wire - << " "message": "did not receive
>Kerberos credentials", [\n]"
>10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG
>org.apache.http.wire - << " "name": {[\n]"
>10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG
>org.apache.http.wire - << " "__base64__":
>"Q0NhY2hlRXJyb3I="[\n]"
>10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG
>org.apache.http.wire - << " }[\n]"
>10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG
>org.apache.http.wire - << " }, [\n]"
>10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG
>org.apache.http.wire - << " "id": null, [\n]"
>10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG
>org.apache.http.wire - << " "principal": "UNKNOWN", [\n]"
>10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG
>org.apache.http.wire - << " "result": null, [\n]"
>10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG
>org.apache.http.wire - << " "version": "3.3.4"[\n]"
>10:16:36.408 [net.tirasa.freeipa.FreeIPA.main()] DEBUG
>org.apache.http.wire - << "}"
>
>But...
>
>Reading Kerberos server log I noticed that a right curl based call
>generates a
>mar 18 08:20:12 olmo.example.com krb5kdc[1423](info): TGS_REQ (1
>etypes {18}) 192.168.0.105: ISSUE: authtime 1395072185, etypes
>{rep=18 tkt=18 ses=18}, admin at EXAMPLE.COM for
>krbtgt/EXAMPLE.COM at EXAMPLE.COM
>mar 18 08:20:13 olmo.example.com krb5kdc[1423](info): TGS_REQ (6
>etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime
>1395072185, etypes {rep=18 tkt=18 ses=18}, admin at EXAMPLE.COM for
>ldap/olmo.example.com at EXAMPLE.COM
>
>whereas Java client generates a
>
>mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): AS_REQ (4
>etypes {18 17 16 23}) 192.168.0.105: NEEDED_PREAUTH:
>HTTP/ebano.example.com at EXAMPLE.COM for
>krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional pre-authentication
>required
>mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): AS_REQ (4
>etypes {18 17 16 23}) 192.168.0.105: ISSUE: authtime 1395082101,
>etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com at EXAMPLE.COM for
>krbtgt/EXAMPLE.COM at EXAMPLE.COM
>mar 17 19:48:21 olmo.example.com krb5kdc[1423](info): TGS_REQ (6
>etypes {18 17 16 23 1 3}) 192.168.0.105: ISSUE: authtime 1395082101,
>etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com at EXAMPLE.COM for
>HTTP/olmo.example.com at EXAMPLE.COM
>
>The difference between the two calls is on the last TGS_REQ; because
>the first one is on ldap/olmo.example.com at EXAMPLE.COM and it's OK
>whereas the second one is on HTTP/olmo.example.com at EXAMPLE.COM that
>returns a 401 (I suppose).
>
>Where's the error?
Am I correct that you have a user connecting to HTTP/ebano.example.com
and then HTTP/ebano.example.com wants to talk to HTTP/olmo.example.com
using credentials of the user?
FreeIPA uses constraint delegation of the credentials, with the help of
S4U2Proxy extension. You need to allow HTTP/ebano.example.com to delegate
credentials to HTTP/olmo.example.com.
I have written an article how to do that:
https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
--
/ Alexander Bokovoy
More information about the Freeipa-devel
mailing list