<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 03/24/2014 12:35 PM, Massimiliano
Perrone (tirasa.net) wrote:<br>
</div>
<blockquote cite="mid:53301894.6050403@tirasa.net" type="cite">On
03/21/2014 04:52 PM, Massimiliano Perrone (tirasa.net) wrote:
<br>
<blockquote type="cite">On 03/20/2014 02:09 PM, Simo Sorce wrote:
<br>
<blockquote type="cite">On Thu, 2014-03-20 at 14:47 +0200,
Alexander Bokovoy wrote:
<br>
<blockquote type="cite">On Thu, 20 Mar 2014, Rob Crittenden
wrote:
<br>
<blockquote type="cite">Alexander Bokovoy wrote:
<br>
<blockquote type="cite">On Thu, 20 Mar 2014, Massimiliano
Perrone (example.com) wrote:
<br>
<blockquote type="cite">On 03/18/2014 05:26 PM,
Alexander Bokovoy wrote:
<br>
<blockquote type="cite">On Tue, 18 Mar 2014,
Massimiliano Perrone (example.com) wrote:
<br>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">The difference between
the two calls is on the last TGS_REQ;
<br>
because the first one is on
<a class="moz-txt-link-abbreviated" href="mailto:ldap/olmo.example.com@EXAMPLE.COM">ldap/olmo.example.com@EXAMPLE.COM</a> and
<br>
it's OK whereas the second one is on
<br>
<a class="moz-txt-link-abbreviated" href="mailto:HTTP/olmo.example.com@EXAMPLE.COM">HTTP/olmo.example.com@EXAMPLE.COM</a> that returns
a 401 (I suppose).
<br>
<br>
Where's the error?
<br>
</blockquote>
Am I correct that you have a user connecting to
HTTP/ebano.example.com
<br>
and then HTTP/ebano.example.com wants to talk to
HTTP/olmo.example.com
<br>
using credentials of the user?
<br>
<br>
FreeIPA uses constrained delegation of the
credentials, with the
<br>
help of the S4U2Proxy extension. You need to allow
HTTP/ebano.example.com to
<br>
delegate credentials to HTTP/olmo.example.com.
<br>
<br>
I have written an article on how to do that:
<br>
<a class="moz-txt-link-freetext" href="https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html">https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html</a>
<br>
<br>
<br>
<br>
<br>
</blockquote>
Hi Alexander, thanks for your reply.
<br>
I read your interesting post carefully and followed it to delegate
<br>
HTTP/ebano.example.com credentials to
HTTP/olmo.example.com.
<br>
<br>
Now, two questions:
<br>
1) How can I check that my configuration is now OK? Because this
<br>
ldapsearch returns result: 0
<br>
<br>
ldapsearch -Y GSSAPI -H <a class="moz-txt-link-freetext" href="ldap://olmo.example.com">ldap://olmo.example.com</a> -b
<br>
"cn=s4u2proxy,cn=etc,dc=example,dc=com"
<br>
"cn=ipa-http-delegation-targets" dn
<br>
</blockquote>
You need to create these delegation entries
yourself, like the article
<br>
says. Note that your app talks to IPA server's HTTP
service, so create
<br>
<br>
dn:
cn=ebano-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
<br>
objectClass: ipaKrb5DelegationACL
<br>
objectClass: groupOfPrincipals
<br>
objectClass: top
<br>
cn: ebano-http-delegation
<br>
memberPrincipal: <a class="moz-txt-link-abbreviated" href="mailto:HTTP/ebano.example.com@EXAMPLE.COM">HTTP/ebano.example.com@EXAMPLE.COM</a>
<br>
ipaAllowedTarget:
<br>
cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
<br>
<br>
This entry says: "HTTP/ebano.example.com is allowed
to delegate users'
<br>
credentials to whatever Kerberos principal is a
member of
<br>
cn=ebano-http-delegation-targets group"
<br>
<br>
Now, this is the group:
<br>
dn:
<br>
cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
<br>
objectClass: groupOfPrincipals
<br>
objectClass: top
<br>
cn: ebano-http-delegation-targets
<br>
memberPrincipal: <a class="moz-txt-link-abbreviated" href="mailto:HTTP/olomo.example.com@EXAMPLE.COM">HTTP/olomo.example.com@EXAMPLE.COM</a>
<br>
<br>
With these two entries we would have
HTTP/ebano.example.com allowed to
<br>
delegate users' credentials to
HTTP/olomo.example.com
<br>
</blockquote>
Hi Alexander, thanks for your patience.
<br>
I followed your suggestions but the result is always
the same.
<br>
<br>
Trying with curl, of course, it works.
<br>
<br>
My doubt now is why curl generates this log on the
Kerberos server
<br>
<br>
mar 20 10:22:20 olmo.example.com krb5kdc[5091](info):
TGS_REQ (1
<br>
etypes {18}) 192.168.0.105: ISSUE: authtime
1395301975, etypes {rep=18
<br>
tkt=18 ses=18}, <a class="moz-txt-link-abbreviated" href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a> for
<a class="moz-txt-link-abbreviated" href="mailto:krbtgt/EXAMPLE.COM@EXAMPLE.COM">krbtgt/EXAMPLE.COM@EXAMPLE.COM</a>
<br>
mar 20 10:22:21 olmo.example.com krb5kdc[5091](info):
TGS_REQ (6
<br>
etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE:
authtime 1395301975,
<br>
etypes {rep=18 tkt=18 ses=18}, <a class="moz-txt-link-abbreviated" href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a> for
<br>
<a class="moz-txt-link-abbreviated" href="mailto:ldap/olmo.example.com@EXAMPLE.COM">ldap/olmo.example.com@EXAMPLE.COM</a>
<br>
</blockquote>
This is the effect of the S4U extension working correctly.
<br>
<br>
<blockquote type="cite">whereas java generates this
other one
<br>
<br>
mar 20 10:24:09 olmo.example.com krb5kdc[5091](info):
AS_REQ (4 etypes
<br>
{18 17 16 23}) 192.168.0.105: NEEDED_PREAUTH:
<br>
<a class="moz-txt-link-abbreviated" href="mailto:HTTP/ebano.example.com@EXAMPLE.COM">HTTP/ebano.example.com@EXAMPLE.COM</a> for
<a class="moz-txt-link-abbreviated" href="mailto:krbtgt/EXAMPLE.COM@EXAMPLE.COM">krbtgt/EXAMPLE.COM@EXAMPLE.COM</a>,
<br>
Additional pre-authentication required
<br>
mar 20 10:24:09 olmo.example.com krb5kdc[5091](info):
AS_REQ (4 etypes
<br>
{18 17 16 23}) 192.168.0.105: ISSUE: authtime
1395307449, etypes
<br>
{rep=18 tkt=18 ses=18},
<a class="moz-txt-link-abbreviated" href="mailto:HTTP/ebano.example.com@EXAMPLE.COM">HTTP/ebano.example.com@EXAMPLE.COM</a> for
<br>
<a class="moz-txt-link-abbreviated" href="mailto:krbtgt/EXAMPLE.COM@EXAMPLE.COM">krbtgt/EXAMPLE.COM@EXAMPLE.COM</a>
<br>
mar 20 10:24:09 olmo.example.com krb5kdc[5091](info):
TGS_REQ (6
<br>
etypes {18 17 16 23 1 3}) 192.168.0.105: ISSUE:
authtime 1395307449,
<br>
etypes {rep=18 tkt=18 ses=18},
<a class="moz-txt-link-abbreviated" href="mailto:HTTP/ebano.example.com@EXAMPLE.COM">HTTP/ebano.example.com@EXAMPLE.COM</a> for
<br>
<a class="moz-txt-link-abbreviated" href="mailto:HTTP/olmo.example.com@EXAMPLE.COM">HTTP/olmo.example.com@EXAMPLE.COM</a>
<br>
<br>
As you can see, the first one uses admin on ldap
service, the second
<br>
one uses HTTP/ebano.example.com on HTTP service.
<br>
</blockquote>
This means your Java application doesn't use the S4U
extension or doesn't
<br>
know about it.
<br>
<br>
<blockquote type="cite">Can I do the same call with
Java?
<br>
</blockquote>
At this point we need to make clear which Java you are
using.
<br>
<br>
<a class="moz-txt-link-freetext" href="http://download.java.net/jdk8/docs/technotes/guides/security/jgss/jgss-features.html">http://download.java.net/jdk8/docs/technotes/guides/security/jgss/jgss-features.html</a>
<br>
<br>
says that S4U extensions (we use S4U2Proxy here) were
added in Java SE 8.
<br>
<br>
</blockquote>
The client doesn't do the S4U2Proxy work though, so this
shouldn't
<br>
matter, right?
<br>
</blockquote>
My point is that the client will not do what he expects
unless S4U2Proxy
<br>
is used in Java and that requires Java 8 platform, released
on March
<br>
18th 2014.
<br>
</blockquote>
I think you can use earlier Java versions but tell them to use
the
<br>
native GSSAPI library (and perhaps sprinkle a little bit of
GSS-Proxy in
<br>
the back for fun).
<br>
</blockquote>
<br>
Here I'm again :)
<br>
<br>
I wrote a GSSClient [1] obtaining:
<br>
###################################################
<br>
java.io.IOException: Server returned HTTP response code: 401 for
URL: <a class="moz-txt-link-freetext" href="https://olmo.example.com/ipa/json">https://olmo.example.com/ipa/json</a>
<br>
###################################################
<br>
<br>
Other info from the Kerberos client:
<br>
###################################################
<br>
Ordering keys wrt default_tkt_enctypes list
<br>
Using builtin default etypes for default_tkt_enctypes
<br>
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
<br>
>>> EType:
sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
<br>
>>> KrbAsRep cons in KrbAsReq.getReply
HTTP/ebano.example.com
<br>
principal is <a class="moz-txt-link-abbreviated" href="mailto:HTTP/ebano.example.com@EXAMPLE.COM">HTTP/ebano.example.com@EXAMPLE.COM</a>
<br>
Will use keytab
<br>
Commit Succeeded
<br>
<br>
Found ticket for <a class="moz-txt-link-abbreviated" href="mailto:HTTP/ebano.example.com@EXAMPLE.COM">HTTP/ebano.example.com@EXAMPLE.COM</a> to go to
<a class="moz-txt-link-abbreviated" href="mailto:krbtgt/EXAMPLE.COM@EXAMPLE.COM">krbtgt/EXAMPLE.COM@EXAMPLE.COM</a> expiring on Sat Mar 22 16:38:37
CET 2014
<br>
Entered Krb5Context.initSecContext with state=STATE_NEW
<br>
Service ticket not found in the subject
<---------------------------------------------------------------
<br>
>>> Credentials acquireServiceCreds: same realm
<br>
Using builtin default etypes for default_tgs_enctypes
<br>
default etypes for default_tgs_enctypes: 18 17 16 23 1 3.
<br>
>>> CksumType:
sun.security.krb5.internal.crypto.RsaMd5CksumType
<br>
>>> EType:
sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
<br>
>>> KrbKdcReq send: kdc=olmo.example.com UDP:88,
timeout=30000, number of retries =3, #bytes=681
<br>
>>> KDCCommunication: kdc=olmo.example.com UDP:88,
timeout=30000,Attempt =1, #bytes=681
<br>
>>> KrbKdcReq send: #bytes read=642
<br>
>>> KdcAccessibility: remove olmo.example.com
<br>
>>> EType:
sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
<br>
>>> KrbApReq: APOptions are 00100000 00000000 00000000
00000000
<br>
>>> EType:
sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
<br>
Krb5Context setting mySeqNumber to: 1042307601
<br>
Created InitSecContextToken:
<br>
0000: 01 00 6E 82 02 4E 30 82 02 4A A0 03 02 01 05 A1
..n..N0..J......
<br>
0010: 03 02 01 0E A2 07 03 05 00 20 00 00 00 A3 82 01
......... ......
<br>
0020: 52 61 82 01 4E 30 82 01 4A A0 03 02 01 05 A1 0C
Ra..N0..J.......
<br>
0030: 1B 0A 54 49 52 41 53 41 2E 4E 45 54 A2 22 30 20
..EXAMPLE.COM."0
<br>
0040: A0 03 02 01 01 A1 19 30 17 1B 04 6C 64 61 70 1B
.......0...ldap.
<br>
0050: 0F 6F 6C 6D 6F 2E 74 69 72 61 73 61 2E 6E 65 74
.olmo.example.com
<br>
0060: A3 82 01 0F 30 82 01 0B A0 03 02 01 12 A1 03 02
....0...........
<br>
0070: 01 02 A2 81 FE 04 81 FB F9 8C FE 4F A0 4E 4B 34
...........O.NK4
<br>
0080: BC 3D A7 E4 05 4E AC 91 58 58 9B 7C 18 72 7E 16
.=...N..XX...r..
<br>
0090: DA 4B 29 1F 52 D7 30 7A 9E FF 18 4C 68 9A 18 DF
.K).R.0z...Lh...
<br>
00A0: 66 03 F7 55 75 40 DC 38 AC 21 5B 7F C0 70 DB DD
f..Uu@.8.![..p..
<br>
00B0: 37 63 7A E2 C4 89 E1 6A B9 29 6D 30 62 1E F1 3E
7cz....j.)m0b..>
<br>
00C0: 18 B0 A7 FB 1C 43 F9 33 D6 61 57 D0 26 DA 9E AB
.....C.3.aW.&...
<br>
00D0: C7 04 3F D0 DC 36 0F 95 B9 AD 5B 1B 64 A8 59 21
..?..6....[.d.Y!
<br>
00E0: E6 32 47 43 49 EA F8 61 38 D6 52 0A 92 A9 78 5F
.2GCI..a8.R...x_
<br>
00F0: F7 BE B6 AE B9 0A 47 51 31 44 0D 67 74 D6 E5 71
......GQ1D.gt..q
<br>
0100: CA 85 46 09 FE F1 4D 90 E5 7C 7A 26 22 7D 39 41
..F...M...z&".9A
<br>
0110: 03 2D AB 5A E5 48 26 E7 D5 4A 20 0B 67 54 91 15
.-.Z.H&..J .gT..
<br>
0120: 37 23 A3 68 4D 67 88 0D 9A 4D 01 FA 8A 30 B0 2F
7#.hMg...M...0./
<br>
0130: 57 6A 64 8E A5 7B 2E DB C1 93 07 0B 02 8A FC B7
Wjd.............
<br>
0140: BB 6B FD BD 83 DA F7 72 E6 D6 F8 4B BA 06 E4 ED
.k.....r...K....
<br>
0150: 20 C2 EA 53 F6 6F F8 BB 0F E4 EF B4 51 15 BB 13
..S.o......Q...
<br>
0160: EB 57 A4 10 F2 C1 36 0B B1 45 6C FA 38 36 9C F9
.W....6..El.86..
<br>
0170: E2 75 BC A4 81 DE 30 81 DB A0 03 02 01 12 A2 81
.u....0.........
<br>
0180: D3 04 81 D0 D6 75 77 89 A0 B7 F9 26 64 04 D4 51
.....uw....&d..Q
<br>
0190: DD 27 10 A3 B7 8F 1B 88 8C 20 4D A2 25 BF 3D 11
.'....... M.%.=.
<br>
01A0: 36 B1 EA 3B C7 BF FE C4 20 42 12 3C 1D 60 CD DB
6..;.... B.<.`..
<br>
01B0: D7 CB 5B 58 25 6D B9 68 6D 32 9F 8C 90 D1 0B 18
..[X%m.hm2......
<br>
01C0: 90 4D B4 90 8B 17 2A F5 C5 B2 17 AD A7 6A 1F 2C
.M....*......j.,
<br>
01D0: FD BF 2E EA 9C 27 CC 73 68 9B E7 D1 59 99 9D 64
.....'.sh...Y..d
<br>
01E0: 08 53 8F 03 88 3B DF 36 5B 24 DC A0 78 F6 DF 6C
.S...;.6[$..x..l
<br>
01F0: 3C CB FC 84 C9 6B 24 1B DD F0 6F E3 1F 01 CC 94
<....k$...o.....
<br>
0200: 2B 40 F7 6C 8D 9A E8 20 05 0A 44 16 64 55 29 B2
+@.l... ..D.dU).
<br>
0210: 48 CC 1E C7 B0 99 AE B0 91 87 B1 EB BC 6B F3 8D
H............k..
<br>
0220: A9 1B 3C A1 65 97 91 8A B1 9A 25 CB 7B D8 11 99
..<.e.....%.....
<br>
0230: 91 E6 F0 2A AB 5D 21 DA C7 A5 CC AD FA 79 76 33
...*.]!......yv3
<br>
0240: B8 7E ED 1C FE C0 3B 2E C5 9E 71 51 42 9C 0B 47
......;...qQB..G
<br>
0250: 5A 4F 05 DE ZO..
<br>
###################################################
<br>
<br>
As you can see in the row indicated by the arrow there's:
<br>
Entered Krb5Context.initSecContext with state=STATE_NEW
<br>
Service ticket not found in the subject
<---------------------------------------------------------------
<br>
Is this right?
<br>
</blockquote>
<br>
Hi guys, sorry for the noise...
<br>
Maybe this information can help us to understand the root cause
of our problem.
<br>
<br>
httpd access_log
<br>
192.168.0.176 - <a class="moz-txt-link-abbreviated" href="mailto:HTTP/ebano.tirasa.net@TIRASA.NET">HTTP/ebano.tirasa.net@TIRASA.NET</a>
[24/Mar/2014:12:21:57 +0100] "POST /ipa/json HTTP/1.1" 500 272
<br>
httpd error_log
<br>
[Mon Mar 24 12:21:57.971182 2014] [:error] [pid 24462] ipa: ERROR:
500 Internal Server Error: jsonserver_kerb.__call__: KRB5CCNAME
not defined in HTTP request environment
<br>
</blockquote>
<br>
Other question/information...<br>
I don't know if I'm saying something wrong but...<br>
Reading [1] at line 980 I noticed that the kinit method sets the KRB5CCNAME
variable<br>
<br>
<pre>
def kinit(self, user, realm, password, ccache_name):
 981         # Format the user as a kerberos principal
 982         principal = krb5_format_principal_name(user, realm)
 983 
 984         (stdout, stderr, returncode) = ipautil.run(['/usr/bin/kinit', principal],
 985                                                    env={'KRB5CCNAME':ccache_name},
 986                                                    stdin=password, raiseonerr=False)
 987         self.debug('kinit: principal=%s returncode=%s, stderr="%s"',
 988                    principal, returncode, stderr)
 989 
 990         if returncode != 0:
 991             raise InvalidSessionPassword(principal=principal, message=unicode(stderr))
</pre>
<br>
Is it possible that the LoginContext method of the Java Kerberos libraries
doesn't do the same thing?<br>
<br>
[1]
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/developer-docs/ipaserver.rpcserver-pysrc.html">http://www.freeipa.org/developer-docs/ipaserver.rpcserver-pysrc.html</a><br>
<blockquote cite="mid:53301894.6050403@tirasa.net" type="cite">
<br>
<br>
<blockquote type="cite">
<br>
PS: next step is JAVA_8 installation to follow Alexander
suggestions.
<br>
<br>
[1]
<a class="moz-txt-link-freetext" href="https://github.com/massx1/KerberosExample/blob/master/src/main/java/net/tirasa/kerberosexample/GSSClient.java">https://github.com/massx1/KerberosExample/blob/master/src/main/java/net/tirasa/kerberosexample/GSSClient.java</a><br>
<blockquote type="cite">
<br>
<blockquote type="cite">That is, if there is a user talking to
the Java client and
<br>
then the Java client turning to the IPA LDAP or web server with
constrained
<br>
delegation.
<br>
<br>
This is something I tried to get clarification for in the
original
<br>
discussion.
<br>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Massimiliano Perrone
Tel +39 393 9121310
Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
<a class="moz-txt-link-freetext" href="http://www.tirasa.net">http://www.tirasa.net</a>
Apache Syncope PMC Member
<a class="moz-txt-link-freetext" href="http://people.apache.org/~massi/">http://people.apache.org/~massi/</a>
"Learning many things does not teach intelligence"
(Eraclito)</pre>
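<p>The thread above does two checks by hand: reading the ipaKrb5DelegationACL and groupOfPrincipals entries under cn=s4u2proxy,cn=etc to see who may delegate to whom, and reading krb5kdc TGS_REQ lines to see whether the ticket for the target service was issued in the user's name (what S4U2Proxy produces, as in the curl case) or in the calling service's own name (the Java case, which shows S4U2Proxy is not being used). The following Python script is an added example that automates both; it is not code from this thread, from FreeIPA or from the GSSClient project linked above. The LDIF and KDC log lines are constructed from the example hostnames used in the thread, and <tt>parse_ldif</tt>, <tt>allowed_delegations</tt>, <tt>classify_tgs</tt> and <tt>triage</tt> are hypothetical helper names.</p>

```python
"""Added triage helper for FreeIPA S4U2Proxy (constrained delegation).

  1. read the delegation ACL entries under cn=s4u2proxy,cn=etc and answer
     "which proxy service may delegate users' credentials to which target?";
  2. read krb5kdc TGS_REQ lines and report whether a service ticket was issued
     in a user's name (what S4U2Proxy produces) or in the calling service's own
     name (plain service-to-service authentication, i.e. no delegation).
All sample data below is constructed for this example.
"""
import re
from collections import defaultdict

# Constructed LDIF mirroring the two entries described in the thread.
SAMPLE_LDIF = """\
dn: cn=ebano-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: ebano-http-delegation
memberPrincipal: HTTP/ebano.example.com@EXAMPLE.COM
ipaAllowedTarget: cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com

dn: cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: groupOfPrincipals
objectClass: top
cn: ebano-http-delegation-targets
memberPrincipal: HTTP/olmo.example.com@EXAMPLE.COM
"""

# Constructed krb5kdc lines in the format quoted in the thread, one per line.
SAMPLE_KDC_LOG = """\
mar 20 10:22:20 olmo.example.com krb5kdc[5091](info): TGS_REQ (1 etypes {18}) 192.168.0.105: ISSUE: authtime 1395301975, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
mar 20 10:22:21 olmo.example.com krb5kdc[5091](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 1395301975, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for ldap/olmo.example.com@EXAMPLE.COM
mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.0.105: ISSUE: authtime 1395307449, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example.com@EXAMPLE.COM for HTTP/olmo.example.com@EXAMPLE.COM
"""

TGS_LINE = re.compile(
    r"TGS_REQ .*?(?P<src>\d+\.\d+\.\d+\.\d+): ISSUE: .*?, (?P<client>\S+) for (?P<server>\S+)$"
)


def parse_ldif(text):
    """Return {dn: {attr(lowercase): [values]}} for a simple, unfolded LDIF."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(": ")
        attr = attr.lower()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries


def allowed_delegations(entries):
    """Map proxy principal -> set of target principals it may delegate to.

    An ACL entry's memberPrincipal values are the proxies; each ipaAllowedTarget
    DN names a groupOfPrincipals whose memberPrincipal values are the targets."""
    allowed = defaultdict(set)
    for attrs in entries.values():
        if "ipakrb5delegationacl" not in {v.lower() for v in attrs["objectclass"]}:
            continue
        for target_dn in attrs["ipaallowedtarget"]:
            targets = entries.get(target_dn, {}).get("memberprincipal", [])
            for proxy in attrs["memberprincipal"]:
                allowed[proxy].update(targets)
    return allowed


def classify_tgs(line, allowed):
    """Classify one krb5kdc TGS_REQ ISSUE line; None for non-matching lines
    and for TGT (krbtgt/...) requests, which carry no delegation signal."""
    m = TGS_LINE.search(line)
    if not m:
        return None
    client, server = m.group("client"), m.group("server")
    if server.startswith("krbtgt/"):
        return None
    client_is_service = "/" in client.split("@")[0]
    if client_is_service:
        verdict = "service-to-service: no S4U2Proxy in use"
        hint = ("ACL permits this proxy -> target, so the KDC side is configured; "
                "the client is not requesting S4U2Proxy"
                if server in allowed.get(client, set())
                else "no delegation ACL for this proxy -> target either")
    else:
        verdict = "user identity presented: consistent with S4U2Proxy"
        hint = "confirm the request came from the proxy service's host, not the user's"
    return {"src": m.group("src"), "client": client, "server": server,
            "delegation": not client_is_service, "verdict": verdict, "hint": hint}


def triage(log_text, ldif_text):
    """Run the ACL and log checks together; returns one dict per service ticket."""
    allowed = allowed_delegations(parse_ldif(ldif_text))
    results = []
    for line in log_text.splitlines():
        verdict = classify_tgs(line, allowed)
        if verdict:
            results.append(verdict)
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_KDC_LOG, SAMPLE_LDIF):
        print(f"{r['src']}: {r['client']} -> {r['server']}: {r['verdict']} ({r['hint']})")
```

<p>Run against the constructed input, the ldap/olmo ticket is reported as carrying the user's identity and the HTTP/olmo ticket as a plain service-to-service request that the ACL would have permitted, which is the diagnosis given in the thread. The ACL check is also where a mistyped target principal in the targets group shows up: the proxy then has no permitted target matching the service it actually calls, so the KDC will refuse S4U2Proxy to it even though the rest of the setup looks right.</p>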
</body>
</html>