[Freeipa-users] IPA + Java 8 + S4U2Self/Proxy
Marc Boorshtein
marc.boorshtein at tremolosecurity.com
Tue Dec 1 16:34:36 UTC 2015
Simo & Team,
After talking to the OpenJDK security list it turned out there is a
bug in JDK8. The issue is fixed in JDK9 and after testing I'm running
into a new issue. Same scenario described earlier in this email
chain, but now it looks like the TGS-REP is not being marked as
forwardable which is required for an s4u2self ticket is used in
s4u2proxy (https://msdn.microsoft.com/en-us/library/cc246079.aspx) :
"The S4U2proxy extension requires that the service ticket to the first
service has the forwardable flag set (see Service 1 in the figure
specifying Kerberos delegation with forwarded TGT, section 1.3.3).
This ticket can be obtained through an S4U2self protocol exchange.".
The TGS-REQ is asking for a forwardable ticket, but it doesn't look
like the response is setting it as forwardable. Here's the exception:
GSSException: Failure unspecified at GSS-API level (Mechanism level:
Attempt to obtain S4U2self credentials failed!)
at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
at sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:92)
at sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:153)
at test24u2.KerberosDemo$1.run(KerberosDemo.java:128)
at test24u2.KerberosDemo$1.run(KerberosDemo.java:1)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at test24u2.KerberosDemo.impersonate(KerberosDemo.java:121)
at test24u2.KerberosDemo.generateToken(KerberosDemo.java:179)
at test24u2.KerberosDemo.main(KerberosDemo.java:215)
Caused by: KrbException: S4U2self ticket must be FORWARDABLE
at sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:75)
at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
... 9 more
Here's the entire debug output:
>>> KeyTabInputStream, readName(): RHELENT.LAN
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): s4u.rhelent.lan
>>> KeyTab: load() entry length: 83; type: 18
>>> KeyTabInputStream, readName(): RHELENT.LAN
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): s4u.rhelent.lan
>>> KeyTab: load() entry length: 67; type: 17
>>> KeyTabInputStream, readName(): RHELENT.LAN
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): s4u.rhelent.lan
>>> KeyTab: load() entry length: 75; type: 16
>>> KeyTabInputStream, readName(): RHELENT.LAN
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): s4u.rhelent.lan
>>> KeyTab: load() entry length: 67; type: 23
Looking for keys for: HTTP/s4u.rhelent.lan at RHELENT.LAN
Java config name: null
Native config name: /etc/krb5.conf
Loading krb5 profile at /etc/krb5.conf
Loaded from native config
Added key: 23version: 1
Added key: 16version: 1
Added key: 17version: 1
Found unsupported keytype (18) for HTTP/s4u.rhelent.lan at RHELENT.LAN
>>> KdcAccessibility: reset
Looking for keys for: HTTP/s4u.rhelent.lan at RHELENT.LAN
Added key: 23version: 1
Added key: 16version: 1
Added key: 17version: 1
Found unsupported keytype (18) for HTTP/s4u.rhelent.lan at RHELENT.LAN
default etypes for default_tkt_enctypes: 17 23 16.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=freeipa.rhelent.lan UDP:88, timeout=30000, number of retries =3, #bytes=175
>>> KDCCommunication: kdc=freeipa.rhelent.lan UDP:88, timeout=30000,Attempt =1, #bytes=175
>>> KrbKdcReq send: #bytes read=327
>>>Pre-Authentication Data:
PA-DATA type = 136
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 17, salt = 4k at PqWo9iUZZ$[r", s2kparams = null
PA-ETYPE-INFO2 etype = 16, salt = KaQ|KB<CQ#Vq,Ls&, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = Wl=W>9)&A{.`Y;1k, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 133
>>> KdcAccessibility: remove freeipa.rhelent.lan
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
cTime is Sat Jan 20 19:00:57 EST 1996 822182457000
sTime is Mon Nov 30 21:35:51 EST 2015 1448937351000
suSec is 558140
error code is 25
error Message is Additional pre-authentication required
cname is HTTP/s4u.rhelent.lan at RHELENT.LAN
sname is krbtgt/RHELENT.LAN at RHELENT.LAN
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 136
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 17, salt = 4k at PqWo9iUZZ$[r", s2kparams = null
PA-ETYPE-INFO2 etype = 16, salt = KaQ|KB<CQ#Vq,Ls&, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = Wl=W>9)&A{.`Y;1k, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 133
KRBError received: NEEDED_PREAUTH
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 17 23 16.
Looking for keys for: HTTP/s4u.rhelent.lan at RHELENT.LAN
Added key: 23version: 1
Added key: 16version: 1
Added key: 17version: 1
Found unsupported keytype (18) for HTTP/s4u.rhelent.lan at RHELENT.LAN
Looking for keys for: HTTP/s4u.rhelent.lan at RHELENT.LAN
Added key: 23version: 1
Added key: 16version: 1
Added key: 17version: 1
Found unsupported keytype (18) for HTTP/s4u.rhelent.lan at RHELENT.LAN
default etypes for default_tkt_enctypes: 17 23 16.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=freeipa.rhelent.lan UDP:88, timeout=30000, number of retries =3, #bytes=264
>>> KDCCommunication: kdc=freeipa.rhelent.lan UDP:88, timeout=30000,Attempt =1, #bytes=264
>>> KrbKdcReq send: #bytes read=691
>>> KdcAccessibility: remove freeipa.rhelent.lan
Looking for keys for: HTTP/s4u.rhelent.lan at RHELENT.LAN
Added key: 23version: 1
Added key: 16version: 1
Added key: 17version: 1
Found unsupported keytype (18) for HTTP/s4u.rhelent.lan at RHELENT.LAN
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/s4u.rhelent.lan
Service subject: Subject:
Principal: HTTP/s4u.rhelent.lan at RHELENT.LAN
Private Credential: Ticket (hex) =
0000: 61 82 01 51 30 82 01 4D A0 03 02 01 05 A1 0D 1B a..Q0..M........
0010: 0B 52 48 45 4C 45 4E 54 2E 4C 41 4E A2 20 30 1E .RHELENT.LAN. 0.
0020: A0 03 02 01 02 A1 17 30 15 1B 06 6B 72 62 74 67 .......0...krbtg
0030: 74 1B 0B 52 48 45 4C 45 4E 54 2E 4C 41 4E A3 82 t..RHELENT.LAN..
0040: 01 13 30 82 01 0F A0 03 02 01 12 A1 03 02 01 01 ..0.............
0050: A2 82 01 01 04 81 FE 04 0B 24 5B A6 36 2A 4B C7 .........$[.6*K.
0060: 0D 58 1A EB 79 20 62 BE 16 44 28 93 5D 87 5B FD .X..y b..D(.].[.
0070: DE 20 7D CF 79 4C 0E CC 77 90 40 06 10 11 9F 70 . ..yL..w. at ....p
0080: 9E B4 7E B5 CA 14 27 23 DD CD D6 6E 31 1F FC CA ......'#...n1...
0090: 65 CB 98 47 2B F0 C8 3B 96 C3 D6 AF EB DB 91 2F e..G+..;......./
00A0: 1D 88 66 53 4F 03 7B 47 3C 32 E8 F2 CE 3E B1 E7 ..fSO..G<2...>..
00B0: 78 80 B3 37 6F 5E 18 76 68 F4 AE C6 C7 C2 B8 99 x..7o^.vh.......
00C0: 61 A3 42 A1 5D 32 69 BB 0D 42 C5 98 46 B8 8A C6 a.B.]2i..B..F...
00D0: 4A 68 88 E3 79 D0 E2 F7 DD 62 0F DD E6 6A 97 7B Jh..y....b...j..
00E0: 4B A1 A0 1C 45 17 97 E4 CC 71 D2 86 61 52 40 34 K...E....q..aR at 4
00F0: DE EF 45 5E 21 94 AB 5C 76 91 CE 68 DB A1 94 5F ..E^!..\v..h..._
0100: 14 CC 54 BB 35 85 EB 56 F0 FC 83 B5 CB 41 48 A1 ..T.5..V.....AH.
0110: AE C8 2F 22 C6 48 B9 14 CD 5F 9B B5 14 2B CC D5 ../".H..._...+..
0120: B7 DC C3 74 4C 98 19 10 72 83 5D F6 BC A0 A1 9F ...tL...r.].....
0130: 19 1F 63 07 AF C1 35 EE 1A 82 FE A5 88 CE 7A DF ..c...5.......z.
0140: 0F 43 E4 55 EC CC 0C 34 47 B4 B8 E1 C2 90 AC 63 .C.U...4G......c
0150: 19 01 A1 87 A5 .....
Client Principal = HTTP/s4u.rhelent.lan at RHELENT.LAN
Server Principal = krbtgt/RHELENT.LAN at RHELENT.LAN
Session Key = EncryptionKey: keyType=17 keyBytes (hex dump)=
0000: D9 D2 7F 9D 3F 5F 32 1A 41 10 4D 9F 0C 7D C5 D8 ....?_2.A.M.....
Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket true
Initial Ticket true
Auth Time = Mon Nov 30 21:35:51 EST 2015
Start Time = Mon Nov 30 21:35:51 EST 2015
End Time = Tue Dec 01 21:35:51 EST 2015
Renew Till = Mon Dec 07 21:35:51 EST 2015
Client Addresses Null
Private Credential: /Users/mlb/Documents/localdev.keytab for
HTTP/s4u.rhelent.lan at RHELENT.LAN
Search Subject for Kerberos V5 INIT cred (<<DEF>>,
sun.security.jgss.krb5.Krb5InitCredential)
Found ticket for HTTP/s4u.rhelent.lan at RHELENT.LAN to go to
krbtgt/RHELENT.LAN at RHELENT.LAN expiring on Tue Dec 01 21:35:51 EST
2015
Search Subject for SPNEGO INIT cred (<<DEF>>,
sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 INIT cred (<<DEF>>,
sun.security.jgss.krb5.Krb5InitCredential)
Found ticket for HTTP/s4u.rhelent.lan at RHELENT.LAN to go to
krbtgt/RHELENT.LAN at RHELENT.LAN expiring on Tue Dec 01 21:35:51 EST
2015
>>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
default etypes for default_tgs_enctypes: 17 23 16.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbKdcReq send: kdc=freeipa.rhelent.lan UDP:88, timeout=30000, number of retries =3, #bytes=772
>>> KDCCommunication: kdc=freeipa.rhelent.lan UDP:88, timeout=30000,Attempt =1, #bytes=772
>>> KrbKdcReq send: #bytes read=582
>>> KdcAccessibility: remove freeipa.rhelent.lan
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
GSSException: Failure unspecified at GSS-API level (Mechanism level:
Attempt to obtain S4U2self credentials failed!)
at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
at sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:92)
at sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:153)
at test24u2.KerberosDemo$1.run(KerberosDemo.java:128)
at test24u2.KerberosDemo$1.run(KerberosDemo.java:1)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at test24u2.KerberosDemo.impersonate(KerberosDemo.java:121)
at test24u2.KerberosDemo.generateToken(KerberosDemo.java:179)
at test24u2.KerberosDemo.main(KerberosDemo.java:215)
Caused by: KrbException: S4U2self ticket must be FORWARDABLE
at sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:75)
at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
... 9 more
Here's the wireshark capture of the entire transaction:
https://s3.amazonaws.com/ts-public-downloads/captures/java9-s4u2self.pcapng
Is there something I need to configure in ipa? I've shown the steps I
took to make s4u.rhelent.lan setup for delegation in the beginning of
this chain.
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein at tremolosecurity.com
(703) 828-4902
On Tue, Oct 27, 2015 at 8:27 PM, Marc Boorshtein
<marc.boorshtein at tremolosecurity.com> wrote:
> Thanks Simo. It wouldn't surprise me that java's implementation is
> wrong. The comments in the source even ask if its necessary to check.
>
> Thanks
> Marc
> Marc Boorshtein
> CTO Tremolo Security
> marc.boorshtein at tremolosecurity.com
> (703) 828-4902
>
>
> On Tue, Oct 27, 2015 at 4:12 PM, Simo Sorce <simo at redhat.com> wrote:
>> On 27/10/15 15:43, Marc Boorshtein wrote:
>>>>>
>>>>>
>>>>> Looking at KrbKdcRep.java:73 it looks like the failure is happening
>>>>> because java is setting the forwardable flag to true on the request
>>>>> but the response has no options in it. Should the forwardable option
>>>>> be false in the request?
>>>>
>>>>
>>>>
>>>> That's a fair guess.
>>>> the whole point of constrained delegation (including protocol
>>>> impersonation)
>>>> is that you do not want to forward tickets, so you shouldn't ask for
>>>> forwardable tickets methinks.
>>>>
>>>> Simo.
>>>>
>>>
>>> Thanks Simio. I tried running kinit with forwarding disabled:
>>>
>>> $ kinit HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN -k -t
>>> ./unison-freeipa.keytab -F
>>>
>>> $ klist -f
>>>
>>> Ticket cache: FILE:/tmp/krb5cc_500
>>>
>>> Default principal: HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
>>>
>>>
>>> Valid starting Expires Service principal
>>>
>>> 10/27/15 15:32:52 10/28/15 15:32:52 krbtgt/RHELENT.LAN at RHELENT.LAN
>>>
>>> Flags: IA
>>>
>>> But when I try again Java refuses to generate the ticket:
>>>
>>> tremoloadmin at unison-freeipa ~]$ klist -f
>>> Ticket cache: FILE:/tmp/krb5cc_500
>>> Default principal: HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
>>>
>>> Valid starting Expires Service principal
>>> 10/27/15 15:32:52 10/28/15 15:32:52 krbtgt/RHELENT.LAN at RHELENT.LAN
>>> Flags: IA
>>>
>>> Hello World!
>>> Search Subject for Kerberos V5 INIT cred (<<DEF>>,
>>> sun.security.jgss.krb5.Krb5InitCredential)
>>> No Subject
>>>>>>
>>>>>> KinitOptions cache name is /tmp/krb5cc_500
>>>>>> DEBUG <CCacheInputStream> client principal is
>>>>>> HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
>>>>>> DEBUG <CCacheInputStream> server principal is
>>>>>> krbtgt/RHELENT.LAN at RHELENT.LAN
>>>>>> DEBUG <CCacheInputStream> key type: 18
>>>>>> DEBUG <CCacheInputStream> auth time: Tue Oct 27 15:32:52 EDT 2015
>>>>>> DEBUG <CCacheInputStream> start time: Tue Oct 27 15:32:52 EDT 2015
>>>>>> DEBUG <CCacheInputStream> end time: Wed Oct 28 15:32:52 EDT 2015
>>>>>> DEBUG <CCacheInputStream> renew_till time: null
>>>>>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
>>>>>> DEBUG <CCacheInputStream> client principal is
>>>>>> HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
>>>
>>> Java config name: /home/tremoloadmin/krb5.conf
>>> Loaded from Java config
>>>>>>
>>>>>> DEBUG <CCacheInputStream> server principal is
>>>>>> X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/RHELENT.LAN at RHELENT.LAN@RHELENT.LAN
>>>>>> DEBUG <CCacheInputStream> key type: 0
>>>>>> DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969
>>>>>> DEBUG <CCacheInputStream> start time: null
>>>>>> DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969
>>>>>> DEBUG <CCacheInputStream> renew_till time: null
>>>>>> CCacheInputStream: readFlags()
>>>
>>> Found ticket for HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN to go to
>>> krbtgt/RHELENT.LAN at RHELENT.LAN expiring on Wed Oct 28 15:32:52 EDT
>>> 2015
>>> Search Subject for SPNEGO INIT cred (<<DEF>>,
>>> sun.security.jgss.spnego.SpNegoCredElement)
>>> No Subject
>>> Search Subject for Kerberos V5 INIT cred (<<DEF>>,
>>> sun.security.jgss.krb5.Krb5InitCredential)
>>> No Subject
>>>>>>
>>>>>> KinitOptions cache name is /tmp/krb5cc_500
>>>>>> DEBUG <CCacheInputStream> client principal is
>>>>>> HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
>>>>>> DEBUG <CCacheInputStream> server principal is
>>>>>> krbtgt/RHELENT.LAN at RHELENT.LAN
>>>>>> DEBUG <CCacheInputStream> key type: 18
>>>>>> DEBUG <CCacheInputStream> auth time: Tue Oct 27 15:32:52 EDT 2015
>>>>>> DEBUG <CCacheInputStream> start time: Tue Oct 27 15:32:52 EDT 2015
>>>>>> DEBUG <CCacheInputStream> end time: Wed Oct 28 15:32:52 EDT 2015
>>>>>> DEBUG <CCacheInputStream> renew_till time: null
>>>>>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
>>>>>> DEBUG <CCacheInputStream> client principal is
>>>>>> HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
>>>>>> DEBUG <CCacheInputStream> server principal is
>>>>>> X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/RHELENT.LAN at RHELENT.LAN@RHELENT.LAN
>>>>>> DEBUG <CCacheInputStream> key type: 0
>>>>>> DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969
>>>>>> DEBUG <CCacheInputStream> start time: null
>>>>>> DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969
>>>>>> DEBUG <CCacheInputStream> renew_till time: null
>>>>>> CCacheInputStream: readFlags()
>>>
>>> Found ticket for HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN to go to
>>> krbtgt/RHELENT.LAN at RHELENT.LAN expiring on Wed Oct 28 15:32:52 EDT
>>> 2015
>>>>>>
>>>>>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
>>>
>>> Exception in thread "main" GSSException: Failure unspecified at
>>> GSS-API level (Mechanism level: Attempt to obtain S4U2self credentials
>>> failed!)
>>> at
>>> sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
>>> at
>>> sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:94)
>>> at
>>> sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:141)
>>> at io.tremolo.App.main(App.java:27)
>>> Caused by: KrbException: Invalid option setting in ticket request. (101)
>>> at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:165)
>>> at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:100)
>>> at
>>> sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:66)
>>> at
>>> sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
>>> at
>>> sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
>>> ... 3 more
>>>
>>> Looking at KrbTgsReq line 165:
>>>
>>> if (options.get(KDCOptions.FORWARDABLE) &&
>>> (!(asCreds.flags.get(Krb5.TKT_OPTS_FORWARDABLE)))) {
>>> throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
>>> }
>>>
>>> If I read this correctly it has to be forwardable? If thats the case
>>> is Java wrong for requiring the options to be there or is ipa wrong
>>> for not sending the options with the response ticket?
>>
>>
>> I think the best answer would be to look at what the MIT test program does
>> and make sure Java does the same.
>> This stuff works with the native libraries and is interoperable with Windows
>> AD KDCs where the specification was born.
>>
>> Simo.
>>
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-users
mailing list