[Freeipa-users] IPA + Java 8 + S4U2Self/Proxy
Marc Boorshtein
marc.boorshtein at tremolosecurity.com
Tue Dec 1 16:55:54 UTC 2015
>
> How do you acquire the user ticket ?
>
Using a keytab. Here's a link to the example code I'm using:
https://github.com/ymartin59/java-kerberos-sfudemo
I have Java set to use IPA as the DNS server and I'm passing in
mmosley as the user to impersonate and HTTP/freeipa.rhelent.lan as
the service that will consume the impersonated user's ticket.
> Do you have the kdc log (/var/log/krb5kdc.log) that shows what the
> server has been requested and what it released ?
>
Sure:
Dec 01 11:55:17 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
etypes {17 23 16}) 10.8.0.2: NEEDED_PREAUTH:
HTTP/s4u.rhelent.lan at RHELENT.LAN for krbtgt/RHELENT.LAN at RHELENT.LAN,
Additional pre-authentication required
Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
{rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan at RHELENT.LAN for
krbtgt/RHELENT.LAN at RHELENT.LAN
Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3
etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
{rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan at RHELENT.LAN for
HTTP/s4u.rhelent.lan at RHELENT.LAN
Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): ...
PROTOCOL-TRANSITION s4u-client=mmosley at RHELENT.LAN
Thanks
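
Added example, not part of the original message or of the linked demo code: a small parser that pairs the "... PROTOCOL-TRANSITION s4u-client=" marker in krb5kdc.log with the TGS_REQ record before it, so a defender can see which service principal requested a ticket on behalf of which user. It goes beyond the lines quoted above by also recognising the CONSTRAINED-DELEGATION marker that MIT krb5 writes for S4U2Proxy. The function names and the allowed_services parameter are assumptions made for this illustration.

```python
import re

# The KDC records from the message above, unwrapped to one record per line.
# The list archive renders "@" as " at "; the parser accepts both spellings.
SAMPLE_LOG = """\
Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan at RHELENT.LAN for krbtgt/RHELENT.LAN at RHELENT.LAN
Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3 etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan at RHELENT.LAN for HTTP/s4u.rhelent.lan at RHELENT.LAN
Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): ... PROTOCOL-TRANSITION s4u-client=mmosley at RHELENT.LAN
"""

ISSUED = re.compile(r"krb5kdc\[\d+\]\(\w+\): TGS_REQ \(.*?\) (?P<addr>\S+): ISSUE: "
                    r".*\}, (?P<client>.+?) for (?P<server>.+)$")
# PROTOCOL-TRANSITION marks S4U2Self; CONSTRAINED-DELEGATION marks S4U2Proxy.
S4U = re.compile(r"krb5kdc\[\d+\]\(\w+\): \.\.\. "
                 r"(?P<kind>PROTOCOL-TRANSITION|CONSTRAINED-DELEGATION) s4u-client=(?P<user>.+)$")

def norm(principal):
    """Undo the archive's address munging and trim whitespace."""
    return principal.strip().replace(" at ", "@")

def s4u_events(log_text, allowed_services=frozenset()):
    """Pair each S4U marker with the TGS_REQ record directly before it.

    allowed_services (hypothetical parameter): principals expected to use S4U.
    """
    events, last_tgs = [], None
    for line in log_text.splitlines():
        m = ISSUED.search(line)
        if m:
            last_tgs = m
            continue
        s = S4U.search(line)
        if s and last_tgs:
            service = norm(last_tgs["client"])
            events.append({
                "kind": "S4U2Self" if s["kind"] == "PROTOCOL-TRANSITION" else "S4U2Proxy",
                "service": service,                  # principal that made the request
                "target": norm(last_tgs["server"]),  # principal the ticket is for
                "impersonated": norm(s["user"]),
                "addr": last_tgs["addr"],
                "expected": service in allowed_services,
            })
        last_tgs = None  # a marker only annotates the record directly before it
    return events

if __name__ == "__main__":
    for event in s4u_events(SAMPLE_LOG):
        print(event)
```

Events with "expected" set to False are the ones to review: a service principal performing protocol transition that is not on the list of services configured for delegation.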