[Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

Marc Boorshtein marc.boorshtein@tremolosecurity.com
Tue Dec 1 17:55:10 UTC 2015


I can now get a ticket!  This is how I originally created the user:

$ kinit admin
$ ipa service-add HTTP/s4u.rhelent.lan@rhelent.lan --ok-as-delegate=true

Here's the object in the directory:

dn: krbprincipalname=HTTP/s4u.rhelent.lan@RHELENT.LAN,cn=services,cn=accounts,
 dc=rhelent,dc=lan
ipaKrbPrincipalAlias: HTTP/s4u.rhelent.lan@RHELENT.LAN
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
krbTicketFlags: 1048704
managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
krbPrincipalName: HTTP/s4u.rhelent.lan@RHELENT.LAN
ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
krbLastPwdChange: 20151112021359Z
krbExtraData:: AALn9UNWSFRUUC9zNHUucmhlbGVudC5sYW5AUkhFTEVOVC5MQU4A
krbLastSuccessfulAuth: 20151201165518Z

Just now, I ran:
[root@freeipa ~]# kadmin.local
Authenticating as principal admin/admin@RHELENT.LAN with password.
kadmin.local:  modprinc +ok_to_auth_as_delegate HTTP/s4u.rhelent.lan
Principal "HTTP/s4u.rhelent.lan@RHELENT.LAN" modified.

and now the directory object is
dn: krbprincipalname=HTTP/s4u.rhelent.lan@RHELENT.LAN,cn=services,cn=accounts,
 dc=rhelent,dc=lan
ipaKrbPrincipalAlias: HTTP/s4u.rhelent.lan@RHELENT.LAN
objectClass: ipaobject
objectClass: ipaservice
objectClass: krbticketpolicyaux
objectClass: ipakrbprincipal
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: pkiuser
objectClass: top
krbTicketFlags: 3145856
managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
krbPrincipalName: HTTP/s4u.rhelent.lan@RHELENT.LAN
ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
krbLastPwdChange: 20151112021359Z
krbExtraData:: AAIx3l1WYWRtaW4vYWRtaW5AUkhFTEVOVC5MQU4A
krbLastSuccessfulAuth: 20151201175200Z

Ticket flags clearly changed.  Now to see if this works with ipa-web.

Thanks

Marc Boorshtein
CTO Tremolo Security
marc.boorshtein@tremolosecurity.com
(703) 828-4902


On Tue, Dec 1, 2015 at 12:42 PM, Simo Sorce <simo@redhat.com> wrote:
> On Tue, 2015-12-01 at 11:55 -0500, Marc Boorshtein wrote:
>> >
>> > How do you acquire the user ticket ?
>> >
>>
>> Using a keytab.  Here's a link to the example code I'm using:
>> https://github.com/ymartin59/java-kerberos-sfudemo  I have Java set to
>> use IPA as the DNS server and I'm passing in mmosley as the user to
>> impersonate and HTTP/freeipa.rhelent.lan as the service that will
>> consume the impersonated user's ticket.
>>
>> > Do you have the kdc log (/var/log/krb5kdc.log) that shows what the
>> > server has been requested and what it released ?
>> >
>>
>> Sure:
>>
>> Dec 01 11:55:17 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
>> etypes {17 23 16}) 10.8.0.2: NEEDED_PREAUTH:
>> HTTP/s4u.rhelent.lan@RHELENT.LAN for krbtgt/RHELENT.LAN@RHELENT.LAN,
>> Additional pre-authentication required
>> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
>> etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
>> {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN for
>> krbtgt/RHELENT.LAN@RHELENT.LAN
>> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3
>> etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
>> {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN for
>> HTTP/s4u.rhelent.lan@RHELENT.LAN
>> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): ...
>> PROTOCOL-TRANSITION s4u-client=mmosley@RHELENT.LAN
>>
>> Thanks
>
> I think for s4u2self you may have missed a conf step (we primarily use
> s4u2proxy in the product *without* any s4u2self step).
>
> Can you check that you followed the procedure described here:
> https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-kdb/README.s4u2proxy.txt#n90
>
> I think the key part is setting the +ok_to_auth_as_delegate flag which
> we do not provide an official higher level interface for yet.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
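The two directory dumps above differ only in krbTicketFlags (1048704 before the kadmin.local step, 3145856 after). The script below is an added example, not code from the thread or from FreeIPA: it decodes that attribute into the KRB5_KDB_* bit names from MIT krb5's kdb.h, reads a minimal LDIF entry (folded continuation lines included), and reports whether the OK_TO_AUTH_AS_DELEGATE bit that `modprinc +ok_to_auth_as_delegate` sets is present. The embedded BEFORE/AFTER entries are trimmed copies of the dumps posted above; everything else (function names, the report format) is the example's own.

```python
#!/usr/bin/env python3
"""Decode krbTicketFlags on an IPA service entry and check for the S4U2Self bit.

Added example, not code from the thread. Bit values are the KRB5_KDB_* constants
from MIT krb5's include/kdb.h; the two LDIF fragments are trimmed copies of the
directory dumps posted in the thread.
"""

# KRB5_KDB_* principal attribute bits (MIT krb5 include/kdb.h).
KRB5_KDB_FLAGS = {
    0x00000001: "DISALLOW_POSTDATED",
    0x00000002: "DISALLOW_FORWARDABLE",
    0x00000004: "DISALLOW_TGT_BASED",
    0x00000008: "DISALLOW_RENEWABLE",
    0x00000010: "DISALLOW_PROXIABLE",
    0x00000020: "DISALLOW_DUP_SKEY",
    0x00000040: "DISALLOW_ALL_TIX",
    0x00000080: "REQUIRES_PRE_AUTH",
    0x00000100: "REQUIRES_HW_AUTH",
    0x00000200: "REQUIRES_PWCHANGE",
    0x00001000: "DISALLOW_SVR",
    0x00002000: "PWCHANGE_SERVICE",
    0x00004000: "SUPPORT_DESMD5",
    0x00008000: "NEW_PRINC",
    0x00100000: "OK_AS_DELEGATE",          # what ipa service-add --ok-as-delegate=true sets
    0x00200000: "OK_TO_AUTH_AS_DELEGATE",  # what kadmin modprinc +ok_to_auth_as_delegate sets
    0x00400000: "NO_AUTH_DATA_REQUIRED",
}
OK_AS_DELEGATE = 0x00100000
OK_TO_AUTH_AS_DELEGATE = 0x00200000
KNOWN_MASK = 0
for _bit in KRB5_KDB_FLAGS:
    KNOWN_MASK |= _bit


def decode_ticket_flags(value):
    """Return the flag names set in a krbTicketFlags integer, lowest bit first."""
    names = [name for bit, name in sorted(KRB5_KDB_FLAGS.items()) if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names


def parse_ldif_entry(text):
    """Minimal LDIF reader: joins folded continuation lines (leading space) and
    returns {attribute: [values]}. Base64 values ('::') are kept undecoded."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        elif line.strip():
            unfolded.append(line)
    attrs = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.lstrip(": "))
    return attrs


def ticket_flags(entry):
    """krbTicketFlags of an LDIF entry as an int (0 when the attribute is absent)."""
    return int(parse_ldif_entry(entry).get("krbTicketFlags", ["0"])[0])


def s4u2self_ready(entry):
    """True when OK_TO_AUTH_AS_DELEGATE is set. The kadmin documentation describes
    this flag as allowing the principal to obtain forwardable tickets to itself
    from arbitrary users, which is what an S4U2Self-then-S4U2Proxy chain needs."""
    return bool(ticket_flags(entry) & OK_TO_AUTH_AS_DELEGATE)


# Trimmed copies of the two directory dumps from the thread (before and after
# the kadmin.local modprinc step).
BEFORE = """\
dn: krbprincipalname=HTTP/s4u.rhelent.lan@RHELENT.LAN,cn=services,cn=accounts,
 dc=rhelent,dc=lan
krbPrincipalName: HTTP/s4u.rhelent.lan@RHELENT.LAN
krbTicketFlags: 1048704
"""

AFTER = BEFORE.replace("krbTicketFlags: 1048704", "krbTicketFlags: 3145856")


def report(entry):
    """One-line summary of a service entry's delegation bits."""
    attrs = parse_ldif_entry(entry)
    flags = ticket_flags(entry)
    state = ("ready" if s4u2self_ready(entry)
             else "NOT ready (run: kadmin.local modprinc +ok_to_auth_as_delegate <principal>)")
    return "%s: 0x%06x %s -> S4U2Self %s" % (
        attrs["krbPrincipalName"][0], flags, " | ".join(decode_ticket_flags(flags)), state)


if __name__ == "__main__":
    print(report(BEFORE))
    print(report(AFTER))
```

Against a live IPA directory the entry would come from something like `ldapsearch -LLL -b cn=services,cn=accounts,dc=rhelent,dc=lan '(krbprincipalname=HTTP/s4u.rhelent.lan@RHELENT.LAN)' krbPrincipalName krbTicketFlags` (base DN and filter assumed from the dumps above) fed to `parse_ldif_entry`. Decoding the two values shows exactly which bit each step of the procedure contributed: `--ok-as-delegate=true` gives OK_AS_DELEGATE (0x100000) on top of REQUIRES_PRE_AUTH (0x80), and the kadmin step adds OK_TO_AUTH_AS_DELEGATE (0x200000).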
