[Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

Simo Sorce simo at redhat.com
Tue Dec 1 18:14:10 UTC 2015


On Tue, 2015-12-01 at 12:55 -0500, Marc Boorshtein wrote:
> I can now get a ticket!  This is how I originally created the user:
> 
> $ kinit admin
> $ ipa service-add HTTP/s4u.rhelent.lan@rhelent.lan --ok-as-delegate=true

ok-as-delegate != ok_to_auth_as_delegate ...

I know, it is a little confusing :-/  but these are the upstream flag
names, and they both exist and do different things.

Simo.

> Here's the object in the directory:
> 
> dn: krbprincipalname=HTTP/s4u.rhelent.lan@RHELENT.LAN,cn=services,cn=accounts,
>  dc=rhelent,dc=lan
> ipaKrbPrincipalAlias: HTTP/s4u.rhelent.lan@RHELENT.LAN
> objectClass: ipaobject
> objectClass: ipaservice
> objectClass: krbticketpolicyaux
> objectClass: ipakrbprincipal
> objectClass: krbprincipal
> objectClass: krbprincipalaux
> objectClass: pkiuser
> objectClass: top
> krbTicketFlags: 1048704
> managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
> krbPrincipalName: HTTP/s4u.rhelent.lan@RHELENT.LAN
> ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
> krbLastPwdChange: 20151112021359Z
> krbExtraData:: AALn9UNWSFRUUC9zNHUucmhlbGVudC5sYW5AUkhFTEVOVC5MQU4A
> krbLastSuccessfulAuth: 20151201165518Z
> 
> Just now, I ran:
> [root@freeipa ~]# kadmin.local
> Authenticating as principal admin/admin@RHELENT.LAN with password.
> kadmin.local:  modprinc +ok_to_auth_as_delegate HTTP/s4u.rhelent.lan
> Principal "HTTP/s4u.rhelent.lan@RHELENT.LAN" modified.
> 
> and now the directory object is
> dn: krbprincipalname=HTTP/s4u.rhelent.lan@RHELENT.LAN,cn=services,cn=accounts,
>  dc=rhelent,dc=lan
> ipaKrbPrincipalAlias: HTTP/s4u.rhelent.lan@RHELENT.LAN
> objectClass: ipaobject
> objectClass: ipaservice
> objectClass: krbticketpolicyaux
> objectClass: ipakrbprincipal
> objectClass: krbprincipal
> objectClass: krbprincipalaux
> objectClass: pkiuser
> objectClass: top
> krbTicketFlags: 3145856
> managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
> krbPrincipalName: HTTP/s4u.rhelent.lan@RHELENT.LAN
> ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
> krbLastPwdChange: 20151112021359Z
> krbExtraData:: AAIx3l1WYWRtaW4vYWRtaW5AUkhFTEVOVC5MQU4A
> krbLastSuccessfulAuth: 20151201175200Z
> 
> Ticket flags clearly changed.  Now to see if this works with ipa-web.



> Thanks
> 
> Marc Boorshtein
> CTO Tremolo Security
> marc.boorshtein at tremolosecurity.com
> (703) 828-4902
> 
> 
> On Tue, Dec 1, 2015 at 12:42 PM, Simo Sorce <simo at redhat.com> wrote:
> > On Tue, 2015-12-01 at 11:55 -0500, Marc Boorshtein wrote:
> >> >
> >> > How do you acquire the user ticket ?
> >> >
> >>
> >> Using a keytab.  Here's a link to the example code I'm using:
> >> https://github.com/ymartin59/java-kerberos-sfudemo  I have Java set to
> >> use IPA as the DNS server and I'm passing in mmosley as the user to
> >> impersonate and HTTP/freeipa.rhelent.lan as the service that will
> >> consume the impersonated user's ticket.
> >>
> >> > Do you have the kdc log (/var/log/krb5kdc.log) that shows what the
> >> > server has been requested and what it released ?
> >> >
> >>
> >> Sure:
> >>
> >> Dec 01 11:55:17 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
> >> etypes {17 23 16}) 10.8.0.2: NEEDED_PREAUTH:
> >> HTTP/s4u.rhelent.lan@RHELENT.LAN for krbtgt/RHELENT.LAN@RHELENT.LAN,
> >> Additional pre-authentication required
> >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
> >> etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
> >> {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN for
> >> krbtgt/RHELENT.LAN@RHELENT.LAN
> >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3
> >> etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
> >> {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN for
> >> HTTP/s4u.rhelent.lan@RHELENT.LAN
> >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): ...
> >> PROTOCOL-TRANSITION s4u-client=mmosley@RHELENT.LAN
> >>
> >> Thanks
> >
> > I think for s4u2self you may have missed a conf step (we primarily use
> > s4u2proxy in the product *without* any s4u2self step).
> >
> > Can you check that you followed the procedure described here:
> > https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-kdb/README.s4u2proxy.txt#n90
> >
> > I think the key part is setting the +ok_to_auth_as_delegate flag which
> > we do not provide an official higher level interface for yet.
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >


-- 
Simo Sorce * Red Hat, Inc * New York
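The krbTicketFlags values quoted in the thread (1048704 before the modprinc, 3145856 after) are a bitmask of MIT krb5's KRB5_KDB_* principal flags; the difference, 0x200000, is exactly ok_to_auth_as_delegate. The following is an added example, not code from the thread or from FreeIPA, that decodes such a value into kadmin flag names and scans a constructed LDIF dump for service principals that carry the S4U2Self privilege, something worth auditing since such a principal can obtain tickets as any user. The flag-to-name table follows kdb.h; the sample entries and their realm are constructed.

```python
import re

# Principal flag bits from MIT krb5 kdb.h (KRB5_KDB_*), named as kadmin prints them.
KDB_FLAGS = {
    0x00000001: "disallow_postdated",
    0x00000002: "disallow_forwardable",
    0x00000004: "disallow_tgt_based",
    0x00000008: "disallow_renewable",
    0x00000010: "disallow_proxiable",
    0x00000020: "disallow_dup_skey",
    0x00000040: "disallow_all_tix",
    0x00000080: "requires_preauth",
    0x00000100: "requires_hwauth",
    0x00000200: "needchange",
    0x00001000: "disallow_svr",
    0x00002000: "password_changing_service",
    0x00100000: "ok_as_delegate",
    0x00200000: "ok_to_auth_as_delegate",
    0x00400000: "no_auth_data_required",
}
OK_TO_AUTH_AS_DELEGATE = 0x00200000

# Constructed sample: one ordinary service and one with S4U2Self enabled.
SAMPLE_LDIF = """\
dn: krbprincipalname=HTTP/web.example.test@EXAMPLE.TEST,cn=services,cn=accounts,
 dc=example,dc=test
krbPrincipalName: HTTP/web.example.test@EXAMPLE.TEST
krbTicketFlags: 1048704

dn: krbprincipalname=HTTP/s4u.example.test@EXAMPLE.TEST,cn=services,cn=accounts,
 dc=example,dc=test
krbPrincipalName: HTTP/s4u.example.test@EXAMPLE.TEST
krbTicketFlags: 3145856
"""

def decode_ticket_flags(value):
    """Return the set of kadmin-style flag names set in a krbTicketFlags integer."""
    return {name for bit, name in KDB_FLAGS.items() if value & bit}

def principals_with_protocol_transition(ldif_text):
    """List krbPrincipalName values whose flags allow S4U2Self (protocol transition)."""
    found = []
    for entry in re.split(r"\n\s*\n", ldif_text.strip()):
        entry = re.sub(r"\n ", "", entry)  # join LDIF continuation lines
        attrs = dict(l.split(": ", 1) for l in entry.splitlines() if ": " in l)
        if int(attrs.get("krbTicketFlags", "0")) & OK_TO_AUTH_AS_DELEGATE:
            found.append(attrs["krbPrincipalName"])
    return found

if __name__ == "__main__":
    for v in (1048704, 3145856):
        print(v, sorted(decode_ticket_flags(v)))
    print("S4U2Self-capable:", principals_with_protocol_transition(SAMPLE_LDIF))
```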



