[Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

Marc Boorshtein marc.boorshtein at tremolosecurity.com
Tue Dec 1 18:28:44 UTC 2015


Got it. BTW, with that java 8 s4u2self works too. Thanks again for the help!

Marc Boorshtein
CTO, Tremolo Security, Inc.
On Dec 1, 2015 1:14 PM, "Simo Sorce" <simo at redhat.com> wrote:

> On Tue, 2015-12-01 at 12:55 -0500, Marc Boorshtein wrote:
> > I can now get a ticket!  This is how I originally created the user:
> >
> > $ kinit admin
> > $ ipa service-add HTTP/s4u.rhelent.lan at rhelent.lan --ok-as-delegate=true
>
> ok-as-delegate != ok_to_auth_as_delegate ...
>
> I know, it is a little confusing :-/  but these are the upstream flag
> names, and they both exist and do different things.
>
> Simo.
>
> > Here's the object in the directory:
> >
> > dn: krbprincipalname=HTTP/s4u.rhelent.lan at RHELENT.LAN,cn=services,cn=accounts,
> >  dc=rhelent,dc=lan
> > ipaKrbPrincipalAlias: HTTP/s4u.rhelent.lan at RHELENT.LAN
> > objectClass: ipaobject
> > objectClass: ipaservice
> > objectClass: krbticketpolicyaux
> > objectClass: ipakrbprincipal
> > objectClass: krbprincipal
> > objectClass: krbprincipalaux
> > objectClass: pkiuser
> > objectClass: top
> > krbTicketFlags: 1048704
> > managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
> > krbPrincipalName: HTTP/s4u.rhelent.lan at RHELENT.LAN
> > ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
> > krbLastPwdChange: 20151112021359Z
> > krbExtraData:: AALn9UNWSFRUUC9zNHUucmhlbGVudC5sYW5AUkhFTEVOVC5MQU4A
> > krbLastSuccessfulAuth: 20151201165518Z
> >
> > Just now, I ran:
> > [root at freeipa ~]# kadmin.local
> > Authenticating as principal admin/admin at RHELENT.LAN with password.
> > kadmin.local:  modprinc +ok_to_auth_as_delegate HTTP/s4u.rhelent.lan
> > Principal "HTTP/s4u.rhelent.lan at RHELENT.LAN" modified.
> >
> > and now the directory object is
> > dn: krbprincipalname=HTTP/s4u.rhelent.lan at RHELENT.LAN,cn=services,cn=accounts,
> >  dc=rhelent,dc=lan
> > ipaKrbPrincipalAlias: HTTP/s4u.rhelent.lan at RHELENT.LAN
> > objectClass: ipaobject
> > objectClass: ipaservice
> > objectClass: krbticketpolicyaux
> > objectClass: ipakrbprincipal
> > objectClass: krbprincipal
> > objectClass: krbprincipalaux
> > objectClass: pkiuser
> > objectClass: top
> > krbTicketFlags: 3145856
> > managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
> > krbPrincipalName: HTTP/s4u.rhelent.lan at RHELENT.LAN
> > ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
> > krbLastPwdChange: 20151112021359Z
> > krbExtraData:: AAIx3l1WYWRtaW4vYWRtaW5AUkhFTEVOVC5MQU4A
> > krbLastSuccessfulAuth: 20151201175200Z
> >
> > Ticket flags clearly changed.  Now to see if this works with ipa-web.
>
>
>
> > Thanks
> >
> > Marc Boorshtein
> > CTO Tremolo Security
> > marc.boorshtein at tremolosecurity.com
> > (703) 828-4902
> >
> >
> > On Tue, Dec 1, 2015 at 12:42 PM, Simo Sorce <simo at redhat.com> wrote:
> > > On Tue, 2015-12-01 at 11:55 -0500, Marc Boorshtein wrote:
> > >> >
> > >> > How do you acquire the user ticket ?
> > >> >
> > >>
> > >> Using a keytab.  Here's a link to the example code I'm using:
> > >> https://github.com/ymartin59/java-kerberos-sfudemo  I have Java set to
> > >> use IPA as the DNS server and I'm passing in mmosley as the user to
> > >> impersonate and HTTP/freeipa.rhelent.lan as the service that will
> > >> consume the impersonated user's ticket.
> > >>
> > >> > Do you have the kdc log (/var/log/krb5kdc.log) that shows what the
> > >> > server has been requested and what it released ?
> > >> >
> > >>
> > >> Sure:
> > >>
> > >> Dec 01 11:55:17 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
> > >> etypes {17 23 16}) 10.8.0.2: NEEDED_PREAUTH:
> > >> HTTP/s4u.rhelent.lan at RHELENT.LAN for krbtgt/RHELENT.LAN at RHELENT.LAN,
> > >> Additional pre-authentication required
> > >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
> > >> etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
> > >> {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan at RHELENT.LAN for
> > >> krbtgt/RHELENT.LAN at RHELENT.LAN
> > >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3
> > >> etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
> > >> {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan at RHELENT.LAN for
> > >> HTTP/s4u.rhelent.lan at RHELENT.LAN
> > >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): ...
> > >> PROTOCOL-TRANSITION s4u-client=mmosley at RHELENT.LAN
> > >>
> > >> Thanks
> > >
> > > I think for s4u2self you may have missed a conf step (we primarily use
> > > s4u2proxy in the product *without* any s4u2self step).
> > >
> > > Can you check that you followed the procedure described here:
> > >
> > > https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-kdb/README.s4u2proxy.txt#n90
> > >
> > > I think the key part is setting the +ok_to_auth_as_delegate flag which
> > > we do not provide an official higher level interface for yet.
> > >
> > > Simo.
> > >
> > > --
> > > Simo Sorce * Red Hat, Inc * New York
> > >
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
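The two flags Simo distinguishes above (ok-as-delegate versus ok_to_auth_as_delegate) are separate bits in the krbTicketFlags attribute, which is why the value moved from 1048704 to 3145856 after the modprinc. The script below is an added example, not code from this thread, from FreeIPA or from the sfudemo project: it decodes krbTicketFlags using the KRB5_KDB_* principal attribute bits from MIT krb5's kdb.h and reports whether a service entry carries the bit S4U2Self needs. The two LDIF entries embedded in it are constructed to mirror the before/after entries posted above; the function names are my own.

```python
"""Decode the krbTicketFlags attribute FreeIPA stores on a Kerberos principal.

Added example, not code from the thread or from FreeIPA. Bit values are the
KRB5_KDB_* principal attribute flags from MIT krb5's kdb.h. The LDIF samples
are constructed to mirror the service entry posted in the thread.
"""
from __future__ import annotations

# KRB5_KDB_* principal attribute bits (MIT krb5, kdb.h).
KDB_FLAGS = {
    0x00000001: "DISALLOW_POSTDATED",
    0x00000002: "DISALLOW_FORWARDABLE",
    0x00000004: "DISALLOW_TGT_BASED",
    0x00000008: "DISALLOW_RENEWABLE",
    0x00000010: "DISALLOW_PROXIABLE",
    0x00000020: "DISALLOW_DUP_SKEY",
    0x00000040: "DISALLOW_ALL_TIX",
    0x00000080: "REQUIRES_PRE_AUTH",
    0x00000100: "REQUIRES_HW_AUTH",
    0x00000200: "REQUIRES_PWCHANGE",
    0x00001000: "DISALLOW_SVR",
    0x00002000: "PWCHANGE_SERVICE",
    0x00004000: "SUPPORT_DESMD5",
    0x00008000: "NEW_PRINC",
    0x00100000: "OK_AS_DELEGATE",
    0x00200000: "OK_TO_AUTH_AS_DELEGATE",
    0x00400000: "NO_AUTH_DATA_REQUIRED",
}
# ipa service-add --ok-as-delegate=true sets this bit: the KDC marks tickets
# issued *for* this service OK-AS-DELEGATE, a hint to clients that they may
# forward credentials to it.
OK_AS_DELEGATE = 0x00100000
# kadmin.local modprinc +ok_to_auth_as_delegate sets this bit: the KDC lets
# this principal obtain forwardable tickets to itself for arbitrary users
# (S4U2Self), which is what the thread was missing.
OK_TO_AUTH_AS_DELEGATE = 0x00200000


def decode_flags(value: int) -> list[str]:
    """Return the names of the KDB flag bits set in a krbTicketFlags value."""
    names = [name for bit, name in KDB_FLAGS.items() if value & bit]
    unknown = value & ~sum(KDB_FLAGS)  # keys are distinct bits, so sum == OR
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08x}")
    return names


def parse_ldif_entry(ldif: str) -> dict[str, list[str]]:
    """Minimal LDIF reader: unfold continuation lines (leading space) and
    collect multi-valued attributes. Base64 values ('::') stay encoded."""
    unfolded: list[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw.strip():
            unfolded.append(raw)
    attrs: dict[str, list[str]] = {}
    for line in unfolded:
        key, _, val = line.partition(":")
        attrs.setdefault(key.strip(), []).append(val.lstrip(": ").strip())
    return attrs


def s4u_readiness(ldif: str) -> dict[str, object]:
    """Summarise the delegation-related bits on one principal entry."""
    attrs = parse_ldif_entry(ldif)
    value = int(attrs["krbTicketFlags"][0])
    return {
        "principal": attrs["krbPrincipalName"][0],
        "krbTicketFlags": value,
        "flags": decode_flags(value),
        "ok_as_delegate": bool(value & OK_AS_DELEGATE),
        "ok_to_auth_as_delegate": bool(value & OK_TO_AUTH_AS_DELEGATE),
    }


# Constructed samples mirroring the thread's entry before and after modprinc.
ENTRY_BEFORE = """dn: krbprincipalname=HTTP/s4u.rhelent.lan@RHELENT.LAN,cn=services,cn=accounts,
 dc=rhelent,dc=lan
objectClass: krbprincipal
krbTicketFlags: 1048704
krbPrincipalName: HTTP/s4u.rhelent.lan@RHELENT.LAN
"""
ENTRY_AFTER = ENTRY_BEFORE.replace("krbTicketFlags: 1048704", "krbTicketFlags: 3145856")


if __name__ == "__main__":
    for label, entry in (("before", ENTRY_BEFORE), ("after", ENTRY_AFTER)):
        info = s4u_readiness(entry)
        print(f"{label}: {info['principal']} krbTicketFlags={info['krbTicketFlags']:#x} "
              f"{info['flags']} s4u2self_ok={info['ok_to_auth_as_delegate']}")
```

Run against the two posted values, 1048704 (0x100080) decodes to REQUIRES_PRE_AUTH plus OK_AS_DELEGATE, and 3145856 (0x300080) adds OK_TO_AUTH_AS_DELEGATE, which is exactly the single bit the kadmin.local step flipped. The same decode works on the output of `ipa service-show --all --raw` or an `ldapsearch` of the service entry.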