[Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

Simo Sorce simo at redhat.com
Tue Dec 1 18:46:26 UTC 2015


On Tue, 2015-12-01 at 13:28 -0500, Marc Boorshtein wrote:
> Got it. BTW, with that java 8 s4u2self works too. Thanks again for the help!

Glad it works, and sorry it took so long to figure out.

We definitely need some better docs around this point.

Simo.

> Marc Boorshtein
> CTO, Tremolo Security, Inc.
> On Dec 1, 2015 1:14 PM, "Simo Sorce" <simo at redhat.com> wrote:
> 
> > On Tue, 2015-12-01 at 12:55 -0500, Marc Boorshtein wrote:
> > > I can now get a ticket!  This is how I originally created the user:
> > >
> > > $ kinit admin
> > > $ ipa service-add HTTP/s4u.rhelent.lan@rhelent.lan --ok-as-delegate=true
> >
> > ok-as-delegate != ok_to_auth_as_delegate ...
> >
> > I know, it is a little confusing :-/  but these are the upstream flag
> > names, and they both exist and do different things.
> >
> > Simo.
> >
> > > Here's the object in the directory:
> > >
> > > dn: krbprincipalname=HTTP/s4u.rhelent.lan@RHELENT.LAN,cn=services,cn=accounts,dc=rhelent,dc=lan
> > > ipaKrbPrincipalAlias: HTTP/s4u.rhelent.lan@RHELENT.LAN
> > > objectClass: ipaobject
> > > objectClass: ipaservice
> > > objectClass: krbticketpolicyaux
> > > objectClass: ipakrbprincipal
> > > objectClass: krbprincipal
> > > objectClass: krbprincipalaux
> > > objectClass: pkiuser
> > > objectClass: top
> > > krbTicketFlags: 1048704
> > > managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
> > > krbPrincipalName: HTTP/s4u.rhelent.lan@RHELENT.LAN
> > > ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
> > > krbLastPwdChange: 20151112021359Z
> > > krbExtraData:: AALn9UNWSFRUUC9zNHUucmhlbGVudC5sYW5AUkhFTEVOVC5MQU4A
> > > krbLastSuccessfulAuth: 20151201165518Z
> > >
> > > Just now, I ran:
> > > [root@freeipa ~]# kadmin.local
> > > Authenticating as principal admin/admin@RHELENT.LAN with password.
> > > kadmin.local:  modprinc +ok_to_auth_as_delegate HTTP/s4u.rhelent.lan
> > > Principal "HTTP/s4u.rhelent.lan@RHELENT.LAN" modified.
> > >
> > > and now the directory object is
> > > dn: krbprincipalname=HTTP/s4u.rhelent.lan@RHELENT.LAN,cn=services,cn=accounts,dc=rhelent,dc=lan
> > > ipaKrbPrincipalAlias: HTTP/s4u.rhelent.lan@RHELENT.LAN
> > > objectClass: ipaobject
> > > objectClass: ipaservice
> > > objectClass: krbticketpolicyaux
> > > objectClass: ipakrbprincipal
> > > objectClass: krbprincipal
> > > objectClass: krbprincipalaux
> > > objectClass: pkiuser
> > > objectClass: top
> > > krbTicketFlags: 3145856
> > > managedBy: fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
> > > krbPrincipalName: HTTP/s4u.rhelent.lan@RHELENT.LAN
> > > ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
> > > krbLastPwdChange: 20151112021359Z
> > > krbExtraData:: AAIx3l1WYWRtaW4vYWRtaW5AUkhFTEVOVC5MQU4A
> > > krbLastSuccessfulAuth: 20151201175200Z
> > >
> > > Ticket flags clearly changed.  Now to see if this works with ipa-web.
> >
> >
> >
> > > Thanks
> > >
> > > Marc Boorshtein
> > > CTO Tremolo Security
> > > marc.boorshtein at tremolosecurity.com
> > > (703) 828-4902
> > >
> > >
> > > On Tue, Dec 1, 2015 at 12:42 PM, Simo Sorce <simo at redhat.com> wrote:
> > > > On Tue, 2015-12-01 at 11:55 -0500, Marc Boorshtein wrote:
> > > >> >
> > > >> > How do you acquire the user ticket ?
> > > >> >
> > > >>
> > > >> Using a keytab.  Here's a link to the example code I'm using:
> > > >> https://github.com/ymartin59/java-kerberos-sfudemo  I have Java set to
> > > >> use IPA as the DNS server and I'm passing in mmosley as the user to
> > > >> impersonate and HTTP/freeipa.rhelent.lan as the service that will
> > > >> consume the impersonated user's ticket.
> > > >>
> > > >> > Do you have the kdc log (/var/log/krb5kdc.log) that shows what the
> > > >> > server has been requested and what it released ?
> > > >> >
> > > >>
> > > >> Sure:
> > > >>
> > > >> Dec 01 11:55:17 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
> > > >> etypes {17 23 16}) 10.8.0.2: NEEDED_PREAUTH:
> > > >> HTTP/s4u.rhelent.lan@RHELENT.LAN for krbtgt/RHELENT.LAN@RHELENT.LAN,
> > > >> Additional pre-authentication required
> > > >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
> > > >> etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
> > > >> {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN for
> > > >> krbtgt/RHELENT.LAN@RHELENT.LAN
> > > >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3
> > > >> etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
> > > >> {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN for
> > > >> HTTP/s4u.rhelent.lan@RHELENT.LAN
> > > >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): ...
> > > >> PROTOCOL-TRANSITION s4u-client=mmosley@RHELENT.LAN
> > > >>
> > > >> Thanks
> > > >
> > > > I think for s4u2self you may have missed a conf step (we primarily use
> > > > s4u2proxy in the product *without* any s4u2self step).
> > > >
> > > > Can you check that you followed the procedure described here:
> > > >
> > > > https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-kdb/README.s4u2proxy.txt#n90
> > > >
> > > > I think the key part is setting the +ok_to_auth_as_delegate flag which
> > > > we do not provide an official higher level interface for yet.
> > > >
> > > > Simo.
> > > >
> > > > --
> > > > Simo Sorce * Red Hat, Inc * New York
> > > >
> >
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
> >


-- 
Simo Sorce * Red Hat, Inc * New York