[Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

Marc Boorshtein marc.boorshtein at tremolosecurity.com
Tue Dec 1 18:49:15 UTC 2015


What project (including my own) doesn't need better docs? :-)  Once I
publish the work I'm doing part of that will have a step-by-step on
getting this set up.  It was pretty easy really if you are comfortable
with LDAP.
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein at tremolosecurity.com
(703) 828-4902


On Tue, Dec 1, 2015 at 1:46 PM, Simo Sorce <simo at redhat.com> wrote:
> On Tue, 2015-12-01 at 13:28 -0500, Marc Boorshtein wrote:
>> Got it. BTW, with that java 8 s4u2self works too. Thanks again for the help!
>
> Glad it works, and sorry it took so long to figure out.
>
> We definitely need some better docs around this point.
>
> Simo.
>
>> Marc Boorshtein
>> CTO, Tremolo Security, Inc.
>> On Dec 1, 2015 1:14 PM, "Simo Sorce" <simo at redhat.com> wrote:
>>
>> > On Tue, 2015-12-01 at 12:55 -0500, Marc Boorshtein wrote:
>> > > I can now get a ticket!  This is how I originally created the user:
>> > >
>> > > $ kinit admin
>> > > $ ipa service-add HTTP/s4u.rhelent.lan at rhelent.lan --ok-as-delegate=true
>> >
>> > ok-as-delegate != ok_to_auth_as_delegate ...
>> >
>> > I know, it is a little confusing :-/  but these are the upstream flag
>> > names, and they both exist and do different things.
>> >
>> > Simo.
>> >
>> > > Here's the object in the directory:
>> > >
>> > > dn: krbprincipalname=HTTP/s4u.rhelent.lan at RHELENT.LAN
>> > ,cn=services,cn=accounts,
>> > >  dc=rhelent,dc=lan
>> > > ipaKrbPrincipalAlias: HTTP/s4u.rhelent.lan at RHELENT.LAN
>> > > objectClass: ipaobject
>> > > objectClass: ipaservice
>> > > objectClass: krbticketpolicyaux
>> > > objectClass: ipakrbprincipal
>> > > objectClass: krbprincipal
>> > > objectClass: krbprincipalaux
>> > > objectClass: pkiuser
>> > > objectClass: top
>> > > krbTicketFlags: 1048704
>> > > managedBy:
>> > fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
>> > > krbPrincipalName: HTTP/s4u.rhelent.lan at RHELENT.LAN
>> > > ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
>> > > krbLastPwdChange: 20151112021359Z
>> > > krbExtraData:: AALn9UNWSFRUUC9zNHUucmhlbGVudC5sYW5AUkhFTEVOVC5MQU4A
>> > > krbLastSuccessfulAuth: 20151201165518Z
>> > >
>> > > Just now, I ran:
>> > > [root at freeipa ~]# kadmin.local
>> > > Authenticating as principal admin/admin at RHELENT.LAN with password.
>> > > kadmin.local:  modprinc +ok_to_auth_as_delegate HTTP/s4u.rhelent.lan
>> > > Principal "HTTP/s4u.rhelent.lan at RHELENT.LAN" modified.
>> > >
>> > > and now the directory object is
>> > > dn: krbprincipalname=HTTP/s4u.rhelent.lan at RHELENT.LAN
>> > ,cn=services,cn=accounts,
>> > >  dc=rhelent,dc=lan
>> > > ipaKrbPrincipalAlias: HTTP/s4u.rhelent.lan at RHELENT.LAN
>> > > objectClass: ipaobject
>> > > objectClass: ipaservice
>> > > objectClass: krbticketpolicyaux
>> > > objectClass: ipakrbprincipal
>> > > objectClass: krbprincipal
>> > > objectClass: krbprincipalaux
>> > > objectClass: pkiuser
>> > > objectClass: top
>> > > krbTicketFlags: 3145856
>> > > managedBy:
>> > fqdn=s4u.rhelent.lan,cn=computers,cn=accounts,dc=rhelent,dc=lan
>> > > krbPrincipalName: HTTP/s4u.rhelent.lan at RHELENT.LAN
>> > > ipaUniqueID: 3b563d36-88e0-11e5-917d-525400cab9fa
>> > > krbLastPwdChange: 20151112021359Z
>> > > krbExtraData:: AAIx3l1WYWRtaW4vYWRtaW5AUkhFTEVOVC5MQU4A
>> > > krbLastSuccessfulAuth: 20151201175200Z
>> > >
>> > > Ticket flags clearly changed.  Now to see if this works with ipa-web.
>> >
>> >
>> >
>> > > Thanks
>> > >
>> > > Marc Boorshtein
>> > > CTO Tremolo Security
>> > > marc.boorshtein at tremolosecurity.com
>> > > (703) 828-4902
>> > >
>> > >
>> > > On Tue, Dec 1, 2015 at 12:42 PM, Simo Sorce <simo at redhat.com> wrote:
>> > > > On Tue, 2015-12-01 at 11:55 -0500, Marc Boorshtein wrote:
>> > > >> >
>> > > >> > How do you acquire the user ticket ?
>> > > >> >
>> > > >>
>> > > >> Using a keytab.  Here's a link to the example code I'm using:
>> > > >> https://github.com/ymartin59/java-kerberos-sfudemo  I have Java set
>> > to
>> > > >> use IPA as the DNS server and I'm passing in mmosley as the user to
>> > > >> impersonate and HTTP/freeipa.rhelent.lan as the service that will
>> > > >> consume the impersonated user's ticket.
>> > > >>
>> > > >> > Do you have the kdc log (/var/log/krb5kdc.log) that shows what the
>> > > >> > server has been requested and what it released ?
>> > > >> >
>> > > >>
>> > > >> Sure:
>> > > >>
>> > > >> Dec 01 11:55:17 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
>> > > >> etypes {17 23 16}) 10.8.0.2: NEEDED_PREAUTH:
>> > > >> HTTP/s4u.rhelent.lan at RHELENT.LAN for krbtgt/RHELENT.LAN at RHELENT.LAN,
>> > > >> Additional pre-authentication required
>> > > >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3
>> > > >> etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
>> > > >> {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan at RHELENT.LAN for
>> > > >> krbtgt/RHELENT.LAN at RHELENT.LAN
>> > > >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3
>> > > >> etypes {17 23 16}) 10.8.0.2: ISSUE: authtime 1448988918, etypes
>> > > >> {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan at RHELENT.LAN for
>> > > >> HTTP/s4u.rhelent.lan at RHELENT.LAN
>> > > >> Dec 01 11:55:18 freeipa.rhelent.lan krb5kdc[7507](info): ...
>> > > >> PROTOCOL-TRANSITION s4u-client=mmosley at RHELENT.LAN
>> > > >>
>> > > >> Thanks
>> > > >
>> > > > I think for s4u2self you may have missed a conf step (we primarily use
>> > > > s4u2proxy in the product *without* any s4u2self step).
>> > > >
>> > > > Can you check that you followed the procedure described here:
>> > > >
>> > https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-kdb/README.s4u2proxy.txt#n90
>> > > >
>> > > > I think the key part is setting the +ok_to_auth_as_delegate flag which
>> > > > we do not provide an official higher level interface for yet.
>> > > >
>> > > > Simo.
>> > > >
>> > > > --
>> > > > Simo Sorce * Red Hat, Inc * New York
>> > > >
>> >
>> >
>> > --
>> > Simo Sorce * Red Hat, Inc * New York
>> >
>> >
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
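The thread hinges on two KDB flags with confusingly similar names: `ok-as-delegate` (what `ipa service-add --ok-as-delegate=true` sets) and `ok_to_auth_as_delegate` (what `modprinc` added, and what S4U2Self needs). The following is an added example, not code from the thread or from FreeIPA: it decodes a `krbTicketFlags` value with the KRB5_KDB_* bit constants from MIT krb5's kdb.h and walks an LDIF dump to report which service principals are allowed to do protocol transition, using the two values seen above (1048704 before, 3145856 after) under a hypothetical realm.

```python
# Decode the krbTicketFlags value FreeIPA stores on a Kerberos principal and report which
# services may perform S4U2Self. Bits are KRB5_KDB_* from MIT krb5 kdb.h; others shown as hex.
KDB_FLAGS = {
    0x00000001: "DISALLOW_POSTDATED",
    0x00000002: "DISALLOW_FORWARDABLE",
    0x00000010: "DISALLOW_PROXIABLE",
    0x00000080: "REQUIRES_PRE_AUTH",
    0x00100000: "OK_AS_DELEGATE",          # ipa service-add --ok-as-delegate=true
    0x00200000: "OK_TO_AUTH_AS_DELEGATE",  # kadmin.local modprinc +ok_to_auth_as_delegate
    0x00400000: "NO_AUTH_DATA_REQUIRED",
}
OK_TO_AUTH_AS_DELEGATE = 0x00200000

def parse_ldif(text):
    """Minimal LDIF reader: entries split on blank lines, folded lines rejoined,
    one value kept per attribute (enough for dn, krbPrincipalName, krbTicketFlags)."""
    entries, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur: entries.append(cur)
            cur, last = {}, None
        elif line.startswith(" ") and last:        # folded continuation line
            cur[last] += line[1:]
        else:
            attr, _, val = line.partition(":")
            cur[attr] = val.lstrip(":").strip()    # '::' marks base64; left undecoded
            last = attr
    if cur: entries.append(cur)
    return entries

def decode_flags(value):
    """Names of the flag bits set in a krbTicketFlags integer, lowest bit first."""
    names = [name for bit, name in sorted(KDB_FLAGS.items()) if value & bit]
    unknown = value & ~sum(KDB_FLAGS)
    return names + (["UNKNOWN(0x%x)" % unknown] if unknown else [])

def s4u2self_capable(text):
    """Map krbPrincipalName -> True when OK_TO_AUTH_AS_DELEGATE is set on the entry."""
    return {e["krbPrincipalName"]: bool(int(e["krbTicketFlags"]) & OK_TO_AUTH_AS_DELEGATE)
            for e in parse_ldif(text) if "krbTicketFlags" in e}

# Constructed sample (hypothetical realm): the before/after values seen in the thread.
SAMPLE_LDIF = """dn: krbprincipalname=HTTP/before.example.test@EXAMPLE.TEST,cn=services,
 cn=accounts,dc=example,dc=test
krbPrincipalName: HTTP/before.example.test@EXAMPLE.TEST
krbTicketFlags: 1048704

dn: krbprincipalname=HTTP/after.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
krbPrincipalName: HTTP/after.example.test@EXAMPLE.TEST
krbTicketFlags: 3145856"""
```

Running `s4u2self_capable` over a real `ldapsearch -LLL` export of `cn=services,cn=accounts` gives a quick inventory of which services can impersonate arbitrary users, which is worth reviewing since `--ok-as-delegate` alone does not grant that.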
