[Freeipa-users] "ASN.1 structure is missing a required field" - what is missing?
Simo Sorce
simo at redhat.com
Mon Nov 23 15:38:36 UTC 2015
On Tue, 2015-11-17 at 21:36 -0500, Marc Boorshtein wrote:
> I'm putting together a Java Kerberos client and am having an issue
> getting a SGT from IPA. I get a TGT without issue, but when I submit
> the TGS-REQ I get the following errors in the ipa log:
>
> Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1
> etypes {17}) 192.168.2.129: ISSUE: authtime 1447811595, etypes {rep=17
> tkt=18 ses=17}, HTTP/s4u.rhelent.lan at RHELENT.LAN for
> krbtgt/RHELENT.LAN at RHELENT.LAN
>
> Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1
> etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0, <unknown client>
> for HTTP/ipa.rhelent.lan at RHELENT.LAN, ASN.1 structure is missing a
> required field
>
> Here's the TGS request:
>
> Kerberos
> tgs-req
> pvno: 5
> msg-type: krb-tgs-req (12)
> padata: 1 item
> PA-DATA PA-TGS-REQ
> padata-type: kRB5-PADATA-TGS-REQ (1)
> padata-value:
> 6e8201f8308201f4a003020105a10302010ea20703050000...
> ap-req
> pvno: 5
> msg-type: krb-ap-req (14)
> Padding: 0
> ap-options: 00000000
> 0... .... = reserved: False
> .0.. .... = use-session-key: False
> ..0. .... = mutual-required: False
> ticket
> tkt-vno: 5
> realm: RHELENT.LAN
> sname
> name-type: kRB5-NT-PRINCIPAL (1)
> name-string: 2 items
> KerberosString: krbtgt
> KerberosString: RHELENT.LAN
> enc-part
> etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
> kvno: 1
> cipher:
> 0efd7452dafeb94323bcf7f6adc373aab78ce179f42c4c11...
> authenticator
> etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
> kvno: 255
> cipher:
> f40e91b920c6ae6bdc30a69d5f348bf106355a92da74ba74...
> req-body
> Padding: 0
> kdc-options: 00000000
> 0... .... = reserved: False
> .0.. .... = forwardable: False
> ..0. .... = forwarded: False
> ...0 .... = proxiable: False
> .... 0... = proxy: False
> .... .0.. = allow-postdate: False
> .... ..0. = postdated: False
> .... ...0 = unused7: False
> 0... .... = renewable: False
> .0.. .... = unused9: False
> ..0. .... = unused10: False
> ...0 .... = opt-hardware-auth: False
> .... ..0. = request-anonymous: False
> .... ...0 = canonicalize: False
> 0... .... = constrained-delegation: False
> ..0. .... = disable-transited-check: False
> ...0 .... = renewable-ok: False
> .... 0... = enc-tkt-in-skey: False
> .... ..0. = renew: False
> .... ...0 = validate: False
> cname
> name-type: kRB5-NT-PRINCIPAL (1)
> name-string: 2 items
> KerberosString: HTTP
> KerberosString: s4u.rhelent.lan
> realm: RHELENT.LAN
> sname
> name-type: kRB5-NT-PRINCIPAL (1)
> name-string: 2 items
> KerberosString: HTTP
> KerberosString: ipa.rhelent.lan
> from: 2015-11-18 02:17:44 (UTC)
> till: 2015-11-18 10:17:44 (UTC)
> nonce: 604310537
> etype: 1 item
> ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
>
>
> Is there a field missing?
CCing Andreas as this one sounds like a bug we recently discovered in
the ASN.1 parser in samba.
Andreas,
does this ring a bell?
Marc,
what version of IPA/OS are you seeing this on?
Simo.
--
Simo Sorce * Red Hat, Inc * New York