[Freeipa-users] "ASN.1 structure is missing a required field" - what is missing?
Marc Boorshtein
marc.boorshtein at tremolosecurity.com
Mon Nov 23 15:41:11 UTC 2015
We actually tracked it down. The problem was the Authenticator was
missing the authenticatorkvno field per the RFC. Once we set that to
5 we got past this issue.
IPA 4.1 on CentOS7
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein at tremolosecurity.com
On Mon, Nov 23, 2015 at 10:38 AM, Simo Sorce <simo at redhat.com> wrote:
> On Tue, 2015-11-17 at 21:36 -0500, Marc Boorshtein wrote:
>> I'm putting together a java kerberos client and am having an issue
>> getting an SGT from IPA. I get a TGT without issue, but when I submit
>> the TGS-REQ I get the following errors in the ipa log:
>>
>> Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1
>> etypes {17}) 192.168.2.129: ISSUE: authtime 1447811595, etypes {rep=17
>> tkt=18 ses=17}, HTTP/s4u.rhelent.lan at RHELENT.LAN for
>> krbtgt/RHELENT.LAN at RHELENT.LAN
>>
>> Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1
>> etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0, <unknown client>
>> for HTTP/ipa.rhelent.lan at RHELENT.LAN, ASN.1 structure is missing a
>> required field
>>
>> Here's the TGS request:
>>
>> Kerberos
>>     tgs-req
>>         pvno: 5
>>         msg-type: krb-tgs-req (12)
>>         padata: 1 item
>>             PA-DATA PA-TGS-REQ
>>                 padata-type: kRB5-PADATA-TGS-REQ (1)
>>                 padata-value:
>>                     6e8201f8308201f4a003020105a10302010ea20703050000...
>>                     ap-req
>>                         pvno: 5
>>                         msg-type: krb-ap-req (14)
>>                         Padding: 0
>>                         ap-options: 00000000
>>                             0... .... = reserved: False
>>                             .0.. .... = use-session-key: False
>>                             ..0. .... = mutual-required: False
>>                         ticket
>>                             tkt-vno: 5
>>                             realm: RHELENT.LAN
>>                             sname
>>                                 name-type: kRB5-NT-PRINCIPAL (1)
>>                                 name-string: 2 items
>>                                     KerberosString: krbtgt
>>                                     KerberosString: RHELENT.LAN
>>                             enc-part
>>                                 etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
>>                                 kvno: 1
>>                                 cipher:
>>                                     0efd7452dafeb94323bcf7f6adc373aab78ce179f42c4c11...
>>                         authenticator
>>                             etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
>>                             kvno: 255
>>                             cipher:
>>                                 f40e91b920c6ae6bdc30a69d5f348bf106355a92da74ba74...
>>         req-body
>>             Padding: 0
>>             kdc-options: 00000000
>>                 0... .... = reserved: False
>>                 .0.. .... = forwardable: False
>>                 ..0. .... = forwarded: False
>>                 ...0 .... = proxiable: False
>>                 .... 0... = proxy: False
>>                 .... .0.. = allow-postdate: False
>>                 .... ..0. = postdated: False
>>                 .... ...0 = unused7: False
>>                 0... .... = renewable: False
>>                 .0.. .... = unused9: False
>>                 ..0. .... = unused10: False
>>                 ...0 .... = opt-hardware-auth: False
>>                 .... ..0. = request-anonymous: False
>>                 .... ...0 = canonicalize: False
>>                 0... .... = constrained-delegation: False
>>                 ..0. .... = disable-transited-check: False
>>                 ...0 .... = renewable-ok: False
>>                 .... 0... = enc-tkt-in-skey: False
>>                 .... ..0. = renew: False
>>                 .... ...0 = validate: False
>>             cname
>>                 name-type: kRB5-NT-PRINCIPAL (1)
>>                 name-string: 2 items
>>                     KerberosString: HTTP
>>                     KerberosString: s4u.rhelent.lan
>>             realm: RHELENT.LAN
>>             sname
>>                 name-type: kRB5-NT-PRINCIPAL (1)
>>                 name-string: 2 items
>>                     KerberosString: HTTP
>>                     KerberosString: ipa.rhelent.lan
>>             from: 2015-11-18 02:17:44 (UTC)
>>             till: 2015-11-18 10:17:44 (UTC)
>>             nonce: 604310537
>>             etype: 1 item
>>                 ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
>>
>>
>> Is there a field missing?
>
> CCing Andreas as this one sounds like a bug we recently discovered in
> the ASN.1 parser in samba.
>
> Andreas,
> does this ring a bell ?
>
> Marc,
> what version of IPA/OS are you seeing this on ?
>
> Simo.
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
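Marc's fix above points at the version field of the Authenticator, which RFC 4120 section 5.5.1 names authenticator-vno [0] and makes a required INTEGER (5) at the head of the SEQUENCE. As an added example that is not code from the thread, the Python below hand-encodes a minimal Authenticator in DER and reports which required context-tagged fields are absent, so a client author can run the same check before the KDC rejects the TGS-REQ; the realm and principal come from the log above, while the cusec/ctime values are constructed.

```python
# Added example, not the thread's code: minimal DER builder/reader for an RFC 4120 Authenticator.

def der_tlv(tag: int, body: bytes) -> bytes:
    """One DER tag-length-value; definite lengths up to 65535 are enough here."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def der_int(v: int) -> bytes:            # INTEGER
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_str(s: str) -> bytes:            # GeneralString (Realm, KerberosString)
    return der_tlv(0x1B, s.encode())

def der_seq(*items: bytes) -> bytes:     # SEQUENCE
    return der_tlv(0x30, b"".join(items))

def ctx(n: int, body: bytes) -> bytes:   # explicit context tag [n]
    return der_tlv(0xA0 | n, body)

# Authenticator field numbers (RFC 4120 section 5.5.1); [3], [6], [7], [8] are OPTIONAL.
REQUIRED = {0: "authenticator-vno", 1: "crealm", 2: "cname", 4: "cusec", 5: "ctime"}

def principal_name(*parts: str) -> bytes:
    # PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
    return der_seq(ctx(0, der_int(1)), ctx(1, der_seq(*map(der_str, parts))))

def build_authenticator(realm: str, cname: list, include_vno: bool = True) -> bytes:
    """[APPLICATION 2] Authenticator; include_vno=False reproduces the broken client."""
    fields = [ctx(0, der_int(5))] if include_vno else []    # authenticator-vno must be 5
    fields += [ctx(1, der_str(realm)), ctx(2, principal_name(*cname)),
               ctx(4, der_int(123456)),                       # cusec (constructed sample)
               ctx(5, der_tlv(0x18, b"20151118021744Z"))]     # ctime as GeneralizedTime
    return der_tlv(0x62, der_seq(*fields))

def der_read(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos; handles long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def missing_required_fields(auth: bytes) -> list:
    """Names of REQUIRED Authenticator fields whose context tag is absent from the SEQUENCE."""
    _, seq, _ = der_read(auth)           # strip [APPLICATION 2]
    _, body, _ = der_read(seq)           # strip SEQUENCE
    present, pos = set(), 0
    while pos < len(body):
        tag, _, pos = der_read(body, pos)
        present.add(tag & 0x1F)          # context tag number
    return [name for num, name in sorted(REQUIRED.items()) if num not in present]
```

Running the check on an Authenticator built with include_vno=False returns ['authenticator-vno'], the same omission the KDC reported only as "missing a required field".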