[Freeipa-users] [Solved] Re: "ASN.1 structure is missing a required field" - what is missing?
Simo Sorce
simo at redhat.com
Mon Nov 23 15:43:48 UTC 2015
On Mon, 2015-11-23 at 10:41 -0500, Marc Boorshtein wrote:
> We actually tracked it down. The problem was the Authenticator was
> missing the authenticatorkvno field per the RFC. Once we set that to
> 5 we got past this issue.
Ok, then we'll consider this solved, thanks for following up.
Simo.
> IPA 4.1 on CentOS7
>
> Thanks
> Marc Boorshtein
> CTO Tremolo Security
> marc.boorshtein at tremolosecurity.com
>
>
>
> On Mon, Nov 23, 2015 at 10:38 AM, Simo Sorce <simo at redhat.com> wrote:
> > On Tue, 2015-11-17 at 21:36 -0500, Marc Boorshtein wrote:
> >> I'm putting together a Java Kerberos client and am having an issue
> >> getting an SGT from IPA. I get a TGT without issue, but when I submit
> >> the TGS-REQ I get the following errors in the ipa log:
> >>
> >> Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1
> >> etypes {17}) 192.168.2.129: ISSUE: authtime 1447811595, etypes {rep=17
> >> tkt=18 ses=17}, HTTP/s4u.rhelent.lan at RHELENT.LAN for
> >> krbtgt/RHELENT.LAN at RHELENT.LAN
> >>
> >> Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1
> >> etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0, <unknown client>
> >> for HTTP/ipa.rhelent.lan at RHELENT.LAN, ASN.1 structure is missing a
> >> required field
> >>
> >> Here's the TGS request:
> >>
> >> Kerberos
> >>     tgs-req
> >>         pvno: 5
> >>         msg-type: krb-tgs-req (12)
> >>         padata: 1 item
> >>             PA-DATA PA-TGS-REQ
> >>                 padata-type: kRB5-PADATA-TGS-REQ (1)
> >>                 padata-value:
> >>                 6e8201f8308201f4a003020105a10302010ea20703050000...
> >>                     ap-req
> >>                         pvno: 5
> >>                         msg-type: krb-ap-req (14)
> >>                         Padding: 0
> >>                         ap-options: 00000000
> >>                             0... .... = reserved: False
> >>                             .0.. .... = use-session-key: False
> >>                             ..0. .... = mutual-required: False
> >>                         ticket
> >>                             tkt-vno: 5
> >>                             realm: RHELENT.LAN
> >>                             sname
> >>                                 name-type: kRB5-NT-PRINCIPAL (1)
> >>                                 name-string: 2 items
> >>                                     KerberosString: krbtgt
> >>                                     KerberosString: RHELENT.LAN
> >>                             enc-part
> >>                                 etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
> >>                                 kvno: 1
> >>                                 cipher:
> >>                                 0efd7452dafeb94323bcf7f6adc373aab78ce179f42c4c11...
> >>                         authenticator
> >>                             etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
> >>                             kvno: 255
> >>                             cipher:
> >>                             f40e91b920c6ae6bdc30a69d5f348bf106355a92da74ba74...
> >>         req-body
> >>             Padding: 0
> >>             kdc-options: 00000000
> >>                 0... .... = reserved: False
> >>                 .0.. .... = forwardable: False
> >>                 ..0. .... = forwarded: False
> >>                 ...0 .... = proxiable: False
> >>                 .... 0... = proxy: False
> >>                 .... .0.. = allow-postdate: False
> >>                 .... ..0. = postdated: False
> >>                 .... ...0 = unused7: False
> >>                 0... .... = renewable: False
> >>                 .0.. .... = unused9: False
> >>                 ..0. .... = unused10: False
> >>                 ...0 .... = opt-hardware-auth: False
> >>                 .... ..0. = request-anonymous: False
> >>                 .... ...0 = canonicalize: False
> >>                 0... .... = constrained-delegation: False
> >>                 ..0. .... = disable-transited-check: False
> >>                 ...0 .... = renewable-ok: False
> >>                 .... 0... = enc-tkt-in-skey: False
> >>                 .... ..0. = renew: False
> >>                 .... ...0 = validate: False
> >>             cname
> >>                 name-type: kRB5-NT-PRINCIPAL (1)
> >>                 name-string: 2 items
> >>                     KerberosString: HTTP
> >>                     KerberosString: s4u.rhelent.lan
> >>             realm: RHELENT.LAN
> >>             sname
> >>                 name-type: kRB5-NT-PRINCIPAL (1)
> >>                 name-string: 2 items
> >>                     KerberosString: HTTP
> >>                     KerberosString: ipa.rhelent.lan
> >>             from: 2015-11-18 02:17:44 (UTC)
> >>             till: 2015-11-18 10:17:44 (UTC)
> >>             nonce: 604310537
> >>             etype: 1 item
> >>                 ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
> >>
> >>
> >> Is there a field missing?
> >
> > CCing Andreas as this one sounds like a bug we recently discovered in
> > the ASN.1 parser in samba.
> >
> > Andreas,
> > does this ring a bell ?
> >
> > Marc,
> > what version of IPA/OS are you seeing this on ?
> >
> > Simo.
> >
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
--
Simo Sorce * Red Hat, Inc * New York
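The defect Marc tracked down (the encrypted Authenticator lacked the field RFC 4120 section 5.5.1 calls authenticator-vno, which must be 5) can be checked before the message ever reaches a KDC. The following is an added example, not code from this thread, from FreeIPA or from MIT krb5: it encodes a minimal Authenticator with or without the [0] authenticator-vno field and lists which required fields are absent, the condition behind the KDC's "ASN.1 structure is missing a required field" error. The realm and principal come from the quoted dump; the cusec and ctime values are constructed.

```python
# Required Authenticator fields by context tag (RFC 4120 section 5.5.1); the rest are OPTIONAL.
REQUIRED = {0: "authenticator-vno", 1: "crealm", 2: "cname", 4: "cusec", 5: "ctime"}

def der_tlv(tag, inner):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(inner)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + inner

def ctx(num, inner):  # constructed context-specific tag [num] around an encoded TLV
    return der_tlv(0xA0 | num, inner)

def integer(v):  # minimal DER encoding of a non-negative INTEGER
    return der_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def gen_string(s):  # KerberosString is a GeneralString (tag 0x1B)
    return der_tlv(0x1B, s.encode("ascii"))

def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def authenticator_fields(der):
    """Map context-tag number -> encoded value for an [APPLICATION 2] Authenticator."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x62:  # APPLICATION class | constructed | tag number 2
        raise ValueError("not an Authenticator")
    _, seq, _ = read_tlv(body, 0)  # the inner SEQUENCE
    fields, pos = {}, 0
    while pos < len(seq):
        tag, value, pos = read_tlv(seq, pos)
        fields[tag & 0x1F] = value
    return fields

def missing_required(der):
    """Names of required fields the Authenticator lacks; empty when complete."""
    present = authenticator_fields(der)
    return [name for num, name in sorted(REQUIRED.items()) if num not in present]

def build_authenticator(include_vno=True):
    """Constructed sample Authenticator; include_vno=False reproduces the thread's defect."""
    cname = der_tlv(0x30, ctx(0, integer(1)) +  # name-type NT-PRINCIPAL
                    ctx(1, der_tlv(0x30, gen_string("HTTP") + gen_string("s4u.rhelent.lan"))))
    fields = ctx(0, integer(5)) if include_vno else b""   # authenticator-vno, always 5
    fields += ctx(1, gen_string("RHELENT.LAN"))            # crealm
    fields += ctx(2, cname)                                # cname
    fields += ctx(4, integer(123456))                      # cusec (constructed value)
    fields += ctx(5, der_tlv(0x18, b"20151118021744Z"))    # ctime as GeneralizedTime
    return der_tlv(0x62, der_tlv(0x30, fields))            # [APPLICATION 2] SEQUENCE
```

Running `missing_required(build_authenticator(False))` names the single absent field, while the complete structure yields an empty list; the same walk applies to any plaintext Authenticator taken from a client before it is encrypted into the AP-REQ.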