[Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

Marc Boorshtein marc.boorshtein at tremolosecurity.com
Wed Oct 28 00:27:11 UTC 2015


Thanks Simo.  It wouldn't surprise me that Java's implementation is
wrong.  The comments in the source even ask if it's necessary to check.

Thanks
Marc
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein at tremolosecurity.com
(703) 828-4902


On Tue, Oct 27, 2015 at 4:12 PM, Simo Sorce <simo at redhat.com> wrote:
> On 27/10/15 15:43, Marc Boorshtein wrote:
>>>>
>>>>
>>>> Looking at KrbKdcRep.java:73 it looks like the failure is happening
>>>> because java is setting the forwardable flag to true on the request
>>>> but the response has no options in it.  Should the forwardable option
>>>> be false in the request?
>>>
>>>
>>>
>>> That's a fair guess.
>>> the whole point of constrained delegation (including protocol
>>> impersonation)
>>> is that you do not want to forward tickets, so you shouldn't ask for
>>> forwardable tickets methinks.
>>>
>>> Simo.
>>>
>>
>> Thanks Simo.  I tried running kinit with forwarding disabled:
>>
>> $ kinit HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN -k -t
>> ./unison-freeipa.keytab -F
>>
>> $ klist -f
>>
>> Ticket cache: FILE:/tmp/krb5cc_500
>>
>> Default principal: HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
>>
>>
>> Valid starting     Expires            Service principal
>>
>> 10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/RHELENT.LAN at RHELENT.LAN
>>
>> Flags: IA
>>
>> But when I try again Java refuses to generate the ticket:
>>
>> tremoloadmin at unison-freeipa ~]$ klist -f
>> Ticket cache: FILE:/tmp/krb5cc_500
>> Default principal: HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
>>
>> Valid starting     Expires            Service principal
>> 10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/RHELENT.LAN at RHELENT.LAN
>> Flags: IA
>>
>> Hello World!
>> Search Subject for Kerberos V5 INIT cred (<<DEF>>,
>> sun.security.jgss.krb5.Krb5InitCredential)
>> No Subject
>>>>>
>>>>> KinitOptions cache name is /tmp/krb5cc_500
>>>>> DEBUG <CCacheInputStream>  client principal is
>>>>> HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
>>>>> DEBUG <CCacheInputStream> server principal is
>>>>> krbtgt/RHELENT.LAN at RHELENT.LAN
>>>>> DEBUG <CCacheInputStream> key type: 18
>>>>> DEBUG <CCacheInputStream> auth time: Tue Oct 27 15:32:52 EDT 2015
>>>>> DEBUG <CCacheInputStream> start time: Tue Oct 27 15:32:52 EDT 2015
>>>>> DEBUG <CCacheInputStream> end time: Wed Oct 28 15:32:52 EDT 2015
>>>>> DEBUG <CCacheInputStream> renew_till time: null
>>>>> CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
>>>>> DEBUG <CCacheInputStream>  client principal is
>>>>> HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
>>
>> Java config name: /home/tremoloadmin/krb5.conf
>> Loaded from Java config
>>>>>
>>>>> DEBUG <CCacheInputStream> server principal is
>>>>> X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/RHELENT.LAN at RHELENT.LAN@RHELENT.LAN
>>>>> DEBUG <CCacheInputStream> key type: 0
>>>>> DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969
>>>>> DEBUG <CCacheInputStream> start time: null
>>>>> DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969
>>>>> DEBUG <CCacheInputStream> renew_till time: null
>>>>> CCacheInputStream: readFlags()
>>
>> Found ticket for HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN to go to
>> krbtgt/RHELENT.LAN at RHELENT.LAN expiring on Wed Oct 28 15:32:52 EDT
>> 2015
>> Search Subject for SPNEGO INIT cred (<<DEF>>,
>> sun.security.jgss.spnego.SpNegoCredElement)
>> No Subject
>> Search Subject for Kerberos V5 INIT cred (<<DEF>>,
>> sun.security.jgss.krb5.Krb5InitCredential)
>> No Subject
>>>>>
>>>>> KinitOptions cache name is /tmp/krb5cc_500
>>>>> DEBUG <CCacheInputStream>  client principal is
>>>>> HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
>>>>> DEBUG <CCacheInputStream> server principal is
>>>>> krbtgt/RHELENT.LAN at RHELENT.LAN
>>>>> DEBUG <CCacheInputStream> key type: 18
>>>>> DEBUG <CCacheInputStream> auth time: Tue Oct 27 15:32:52 EDT 2015
>>>>> DEBUG <CCacheInputStream> start time: Tue Oct 27 15:32:52 EDT 2015
>>>>> DEBUG <CCacheInputStream> end time: Wed Oct 28 15:32:52 EDT 2015
>>>>> DEBUG <CCacheInputStream> renew_till time: null
>>>>> CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
>>>>> DEBUG <CCacheInputStream>  client principal is
>>>>> HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN
>>>>> DEBUG <CCacheInputStream> server principal is
>>>>> X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/RHELENT.LAN at RHELENT.LAN@RHELENT.LAN
>>>>> DEBUG <CCacheInputStream> key type: 0
>>>>> DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969
>>>>> DEBUG <CCacheInputStream> start time: null
>>>>> DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969
>>>>> DEBUG <CCacheInputStream> renew_till time: null
>>>>> CCacheInputStream: readFlags()
>>
>> Found ticket for HTTP/unison-freeipa.rhelent.lan at RHELENT.LAN to go to
>> krbtgt/RHELENT.LAN at RHELENT.LAN expiring on Wed Oct 28 15:32:52 EDT
>> 2015
>>>>>
>>>>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
>>
>> Exception in thread "main" GSSException: Failure unspecified at
>> GSS-API level (Mechanism level: Attempt to obtain S4U2self credentials
>> failed!)
>> at
>> sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
>> at
>> sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:94)
>> at
>> sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:141)
>> at io.tremolo.App.main(App.java:27)
>> Caused by: KrbException: Invalid option setting in ticket request. (101)
>> at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:165)
>> at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:100)
>> at
>> sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:66)
>> at
>> sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
>> at
>> sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
>> ... 3 more
>>
>> Looking at KrbTgsReq line 165:
>>
>> if (options.get(KDCOptions.FORWARDABLE) &&
>>         (!(asCreds.flags.get(Krb5.TKT_OPTS_FORWARDABLE)))) {
>>     throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
>> }
>>
>> If I read this correctly it has to be forwardable?  If that's the case
>> is Java wrong for requiring the options to be there or is IPA wrong
>> for not sending the options with the response ticket?
>
>
> I think the best answer would be to look at what the MIT test program does
> and make sure Java does the same.
> This stuff works with the native libraries and is interoperable with Windows
> AD KDCs where the specification was born.
>
> Simo.
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
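
The check Marc quotes from KrbTgsReq refuses a TGS-REQ that sets KDCOptions.FORWARDABLE unless the cached TGT itself carries the forwardable flag, and his `klist -f` output shows a TGT with flags `IA` (initial, pre-authenticated) and no `F`. The following is an added example, not code from this thread, from OpenJDK, MIT Kerberos or FreeIPA: it parses `klist -f` output, decodes the flag letters as documented in klist(1), and reports whether a client that requests FORWARDABLE, as the quoted Java code does, would be rejected before any network round trip. The realm name and the sample credential-cache listing are taken from the thread (the list archive rewrote `@` as ` at `; the constructed sample uses the real `@` form), and the error code 101 is the one shown in the stack trace above; the function names and the `request_forwardable` parameter are this example's own.

```python
"""Pre-flight check for the failure discussed in this thread: decode the
flag letters in `klist -f` output and say whether a TGS-REQ that sets
KDCOptions.FORWARDABLE can succeed against the cached TGT."""
import re
import subprocess
import sys

# Flag letters printed by MIT `klist -f` (see klist(1)).
FLAG_LETTERS = {
    "F": "forwardable", "f": "forwarded",
    "P": "proxiable", "p": "proxied",
    "D": "postdateable", "d": "postdated",
    "R": "renewable", "I": "initial", "i": "invalid",
    "H": "hw-authenticated", "A": "pre-authenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate",
    "a": "anonymous",
}

# Code reported by Java's KrbException in the stack trace quoted in the thread.
KRB_AP_ERR_REQ_OPTIONS = 101

# Constructed sample mirroring the `klist -f` output quoted in the thread.
SAMPLE_KLIST = (
    "Ticket cache: FILE:/tmp/krb5cc_500\n"
    "Default principal: HTTP/unison-freeipa.rhelent.lan@RHELENT.LAN\n"
    "\n"
    "Valid starting     Expires            Service principal\n"
    "10/27/15 15:32:52  10/28/15 15:32:52  krbtgt/RHELENT.LAN@RHELENT.LAN\n"
    "\tFlags: IA\n"
)

# A ticket line: start timestamp, expiry timestamp, service principal.
# Both timestamps begin with a digit, so the column header never matches.
TICKET_RE = re.compile(r"^(\d\S+ \S+)\s+(\d\S+ \S+)\s+(\S+)$")
FLAGS_RE = re.compile(r"^\s*Flags:\s*(\S*)")


def parse_klist(text):
    """Return [(service_principal, {flag names})] from `klist -f` output.
    The 'Flags:' line that follows a ticket line belongs to that ticket;
    a ticket with no flags line gets an empty set."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append((m.group(3), set()))
            continue
        m = FLAGS_RE.match(line)
        if m and tickets:
            names = {FLAG_LETTERS.get(ch, "unknown:" + ch) for ch in m.group(1)}
            tickets[-1] = (tickets[-1][0], names)
    return tickets


def tgt_flags(tickets, realm):
    """Flags of the cached TGT for `realm`, or None if there is none."""
    for princ, flags in tickets:
        if princ.startswith("krbtgt/%s@" % realm):
            return flags
    return None


def s4u2self_preflight(klist_text, realm, request_forwardable=True):
    """Model the KrbTgsReq check from the thread: a request that sets
    FORWARDABLE is refused (code 101) unless the TGT is forwardable.
    Returns (ok, error_code_or_None, detail)."""
    flags = tgt_flags(parse_klist(klist_text), realm)
    if flags is None:
        return False, None, "no krbtgt/%s ticket in the cache" % realm
    if request_forwardable and "forwardable" not in flags:
        return (False, KRB_AP_ERR_REQ_OPTIONS,
                "TGT flags %s lack 'forwardable'; a client that sets "
                "KDCOptions.FORWARDABLE will be rejected by this check"
                % sorted(flags))
    return True, None, "TGT flags: %s" % sorted(flags)


def main(argv):
    """Run against the live credential cache if klist is available,
    otherwise against the constructed sample."""
    realm = argv[1] if len(argv) > 1 else "RHELENT.LAN"
    try:
        text = subprocess.run(["klist", "-f"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        print("klist not available; using constructed sample output")
        text = SAMPLE_KLIST
    ok, code, detail = s4u2self_preflight(text, realm)
    print(("OK" if ok else "FAIL (code %s)" % code) + " - " + detail)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python3 preflight.py RHELENT.LAN` on the host holding the service keytab; on the ticket Marc obtained with `kinit -F` it reports FAIL with code 101, and the same cache listed with an `F` flag passes. Passing `request_forwardable=False` models Simo's point that a constrained-delegation client need not ask for forwardable tickets at all: the check then never fires, whatever the TGT flags.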