[Freeipa-users] S4U2Self not working for multiple allowed targets
Marc Boorshtein
marc.boorshtein at tremolosecurity.com
Mon Mar 14 16:41:58 UTC 2016
All,
I am trying to set up delegation from OpenUnison to both the IPAWeb
application and to Cockpit. I'm using a single reverse proxy for both
and the same SPN and keytab for both. The integration with ipaweb
went perfectly using these instructions I built:
https://github.com/TremoloSecurity/Unison-LastMile-Kerberos.
Trying to integrate cockpit is giving me a very odd error from freeipa
when I try to get my s4u2self ticket: unknown encryption. I'm running
RH IDM on RHEL 7.2 on Azure. Here's my delegation tree in LDAP:
# s4u2proxy, etc, azure.cloud
dn: cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: nsContainer
objectClass: top
cn: s4u2proxy
# ipa-http-delegation, s4u2proxy, etc, azure.cloud
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-http-delegation
memberPrincipal: HTTP/ipa.azure.cloud@AZURE.CLOUD
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
# ipa-ldap-delegation-targets, s4u2proxy, etc, azure.cloud
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-ldap-delegation-targets
memberPrincipal: ldap/ipa.azure.cloud@AZURE.CLOUD
# ipa-cifs-delegation-targets, s4u2proxy, etc, azure.cloud
dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-cifs-delegation-targets
# app-http-delegation-targets, s4u2proxy, etc, azure.cloud
dn: cn=app-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: groupOfPrincipals
objectClass: top
cn: app-http-delegation-targets
memberPrincipal: HTTP/ipa.azure.cloud@AZURE.CLOUD
# unison-http-delegation, s4u2proxy, etc, azure.cloud
dn: cn=unison-http-delegation,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: unison-http-delegation
memberPrincipal: HTTP/openunison.azure.cloud@AZURE.CLOUD
ipaAllowedTarget: cn=app-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
ipaAllowedTarget: cn=ipaclient-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
# ipaclient-http-delegation-targets, s4u2proxy, etc, azure.cloud
dn: cn=ipaclient-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: groupOfPrincipals
objectClass: top
cn: ipaclient-http-delegation-targets
memberPrincipal: HTTP/ipaclient-rhel72.azure.cloud@AZURE.CLOUD
Here's the log output from OpenUnison when I try to access ipaweb (success):
Found ticket for HTTP/openunison.azure.cloud@AZURE.CLOUD to go to krbtgt/AZURE.CLOUD@AZURE.CLOUD expiring on Tue Mar 15 16:05:19 UTC 2016
Found ticket for HTTP/openunison.azure.cloud@AZURE.CLOUD to go to krbtgt/AZURE.CLOUD@AZURE.CLOUD expiring on Tue Mar 15 16:05:19 UTC 2016
>>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=ipa.azure.cloud. UDP:88, timeout=30000, number of retries =3, #bytes=794
>>> KDCCommunication: kdc=ipa.azure.cloud. UDP:88, timeout=30000,Attempt =1, #bytes=794
>>> KrbKdcReq send: #bytes read=670
>>> KdcAccessibility: remove ipa.azure.cloud.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=ipa.azure.cloud. UDP:88, timeout=30000, number of retries =3, #bytes=1059
>>> KDCCommunication: kdc=ipa.azure.cloud. UDP:88, timeout=30000,Attempt =1, #bytes=1059
>>> KrbKdcReq send: #bytes read=722
>>> KdcAccessibility: remove ipa.azure.cloud.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Subject is readOnly;Kerberos Service ticket not stored
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 1032726940
Created InitSecContextToken:
0000: 01 00 6E 82 02 8A 30 82 02 86 A0 03 02 01 05 A1 ..n...0.........
0010: 03 02 01 0E A2 07 03 05 00 20 00 00 00 A3 82 01 ......... ......
0020: 9C 61 82 01 98 30 82 01 94 A0 03 02 01 05 A1 0D .a...0..........
0030: 1B 0B 41 5A 55 52 45 2E 43 4C 4F 55 44 A2 22 30 ..AZURE.CLOUD."0
0040: 20 A0 03 02 01 00 A1 19 30 17 1B 04 48 54 54 50 .......0...HTTP
0050: 1B 0F 69 70 61 2E 61 7A 75 72 65 2E 63 6C 6F 75 ..ipa.azure.clou
0060: 64 A3 82 01 58 30 82 01 54 A0 03 02 01 12 A1 03 d...X0..T.......
0070: 02 01 02 A2 82 01 46 04 82 01 42 21 AC 61 34 33 ......F...B!.a43
0080: 0B A4 1B F2 03 3C 93 43 B8 33 7A 11 66 6D BF 14 .....<.C.3z.fm..
0090: 17 10 5E 3F 58 DA AE 02 FC F0 6A 32 F2 E1 49 56 ..^?X.....j2..IV
00A0: F8 AD 8F D6 B0 9A 76 92 C2 35 CF 26 10 40 68 E6 ......v..5.&.@h.
00B0: 00 38 D6 A8 A0 52 D9 F8 E6 10 D5 41 B1 E3 1E 95 .8...R.....A....
00C0: FF EC CD B3 6D 0B 2E 72 38 8C 7E 0B 53 FE 37 3B ....m..r8...S.7;
00D0: 1F 06 2E 9B 0E 7B CC 38 9A F1 83 C7 1A 6C 0B 9A .......8.....l..
00E0: 41 A6 E0 4C A8 64 75 70 D8 B6 2F 91 31 9D 34 21 A..L.dup../.1.4!
00F0: D4 64 01 F7 9B 39 E3 73 18 80 94 EC E2 4A 13 B1 .d...9.s.....J..
0100: C1 72 F4 C3 F6 A5 53 70 C0 FF E0 30 34 2D 4E 6D .r....Sp...04-Nm
0110: 07 42 F3 08 E9 91 6C C0 76 4B 1C B0 BF 79 E7 03 .B....l.vK...y..
0120: 24 5E 4D 7E A3 0E 3F FF AF 09 FA 81 68 1D C8 B2 $^M...?.....h...
0130: DB 51 B9 86 4C 95 CC 75 CD 8C C8 2C 6D 35 90 3B .Q..L..u...,m5.;
0140: 26 9D B3 A2 DB 88 04 6F 7D 1F 6A 48 D3 8F F7 D2 &......o..jH....
0150: A9 37 29 6D 50 3B AB 2A FE 76 EF 05 11 B2 4B 59 .7)mP;.*.v....KY
0160: 2E 75 35 E2 93 BB 59 8C AD E6 F3 FE A5 70 0F 73 .u5...Y......p.s
0170: A5 18 B5 D9 48 34 9A 1D BD 33 76 D9 04 E6 CF 6D ....H4...3v....m
0180: D1 6C 17 B6 4F 2B 36 C9 FE 67 50 B7 2F E8 39 9B .l..O+6..gP./.9.
0190: BA EC 49 55 AE FD 2C CB D3 60 FC D4 33 E5 E4 B1 ..IU..,..`..3...
01A0: 23 DF 10 50 48 45 B9 75 F3 AC ED ED B3 FD 9E C6 #..PHE.u........
01B0: 04 60 07 15 A3 6A 7C 8B 69 EC BD 5D 08 A4 81 D0 .`...j..i..]....
01C0: 30 81 CD A0 03 02 01 12 A2 81 C5 04 81 C2 B3 AE 0...............
01D0: D4 E9 30 E9 68 F9 37 37 11 76 A9 05 A2 65 26 41 ..0.h.77.v...e&A
01E0: 9D EF CF 4B 0B 83 1D 99 C3 E5 50 3A B3 5D 2A 09 ...K......P:.]*.
01F0: C8 9C 46 F9 0C 4D E4 F0 10 3F D4 2F 17 36 7A 72 ..F..M...?./.6zr
0200: 25 B6 37 FE 6F ED D1 1E 22 B7 79 97 6C 1D A0 BF %.7.o...".y.l...
0210: 09 02 43 E9 F3 EE 82 F8 8B 6D B3 AE BB 1C 7B C7 ..C......m......
0220: 50 02 B9 34 49 04 87 BA 31 4F 23 A7 C0 75 68 46 P..4I...1O#..uhF
0230: AF 5A F9 CA 86 B0 F5 DA D0 1B D0 B0 FB E7 2C A7 .Z............,.
0240: 0A 7F DE 27 C3 C4 B1 DB 42 76 83 42 37 81 22 B6 ...'....Bv.B7.".
0250: 28 61 23 E4 DF 69 18 0E B7 2C 60 D1 E2 31 96 05 (a#..i...,`..1..
0260: B7 ED 16 F3 60 F2 9F 6E 16 AD 55 28 10 6C 41 55 ....`..n..U(.lAU
0270: 9E 3A 97 CD 0D 99 7A AF 29 96 04 ED EA 7D 1B F8 .:....z.).......
0280: 30 D6 42 6A 9B F6 01 02 80 30 76 8A AD 80 E3 3D 0.Bj.....0v....=
and here are the log entries from kerberos:
Mar 14 16:36:45 ipa krb5kdc[11351](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.4: ISSUE: authtime 1457971519, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa.azure.cloud@AZURE.CLOUD for ldap/ipa.azure.cloud@AZURE.CLOUD
Mar 14 16:36:45 ipa krb5kdc[11351](info): ... CONSTRAINED-DELEGATION s4u-client=mmosley@AZURE.CLOUD
Mar 14 16:36:45 ipa krb5kdc[11351](info): closing down fd 12
Now, here's the request when trying to access cockpit:
>>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=ipa.azure.cloud. UDP:88, timeout=30000, number of retries =3, #bytes=794
>>> KDCCommunication: kdc=ipa.azure.cloud. UDP:88, timeout=30000,Attempt =1, #bytes=794
>>> KrbKdcReq send: #bytes read=670
>>> KdcAccessibility: remove ipa.azure.cloud.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=ipa.azure.cloud. UDP:88, timeout=30000, number of retries =3, #bytes=1072
>>> KDCCommunication: kdc=ipa.azure.cloud. UDP:88, timeout=30000,Attempt =1, #bytes=1072
>>> KrbKdcReq send: #bytes read=211
>>> KdcAccessibility: remove ipa.azure.cloud.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
cTime is Mon Dec 16 18:12:24 UTC 2013 1387217544000
sTime is Mon Mar 14 16:37:55 UTC 2016 1457973475000
suSec is 144678
error code is 14
error Message is KDC has no support for encryption type
cname is HTTP/openunison.azure.cloud@AZURE.CLOUD
sname is HTTP/ipaclient-rhel72.azure.cloud@AZURE.CLOUD
msgType is 30
and here's what's in the kerberos logs:
Mar 14 16:37:55 ipa krb5kdc[11351](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.0.6: ISSUE: authtime 1457971519, etypes {rep=18 tkt=18 ses=18}, HTTP/openunison.azure.cloud@AZURE.CLOUD for HTTP/openunison.azure.cloud@AZURE.CLOUD
Mar 14 16:37:55 ipa krb5kdc[11351](info): ... PROTOCOL-TRANSITION s4u-client=mmosley@AZURE.CLOUD
Mar 14 16:37:55 ipa krb5kdc[11351](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.0.6: BAD_ENCRYPTION_TYPE: authtime 0, HTTP/openunison.azure.cloud@AZURE.CLOUD for HTTP/ipaclient-rhel72.azure.cloud@AZURE.CLOUD, KDC has no support for encryption type
Mar 14 16:37:55 ipa krb5kdc[11351](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Any thoughts? Nothing really stands out to me.
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein at tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity
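As an added example (not code from the original post, OpenUnison or FreeIPA), the following Python script does the two checks a practitioner would want to run on a report like the one above: it parses a cn=s4u2proxy tree and resolves each ipaKrb5DelegationACL entry's ipaAllowedTarget groups to the memberPrincipal values they contain (which is how FreeIPA's schema expresses which proxy may obtain S4U2Proxy tickets for which service), flags allowed-target groups that name no principal at all, and then pairs each TGS_REQ line in the krb5kdc log with its "..." S4U detail line to say whether the delegation tree would have permitted the request. The LDIF and log lines are constructed from the post (principals written with '@', the app-http-delegation-targets group left out for brevity, log lines unwrapped onto one line each); the verdict strings and the regular expressions are mine, not FreeIPA's.

```python
import re
from collections import defaultdict

# Constructed, trimmed copy of the post's cn=s4u2proxy tree. Principals use '@'
# (the archive shows ' at '); long values are folded the LDIF way, onto a
# following line that starts with one space.
LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: ipaKrb5DelegationACL
memberPrincipal: HTTP/ipa.azure.cloud@AZURE.CLOUD
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,
 dc=cloud
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,
 dc=cloud

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
memberPrincipal: ldap/ipa.azure.cloud@AZURE.CLOUD

dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: groupOfPrincipals

dn: cn=unison-http-delegation,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
objectClass: ipaKrb5DelegationACL
memberPrincipal: HTTP/openunison.azure.cloud@AZURE.CLOUD
ipaAllowedTarget: cn=ipaclient-http-delegation-targets,cn=s4u2proxy,cn=etc,
 dc=azure,dc=cloud

dn: cn=ipaclient-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=azure,dc=cloud
memberPrincipal: HTTP/ipaclient-rhel72.azure.cloud@AZURE.CLOUD
"""

# Constructed krb5kdc excerpt: the post's log lines, each unwrapped onto one line.
KDC_LOG = """\
Mar 14 16:36:45 ipa krb5kdc[11351](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.4: ISSUE: authtime 1457971519, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa.azure.cloud@AZURE.CLOUD for ldap/ipa.azure.cloud@AZURE.CLOUD
Mar 14 16:36:45 ipa krb5kdc[11351](info): ... CONSTRAINED-DELEGATION s4u-client=mmosley@AZURE.CLOUD
Mar 14 16:37:55 ipa krb5kdc[11351](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.0.6: ISSUE: authtime 1457971519, etypes {rep=18 tkt=18 ses=18}, HTTP/openunison.azure.cloud@AZURE.CLOUD for HTTP/openunison.azure.cloud@AZURE.CLOUD
Mar 14 16:37:55 ipa krb5kdc[11351](info): ... PROTOCOL-TRANSITION s4u-client=mmosley@AZURE.CLOUD
Mar 14 16:37:55 ipa krb5kdc[11351](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.0.6: BAD_ENCRYPTION_TYPE: authtime 0, HTTP/openunison.azure.cloud@AZURE.CLOUD for HTTP/ipaclient-rhel72.azure.cloud@AZURE.CLOUD, KDC has no support for encryption type
Mar 14 16:37:55 ipa krb5kdc[11351](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
"""


def parse_ldif(text):
    """Return {dn: {attr: [values]}}; a leading space folds onto the previous value."""
    entries, cur, last = {}, None, None
    for line in text.splitlines() + [""]:   # the trailing "" flushes the last entry
        if line.startswith(" ") and cur is not None:
            cur[last][-1] += line[1:]        # LDIF line folding
        elif not line:
            if cur is not None:
                entries[cur["dn"][0]] = cur
            cur = None
        else:
            last, _, value = line.partition(": ")
            if last == "dn":
                cur = defaultdict(list)
            if cur is not None:
                cur[last].append(value)
    return entries


def delegation_map(entries):
    """Proxy principal -> set of target service principals, plus empty target groups."""
    allowed, empty = defaultdict(set), set()
    for attrs in entries.values():
        if "ipaKrb5DelegationACL" not in attrs.get("objectClass", []):
            continue
        for target_dn in attrs.get("ipaAllowedTarget", []):
            members = entries.get(target_dn, {}).get("memberPrincipal", [])
            if not members:                  # a target group nobody can be proxied to
                empty.add(target_dn)
            for proxy in attrs.get("memberPrincipal", []):
                allowed[proxy].update(members)
    return allowed, empty


TGS_RE = re.compile(r"TGS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) \S+: "
                    r"(?P<status>[A-Z_]+): authtime \d+,(?: etypes \{[^}]*\},)? "
                    r"(?P<client>\S+) for (?P<server>[^,\s]+)")
S4U_RE = re.compile(r"\.\.\. (?P<kind>CONSTRAINED-DELEGATION|PROTOCOL-TRANSITION) "
                    r"s4u-client=(?P<user>\S+)")


def check_kdc_log(log, allowed):
    """Pair each TGS_REQ with the '...' S4U line after it and judge it against the tree."""
    results, req = [], None
    for line in log.splitlines():
        if m := TGS_RE.search(line):
            req = m.groupdict()
            results.append(req)
        elif (s := S4U_RE.search(line)) and req:
            req.update(kind=s["kind"], user=s["user"])
            if req["kind"] == "PROTOCOL-TRANSITION":     # S4U2Self: the ACL is not consulted
                req["verdict"] = "s4u2self " + req["status"]
            elif req["server"] not in allowed.get(req["client"], ()):
                req["verdict"] = "s4u2proxy denied by delegation tree"
            else:   # the tree permits it, so a non-ISSUE status has some other cause
                req["verdict"] = "s4u2proxy allowed, " + req["status"]
            req = None
    return results


if __name__ == "__main__":
    allowed, empty = delegation_map(parse_ldif(LDIF))
    print("target groups with no memberPrincipal:", sorted(empty))
    for r in check_kdc_log(KDC_LOG, allowed):
        print(r.get("kind"), r["client"], "->", r["server"], ":", r.get("verdict"))
```

Run against the post's data, the script reports one allowed-target group with no members (ipa-cifs-delegation-targets) and, for the failing request, that the tree does permit HTTP/openunison.azure.cloud@AZURE.CLOUD to delegate to HTTP/ipaclient-rhel72.azure.cloud@AZURE.CLOUD, so BAD_ENCRYPTION_TYPE is not an ACL denial. The KDC's own message names encryption types, so the next thing to check is the target service principal itself rather than the delegation tree: whether keys exist for it and which enctypes they use (FreeIPA's `ipa service-show` reports whether a keytab has been generated for a service, and no keys means no ticket can be encrypted for it).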