active directory - JAAS Kerberos not adding keys from keytab as I expect


So I'm trying to implement SSO/integrated security on an AIX server (so IBM JRE). It uses Kerberos to authenticate against AD.

Keep in mind the data below is sanitized.

The command the AD admin used to create the keytab file on the AD server (notice /kvno 2):

    ktpass /princ http/local.domain.com@localdomain.net /mapuser psldap@localdomain.net /pass <password> /crypto /ptype krb5_nt_principal /kvno 2 /out krb5.keytab

My krb5.conf file:

    [libdefaults]
        default_realm = localdomain.net
        default_keytab_name = file:/keytabs/krb.keytab
        default_tkt_enctypes = rc4-hmac
        default_tgs_enctypes = rc4-hmac
        dns_lookup_kdc = true
        dns_lookup_realm = true
    [realms]
        localdomain.net = {
                kdc = localdc08.localdomain.net:88
                kdc = otherdc08.localdomain.net:88
                admin_server = localdc08.localdomain.net:749
                master_kdc = localdc08.localdomain.net
                default_domain = localdomain.net
        }
    [domain_realm]
        .localdomain.net = localdomain.net
        localdomain.net = localdomain.net
        localdc08.localdomain.net = localdomain.net
        localdc08.localdomain.net = localdomain.net
        localdomain.net = localdomain.net
        .localdomain.net = localdomain.net
    [logging]
        kdc = file:/var/krb5/log/krb5kdc.log
        admin_server = file:/var/krb5/log/kadmin.log
        kadmin_local = file:/var/krb5/log/kadmin_local.log
        default = file:/var/krb5/log/krb5lib.log

Here's the krb5login.conf LoginModule:

    krbServer {
        com.ibm.security.auth.module.Krb5LoginModule required
        credsType=acceptor
        refreshKrb5Config=true
        principal="http/local.domain.com"
        useKeytab="/keytabs/krb5.keytab"
        debug=true;
    };

Here's the Java I'm running (can't disclose the whole thing because of IP):

        // context (a LoginContext), authManager (assumed to be a GSSManager) and
        // serverCred (a GSSCredential) are fields declared elsewhere in the class (not shown)
        context = new LoginContext("krbServer");
        context.login();

        // server credentials
        Subject sub = context.getSubject();
        serverCred = Subject.doAs(sub, new PrivilegedExceptionAction<GSSCredential>() {
            public GSSCredential run() throws GSSException {
                // mechanism OID for SPNEGO authentication
                Oid spnegoOid = new Oid("1.3.6.1.5.5.2");

                // null name defaults to the logged-in name
                GSSCredential cred = authManager.createCredential(null,
                        GSSCredential.INDEFINITE_LIFETIME,
                        spnegoOid,
                        GSSCredential.ACCEPT_ONLY);
                return cred;
            }
        });
        context.logout();

When I call the above code, I get the following debug output:

    constructor arg: krbServer
    version: 1.7.0
    home: /dev/jre
    logincontext constructed
    [JGSS_DBG_CRED]  Thread-2 JAAS config: debug=true
    [JGSS_DBG_CRED]  Thread-2 JAAS config: principal=http/local.domain.com
    [JGSS_DBG_CRED]  Thread-2 JAAS config: credstype=accept
    [JGSS_DBG_CRED]  Thread-2 config: usedefaultccache=false (default)
    [JGSS_DBG_CRED]  Thread-2 config: useccache=null
    [JGSS_DBG_CRED]  Thread-2 config: usedefaultkeytab=false
    [JGSS_DBG_CRED]  Thread-2 config: usekeytab=/keytabs/krb5.keytab
    [KRB_DBG_CFG] config:Thread-2:   configfile: /etc/krb5/krb5.conf
    [JGSS_DBG_CRED]  Thread-2 JAAS config: forwardable=false (default)
    [JGSS_DBG_CRED]  Thread-2 JAAS config: renewable=false (default)
    [JGSS_DBG_CRED]  Thread-2 JAAS config: proxiable=false (default)
    [JGSS_DBG_CRED]  Thread-2 JAAS config: tryfirstpass=false (default)
    [JGSS_DBG_CRED]  Thread-2 JAAS config: usefirstpass=false (default)
    [JGSS_DBG_CRED]  Thread-2 JAAS config: modulebanner=false (default)
    [JGSS_DBG_CRED]  Thread-2 JAAS config: interactive login? no
    [JGSS_DBG_CRED]  Thread-2 JAAS config: refreshkrb5config = true
    [KRB_DBG_CFG] config:Thread-2:   configfile: /etc/krb5/krb5.conf
    [KRB_DBG_KDC] kdccomm:Thread-2:   >>> kdcaccessibility: reset
    [KRB_DBG_KDC] kdccomm:Thread-2:   >>> kdcaccessibility: reset
    [JGSS_DBG_CRED]  Thread-2 try keytab principal=http/local.domain.com
    [KRB_DBG_KTAB] keytab:Thread-2loading keytab file ...
    >>> keytab: load() entry length: 73
    [KRB_DBG_KTAB] keytableinputstream:Thread-2:   >>> keytabinputstream, readname(): localdomain.net
    [KRB_DBG_KTAB] keytableinputstream:Thread-2:   >>> keytabinputstream, readname(): http
    [KRB_DBG_KTAB] keytableinputstream:Thread-2:   >>> keytabinputstream, readname(): local.domain.com
    [KRB_DBG_KDC] encryptionkey:Thread-2:   >>> encryptionkey: config default key type rc4-hmac
    [KRB_DBG_KTAB] keytab:Thread-2:   added key: 23  version: 2
    [KRB_DBG_KTAB] keytab:Thread-2:   ordering keys wrt default_tkt_enctypes list
    [JGSS_DBG_CRED]  Thread-2 no kerberos creds in keytab principal http/local.domain.com
    [JGSS_DBG_CRED]  Thread-2 login successful
    [JGSS_DBG_CRED]  Thread-2 kprincipal : http/local.domain.com@localdomain.net
    [JGSS_DBG_CRED]  Thread-2 http/local.domain.com@localdomain.net added subject
    [JGSS_DBG_CRED]  Thread-2 attempting add keytab subject http/local.domain.com@localdomain.net
    [JGSS_DBG_CRED]  Thread-2 find keys http/local.domain.com@localdomain.net
    [KRB_DBG_KTAB] keytab:Thread-2:   added key: 23  version: 2
    [KRB_DBG_KTAB] keytab:Thread-2:   ordering keys wrt default_tkt_enctypes list
    [JGSS_DBG_CRED]  Thread-2 no keys add subject http/local.domain.com@localdomain.net
    logincontext login() method executed
    logincontext getsubject() method executed
    subject doas() method executed, servercred name: default lifetime: 2147483647
    [JGSS_DBG_CRED]  Thread-2 keytab removed subject
    [JGSS_DBG_CRED]  Thread-2 kerberoskey kerberos principal http/local.domain.com@localdomain.netkey version 2key encryptionkey: keytype=23 keybytes (hex dump)= 0000: <masked>

When I call

    public String validate(String encToken) {
        byte[] token = Base64.decode(encToken);

        GSSContext authContext;
        try {
            authContext = authManager.createContext(serverCred);
            // the output token returned by acceptSecContext() is discarded here
            authContext.acceptSecContext(token, 0, token.length);
            if (authContext.isEstablished()) {
                return authContext.getSrcName().toString();
            }
        } catch (GSSException e) {
            // fall through to the return below
        }

        return null;
    }
}

I discovered that the "acceptSecContext" command being called on the token returns a value. I've been under the impression that the value acceptSecContext returns needs to be passed back to the initiator. However, the initiator does not expect a response back. Additionally (and more importantly), the .isEstablished() method returns false.

So, questions:

1) Is there anything wrong with the above setup?
2) Why does this happen when I call the login() method on the context object?

    [JGSS_DBG_CRED]  Thread-2 attempting add keytab subject http/local.domain.com@localdomain.net
    [JGSS_DBG_CRED]  Thread-2 find keys http/local.domain.com@localdomain.net
    [KRB_DBG_KTAB] keytab:Thread-2:   added key: 23  version: 2
    [KRB_DBG_KTAB] keytab:Thread-2:   ordering keys wrt default_tkt_enctypes list
    [JGSS_DBG_CRED]  Thread-2 no keys add subject http/local.domain.com@localdomain.net

If it found key 23 version 2, why "no keys to add to subject principal@domain"? Why didn't it add the key it found? Is there a problem with kvno=2?

3) I've searched pretty exhaustively, and can't determine how to parse the output of acceptSecContext to find out what the return value is. The return value I'm receiving (base-64 encoded) is oQcwBaADCgEC.

Edit: an update. The return value of acceptSecContext in hex is: 0xa1 0x07 0x30 0x05 0xa0 0x03 0x0a 0x01 0x02

It appears from the following site (https://msdn.microsoft.com/en-us/library/ms995330.aspx#http-sso-2_topic2) that the first hex value (a1) corresponds to NegTokenTarg. Makes sense.

The next octet should be the length (with the uppermost bit set to 1 if the length needs more octets). Since the uppermost bit is 0, the length is 7 octets. Checks out.

The next octet (0x30) denotes a constructed sequence, with the next octet being the sequence length (0x05); 5 octets, checks out.

Then we have 0xa0, 0x03, 0x0a, 0x01, which denotes sequence element 0 (negResult).

The final octet (0x02) is an enumerated value, "rejected".

So the token is being rejected. How do I figure out "why"? I guess I'll need to engage the AD team to find out what's happening on their end.
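The octet-by-octet walk in the edit above generalizes into a small decoder. The following Python is an added example, not code from the question or from the IBM JGSS code base: it parses a SPNEGO NegTokenTarg (RFC 4178, outer tag 0xA1), handles both short-form and long-form DER lengths, maps every negState value (accept-completed, accept-incomplete, reject, request-mic, per RFC 4178) to its name rather than only the "rejected" case, and also pulls out supportedMech, responseToken and mechListMIC when the acceptor includes them. The first sample token is the base-64 value quoted in the question; the second sample token (an accept-completed response naming the Kerberos V5 mechanism) is constructed here for illustration.

```python
import base64

# negState values from RFC 4178 section 4.2.2
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

# The token quoted in the question (base-64 of a1 07 30 05 a0 03 0a 01 02)
REJECT_TOKEN_B64 = "oQcwBaADCgEC"

# Constructed sample: accept-completed with supportedMech = Kerberos V5 (1.2.840.113554.1.2.2)
ACCEPT_TOKEN_HEX = "a1143012a0030a0100a10b06092a864886f712010202"


def read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, position after it).

    Handles the short form (length < 128) and the long form (0x8N followed by N length bytes).
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element at offset %d" % pos)
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length at offset %d" % (pos - 1))
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("element length %d runs past end of token" % length)
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Turn DER OID content bytes into dotted notation (2a864886f712010202 -> 1.2.840.113554.1.2.2)."""
    if not raw:
        raise ValueError("empty OID")
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear: this byte ends the arc
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("OID ends in the middle of a multi-byte arc")
    return ".".join(str(a) for a in arcs)


def parse_neg_token_targ(token):
    """Decode a SPNEGO NegTokenTarg (outer tag [1] = 0xA1) into a dict of its fields."""
    tag, body, end = read_tlv(token, 0)
    if tag != 0xA1:
        raise ValueError("outer tag 0x%02x is not NegTokenTarg (0xa1)" % tag)
    if end != len(token):
        raise ValueError("%d trailing bytes after NegTokenTarg" % (len(token) - end))
    seq_tag, seq, _ = read_tlv(body, 0)
    if seq_tag != 0x30:
        raise ValueError("expected SEQUENCE (0x30) inside NegTokenTarg, got 0x%02x" % seq_tag)

    fields = {}
    pos = 0
    while pos < len(seq):
        ctx_tag, ctx_val, pos = read_tlv(seq, pos)   # [n] EXPLICIT wrapper
        inner_tag, inner, _ = read_tlv(ctx_val, 0)    # the wrapped universal type
        if ctx_tag == 0xA0:                            # [0] negState ENUMERATED
            if inner_tag != 0x0A:
                raise ValueError("negState is not ENUMERATED")
            code = int.from_bytes(inner, "big")
            fields["negState"] = NEG_STATES.get(code, "unknown(%d)" % code)
        elif ctx_tag == 0xA1:                          # [1] supportedMech OBJECT IDENTIFIER
            if inner_tag != 0x06:
                raise ValueError("supportedMech is not an OID")
            fields["supportedMech"] = decode_oid(inner)
        elif ctx_tag == 0xA2:                          # [2] responseToken OCTET STRING
            fields["responseToken"] = inner
        elif ctx_tag == 0xA3:                          # [3] mechListMIC OCTET STRING
            fields["mechListMIC"] = inner
        else:
            raise ValueError("unexpected context tag 0x%02x in NegTokenTarg" % ctx_tag)
    return fields


def decode_b64_token(b64):
    """Convenience wrapper for a base-64 token such as the one acceptSecContext() returned."""
    return parse_neg_token_targ(base64.b64decode(b64))


if __name__ == "__main__":
    print(decode_b64_token(REJECT_TOKEN_B64))
    print(parse_neg_token_targ(bytes.fromhex(ACCEPT_TOKEN_HEX)))
```

Run against oQcwBaADCgEC the decoder returns only {"negState": "reject"}: the acceptor rejected the negotiation without a responseToken or supportedMech, so the token itself carries no reason. The explanation has to come from the acceptor side (the JGSS debug trace, which is where the missing subject keys show up) or from the KDC logs.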

Have you tried manually testing the keytab with kinit, given the SPN? In jaas.conf use useKeyTab=true, keyTab="keytab_filename". Maybe it's specific to the IBM JDK.
