[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Easiest way to get service ticket after obtaining tgt
A klist might have helped in this case.
As I understand it you already have a krbtgt/REALM1.COM@REALM1.COM for
username@REALM1.COM.
You ultimately want to get a service ticket for
ldap/some.machine.fqdn@REALM2.COM? To get there you need a cross-realm
tgt to go from REALM1 to REALM2. That ticket is
krbtgt/REALM2.COM@REALM1.COM (tgt for REALM2 issued by REALM1) and it
looks like you can get it fine. You shouldn't need to ask for it
directly though. Just ask for the ldap... ticket and the libraries
should take care to the intermediate tgt for you as long as they
understand which machine is in which realm. (OK, maybe you need an
entry in the [capaths] section of krb5.conf.)
To get a krbtgt/REALM2.COM@REALM2.COM you need to start in REALM2.COM.
You can't get one of those for username@REALM1.COM. It's not allowed.
In fact username@REALM2.COM may be a completely different person from
username@REALM1.COM, so it probably doesn't make sense either.
On Oct 17, 2005, at 9:57 AM, Jeremiah Martell wrote:
> Here's some more information:
>
> If I set SERVER to "krbtgt/REALM1.COM@REALM1.COM", it works;
> "krbtgt/REALM2.COM@REALM1.COM", it works; but
> "krbtgt/REALM2.COM@REALM2.COM" does not work.
>
> I added lots of printf's to the heimdal source, and below you'll see
> the path it takes an where it fails. I'm still trying to analyze it,
> but if some heimdal guru could help me out, I would really appreciate
> it. :-)
>
> Thanks,
> - Jeremiah
>
> init context...
> make principal...
> getting tgt...
> > krb5_rd_error()
> < krb5_rd_error() .. returning 0
> cc default...
> cc init...
> store creds in cc...
> parse name...
> unparse name...
> unparse name...
> Printing clientName and serverName...
> client: username@REALM1.COM
> server: krbtgt/REALM2.COM@REALM2.COM
> getting service ticket...
> > krb5_get_cred_from_kdc()
> > krb5_get_cred_from_kdc_opt()
> > get_cred_from_kdc_flags()
> ret = krb_copy_principal()
> try_realm = krb5_config_get_string(... "capaths" ...)
> ret = find_cred()
> krb5_realm_compare(...)
> while(1)
> ret = get_cred_from_kdc_flags(...)
> > get_cred_from_kdc_flags()
> ret = krb_copy_principal()
> try_realm = krb5_config_get_string(... "capaths" ...)
> try_realm = krb5_config_get_string(... "libdefaults", "capath"
> ...)
> try_realm = client_realm
> ret = find_cred()
> krb5_realm_compare(...)
> while(1)
> ret = get_cred_from_kdc_flags(...)
> > get_cred_from_kdc_flags()
> ret = krb_copy_principal()
> try_realm = krb5_config_get_string(... "capaths" ...)
> try_realm = krb5_config_get_string(... "libdefaults", "capath"
> ...)
> try_realm = client_realm
> ret = find_cred()
> ret == 0
> krb5_appdefault_boolean(...)
> if (noaddr) was false
> ret = get_cred_kdc_la()
> > get_cred_kdc_la()
> > get_cred_kdc()
> > get_cred_kdc_usage()
> if(flags.b.enc_tkt_in_skey){
> ret = init_tgs_req()
> ASN1_MALLOC_ENCODE()
> again:
> ret = krb5_sendto_kdc_flags()
> if(decode_TGS_REP(...) == 0){
> > krb5_rd_error()
> < krb5_rd_error() .. returning 0
> } else if ( krb5_rd_error(...) == 0) {
> get_cred_kdc_usage() .. out:
> < get_cred_kdc_usage()
> < get_cred_kdc()
> < get_cred_kdc_la()
> if (ret) was true. something failed!
> < get_cred_from_kdc_flags()
> if (ret) was true: get_cred_from_kdc_flags() failed
> < get_cred_from_kdc_flags()
> if (ret) was true: get_cred_from_kdc_flags() failed
> < get_cred_from_kdc_flags()
> < krb5_get_cred_from_kdc_opt()
> < krb5_get_cred_from_kdc()
> FAILED! (step: -9)
> Server not found in Kerberos database.
>
>
>
> On 10/15/05, Buck Huppmann <buckh@pobox.com> wrote:
>> > More information. I am very confused at this point:
>> >
>> > Below you will see my source code, and the results, and the
>> resulting klist.
>> > I have no idea what I could be doing wrong. (NOTE: if my mail
>> client puts
>> > any "http://" stuff in, please ignore it)
>> >
>> > Thanks,
>> > - Jeremiah
>>
>> first, is you LDAP server hostname really ``realm2.com''? otherwise,
>> you should change that. (i realize AD NTDS's will register an A record
>> for the name of the domain, but you should probably still use the
>> host-
>> name)
>>
>> as more troubleshooting steps, you can change SERVER to
>> `"krbtgt/REALM2.COM@REALM1.COM" to see if you get a cross-realm TGT
>> and
>> then move on to "krbtgt/REALM2.COM@REALM2.COM " to see if your
>> cross-realm
>> TGT gets you an in-realm TGT. if either of those steps fail, it's a
>> con-
>> fig or DNS issue. if they work, . . . ?
>>
>> at any rate, an easier way to get a service ticket is to use
>> krb5_mk_req,
>> for future reference (although it *does* do a bit more work, creating
>> an
>> authenticator and what not)
>>
>> good luck
>>
>> --buck
>>
>> >
>> > -- source --
>> >
>> > #include <stdio.h>
>> > #include < string.h>
>> > #include "krb5.h"
>> >
>> > char *getKrb5ErrorString( signed long int errNum );
>> >
>> > #define SERVER "ldap/realm2.com@REALM2.COM "
>> >
>> > #define CLIENTNAME "username"
>> > #define CLIENTREALM "REALM1.COM <http://REALM1.COM>"
>> > #define CLIENTPASSWORD "password"
>> >
>> > int main( )
>> > {
>> > krb5_context krbcontext;
>> > krb5_principal krbprincipal;
>> > krb5_ccache krbcache;
>> > krb5_creds krbcreds;
>> > memset( &krbcreds, 0, sizeof( krb5_creds ) );
>> >
>> > krb5_creds increds;
>> > krb5_creds *outcreds;
>> > krb5_creds **tgtcreds;
>> > memset( &increds, 0, sizeof( krb5_creds ) );
>> >
>> > krb5_principal server;
>> >
>> > krb5_error_code kerr;
>> >
>> > int rc = -1;
>> >
>> > char *clientName = NULL;
>> > char *serverName = NULL;
>> >
>> > // get tgt, this works.
>> > printf( "init context...\n" ); fflush( stdout );
>> > if ( kerr = krb5_init_context( &krbcontext ) )
>> > { rc = -2; goto f; }
>> > printf( "make principal...\n" ); fflush( stdout );
>> > if ( kerr = krb5_make_principal( krbcontext, &krbprincipal,
>> CLIENTREALM,
>> > CLIENTNAME, NULL ) )
>> > { rc = -3; goto f; }
>> > printf( "getting tgt...\n" ); fflush( stdout );
>> > if ( kerr = krb5_get_init_creds_password( krbcontext, &krbcreds,
>> > krbprincipal, CLIENTPASSWORD, NULL, NULL, 0, NULL, NULL ) )
>> > { rc = -4; goto f; }
>> >
>> > // init cache, this works.
>> > printf( "cc default...\n" ); fflush( stdout );
>> > if ( kerr = krb5_cc_default(krbcontext, &krbcache ) )
>> > { rc = -5; goto f; }
>> > printf( "cc init...\n" ); fflush( stdout );
>> > if ( kerr = krb5_cc_initialize ( krbcontext, krbcache,
>> krbcreds.client ) )
>> > { rc = -6; goto f; }
>> >
>> > // store tgt in cache, this works.
>> > printf( "store creds in cc...\n" ); fflush ( stdout );
>> > if ( kerr = krb5_cc_store_cred( krbcontext, krbcache, &krbcreds ) )
>> > { rc = -7; goto f; }
>> >
>> > printf( "parse name...\n" ); fflush ( stdout );
>> > if ( kerr = krb5_parse_name( krbcontext, SERVER, &server ) )
>> > { rc = -8; goto f; }
>> >
>> > increds.client = krbprincipal;
>> > increds.server = server;
>> > printf( "unparse name...\n" ); fflush ( stdout );
>> > if ( kerr = krb5_unparse_name( krbcontext, krbprincipal,
>> &clientName ) )
>> > { rc = -90; goto f; }
>> > printf( "unparse name...\n" ); fflush ( stdout );
>> > if ( kerr = krb5_unparse_name( krbcontext, server, &serverName ) )
>> > { rc = -91; goto f; }
>> > printf( "Printing clientName and serverName...\n" ); fflush (
>> stdout );
>> > printf( "client: %s\n", clientName );
>> > printf( "server: %s\n", serverName ); fflush( stdout );
>> >
>> > // get service ticket for ldap directory in
>> LDAPREALM.COM<http://LDAPREALM.COM>
>> > .
>> > //
>> > // krb5_get_credentials() .. didnt work
>> > // krb5_get_cred_from_kdc() .. didnt work
>> > //
>> > printf( "getting service ticket...\n" ); fflush( stdout );
>> > // if ( kerr = krb5_get_credentials( krbcontext, 0, krbcache,
>> &increds,
>> > &outcreds ) )
>> > if ( kerr = krb5_get_cred_from_kdc( krbcontext, krbcache, &increds,
>> > &outcreds, &tgtcreds ) )
>> > { rc = -9; goto f; }
>> >
>> > // store service ticket in cache, never reached
>> > printf( "store service ticket...\n" ); fflush( stdout );
>> > if ( kerr = krb5_cc_store_cred( krbcontext, krbcache, outcreds ) )
>> > { rc = -10; goto f; }
>> >
>> > printf( "SUCCESS\n" );
>> > return 0;
>> >
>> > f:
>> >
>> > printf( "FAILED! (step: %d)\n%s\n", rc, getKrb5ErrorString( kerr) );
>> > return -1;
>> >
>> > }
>> >
>> >
>> >
>> >
>> > -- results --
>> >
>> > init context...
>> > make principal...
>> > getting tgt...
>> > cc default...
>> > cc init...
>> > store creds in cc...
>> > parse name...
>> > unparse name...
>> > unparse name...
>> > Printing clientName and serverName...
>> > client: username@REALM1.COM
>> > server: ldap/realm2.com@REALM2.COM
>> > getting service ticket...
>> > FAILED! (step: -9)
>> > Server not found in Kerberos database.
>> >
>> >
>> >
>> >
>> > -- When I do a klist it shows this --
>> >
>> > Ticket cache: FILE:/tmp/krb5cc_0
>> > Default principal: username@REALM1.COM
>> >
>> > Valid starting Expires Service principal
>> > 10/14/05 11:00:20 10/14/05 21:00:20 krbtgt/REALM1.COM@REALM1.COM
>> >
>> >
>> > Kerberos 4 ticket cache: /tmp/tkt0
>> > klist: You have no tickets cached
>> >
>> >
>> >
>> > On 10/14/05, Jeremiah Martell < inlovewithgod@gmail.com> wrote:
>> > >
>> > > Nope, that's my mail client being too smart for me. I don't have
>> the
>> > > http:// in there. Just "LDAPREALM" plus a period "." plus the
>> "COM" :-)
>> > >
>> > > - Jeremiah
>> > >
>> > >
>> > > On 10/14/05, Buck Huppmann <buckh@pobox.com> wrote:
>> > > >
>> > > > On Thu, Oct 13, 2005 at 04:14:30PM -0400, Jeremiah Martell
>> wrote:
>> > > > > This is still not working for me. An ethereal trace shows me
>> trying to
>> > > > get a
>> > > > > ticket for "krbtgt/.", which is really strange.
>> > > >
>> > > > > // the following values are hard-coded for now.
>> > > > > // make principal for server. works, but is it correct?
>> > > > > krb5_make_principal( krbcontext, &server,
>> > > > > " LDAPREALM.COM <http://LDAPREALM.COM><http://LDAPREALM.COM>",
>> > > > > "ldap/ldaprealm.com", NULL );
>> > > >
>> > > > is this some sort of artifact of your MUA? or do you literally
>> have
>> > > > that ``<http://...>'' junk in the realm string? if so, then
>> it's pos-
>> > > > sible to imagine heimdal (or any implementation) getting
>> confused and
>> > > > trying to get a cross-realm TGT for the ``.'' realm, in order
>> to get a
>> > > > cross-realm TGT for the ``COM>'' realm, in order to get . . .
>> > > >
>> > >
>> > >
>> >
>> >
>> > --
>> > - Jeremiah
>> > inlovewithGod@gmail.com
>
>
------------------------------------------------------------------------
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu