[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Easiest way to get service ticket after obtaining tgt
Thanks for the help. You are right, I shouldn't be asking for
krbtgt/domainof.realm2.com@REALM2.COM, but rather
ldap/domainof.realm2.com@REALM2.COM.
I've changed that but with no avail. I was using heimdal-0.7 and I
upgraded to heimdal-0.7.1 but I'm still seeing the same error, "Server
not found in Kerberos database.".
I've added more debug to the hiemdal library to see more what's going
on, which is included below. Futher below I've added my krb5.conf file.
This is my program with SERVER = "ldap/domainof.realm2.com@REALM2.COM",
CLIENTNAME = "username", and CLIENTREALM = "REALM1.COM". What interests
me is the lines that say:
in_creds->server = krbtgt/REALM2.COM@.
and
tmp_creds.server = krbtgt/.@REALM1.COM
Are those periods (.) expected there? I guessed that it was from my
capaths section of the krb5.conf file, but from what I know you are
supposed to put periods when two realms are directly trusted between
each other. And anyway, taking out my capths section, or putting the
actual realm instead of periods in the krb5.conf file just resulted in
more disasters. :-)
It seems like it's ultimately failing in a call to "decode_TGS_REP(...)".
This is the output of my program with lots of debug from heimdal...
init context...
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
> krb5_config_get_string()
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
< krb5_config_get_string()
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(false)
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
make principal...
getting tgt...
> krb5_sendto_kdc_flags()
ret = krb5_krbhst_init_flags(...)
ret = krb5_sendto(...)
> krb5_sendto()
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(domainof.realm1.com)
> krb5_config_vget_next()
< krb5_config_vget_next() ... END, returning NULL
< krb5_sendto
< krb5_sendto_kdc_flags() ... returning ret
> krb5_rd_error()
< krb5_rd_error() .. returning 0
> krb5_sendto_kdc_flags()
ret = krb5_krbhst_init_flags(...)
ret = krb5_sendto(...)
> krb5_sendto()
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(domainof.realm1.com)
> krb5_config_vget_next()
< krb5_config_vget_next() ... END, returning NULL
< krb5_sendto
< krb5_sendto_kdc_flags() ... returning ret
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
cc default...
> krb5_config_get_string()
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
< krb5_config_get_string()
cc init...
store creds in cc...
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
parse name...
unparse name...
unparse name...
Printing clientName and serverName...
client: username@REALM1.COM
server: ldap/domainof.realm2.com@REALM2.COM
getting service ticket...
> krb5_get_cred_from_kdc()
> krb5_get_cred_from_kdc_opt()
> get_cred_from_kdc_flags()
in_creds->client = username@REALM1.COM
in_creds->server = ldap/domainof.realm2.com@REALM2.COM
ret = krb_copy_principal()
try_realm = krb5_config_get_string(... "capaths" ...)
> krb5_config_get_string()
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(.)
< krb5_config_get_string()
try_realm = .
tmp_creds.server = krbtgt/REALM2.COM@.
ret = find_cred()
> find_cred()
ret = krb5_c_retrieve_cred(...)
while(tgs && *tgts){
< returning KRB5_CC_NOTFOUND
krb5_realm_compare(...)
while(1)
ret = get_cred_from_kdc_flags(...)
> get_cred_from_kdc_flags()
in_creds->client = username@REALM1.COM
in_creds->server = krbtgt/REALM2.COM@.
ret = krb_copy_principal()
try_realm = krb5_config_get_string(... "capaths" ...)
> krb5_config_get_string()
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
< krb5_config_get_string()
try_realm = krb5_config_get_string(... "libdefaults", "capath" ...)
> krb5_config_get_string()
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
< krb5_config_get_string()
try_realm = client_realm
try_realm = REALM1.COM
tmp_creds.server = krbtgt/.@REALM1.COM
ret = find_cred()
> find_cred()
ret = krb5_c_retrieve_cred(...)
while(tgs && *tgts){
< returning KRB5_CC_NOTFOUND
krb5_realm_compare(...)
while(1)
ret = get_cred_from_kdc_flags(...)
> get_cred_from_kdc_flags()
in_creds->client = username@REALM1.COM
in_creds->server = krbtgt/.@REALM1.COM
ret = krb_copy_principal()
try_realm = krb5_config_get_string(... "capaths" ...)
> krb5_config_get_string()
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
< krb5_config_get_string()
try_realm = krb5_config_get_string(... "libdefaults", "capath" ...)
> krb5_config_get_string()
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
< krb5_config_get_string()
try_realm = client_realm
try_realm = REALM1.COM
tmp_creds.server = krbtgt/REALM1.COM@REALM1.COM
ret = find_cred()
> find_cred()
ret = krb5_c_retrieve_cred(...)
< ret == 0. returning 0
ret == 0
krb5_appdefault_boolean(...)
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
if (noaddr) was false
ret = get_cred_kdc_la()
> get_cred_kdc_la()
> get_cred_kdc()
> get_cred_kdc_usage()
if(flags.b.enc_tkt_in_skey){
ret = init_tgs_req()
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(NULL)
ASN1_MALLOC_ENCODE()
again:
ret = krb5_sendto_kdc_flags()
> krb5_sendto_kdc_flags()
ret = krb5_krbhst_init_flags(...)
ret = krb5_sendto(...)
> krb5_sendto()
> krb5_config_vget_next()
< krb5_config_vget_next() ... returning vget_next(domainof.realm1.com)
> krb5_config_vget_next()
< krb5_config_vget_next() ... END, returning NULL
< krb5_sendto
< krb5_sendto_kdc_flags() ... returning ret
if(decode_TGS_REP(...) == 0){
> krb5_rd_error()
< krb5_rd_error() .. returning 0
} else if ( krb5_rd_error(...) == 0) {
get_cred_kdc_usage() .. out:
< get_cred_kdc_usage()
< get_cred_kdc()
< get_cred_kdc_la()
if (ret) was true. something failed!
< get_cred_from_kdc_flags()
if (ret) was true: get_cred_from_kdc_flags() failed
< get_cred_from_kdc_flags()
if (ret) was true: get_cred_from_kdc_flags() failed
< get_cred_from_kdc_flags()
< krb5_get_cred_from_kdc_opt()
< krb5_get_cred_from_kdc()
FAILED! (step: -9)
Server not found in Kerberos database.
This is my krb5.conf file:
################
[logging]
default = FILE:/var/log/krb5libs.log
[libdefaults]
ticket_lifetime = 24000
default_realm = REALM1.COM
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
REALM1.COM = {
kdc = domainof.realm1.com
default_domain = realm1.com
}
REALM2.COM = {
kdc = domainof.realm2.com
default_domain = realm2.com
}
[domain_realm]
.realm1.com = REALM1.COM
realm1.com = REALM1.COM
.realm2.com = REALM2.COM
realm2.com = REALM2.COM
[capaths]
REALM1.COM = {
REALM2.COM = .
}
REALM2.COM = {
REALM1.COM = .
}
################
I'll keep digging. But any pointers of where the right direction is would be much appreciated. :)
- Jeremiah
inlovewithGod@gmail.com
On 10/17/05, Douglas E. Engert <deengert@anl.gov> wrote:
Jeremiah Martell wrote:
> Here's some more information:
>
> If I set SERVER to "krbtgt/REALM1.COM@REALM1.COM", it works; "
> krbtgt/REALM2.COM@REALM1.COM", it works; but "krbtgt/REALM2.COM@REALM2.COM"
> does not work.
You should not expect REALM2.COM to issue you a krbtgt/REALM2.COM@REALM2.COM,
using the
krbtgt/REALM2.COM@REALM1.COM ticket. the krbtgt services are
treated differently. What should work is that you can use the
krbtgt/REALM2.COM@REALM1.COM ticket against
REAMLM2.COM to get some other
ticket like a host/your.host@REALM2.COM
>
> I added lots of printf's to the heimdal source, and below you'll see the
> path it takes an where it fails. I'm still trying to analyze it, but if some
> heimdal guru could help me out, I would really appreciate it. :-)
>
> Thanks,
> - Jeremiah
>
> init context...
> make principal...
> getting tgt...
>
>>krb5_rd_error()
>
> < krb5_rd_error() .. returning 0
> cc default...
> cc init...
> store creds in cc...
> parse name...
> unparse name...
> unparse name...
> Printing clientName and serverName...
> client: username@REALM1.COM
> server:
krbtgt/REALM2.COM@REALM2.COM
> getting service ticket...
>
>>krb5_get_cred_from_kdc()
>>krb5_get_cred_from_kdc_opt()
>>get_cred_from_kdc_flags()
>
> ret = krb_copy_principal()
> try_realm = krb5_config_get_string(... "capaths" ...)
> ret = find_cred()
> krb5_realm_compare(...)
> while(1)
> ret = get_cred_from_kdc_flags(...)
>
>>get_cred_from_kdc_flags()
>
> ret = krb_copy_principal()
> try_realm = krb5_config_get_string(... "capaths" ...)
> try_realm = krb5_config_get_string(... "libdefaults", "capath" ...)
> try_realm = client_realm
> ret = find_cred()
> krb5_realm_compare(...)
> while(1)
> ret = get_cred_from_kdc_flags(...)
>
>>get_cred_from_kdc_flags()
>
> ret = krb_copy_principal()
> try_realm = krb5_config_get_string(... "capaths" ...)
> try_realm = krb5_config_get_string(... "libdefaults", "capath" ...)
> try_realm = client_realm
> ret = find_cred()
> ret == 0
> krb5_appdefault_boolean(...)
> if (noaddr) was false
> ret = get_cred_kdc_la()
>
>>get_cred_kdc_la()
>>get_cred_kdc()
>>get_cred_kdc_usage()
>
> if(flags.b.enc_tkt_in_skey){
> ret = init_tgs_req()
> ASN1_MALLOC_ENCODE()
> again:
> ret = krb5_sendto_kdc_flags()
> if(decode_TGS_REP(...) == 0){
>
>>krb5_rd_error()
>
> < krb5_rd_error() .. returning 0
> } else if ( krb5_rd_error(...) == 0) {
> get_cred_kdc_usage() .. out:
> < get_cred_kdc_usage()
> < get_cred_kdc()
> < get_cred_kdc_la()
> if (ret) was true. something failed!
> < get_cred_from_kdc_flags()
> if (ret) was true: get_cred_from_kdc_flags() failed
> < get_cred_from_kdc_flags()
> if (ret) was true: get_cred_from_kdc_flags() failed
> < get_cred_from_kdc_flags()
> < krb5_get_cred_from_kdc_opt()
> < krb5_get_cred_from_kdc()
> FAILED! (step: -9)
> Server not found in Kerberos database.
>
>
>
> On 10/15/05, Buck Huppmann <buckh@pobox.com> wrote:
>
>>On Fri, Oct 14, 2005 at 11:08:45AM -0400, Jeremiah Martell wrote:
>>
>>>More information. I am very confused at this point:
>>>
>>>Below you will see my source code, and the results, and the resulting
>>
>>klist.
>>
>>>I have no idea what I could be doing wrong. (NOTE: if my mail client
>>
>>puts
>>
>>>any "http://" stuff in, please ignore it)
>>>
>>>Thanks,
>>>- Jeremiah
>>
>>first, is you LDAP server hostname really ``realm2.com''? otherwise,
>>you should change that. (i realize AD NTDS's will register an A record
>>for the name of the domain, but you should probably still use the host-
>>name)
>>
>>as more troubleshooting steps, you can change SERVER to
>>`"krbtgt/REALM2.COM@REALM1.COM" to see if you get a cross-realm TGT and
>>then move on to "krbtgt/REALM2.COM@REALM2.COM" to see if your cross-realm
>>TGT gets you an in-realm TGT. if either of those steps fail, it's a con-
>>fig or DNS issue. if they work, . . . ?
>>
>>at any rate, an easier way to get a service ticket is to use krb5_mk_req,
>>for future reference (although it *does* do a bit more work, creating an
>>authenticator and what not)
>>
>>good luck
>>
>>--buck
>>
>>
>>>-- source --
>>>
>>>#include <stdio.h>
>>>#include <
string.h>
>>>#include "krb5.h"
>>>
>>>char *getKrb5ErrorString( signed long int errNum );
>>>
>>>#define SERVER "
ldap/realm2.com@REALM2.COM"
>>>
>>>#define CLIENTNAME "username"
>>>#define CLIENTREALM "REALM1.COM <
http://REALM1.COM> <http://REALM1.COM>"
>>>#define CLIENTPASSWORD "password"
>>>
>>>int main( )
>>>{
>>>krb5_context krbcontext;
>>>krb5_principal krbprincipal;
>>>krb5_ccache krbcache;
>>>krb5_creds krbcreds;
>>>memset( &krbcreds, 0, sizeof( krb5_creds ) );
>>>
>>>krb5_creds increds;
>>>krb5_creds *outcreds;
>>>krb5_creds **tgtcreds;
>>>memset( &increds, 0, sizeof( krb5_creds ) );
>>>
>>>krb5_principal server;
>>>
>>>krb5_error_code kerr;
>>>
>>>int rc = -1;
>>>
>>>char *clientName = NULL;
>>>char *serverName = NULL;
>>>
>>>// get tgt, this works.
>>>printf( "init context...\n" ); fflush( stdout );
>>>if ( kerr = krb5_init_context( &krbcontext ) )
>>>{ rc = -2; goto f; }
>>>printf( "make principal...\n" ); fflush( stdout );
>>>if ( kerr = krb5_make_principal( krbcontext, &krbprincipal, CLIENTREALM,
>>>CLIENTNAME, NULL ) )
>>>{ rc = -3; goto f; }
>>>printf( "getting tgt...\n" ); fflush( stdout );
>>>if ( kerr = krb5_get_init_creds_password( krbcontext, &krbcreds,
>>>krbprincipal, CLIENTPASSWORD, NULL, NULL, 0, NULL, NULL ) )
>>>{ rc = -4; goto f; }
>>>
>>>// init cache, this works.
>>>printf( "cc default...\n" ); fflush( stdout );
>>>if ( kerr = krb5_cc_default(krbcontext, &krbcache ) )
>>>{ rc = -5; goto f; }
>>>printf( "cc init...\n" ); fflush( stdout );
>>>if ( kerr = krb5_cc_initialize ( krbcontext, krbcache,
krbcreds.client )
>>
>>)
>>
>>>{ rc = -6; goto f; }
>>>
>>>// store tgt in cache, this works.
>>>printf( "store creds in cc...\n" ); fflush ( stdout );
>>>if ( kerr = krb5_cc_store_cred( krbcontext, krbcache, &krbcreds ) )
>>>{ rc = -7; goto f; }
>>>
>>>printf( "parse name...\n" ); fflush ( stdout );
>>>if ( kerr = krb5_parse_name( krbcontext, SERVER, &server ) )
>>>{ rc = -8; goto f; }
>>>
>>>increds.client = krbprincipal;
>>>increds.server = server;
>>>printf( "unparse name...\n" ); fflush ( stdout );
>>>if ( kerr = krb5_unparse_name( krbcontext, krbprincipal, &clientName ) )
>>>{ rc = -90; goto f; }
>>>printf( "unparse name...\n" ); fflush ( stdout );
>>>if ( kerr = krb5_unparse_name( krbcontext, server, &serverName ) )
>>>{ rc = -91; goto f; }
>>>printf( "Printing clientName and serverName...\n" ); fflush ( stdout );
>>>printf( "client: %s\n", clientName );
>>>printf( "server: %s\n", serverName ); fflush( stdout );
>>>
>>>// get service ticket for ldap directory in LDAPREALM.COM<http://LDAPREALM.COM>
>>
>><
http://LDAPREALM.COM>
>>
>>>.
>>>//
>>>// krb5_get_credentials() .. didnt work
>>>// krb5_get_cred_from_kdc() .. didnt work
>>>//
>>>printf( "getting service ticket...\n" ); fflush( stdout );
>>>// if ( kerr = krb5_get_credentials( krbcontext, 0, krbcache, &increds,
>>>&outcreds ) )
>>>if ( kerr = krb5_get_cred_from_kdc( krbcontext, krbcache, &increds,
>>>&outcreds, &tgtcreds ) )
>>>{ rc = -9; goto f; }
>>>
>>>// store service ticket in cache, never reached
>>>printf( "store service ticket...\n" ); fflush( stdout );
>>>if ( kerr = krb5_cc_store_cred( krbcontext, krbcache, outcreds ) )
>>>{ rc = -10; goto f; }
>>>
>>>printf( "SUCCESS\n" );
>>>return 0;
>>>
>>>f:
>>>
>>>printf( "FAILED! (step: %d)\n%s\n", rc, getKrb5ErrorString( kerr) );
>>>return -1;
>>>
>>>}
>>>
>>>
>>>
>>>
>>>-- results --
>>>
>>>init context...
>>>make principal...
>>>getting tgt...
>>>cc default...
>>>cc init...
>>>store creds in cc...
>>>parse name...
>>>unparse name...
>>>unparse name...
>>>Printing clientName and serverName...
>>>client: username@REALM1.COM
>>>server: ldap/realm2.com@REALM2.COM
>>>getting service ticket...
>>>FAILED! (step: -9)
>>>Server not found in Kerberos database.
>>>
>>>
>>>
>>>
>>>-- When I do a klist it shows this --
>>>
>>>Ticket cache: FILE:/tmp/krb5cc_0
>>>Default principal: username@REALM1.COM
>>>
>>>Valid starting Expires Service principal
>>>10/14/05 11:00:20 10/14/05 21:00:20
krbtgt/REALM1.COM@REALM1.COM
>>>
>>>
>>>Kerberos 4 ticket cache: /tmp/tkt0
>>>klist: You have no tickets cached
>>>
>>>
>>>
>>>On 10/14/05, Jeremiah Martell <inlovewithgod@gmail.com> wrote:
>>>
>>>>Nope, that's my mail client being too smart for me. I don't have the
>>>>http:// in there. Just "LDAPREALM" plus a period "." plus the "COM"
>>
>>:-)
>>
>>>>- Jeremiah
>>>>
>>>>
>>>>On 10/14/05, Buck Huppmann <buckh@pobox.com> wrote:
>>>>
>>>>>On Thu, Oct 13, 2005 at 04:14:30PM -0400, Jeremiah Martell wrote:
>>>>>
>>>>>>This is still not working for me. An ethereal trace shows me
>>
>>trying to
>>
>>>>>get a
>>>>>
>>>>>>ticket for "krbtgt/.", which is really strange.
>>>>>
>>>>>>// the following values are hard-coded for now.
>>>>>>// make principal for server. works, but is it correct?
>>>>>>krb5_make_principal( krbcontext, &server,
>>>>>>"LDAPREALM.COM <http://LDAPREALM.COM> <http://LDAPREALM.COM><
>>
>>http://LDAPREALM.COM>",
>>
>>>>>>"ldap/ldaprealm.com", NULL );
>>>>>
>>>>>is this some sort of artifact of your MUA? or do you literally have
>>>>>that ``<http://...>'' junk in the realm string? if so, then it's
>>
>>pos-
>>
>>>>>sible to imagine heimdal (or any implementation) getting confused
>>
>>and
>>
>>>>>trying to get a cross-realm TGT for the ``.'' realm, in order to get
>>
>>a
>>
>>>>>cross-realm TGT for the ``COM>'' realm, in order to get . . .
>>>>>
>>>>
>>>>
>>>
>>>--
>>>- Jeremiah
>>>inlovewithGod@gmail.com
>>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
--
- Jeremiah
inlovewithGod@gmail.com