
Re: Easiest way to get service ticket after obtaining tgt



Here's some more information:

If I set SERVER to "krbtgt/REALM1.COM@REALM1.COM", it works; "krbtgt/REALM2.COM@REALM1.COM", it works; but "krbtgt/REALM2.COM@REALM2.COM" does not work.

I added lots of printf's to the heimdal source, and below you'll see the path it takes and where it fails. I'm still trying to analyze it, but if some heimdal guru could help me out, I would really appreciate it. :-)

   Thanks,
 - Jeremiah

init context...
make principal...
getting tgt...
> krb5_rd_error()
< krb5_rd_error() .. returning 0
cc default...
cc init...
store creds in cc...
parse name...
unparse name...
unparse name...
Printing clientName and serverName...
client: username@REALM1.COM
server: krbtgt/REALM2.COM@REALM2.COM
getting service ticket...
> krb5_get_cred_from_kdc()
> krb5_get_cred_from_kdc_opt()
> get_cred_from_kdc_flags()
    ret = krb_copy_principal()
    try_realm = krb5_config_get_string(... "capaths" ...)
    ret = find_cred()
    krb5_realm_compare(...)
    while(1)
    ret = get_cred_from_kdc_flags(...)
> get_cred_from_kdc_flags()
    ret = krb_copy_principal()
    try_realm = krb5_config_get_string(... "capaths" ...)
    try_realm = krb5_config_get_string(... "libdefaults", "capath" ...)
    try_realm = client_realm
    ret = find_cred()
    krb5_realm_compare(...)
    while(1)
    ret = get_cred_from_kdc_flags(...)
> get_cred_from_kdc_flags()
    ret = krb_copy_principal()
    try_realm = krb5_config_get_string(... "capaths" ...)
    try_realm = krb5_config_get_string(... "libdefaults", "capath" ...)
    try_realm = client_realm
    ret = find_cred()
    ret == 0
    krb5_appdefault_boolean(...)
    if (noaddr) was false
    ret = get_cred_kdc_la()
> get_cred_kdc_la()
> get_cred_kdc()
> get_cred_kdc_usage()
    if(flags.b.enc_tkt_in_skey){
    ret = init_tgs_req()
    ASN1_MALLOC_ENCODE()
    again:
    ret = krb5_sendto_kdc_flags()
    if(decode_TGS_REP(...) == 0){
> krb5_rd_error()
< krb5_rd_error() .. returning 0
    } else if ( krb5_rd_error(...) == 0) {
    get_cred_kdc_usage() .. out:
< get_cred_kdc_usage()
< get_cred_kdc()
< get_cred_kdc_la()
    if (ret) was true. something failed!
< get_cred_from_kdc_flags()
    if (ret) was true: get_cred_from_kdc_flags() failed
< get_cred_from_kdc_flags()
    if (ret) was true: get_cred_from_kdc_flags() failed
< get_cred_from_kdc_flags()
< krb5_get_cred_from_kdc_opt()
< krb5_get_cred_from_kdc()
FAILED! (step: -9)
Server not found in Kerberos database.



On 10/15/05, Buck Huppmann <buckh@pobox.com> wrote:
On Fri, Oct 14, 2005 at 11:08:45AM -0400, Jeremiah Martell wrote:
> More information. I am very confused at this point:
>
> Below you will see my source code, and the results, and the resulting klist.
> I have no idea what I could be doing wrong. (NOTE: if my mail client puts
> any "http://" stuff in, please ignore it)
>
> Thanks,
> - Jeremiah

first, is your LDAP server hostname really ``realm2.com''? otherwise,
you should change that. (i realize AD NTDS's will register an A record
for the name of the domain, but you should probably still use the
hostname)

as more troubleshooting steps, you can change SERVER to
"krbtgt/REALM2.COM@REALM1.COM" to see if you get a cross-realm TGT and
then move on to "krbtgt/REALM2.COM@REALM2.COM" to see if your cross-realm
TGT gets you an in-realm TGT. if either of those steps fail, it's a
config or DNS issue. if they work, . . . ?

at any rate, an easier way to get a service ticket is to use krb5_mk_req,
for future reference (although it *does* do a bit more work, creating an
authenticator and what not)

good luck

--buck

>
> -- source --
>
> #include <stdio.h>
> #include <string.h>
> #include "krb5.h"
>
> const char *getKrb5ErrorString( krb5_context ctx, krb5_error_code errNum );
>
> #define SERVER "ldap/realm2.com@REALM2.COM"
>
> #define CLIENTNAME "username"
> #define CLIENTREALM "REALM1.COM"
> #define CLIENTPASSWORD "password"
>
> int main( )
> {
>   // NULL so the error path can still be reported if krb5_init_context fails.
>   krb5_context krbcontext = NULL;
>   krb5_principal krbprincipal;
>   krb5_ccache krbcache;
>   krb5_creds krbcreds;
>   memset( &krbcreds, 0, sizeof( krb5_creds ) );
>
>   krb5_creds increds;
>   krb5_creds *outcreds = NULL;
>   // the library appends any cross-realm TGTs it fetches to this list,
>   // so it must start out NULL rather than uninitialized.
>   krb5_creds **tgtcreds = NULL;
>   memset( &increds, 0, sizeof( krb5_creds ) );
>
>   krb5_principal server;
>
>   krb5_error_code kerr = 0;
>
>   int rc = -1;
>
>   char *clientName = NULL;
>   char *serverName = NULL;
>
>   // get tgt, this works.
>   printf( "init context...\n" ); fflush( stdout );
>   if ( kerr = krb5_init_context( &krbcontext ) )
>     { rc = -2; goto f; }
>   printf( "make principal...\n" ); fflush( stdout );
>   if ( kerr = krb5_make_principal( krbcontext, &krbprincipal, CLIENTREALM,
>                                    CLIENTNAME, NULL ) )
>     { rc = -3; goto f; }
>   printf( "getting tgt...\n" ); fflush( stdout );
>   if ( kerr = krb5_get_init_creds_password( krbcontext, &krbcreds,
>                                             krbprincipal, CLIENTPASSWORD,
>                                             NULL, NULL, 0, NULL, NULL ) )
>     { rc = -4; goto f; }
>
>   // init cache, this works.
>   printf( "cc default...\n" ); fflush( stdout );
>   if ( kerr = krb5_cc_default( krbcontext, &krbcache ) )
>     { rc = -5; goto f; }
>   printf( "cc init...\n" ); fflush( stdout );
>   if ( kerr = krb5_cc_initialize( krbcontext, krbcache, krbcreds.client ) )
>     { rc = -6; goto f; }
>
>   // store tgt in cache, this works.
>   printf( "store creds in cc...\n" ); fflush( stdout );
>   if ( kerr = krb5_cc_store_cred( krbcontext, krbcache, &krbcreds ) )
>     { rc = -7; goto f; }
>
>   printf( "parse name...\n" ); fflush( stdout );
>   if ( kerr = krb5_parse_name( krbcontext, SERVER, &server ) )
>     { rc = -8; goto f; }
>
>   increds.client = krbprincipal;
>   increds.server = server;
>   printf( "unparse name...\n" ); fflush( stdout );
>   if ( kerr = krb5_unparse_name( krbcontext, krbprincipal, &clientName ) )
>     { rc = -90; goto f; }
>   printf( "unparse name...\n" ); fflush( stdout );
>   if ( kerr = krb5_unparse_name( krbcontext, server, &serverName ) )
>     { rc = -91; goto f; }
>   printf( "Printing clientName and serverName...\n" ); fflush( stdout );
>   printf( "client: %s\n", clientName );
>   printf( "server: %s\n", serverName ); fflush( stdout );
>
>   // get service ticket for ldap directory in LDAPREALM.COM.
>   //
>   // krb5_get_credentials() .. didnt work
>   // krb5_get_cred_from_kdc() .. didnt work
>   //
>   printf( "getting service ticket...\n" ); fflush( stdout );
>   // if ( kerr = krb5_get_credentials( krbcontext, 0, krbcache, &increds,
>   //                                   &outcreds ) )
>   if ( kerr = krb5_get_cred_from_kdc( krbcontext, krbcache, &increds,
>                                       &outcreds, &tgtcreds ) )
>     { rc = -9; goto f; }
>
>   // store service ticket in cache, never reached
>   printf( "store service ticket...\n" ); fflush( stdout );
>   if ( kerr = krb5_cc_store_cred( krbcontext, krbcache, outcreds ) )
>     { rc = -10; goto f; }
>
>   printf( "SUCCESS\n" );
>   return 0;
>
>   f:
>
>   printf( "FAILED! (step: %d)\n%s\n", rc, getKrb5ErrorString( krbcontext, kerr ) );
>   return -1;
>
> }
>
> // Defined here so the program links (the post only declared it).
> // Heimdal's krb5_get_err_text() falls back to strerror() when ctx is NULL.
> const char *getKrb5ErrorString( krb5_context ctx, krb5_error_code errNum )
> {
>   return krb5_get_err_text( ctx, errNum );
> }
>
>
>
>
> -- results --
>
> init context...
> make principal...
> getting tgt...
> cc default...
> cc init...
> store creds in cc...
> parse name...
> unparse name...
> unparse name...
> Printing clientName and serverName...
> client: username@REALM1.COM
> server: ldap/realm2.com@REALM2.COM
> getting service ticket...
> FAILED! (step: -9)
> Server not found in Kerberos database.
>
>
>
>
> -- When I do a klist it shows this --
>
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: username@REALM1.COM
>
> Valid starting Expires Service principal
> 10/14/05 11:00:20 10/14/05 21:00:20 krbtgt/REALM1.COM@REALM1.COM
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
>
>
> On 10/14/05, Jeremiah Martell <inlovewithgod@gmail.com> wrote:
> >
> > Nope, that's my mail client being too smart for me. I don't have the
> > http:// in there. Just "LDAPREALM" plus a period "." plus the "COM" :-)
> >
> > - Jeremiah
> >
> >
> > On 10/14/05, Buck Huppmann <buckh@pobox.com> wrote:
> > >
> > > On Thu, Oct 13, 2005 at 04:14:30PM -0400, Jeremiah Martell wrote:
> > > > This is still not working for me. An ethereal trace shows me trying to
> > > > get a ticket for "krbtgt/.", which is really strange.
> > >
> > > > // the following values are hard-coded for now.
> > > > // make principal for server. works, but is it correct?
> > > > krb5_make_principal( krbcontext, &server,
> > > > " LDAPREALM.COM <http://LDAPREALM.COM><http://LDAPREALM.COM>",
> > > > "ldap/ldaprealm.com", NULL );
> > >
> > > is this some sort of artifact of your MUA? or do you literally have
> > > that ``<http://...>'' junk in the realm string? if so, then it's pos-
> > > sible to imagine heimdal (or any implementation) getting confused and
> > > trying to get a cross-realm TGT for the ``.'' realm, in order to get a
> > > cross-realm TGT for the ``COM>'' realm, in order to get . . .
> > >
> >
> >
>
>
> --
> - Jeremiah
> inlovewithGod@gmail.com
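Buck's guess above is that junk pasted into the realm string makes the library chase a cross-realm TGT for the "." realm. As an added example (not code from this thread or from Heimdal), here is a small C parser for the component/realm syntax that rejects such strings before they reach the library; `parse_principal` and `struct principal` are hypothetical names, and the sample inputs are constructed from the names used in the thread.

```c
#include <string.h>
#include <ctype.h>

/* Hypothetical helper, not Heimdal code: parses "comp1/comp2@REALM" using
 * krb5_parse_name's backslash rule ("\/" and "\@" are literal) and rejects
 * what went wrong in this thread: whitespace or angle brackets pasted into
 * a name, an empty component, or a missing realm. */
#define MAXCOMP 4
#define MAXLEN  64

struct principal {
    int  ncomp;
    char comp[MAXCOMP][MAXLEN];
    char realm[MAXLEN];
};

static int valid_char(char c)
{
    return isgraph((unsigned char)c) && c != '<' && c != '>';
}

/* Returns 0 and fills *p on success, -1 on a malformed name. */
int parse_principal(const char *s, struct principal *p)
{
    char *dst;
    size_t len = 0;
    int in_realm = 0;

    memset(p, 0, sizeof(*p));
    p->ncomp = 1;
    dst = p->comp[0];
    for (; *s; s++) {
        char c = *s;
        if (c == '\\' && s[1]) {                /* escaped separator */
            c = *++s;
        } else if (c == '/' && !in_realm) {     /* next component */
            if (len == 0 || p->ncomp == MAXCOMP) return -1;
            dst = p->comp[p->ncomp++]; len = 0; continue;
        } else if (c == '@' && !in_realm) {     /* start of realm */
            if (len == 0) return -1;
            dst = p->realm; in_realm = 1; len = 0; continue;
        } else if (c == '@' || c == '/') {      /* separator inside realm */
            return -1;
        }
        if (!valid_char(c) || len + 1 >= MAXLEN) return -1;
        dst[len++] = c;
    }
    return (len == 0 || !in_realm) ? -1 : 0;   /* empty tail or no realm */
}
```

Run over the strings from this thread, the clean names parse while the ones carrying a trailing space or a `<http://...>` suffix are rejected.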