
Re: Easiest way to get service ticket after obtaining tgt





Jeremiah Martell wrote:

> Here's some more information:
> 
> If I set SERVER to "krbtgt/REALM1.COM@REALM1.COM", it works;
> "krbtgt/REALM2.COM@REALM1.COM", it works; but "krbtgt/REALM2.COM@REALM2.COM"
> does not work.

You should not expect REALM2.COM to issue you a krbtgt/REALM2.COM@REALM2.COM,
using the krbtgt/REALM2.COM@REALM1.COM ticket. The krbtgt services are
treated differently.  What should work is that you can use the
krbtgt/REALM2.COM@REALM1.COM ticket against REALM2.COM to get some other
ticket like a host/your.host@REALM2.COM




> 
> I added lots of printf's to the heimdal source, and below you'll see the
> path it takes and where it fails. I'm still trying to analyze it, but if some
> heimdal guru could help me out, I would really appreciate it. :-)
> 
> Thanks,
> - Jeremiah
> 
> init context...
> make principal...
> getting tgt...
> 
>>krb5_rd_error()
> 
> < krb5_rd_error() .. returning 0
> cc default...
> cc init...
> store creds in cc...
> parse name...
> unparse name...
> unparse name...
> Printing clientName and serverName...
> client: username@REALM1.COM
> server: krbtgt/REALM2.COM@REALM2.COM
> getting service ticket...
> 
>>krb5_get_cred_from_kdc()
>>krb5_get_cred_from_kdc_opt()
>>get_cred_from_kdc_flags()
> 
> ret = krb_copy_principal()
> try_realm = krb5_config_get_string(... "capaths" ...)
> ret = find_cred()
> krb5_realm_compare(...)
> while(1)
> ret = get_cred_from_kdc_flags(...)
> 
>>get_cred_from_kdc_flags()
> 
> ret = krb_copy_principal()
> try_realm = krb5_config_get_string(... "capaths" ...)
> try_realm = krb5_config_get_string(... "libdefaults", "capath" ...)
> try_realm = client_realm
> ret = find_cred()
> krb5_realm_compare(...)
> while(1)
> ret = get_cred_from_kdc_flags(...)
> 
>>get_cred_from_kdc_flags()
> 
> ret = krb_copy_principal()
> try_realm = krb5_config_get_string(... "capaths" ...)
> try_realm = krb5_config_get_string(... "libdefaults", "capath" ...)
> try_realm = client_realm
> ret = find_cred()
> ret == 0
> krb5_appdefault_boolean(...)
> if (noaddr) was false
> ret = get_cred_kdc_la()
> 
>>get_cred_kdc_la()
>>get_cred_kdc()
>>get_cred_kdc_usage()
> 
> if(flags.b.enc_tkt_in_skey){
> ret = init_tgs_req()
> ASN1_MALLOC_ENCODE()
> again:
> ret = krb5_sendto_kdc_flags()
> if(decode_TGS_REP(...) == 0){
> 
>>krb5_rd_error()
> 
> < krb5_rd_error() .. returning 0
> } else if ( krb5_rd_error(...) == 0) {
> get_cred_kdc_usage() .. out:
> < get_cred_kdc_usage()
> < get_cred_kdc()
> < get_cred_kdc_la()
> if (ret) was true. something failed!
> < get_cred_from_kdc_flags()
> if (ret) was true: get_cred_from_kdc_flags() failed
> < get_cred_from_kdc_flags()
> if (ret) was true: get_cred_from_kdc_flags() failed
> < get_cred_from_kdc_flags()
> < krb5_get_cred_from_kdc_opt()
> < krb5_get_cred_from_kdc()
> FAILED! (step: -9)
> Server not found in Kerberos database.
> 
> 
> 
> On 10/15/05, Buck Huppmann <buckh@pobox.com> wrote:
> 
>>On Fri, Oct 14, 2005 at 11:08:45AM -0400, Jeremiah Martell wrote:
>>
>>>More information. I am very confused at this point:
>>>
>>>Below you will see my source code, and the results, and the resulting
>>>klist.
>>>
>>>I have no idea what I could be doing wrong. (NOTE: if my mail client puts
>>>any "http://" stuff in, please ignore it)
>>>
>>>Thanks,
>>>- Jeremiah
>>
>>first, is your LDAP server hostname really ``realm2.com''? otherwise,
>>you should change that. (i realize AD NTDS's will register an A record
>>for the name of the domain, but you should probably still use the
>>hostname)
>>
>>as more troubleshooting steps, you can change SERVER to
>>"krbtgt/REALM2.COM@REALM1.COM" to see if you get a cross-realm TGT and
>>then move on to "krbtgt/REALM2.COM@REALM2.COM" to see if your cross-realm
>>TGT gets you an in-realm TGT. if either of those steps fail, it's a
>>config or DNS issue. if they work, . . . ?
>>
>>at any rate, an easier way to get a service ticket is to use krb5_mk_req,
>>for future reference (although it *does* do a bit more work, creating an
>>authenticator and what not)
>>
>>good luck
>>
>>--buck
>>
>>
>>>-- source --
>>>
>>>#include <stdio.h>
>>>#include <string.h>
>>>#include "krb5.h"
>>>
>>>/* helper defined elsewhere in the poster's code (not included in the mail) */
>>>char *getKrb5ErrorString( signed long int errNum );
>>>
>>>#define SERVER "ldap/realm2.com@REALM2.COM"
>>>
>>>#define CLIENTNAME "username"
>>>#define CLIENTREALM "REALM1.COM"
>>>#define CLIENTPASSWORD "password"
>>>
>>>int main( )
>>>{
>>>krb5_context krbcontext;
>>>krb5_principal krbprincipal;
>>>krb5_ccache krbcache;
>>>krb5_creds krbcreds;
>>>memset( &krbcreds, 0, sizeof( krb5_creds ) );
>>>
>>>krb5_creds increds;
>>>krb5_creds *outcreds;
>>>krb5_creds **tgtcreds = NULL; /* must start as NULL: the library appends to this list */
>>>memset( &increds, 0, sizeof( krb5_creds ) );
>>>
>>>krb5_principal server;
>>>
>>>krb5_error_code kerr;
>>>
>>>int rc = -1;
>>>
>>>char *clientName = NULL;
>>>char *serverName = NULL;
>>>
>>>// get tgt, this works.
>>>printf( "init context...\n" ); fflush( stdout );
>>>if ( kerr = krb5_init_context( &krbcontext ) )
>>>{ rc = -2; goto f; }
>>>printf( "make principal...\n" ); fflush( stdout );
>>>if ( kerr = krb5_make_principal( krbcontext, &krbprincipal, CLIENTREALM,
>>>CLIENTNAME, NULL ) )
>>>{ rc = -3; goto f; }
>>>printf( "getting tgt...\n" ); fflush( stdout );
>>>if ( kerr = krb5_get_init_creds_password( krbcontext, &krbcreds,
>>>krbprincipal, CLIENTPASSWORD, NULL, NULL, 0, NULL, NULL ) )
>>>{ rc = -4; goto f; }
>>>
>>>// init cache, this works.
>>>printf( "cc default...\n" ); fflush( stdout );
>>>if ( kerr = krb5_cc_default( krbcontext, &krbcache ) )
>>>{ rc = -5; goto f; }
>>>printf( "cc init...\n" ); fflush( stdout );
>>>if ( kerr = krb5_cc_initialize( krbcontext, krbcache, krbcreds.client ) )
>>>{ rc = -6; goto f; }
>>>
>>>// store tgt in cache, this works.
>>>printf( "store creds in cc...\n" ); fflush( stdout );
>>>if ( kerr = krb5_cc_store_cred( krbcontext, krbcache, &krbcreds ) )
>>>{ rc = -7; goto f; }
>>>
>>>printf( "parse name...\n" ); fflush( stdout );
>>>if ( kerr = krb5_parse_name( krbcontext, SERVER, &server ) )
>>>{ rc = -8; goto f; }
>>>
>>>increds.client = krbprincipal;
>>>increds.server = server;
>>>printf( "unparse name...\n" ); fflush( stdout );
>>>if ( kerr = krb5_unparse_name( krbcontext, krbprincipal, &clientName ) )
>>>{ rc = -90; goto f; }
>>>printf( "unparse name...\n" ); fflush( stdout );
>>>if ( kerr = krb5_unparse_name( krbcontext, server, &serverName ) )
>>>{ rc = -91; goto f; }
>>>printf( "Printing clientName and serverName...\n" ); fflush( stdout );
>>>printf( "client: %s\n", clientName );
>>>printf( "server: %s\n", serverName ); fflush( stdout );
>>>
>>>// get service ticket for ldap directory in LDAPREALM.COM.
>>>//
>>>// krb5_get_credentials() .. didnt work
>>>// krb5_get_cred_from_kdc() .. didnt work
>>>//
>>>printf( "getting service ticket...\n" ); fflush( stdout );
>>>// if ( kerr = krb5_get_credentials( krbcontext, 0, krbcache, &increds,
>>>//                                   &outcreds ) )
>>>if ( kerr = krb5_get_cred_from_kdc( krbcontext, krbcache, &increds,
>>>&outcreds, &tgtcreds ) )
>>>{ rc = -9; goto f; }
>>>
>>>// store service ticket in cache, never reached
>>>printf( "store service ticket...\n" ); fflush( stdout );
>>>if ( kerr = krb5_cc_store_cred( krbcontext, krbcache, outcreds ) )
>>>{ rc = -10; goto f; }
>>>
>>>printf( "SUCCESS\n" );
>>>return 0;
>>>
>>>f:
>>>
>>>printf( "FAILED! (step: %d)\n%s\n", rc, getKrb5ErrorString( kerr ) );
>>>return -1;
>>>
>>>}
>>>
>>>
>>>
>>>
>>>-- results --
>>>
>>>init context...
>>>make principal...
>>>getting tgt...
>>>cc default...
>>>cc init...
>>>store creds in cc...
>>>parse name...
>>>unparse name...
>>>unparse name...
>>>Printing clientName and serverName...
>>>client: username@REALM1.COM
>>>server: ldap/realm2.com@REALM2.COM
>>>getting service ticket...
>>>FAILED! (step: -9)
>>>Server not found in Kerberos database.
>>>
>>>
>>>
>>>
>>>-- When I do a klist it shows this --
>>>
>>>Ticket cache: FILE:/tmp/krb5cc_0
>>>Default principal: username@REALM1.COM
>>>
>>>Valid starting Expires Service principal
>>>10/14/05 11:00:20 10/14/05 21:00:20 krbtgt/REALM1.COM@REALM1.COM
>>>
>>>
>>>Kerberos 4 ticket cache: /tmp/tkt0
>>>klist: You have no tickets cached
>>>
>>>
>>>
>>>On 10/14/05, Jeremiah Martell <inlovewithgod@gmail.com> wrote:
>>>
>>>>Nope, that's my mail client being too smart for me. I don't have the
>>>>http:// in there. Just "LDAPREALM" plus a period "." plus the "COM" :-)
>>
>>>>- Jeremiah
>>>>
>>>>
>>>>On 10/14/05, Buck Huppmann <buckh@pobox.com> wrote:
>>>>
>>>>>On Thu, Oct 13, 2005 at 04:14:30PM -0400, Jeremiah Martell wrote:
>>>>>
>>>>>>This is still not working for me. An ethereal trace shows me trying to
>>>>>>get a ticket for "krbtgt/.", which is really strange.
>>>>>
>>>>>>// the following values are hard-coded for now.
>>>>>>// make principal for server. works, but is it correct?
>>>>>>krb5_make_principal( krbcontext, &server,
>>>>>>"LDAPREALM.COM <http://LDAPREALM.COM> <http://LDAPREALM.COM><http://LDAPREALM.COM>",
>>>>>>"ldap/ldaprealm.com", NULL );
>>>>>
>>>>>is this some sort of artifact of your MUA? or do you literally have
>>>>>that ``<http://...>'' junk in the realm string? if so, then it's
>>>>>possible to imagine heimdal (or any implementation) getting confused
>>>>>and trying to get a cross-realm TGT for the ``.'' realm, in order to
>>>>>get a cross-realm TGT for the ``COM>'' realm, in order to get . . .
>>>>>
>>>>
>>>>
>>>
>>>--
>>>- Jeremiah
>>>inlovewithGod@gmail.com
>>
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
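The following is an added example, not code from the thread or from Heimdal: a small C model of the realm walk the poster's trace shows (consult [capaths], else go directly via the client realm's KDC) and of the point in the reply at the top, that a cross-realm TGT krbtgt/REALM2.COM@REALM1.COM is used at REALM2.COM's KDC for ordinary services such as host/your.host@REALM2.COM, not for krbtgt/REALM2.COM@REALM2.COM. The REALM3.COM realm and the capaths entry are made up for the example, and the foreign-krbtgt check encodes the reply's advice rather than any particular KDC's behaviour.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model (not Heimdal code) of the realm walk the trace above shows:
 * consult [capaths] for an intermediate realm, else go direct via the client
 * realm's KDC. The capaths entry and REALM3.COM are made up for this example. */
struct capath { const char *client_realm, *server_realm, *via; };
static const struct capath CAPATHS[] = {
    { "REALM1.COM", "REALM3.COM", "REALM2.COM" },  /* REALM1 -> REALM2 -> REALM3 */
};
#define NCAPATHS (sizeof CAPATHS / sizeof CAPATHS[0])
#define PLEN 128
static const char *realm_of(const char *p) { const char *a = strrchr(p, '@'); return a ? a + 1 : ""; }

/* The reply's point: krbtgt/SR@CR lets you ask SR's KDC for ordinary services,
 * not for SR's own krbtgt/SR@SR. Returns 1 when the request is the latter. */
int is_foreign_local_tgt(const char *client_realm, const char *server) {
    const char *srealm = realm_of(server);
    size_t n = strlen(srealm);
    return !strncmp(server, "krbtgt/", 7) && !strncmp(server + 7, srealm, n)
        && server[7 + n] == '@' && strcmp(srealm, client_realm) != 0;
}

/* Fill chain[] with the tickets needed in order, from the initial TGT to the
 * service ticket. Returns the count, or -1 if the request cannot be satisfied. */
int plan_tgt_chain(const char *client_realm, const char *server, char chain[][PLEN], int max) {
    const char *cur = client_realm, *srealm = realm_of(server);
    int n = 0;
    if (!*srealm || max < 2 || is_foreign_local_tgt(client_realm, server)) return -1;
    snprintf(chain[n++], PLEN, "krbtgt/%s@%s", cur, cur);      /* AS-REQ (kinit) */
    while (strcmp(cur, srealm) != 0) {
        const char *next = srealm;                             /* default: direct */
        for (size_t i = 0; i < NCAPATHS; i++)
            if (!strcmp(CAPATHS[i].client_realm, cur) && !strcmp(CAPATHS[i].server_realm, srealm))
                next = CAPATHS[i].via;
        if (n >= max - 1) return -1;                           /* path too long */
        snprintf(chain[n++], PLEN, "krbtgt/%s@%s", next, cur); /* TGS-REQ to cur's KDC */
        cur = next;
    }
    snprintf(chain[n++], PLEN, "%s", server);                  /* TGS-REQ to srealm's KDC */
    return n;
}

/* Check helpers: plan length, and whether step idx of the plan equals expect. */
int plan_len(const char *c, const char *s) { char ch[8][PLEN]; return plan_tgt_chain(c, s, ch, 8); }
int plan_step_is(const char *c, const char *s, int idx, const char *expect) {
    char ch[8][PLEN];
    int n = plan_tgt_chain(c, s, ch, 8);
    return idx < n && strcmp(ch[idx], expect) == 0;
}
```

Run against the poster's three SERVER values, the model returns a two-ticket plan for krbtgt/REALM2.COM@REALM1.COM, a three-ticket plan for a host service in REALM2.COM, and refuses krbtgt/REALM2.COM@REALM2.COM.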