Untitled

a guest
Aug 2nd, 2017
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = AUTHDEMO.IT
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  AUTHDEMO.IT = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .authdemo.it = AUTHDEMO.IT
  authdemo.it = AUTHDEMO.IT

JaasDemo {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true
  principal=uclient
  debug=true; /**Useful for debug, look at jaasclient.sh for other options**/
};

import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.callback.TextCallbackHandler;

public LoginContext login(){
    LoginContext lc = null;
    try {
        System.out.println("Initialize logincontext");
        // The name must match an entry in the JAAS configuration (JaasDemo above)
        lc = new LoginContext("JaasDemo",
                new TextCallbackHandler());
    } catch (LoginException | SecurityException le) {
        System.err.println("Cannot create LoginContext. "
                + le.getMessage());
        return lc; // still null here
    }

    try {
        // attempt authentication
        System.out.println("Attempt login");
        lc.login();
    } catch (LoginException le) {
        System.err.println("Authentication failed:");
        System.err.println(" " + le.getMessage());
        return lc; // context exists but carries no authenticated Subject
    }

    System.out.println("Authentication succeeded!");
    return lc;
}

java -Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true -Djava.security.auth.login.config=jaas.conf -jar myapp.jar

Initialize logincontext
Attempt login
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is uclient tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
>>>KinitOptions cache name is /tmp/krb5cc_1000
Principal is uclient@AUTHDEMO.IT
null credentials from Ticket Cache
**Login Handler invoked, providing username and password to login manager..**
[Krb5LoginModule] user entered username: uclient

Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
>>> KrbAsReq creating message
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=authdemo2.authdemo.it. UDP:88, timeout=30000, number of retries =3, #bytes=143
>>> KDCCommunication: kdc=authdemo2.authdemo.it. UDP:88, timeout=30000,Attempt =1, #bytes=143
>>> KrbKdcReq send: #bytes read=283
>>>Pre-Authentication Data:
PA-DATA type = 136

>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = REMOVED 3@, s2kparams = null
PA-ETYPE-INFO2 etype = 17, salt = REMOVED, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 133

>>> KdcAccessibility: remove authdemo2.authdemo.it.:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
cTime is Wed Jun 29 17:12:49 CEST 1988 583600369000
sTime is Wed Aug 02 15:53:28 CEST 2017 1501682008000
suSec is 981130
error code is 25
error Message is Additional pre-authentication required
cname is uclient@AUTHDEMO.IT
sname is krbtgt/AUTHDEMO.IT@AUTHDEMO.IT
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 136

>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = REMOVED 3@, s2kparams = null
PA-ETYPE-INFO2 etype = 17, salt = REMOVED, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 133

KRBError received: NEEDED_PREAUTH
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=authdemo2.authdemo.it. UDP:88, timeout=30000, number of retries =3, #bytes=225
>>> KDCCommunication: kdc=authdemo2.authdemo.it. UDP:88, timeout=30000,Attempt =1, #bytes=225
>>> KrbKdcReq send: #bytes read=674
>>> KdcAccessibility: remove authdemo2.authdemo.it.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply uclient
principal is uclient@AUTHDEMO.IT
Commit Succeeded

Authentication succeeded!

Subject.toString:
Principal: uclient@AUTHDEMO.IT
Private Credential: Ticket (hex) =
REMOVED TICKET DETAILS K.

Client Principal = uclient@AUTHDEMO.IT
Server Principal = krbtgt/AUTHDEMO.IT@AUTHDEMO.IT
Session Key = EncryptionKey: keyType=18 keyBytes (hex dump)=
REMOVED

Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Wed Aug 02 15:53:28 CEST 2017
Start Time = Wed Aug 02 15:53:28 CEST 2017
End Time = Thu Aug 03 15:53:28 CEST 2017
Renew Till = null
Client Addresses Null

klist -c /tmp/krb5cc_1000
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: otheruser@AUTHDEMO.IT

Valid starting       Expires              Service principal
08/02/2017 16:05:19  08/03/2017 16:05:13  krbtgt/AUTHDEMO.IT@AUTHDEMO.IT

Initialize logincontext
Attempt login
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is uclient tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
>>>KinitOptions cache name is /tmp/krb5cc_1000
java.io.IOException: Primary principals don't match.
    at sun.security.krb5.internal.ccache.FileCredentialsCache.load(FileCredentialsCache.java:179)
    at sun.security.krb5.internal.ccache.FileCredentialsCache.acquireInstance(FileCredentialsCache.java:82)
    at sun.security.krb5.internal.ccache.CredentialsCache.getInstance(CredentialsCache.java:83)
    at sun.security.krb5.Credentials.acquireTGTFromCache(Credentials.java:333)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:665)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at it.kerberosdemo.login.JaasDemo.login(JaasDemo.java:45)
    at it.kerberosdemo.login.JaasDemo.login(JaasDemo.java:27)
    at it.male.kerberosdemo.client.ClientMain.main(ClientMain.java:29)
Principal is uclient@AUTHDEMO.IT
null credentials from Ticket Cache
Login Handler invokerd, providing username and password to login manager..
[Krb5LoginModule] user entered username: uclient

Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
>>> KrbAsReq creating message
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=authdemo2.authdemo.it. UDP:88, timeout=30000, number of retries =3, #bytes=143
>>> KDCCommunication: kdc=authdemo2.authdemo.it. UDP:88, timeout=30000,Attempt =1, #bytes=143
>>> KrbKdcReq send: #bytes read=283
>>>Pre-Authentication Data:
PA-DATA type = 136

>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = REMOVED, s2kparams = null
PA-ETYPE-INFO2 etype = 17, salt = REMOVED, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 133

>>> KdcAccessibility: remove authdemo2.authdemo.it.:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
cTime is Mon Sep 22 16:38:56 CEST 2031 1947854336000
sTime is Wed Aug 02 16:07:05 CEST 2017 1501682825000
suSec is 803283
error code is 25
error Message is Additional pre-authentication required
cname is uclient@AUTHDEMO.IT
sname is krbtgt/AUTHDEMO.IT@AUTHDEMO.IT
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 136
...OMITTED IDENTICAL