Untitled

a guest
Aug 3rd, 2017
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
default_realm = AUTHDEMO.IT
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
# Kernel keyring credential cache; the Java debug output further down
# reports the cache name /tmp/krb5cc_1000 instead.
default_ccache_name = KEYRING:persistent:%{uid}


[realms]
AUTHDEMO.IT = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt

}


[domain_realm]
.authdemo.it = AUTHDEMO.IT
authdemo.it = AUTHDEMO.IT

JaasDemo {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    principal=uclient
    debug=true;
};

import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import com.sun.security.auth.callback.TextCallbackHandler;

public class JaasDemo {

    // Returns null if the LoginContext cannot be created; otherwise returns
    // the context, whether or not authentication succeeded.
    public LoginContext login() {
        LoginContext lc = null;
        try {
            System.out.println("Initialize logincontext");
            // The name must match an entry in the file passed via
            // -Djava.security.auth.login.config (the entry above is "JaasDemo").
            lc = new LoginContext("JaasDemo", new TextCallbackHandler());
        } catch (LoginException | SecurityException le) {
            System.err.println("Cannot create LoginContext. " + le.getMessage());
            return lc;
        }

        try {
            // attempt authentication
            System.out.println("Attempt login");
            lc.login();
        } catch (LoginException le) {
            System.err.println("Authentication failed:");
            System.err.println(" " + le.getMessage());
            return lc;
        }

        System.out.println("Authentication succeeded!");
        return lc;
    }
}

java -Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true -Djava.security.auth.login.config=jaas.conf -jar myapp.jar

Initialize logincontext
Attempt login
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is uclient tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
>>>KinitOptions cache name is /tmp/krb5cc_1000
Principal is uclient@AUTHDEMO.IT
null credentials from Ticket Cache
**Login Handler invoked, providing username and password to login manager..**
[Krb5LoginModule] user entered username: uclient

Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
>>> KrbAsReq creating message
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=authdemo2.authdemo.it. UDP:88, timeout=30000, number of retries =3, #bytes=143
>>> KDCCommunication: kdc=authdemo2.authdemo.it. UDP:88, timeout=30000,Attempt =1, #bytes=143
>>> KrbKdcReq send: #bytes read=283
>>>Pre-Authentication Data:
PA-DATA type = 136

>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = REMOVED 3@, s2kparams = null
PA-ETYPE-INFO2 etype = 17, salt = REMOVED, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 133

>>> KdcAccessibility: remove authdemo2.authdemo.it.:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
cTime is Wed Jun 29 17:12:49 CEST 1988 583600369000
sTime is Wed Aug 02 15:53:28 CEST 2017 1501682008000
suSec is 981130
error code is 25
error Message is Additional pre-authentication required
cname is uclient@AUTHDEMO.IT
sname is krbtgt/AUTHDEMO.IT@AUTHDEMO.IT
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 136

>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = REMOVED 3@, s2kparams = null
PA-ETYPE-INFO2 etype = 17, salt = REMOVED, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 133

KRBError received: NEEDED_PREAUTH
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=authdemo2.authdemo.it. UDP:88, timeout=30000, number of retries =3, #bytes=225
>>> KDCCommunication: kdc=authdemo2.authdemo.it. UDP:88, timeout=30000,Attempt =1, #bytes=225
>>> KrbKdcReq send: #bytes read=674
>>> KdcAccessibility: remove authdemo2.authdemo.it.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply uclient
principal is uclient@AUTHDEMO.IT
Commit Succeeded

Authentication succeeded!


Subject.toString:
Principal: uclient@AUTHDEMO.IT
Private Credential: Ticket (hex) =
REMOVED TICKET DETAILS K.

Client Principal = uclient@AUTHDEMO.IT
Server Principal = krbtgt/AUTHDEMO.IT@AUTHDEMO.IT
Session Key = EncryptionKey: keyType=18 keyBytes (hex dump)=
REMOVED

Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Wed Aug 02 15:53:28 CEST 2017
Start Time = Wed Aug 02 15:53:28 CEST 2017
End Time = Thu Aug 03 15:53:28 CEST 2017
Renew Till = null
Client Addresses Null

klist -c /tmp/krb5cc_1000

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: otheruser@AUTHDEMO.IT

Valid starting       Expires              Service principal
08/02/2017 16:05:19  08/03/2017 16:05:13  krbtgt/AUTHDEMO.IT@AUTHDEMO.IT

Initialize logincontext
Attempt login
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is uclient tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
>>>KinitOptions cache name is /tmp/krb5cc_1000
java.io.IOException: Primary principals don't match.
    at sun.security.krb5.internal.ccache.FileCredentialsCache.load(FileCredentialsCache.java:179)
    at sun.security.krb5.internal.ccache.FileCredentialsCache.acquireInstance(FileCredentialsCache.java:82)
    at sun.security.krb5.internal.ccache.CredentialsCache.getInstance(CredentialsCache.java:83)
    at sun.security.krb5.Credentials.acquireTGTFromCache(Credentials.java:333)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:665)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at it.kerberosdemo.login.JaasDemo.login(JaasDemo.java:45)
    at it.kerberosdemo.login.JaasDemo.login(JaasDemo.java:27)
    at it.male.kerberosdemo.client.ClientMain.main(ClientMain.java:29)
Principal is uclient@AUTHDEMO.IT
null credentials from Ticket Cache
Login Handler invokerd, providing username and password to login manager..
[Krb5LoginModule] user entered username: uclient

Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
>>> KrbAsReq creating message
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=authdemo2.authdemo.it. UDP:88, timeout=30000, number of retries =3, #bytes=143
>>> KDCCommunication: kdc=authdemo2.authdemo.it. UDP:88, timeout=30000,Attempt =1, #bytes=143
>>> KrbKdcReq send: #bytes read=283
>>>Pre-Authentication Data:
PA-DATA type = 136

>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = REMOVED, s2kparams = null
PA-ETYPE-INFO2 etype = 17, salt = REMOVED, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 133

>>> KdcAccessibility: remove authdemo2.authdemo.it.:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
cTime is Mon Sep 22 16:38:56 CEST 2031 1947854336000
sTime is Wed Aug 02 16:07:05 CEST 2017 1501682825000
suSec is 803283
error code is 25
error Message is Additional pre-authentication required
cname is uclient@AUTHDEMO.IT
sname is krbtgt/AUTHDEMO.IT@AUTHDEMO.IT
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 136
...OMITTED IDENTICAL