[38406] in Kerberos
Kerberos Authentication Fails
daemon@ATHENA.MIT.EDU (Hari Prasanth Loganathan)
Thu Jan 3 13:56:03 2019
MIME-Version: 1.0
From: Hari Prasanth Loganathan <hariprasanth.l@msystechnologies.com>
Date: Fri, 4 Jan 2019 00:25:30 +0530
Message-ID: <CAHMzDShao2qi21xZ02jbJT+6mjuqYo_OT1g3+gdbXR2Aaqp_cg@mail.gmail.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi Team,
I have installed the
i) FreeIPA server which internally has the kerberos
server in Machine 1 and
ii) Installed the Free IPA client which internally has
the kerberos client in Machine 2
I configured using the link :
https://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/
and It is successfully configured.
When I try to test this using the python code
http://python-notes.curiousefficiency.org/en/latest/python_kerberos.html#wrapping-this-up-in-a-helper-class
While verifying
In the first negotiation, I get the following ticket in header with 401
unauthorized error,
Negotiate YIIEsQYJKoZIhvcSAQICAQBuggSgMIIEnKADAgEFoQMCAQ6iBwMFACAAAACjggOuYYIDqjCCA6agAwIBBaEQGw5NU1lTSVBBUUNTLkNPTaIrMCmgAwIBA6EiMCAbBEhUVFAbGG9wZW5zdGFjay5tc3lzaXBhcWNzLmNvbaOCA14wggNaoAMCARKhAwIBAaKCA0wEggNIq+XqxtoG1oqytbke8GM8YnGMPP9pbp8iLUmmvBRPWf4aoHxVbLgnyUqgN5Q/dAK8lR92qd7XHNRRdKusKSBE+Efc4Ws2pV9mLt36iY+AydCtz8gb7Bk7cHpLPBAfd5y2D2gR3yMyHkCVPiGdkPA0IN4Br6z15dr/guv1TJXMEc6VJOS/Rj1fFeidBvD6IhmWmfx6HtezG64zbhVfK7QkZv36gcyqSXlDK9z5y7vwKb5qfdXd2gX9cH/W9fC14eUoQSgFmB9z/s0wijHBrQruEWuF0PUx61rlqpP44d8S+3FCH6fk3lVmeOpvDObNgC+q4guoKhAYKQPA+DBE2foCL2ceLDwgfN/FhJ5UysGbWGAMY7YZbp8HlOORPl3roFMTzpg1htoxDDL6hVLInxcze9XNDwgYhAdlgun+9a5MEjwd9u7jTjK2EKmAKq+3kW0ozKRexPbD2nxvwN1YxsFZ96WWQpB/uF0Pe3g0JQCbjzeNeZGyrKa1GF7QPWdTJfxTqx7T3vqbNUXvdZhfcBy4aQQu50Qsvk9sPxxdgrDBPOeBerSiYOVOqEG88HGIx1YLqDVyqteasGzVFSUlE5Xk0503k3DmGozuheXSxrT/dtqxSQ1HeBiv93LdDDVKLyjN8gnC/hocGKeCHRyDK0tv0gNp7JaEsqcs+JTr4rQ45UbK7tJd5ZKdSKOOPwJJOVNyFW0Vk347yO/BGsBK8Bcec0buhJa7iGq0zFhQG/fThTnvwXJeA7WhiBoq51EopGDOYlZ8IwZFnkn!
rvdF0Ou+8X7wVW2xQnC4Nr1smu+M2x3Fe3g71nDvnhZCrQuN4sl50WGMYesjFLEMO8FwZj2bb6onpBbFXZtszAobHDfMsM+tVhW36267RH2Bp/EpjmbZrTe/70QQ2JzxPc1tcOPM4BDj6vymsB4Vma4voG92DnwMywVa8zGatqJEo6rMhnRdEXwIyP8/XH1x7zuok7xHNad30uCojReJ8x9FTttbqUTEWh7AwZf7JhAmXHWlKp5jqD/ItcHvB02FyyUNVLcb92TB3wBJoZPDenssCr0+vZUbaiPUjMYLtORQmIGQHbfXYZJgR+MTzlTRRuG7c/K5bDdOq4I+y9awWpIHUMIHRoAMCARKigckEgcbT1IsX4VKDJUcFxlrpZ40sW7+s+iArC2WVFF8/e29+bSX6ydObxtu4a6YfYWRsYa1tXTYWBOVm0kv9Z1nCmb0BrZ7+I1YWw1Arw7BDBmh3KVPnrHO8ZtJsV8Nagr6xjXf8RXK846Ix5cQpRSXtQkkfWuy82RSZOCtjImtFhUeriGf4hDEYFrZGv9MP+qDiGQHDJ8op0/t33CtZv1C/6E2oVcHDdysjw5q9G3b4vKUsZ2LRC+QhaGaYOBp1ZwDAlS5oZ+I4GyM=
then in the second negotiation, I get the following token in the header,
{'Content-Length': '381', 'Keep-Alive': 'timeout=15, max=99', 'Server':
'Apache/2.4.6 (CentOS)', 'Connection': 'Keep-Alive', 'Date': 'Thu, 03 Jan
2019 18:43:26 GMT', 'Content-Type': 'text/html; charset=iso-8859-1',
'WWW-Authenticate': 'Negotiate
YHkGCSqGSIb3EgECAgMAfmowaKADAgEFoQMCAR6kERgPMjAxOTAxMDMxODQzMjZapQUCAwVXdKYDAgEhqRAbDk1TWVNJUEFRQ1MuQ09NqiswKaADAgEBoSIwIBsESFRUUBsYb3BlbnN0YWNrLm1zeXNpcGFxY3MuY29t'}
then It *passes* the following code,
1) kerberos.*authGSSClientInit*, As a response for this authGSSClientInit
in the header, I receive the following ticket,
It *fails* in the following part of the code,
2) kerberos.*authGSSClientStep*(krb_context, auth_details)
with the error as follows,
generate_request_header(): authGSSClientStep() failed:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py",
line 148, in generate_request_header
_negotiate_value(response))
*GSSError: (('Invalid token was supplied', 589824), ('Success', 100001))*
Finale Error ....................................
(('Invalid token was supplied', 589824), ('Success', 100001))
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py",
line 148, in generate_request_header
_negotiate_value(response))
GSSError: (('Invalid token was supplied', 589824), ('Success', 100001))
handle_401(): returning <Response [401]>
handle_response(): returning <Response [401]>
handle_response() has seen 1 401 responses
handle_response(): returning 401 <Response [401]>
Request returned failure status: 401
Unauthorized (HTTP 401)
clean_up IssueToken: Unauthorized (HTTP 401)
END return value: 1
*But I didn't understand this error, what is the reason for this error ?
How to rectify this error? *
*FYI*,
[root@openstack ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: rdoadmin@XXXXXXXX.COM
Valid starting Expires Service principal
2019-01-04T08:12:17 2019-01-05T08:02:16 HTTP/
openstack.XXXXXXXX.com@XXXXXXXX.COM
2019-01-04T08:02:18 2019-01-05T08:02:16 krbtgt/XXXXXXXX.COM@XXXXXXXX.COM
Thanks, Any help is appreciated.
Hari
--
DISCLAIMER - *MSysTechnologies LLC*
This email message, contents and
its attachments may contain confidential, proprietary or legally privileged
information and is intended solely for the use of the individual or entity
to whom it is actually intended. If you have erroneously received this
message, please permanently delete it immediately and notify the sender. If
you are not the intended recipient of the email message,you are notified
strictly not to disseminate,distribute or copy this e-mail.E-mail
transmission cannot be guaranteed to be secure or error-free as Information
could be intercepted, corrupted, lost, destroyed, incomplete or contain
viruses and MSysTechnologies LLC accepts no liability for the contents and
integrity of this mail or for any damage caused by the limitations of the
e-mail transmission.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos