
...

Now I will try 'kinit' again with the 'codehauscbuckley' user, which does have a SAM Type configured.

Code Block
43147696 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - null CREATED
43147697 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /127.0.0.1:33235 RCVD: org.apache.kerberos.messages.KdcRequest@20d10a
43147697 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Responding to authentication request:
        realm:                 EXAMPLE.COM
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
        clientPrincipal:       codehaus@EXAMPLEcbuckley@EXAMPLE.COM
        hostAddresses:         org.apache.kerberos.messages.value.HostAddresses@7c15c0
        encryptionType:        [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@7800e9
        from krb time:         null
        realm krb time:        null
        kdcOptions:            FORWARDABLE
        messageType:           initial authentication request (10)
        nonce:                 1122289013
        protocolVersionNumber: 5
        till:                  org.apache.kerberos.messages.value.KerberosTime@83dae1
43147706 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService  - entry for client principal codehaus@EXAMPLEcbuckley@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
43147745 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Ticket will be issued to client codehaus@EXAMPLEcbuckley@EXAMPLE.COM.
43147750 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
43147752 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /127.0.0.1:33235 SENT: org.apache.kerberos.messages.AuthenticationReply@94cc7

I try 'codehauscbuckley' again to test that HOTP values are properly incrementing.

Code Block
43162271 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - null CREATED
43162272 [IoThreadPool-13] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /127.0.0.1:33235 RCVD: org.apache.kerberos.messages.KdcRequest@3449a8
43162272 [IoThreadPool-13] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Responding to authentication request:
        realm:                 EXAMPLE.COM
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
        clientPrincipal:       codehaus@EXAMPLEcbuckley@EXAMPLE.COM
        hostAddresses:         org.apache.kerberos.messages.value.HostAddresses@51b0af
        encryptionType:        [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@126ecd2
        from krb time:         null
        realm krb time:        null
        kdcOptions:            FORWARDABLE
        messageType:           initial authentication request (10)
        nonce:                 1122289028
        protocolVersionNumber: 5
        till:                  org.apache.kerberos.messages.value.KerberosTime@85def8
43162276 [IoThreadPool-13] DEBUG org.apache.kerberos.kdc.AuthenticationService  - entry for client principal codehaus@EXAMPLEcbuckley@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
43162301 [IoThreadPool-13] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Ticket will be issued to client codehaus@EXAMPLEcbuckley@EXAMPLE.COM.
43162306 [IoThreadPool-13] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
43162312 [IoThreadPool-13] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /127.0.0.1:33235 SENT: org.apache.kerberos.messages.AuthenticationReply@4065c4

...

Code Block
47490382 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - null CREATED
47495375 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - null CREATED
47495835 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1032 RCVD: org.apache.kerberos.messages.KdcRequest@16218f9
47495836 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.TicketGrantingService  - Responding to authentication request:
        realm:                 EXAMPLE.COM
        serverPrincipal:       host/www.example.com@EXAMPLE.COM
        clientPrincipal:       null
        hostAddresses:         null
        encryptionType:        [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@155aa19
        from krb time:         null
        realm krb time:        null
        kdcOptions:            FORWARDABLE RENEWABLE
        messageType:           request for authentication based on TGT (12)
        nonce:                 1005116086
        protocolVersionNumber: 5
        till:                  org.apache.kerberos.messages.value.KerberosTime@1125a40
47495844 [IoThreadPool-19] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1032 RCVD: org.apache.kerberos.messages.KdcRequest@1df3255
47495845 [IoThreadPool-19] DEBUG org.apache.kerberos.kdc.TicketGrantingService  - Responding to authentication request:
        realm:                 EXAMPLE.COM
        serverPrincipal:       host/www.example.com@EXAMPLE.COM
        clientPrincipal:       null
        hostAddresses:         null
        encryptionType:        [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@618821
        from krb time:         null
        realm krb time:        null
        kdcOptions:            FORWARDABLE RENEWABLE
        messageType:           request for authentication based on TGT (12)
        nonce:                 1005116086
        protocolVersionNumber: 5
        till:                  org.apache.kerberos.messages.value.KerberosTime@130661d
47495886 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1032 SENT: org.apache.kerberos.messages.TicketGrantReply@22e3ac
47495887 [IoThreadPool-19] ERROR org.apache.kerberos.protocol.KerberosProtocolHandler  - Returning error message:  Request is a replay
org.apache.kerberos.exceptions.KerberosException: Request is a replay
        at org.apache.kerberos.service.KerberosService.verifyAuthHeader(KerberosService.java:252)
        at org.apache.kerberos.kdc.TicketGrantingService.getReplyFor(TicketGrantingService.java:93)
        at org.apache.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:120)
        at org.apache.mina.protocol.AbstractProtocolFilterChain$2.messageReceived(AbstractProtocolFilterChain.java:149)
        ...
47495888 [IoThreadPool-19] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1032 SENT: org.apache.kerberos.messages.ErrorMessage@f55759
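The "Request is a replay" error above is the KDC's replay detection working as intended: two copies of the same TGS request (same nonce, same source port, 8 ms apart) reached the KDC on two threads, `verifyAuthHeader` accepted the first and refused the second as a duplicate of an authenticator it had already seen. The block below is an added example of how such a replay cache is commonly built, not code from this page or from the Apache Directory KDC: entries are keyed on the client principal, the authenticator timestamp and a digest of the authenticator bytes, and are only kept for the clock-skew window, since anything older fails the skew check anyway. The 300-second skew, the `Authenticator` field names and the sample authenticators are assumptions constructed for the example.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Conventional Kerberos maximum clock skew (assumption: the page does not show the KDC's setting).
MAX_CLOCK_SKEW = 300


@dataclass(frozen=True)
class Authenticator:
    """Fields of a received AP-REQ authenticator that identify it (constructed for this example)."""
    client: str   # client principal, e.g. "client@EXAMPLE.COM"
    ctime: int    # client timestamp, seconds since the epoch
    cusec: int    # microsecond part of the timestamp
    raw: bytes    # the encrypted authenticator bytes exactly as received


class ReplayCache:
    """Remembers authenticators seen inside the clock-skew window (RFC 4120 section 3.2.3).

    A request whose authenticator has already been seen is answered with
    KRB_AP_ERR_REPEAT. Entries older than the skew are dropped: an authenticator
    that old is rejected by the skew check before the cache is consulted.
    """

    def __init__(self, skew: int = MAX_CLOCK_SKEW, clock: Callable[[], float] = time.time):
        self._skew = skew
        self._clock = clock          # injectable so the behaviour can be tested deterministically
        self._seen: Dict[Tuple[str, int, int, str], int] = {}

    @staticmethod
    def _key(a: Authenticator) -> Tuple[str, int, int, str]:
        # Client, timestamp and a digest of the ciphertext: two genuinely different
        # authenticators from one client in the same microsecond still get separate entries.
        return (a.client, a.ctime, a.cusec, hashlib.sha256(a.raw).hexdigest())

    def _expire(self, now: int) -> None:
        stale = [k for k, first_seen in self._seen.items() if now - first_seen > self._skew]
        for k in stale:
            del self._seen[k]

    def check(self, a: Authenticator) -> str:
        """Returns 'OK', 'KRB_AP_ERR_SKEW' or 'KRB_AP_ERR_REPEAT' for one received authenticator."""
        now = int(self._clock())
        self._expire(now)
        if abs(now - a.ctime) > self._skew:
            return "KRB_AP_ERR_SKEW"
        key = self._key(a)
        if key in self._seen:
            return "KRB_AP_ERR_REPEAT"
        self._seen[key] = now
        return "OK"

    def size(self) -> int:
        """Number of authenticators currently remembered."""
        return len(self._seen)


def demo() -> List[str]:
    """The same authenticator presented twice (as in the log above), then a fresh one, then the first again after the skew window."""
    fake_now = [1_000_000]
    cache = ReplayCache(clock=lambda: fake_now[0])
    first = Authenticator("client@EXAMPLE.COM", 1_000_000, 123456, b"constructed-ciphertext-1")
    duplicate = Authenticator("client@EXAMPLE.COM", 1_000_000, 123456, b"constructed-ciphertext-1")
    fresh = Authenticator("client@EXAMPLE.COM", 1_000_000, 123457, b"constructed-ciphertext-2")
    outcomes = [cache.check(first), cache.check(duplicate), cache.check(fresh)]
    fake_now[0] += MAX_CLOCK_SKEW + 1   # the cache entries expire here ...
    outcomes.append(cache.check(first))  # ... but the old timestamp now fails the skew check instead
    return outcomes


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The point worth keeping in mind from the log is the ordering: the skew check and the cache lookup happen before any ticket is issued, and the second copy of the request gets an ErrorMessage rather than a second TicketGrantReply. A cache keyed on the timestamp alone would be too coarse (two legitimate requests in one microsecond) and one that never expires would grow without bound; bounding it by the skew window is what makes it both correct and finite.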

I now test with the 'codehauscbuckley' account, which is configured for HOTP. There are three requests here: authentication with no pre-authentication and denial, authentication with pre-authentication, and then a ticket grant.

Code Block
47660732 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - null CREATED
47660736 [IoThreadPool-21] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1034 RCVD: org.apache.kerberos.messages.KdcRequest@1187d2f
47660736 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Responding to authentication request:
        realm:                 EXAMPLE.COM
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
        clientPrincipal:       codehaus@EXAMPLEcbuckley@EXAMPLE.COM
        hostAddresses:         null
        encryptionType:        [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@16cacdd
        from krb time:         null
        realm krb time:        org.apache.kerberos.messages.value.KerberosTime@1c8e80d
        kdcOptions:            FORWARDABLE RENEWABLE RENEWABLE_OK
        messageType:           initial authentication request (10)
        nonce:                 510706200
        protocolVersionNumber: 5
        till:                  org.apache.kerberos.messages.value.KerberosTime@fadb88
47660739 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService  - entry for client principal codehaus@EXAMPLEcbuckley@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
47660739 [IoThreadPool-21] ERROR org.apache.kerberos.protocol.KerberosProtocolHandler  - Returning error message:  Additional pre-authentication required
org.apache.kerberos.exceptions.KerberosException: Additional pre-authentication required
        at org.apache.kerberos.kdc.AuthenticationService.verifyPreAuthentication(AuthenticationService.java:200)
        at org.apache.kerberos.kdc.AuthenticationService.getReplyFor(AuthenticationService.java:101)
        at org.apache.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:115)
        at org.apache.mina.protocol.AbstractProtocolFilterChain$2.messageReceived(AbstractProtocolFilterChain.java:149)
        ...
47660740 [IoThreadPool-23] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1034 SENT: org.apache.kerberos.messages.ErrorMessage@35b5e8
47660741 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - null CREATED
47660742 [IoThreadPool-21] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1035 RCVD: org.apache.kerberos.messages.KdcRequest@4dd413
47660742 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Responding to authentication request:
        realm:                 EXAMPLE.COM
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
        clientPrincipal:       codehaus@EXAMPLEcbuckley@EXAMPLE.COM
        hostAddresses:         null
        encryptionType:        [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@19e421e
        from krb time:         null
        realm krb time:        org.apache.kerberos.messages.value.KerberosTime@106d4ea
        kdcOptions:            FORWARDABLE RENEWABLE RENEWABLE_OK
        messageType:           initial authentication request (10)
        nonce:                 510706200
        protocolVersionNumber: 5
        till:                  org.apache.kerberos.messages.value.KerberosTime@1847a42
47660745 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService  - entry for client principal codehaus@EXAMPLEcbuckley@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
47660759 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Ticket will be issued to client codehaus@EXAMPLEcbuckley@EXAMPLE.COM.
47660765 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
47660767 [IoThreadPool-23] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1035 SENT: org.apache.kerberos.messages.AuthenticationReply@18b429b
47660769 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - null CREATED
47660770 [IoThreadPool-21] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1036 RCVD: org.apache.kerberos.messages.KdcRequest@1c0d0a8
47660770 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.TicketGrantingService  - Responding to authentication request:
        realm:                 EXAMPLE.COM
        serverPrincipal:       host/www.example.com@EXAMPLE.COM
        clientPrincipal:       null
        hostAddresses:         null
        encryptionType:        [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@1c2fff0
        from krb time:         null
        realm krb time:        null
        kdcOptions:            FORWARDABLE RENEWABLE
        messageType:           request for authentication based on TGT (12)
        nonce:                 511288584
        protocolVersionNumber: 5
        till:                  org.apache.kerberos.messages.value.KerberosTime@130fafb
47660780 [IoThreadPool-23] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1036 SENT: org.apache.kerberos.messages.TicketGrantReply@12a585c

...

Code Block
47681499 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - null CREATED
47681501 [IoThreadPool-21] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /127.0.0.1:33251 RCVD: org.apache.kerberos.messages.KdcRequest@dfbabd
47681501 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Responding to authentication request:
        realm:                 EXAMPLE.COM
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
        clientPrincipal:       codehaus@EXAMPLEcbuckley@EXAMPLE.COM
        hostAddresses:         org.apache.kerberos.messages.value.HostAddresses@5cd7f9
        encryptionType:        [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@1672c01
        from krb time:         null
        realm krb time:        null
        kdcOptions:            FORWARDABLE
        messageType:           initial authentication request (10)
        nonce:                 1122293547
        protocolVersionNumber: 5
        till:                  org.apache.kerberos.messages.value.KerberosTime@7a279c
47681504 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService  - entry for client principal codehaus@EXAMPLEcbuckley@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
47681540 [IoThreadPool-21] ERROR org.apache.kerberos.protocol.KerberosProtocolHandler  - Returning error message:  HOTP-3: Preauth failed!
org.apache.kerberos.exceptions.KerberosException: HOTP-3: Preauth failed!
        at org.apache.kerberos.kdc.AuthenticationService.verifyPreAuthentication(AuthenticationService.java:216)
        at org.apache.kerberos.kdc.AuthenticationService.getReplyFor(AuthenticationService.java:101)
        at org.apache.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:115)
        at org.apache.mina.protocol.AbstractProtocolFilterChain$2.messageReceived(AbstractProtocolFilterChain.java:149)
        ...
47681541 [IoThreadPool-21] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /127.0.0.1:33251 SENT: org.apache.kerberos.messages.ErrorMessage@166faac

...

Code Block
47693594 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - null CREATED
47693595 [IoThreadPool-23] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /127.0.0.1:33251 RCVD: org.apache.kerberos.messages.KdcRequest@1db8f3a
47693595 [IoThreadPool-23] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Responding to authentication request:
        realm:                 EXAMPLE.COM
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
        clientPrincipal:       codehaus@EXAMPLEcbuckley@EXAMPLE.COM
        hostAddresses:         org.apache.kerberos.messages.value.HostAddresses@1984161
        encryptionType:        [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@ec849e
        from krb time:         null
        realm krb time:        null
        kdcOptions:            FORWARDABLE
        messageType:           initial authentication request (10)
        nonce:                 1122293559
        protocolVersionNumber: 5
        till:                  org.apache.kerberos.messages.value.KerberosTime@1f6b81c
47693598 [IoThreadPool-23] DEBUG org.apache.kerberos.kdc.AuthenticationService  - entry for client principal codehaus@EXAMPLEcbuckley@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
47693611 [IoThreadPool-23] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Ticket will be issued to client codehaus@EXAMPLEcbuckley@EXAMPLE.COM.
47693616 [IoThreadPool-23] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
47693618 [IoThreadPool-23] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /127.0.0.1:33251 SENT: org.apache.kerberos.messages.AuthenticationReply@7a6c34
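Three things in the logs above fit together: the test that HOTP values increment between two successful `kinit` runs, the round trip in which the first AS-REQ without pre-authentication data is refused with "Additional pre-authentication required" and the retry with pre-authentication data gets a ticket, and the "HOTP-3: Preauth failed!" rejection followed by a later success. The block below is an added example, not code from this page or from the Apache Directory SAM subsystem, of the KDC-side logic that produces that behaviour: RFC 4226 HOTP generation (checked against the RFC's published test vectors), a per-principal counter that moves past every accepted value so a reused OTP is rejected, and the AS-REQ decision between "pre-authentication required", "pre-authentication failed" and "issue the ticket". The look-ahead window, the `SamEntry` field names and the use of RFC 4120 error names for the outcomes are assumptions; the page does not say how its SAM subsystem resynchronises the counter or what the "HOTP-3" prefix denotes.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


@dataclass
class SamEntry:
    """Per-principal SAM state held by the KDC (constructed; field names are assumptions)."""
    secret: bytes
    counter: int = 0     # next counter value the KDC expects
    look_ahead: int = 3  # counters past the expected one that are still accepted (assumption)


def verify_hotp(entry: SamEntry, otp: str) -> bool:
    """Accept an OTP at counter .. counter+look_ahead-1, then move the counter past it.

    Moving the counter is what makes a second use of the same OTP fail: the
    accepted value falls behind the window and is never recomputed.
    """
    for step in range(entry.look_ahead):
        if hmac.compare_digest(hotp(entry.secret, entry.counter + step), otp):
            entry.counter += step + 1
            return True
    return False


def handle_as_req(entry: SamEntry, pa_otp: Optional[str]) -> str:
    """KDC-side decision for an AS-REQ against a principal that has a SAM type.

    The first two outcomes correspond to the 'Additional pre-authentication
    required' and 'Preauth failed!' errors in the logs; the third is the
    AuthenticationReply. RFC 4120 error names are used here by assumption.
    """
    if pa_otp is None:
        return "KDC_ERR_PREAUTH_REQUIRED"  # the client must retry with pre-authentication data
    if not verify_hotp(entry, pa_otp):
        return "KDC_ERR_PREAUTH_FAILED"
    return "AS_REP"                          # ticket issued


def walk_through() -> List[str]:
    """Replays the sequence seen in the logs: no pre-auth, good OTP, the same OTP again, the next OTP."""
    entry = SamEntry(secret=b"12345678901234567890")        # RFC 4226 Appendix D test secret
    results = [handle_as_req(entry, None)]
    results.append(handle_as_req(entry, hotp(entry.secret, 0)))  # counter 0 -> accepted, counter becomes 1
    results.append(handle_as_req(entry, hotp(entry.secret, 0)))  # same value again -> rejected
    results.append(handle_as_req(entry, hotp(entry.secret, 1)))  # counter 1 -> accepted
    return results


if __name__ == "__main__":
    for outcome in walk_through():
        print(outcome)
```

Two details matter for a KDC more than for a casual HOTP demo: the comparison is constant-time (`hmac.compare_digest`), and the counter is only advanced on success, so a failed attempt, such as the one logged as "HOTP-3: Preauth failed!", leaves the principal's state where it was and the next correct value still works, which is exactly what the last log block above shows.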