...
Now I will try 'kinit' again with the 'codehauscbuckley' user, which does have a SAM Type configured.
```
43147696 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - null CREATED
43147697 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /127.0.0.1:33235 RCVD: org.apache.kerberos.messages.KdcRequest@20d10a
43147697 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService - Responding to authentication request: realm: EXAMPLE.COM serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM clientPrincipal: codehaus@EXAMPLEcbuckley@EXAMPLE.COM hostAddresses: org.apache.kerberos.messages.value.HostAddresses@7c15c0 encryptionType: [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@7800e9 from krb time: null realm krb time: null kdcOptions: FORWARDABLE messageType: initial authentication request (10) nonce: 1122289013 protocolVersionNumber: 5 till: org.apache.kerberos.messages.value.KerberosTime@83dae1
43147706 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService - entry for client principal codehaus@EXAMPLEcbuckley@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
43147745 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService - Ticket will be issued to client codehaus@EXAMPLEcbuckley@EXAMPLE.COM.
43147750 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
43147752 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /127.0.0.1:33235 SENT: org.apache.kerberos.messages.AuthenticationReply@94cc7
```
I try 'codehauscbuckley' again to test that HOTP values are properly incrementing.
```
43162271 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - null CREATED
43162272 [IoThreadPool-13] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /127.0.0.1:33235 RCVD: org.apache.kerberos.messages.KdcRequest@3449a8
43162272 [IoThreadPool-13] DEBUG org.apache.kerberos.kdc.AuthenticationService - Responding to authentication request: realm: EXAMPLE.COM serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM clientPrincipal: codehaus@EXAMPLEcbuckley@EXAMPLE.COM hostAddresses: org.apache.kerberos.messages.value.HostAddresses@51b0af encryptionType: [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@126ecd2 from krb time: null realm krb time: null kdcOptions: FORWARDABLE messageType: initial authentication request (10) nonce: 1122289028 protocolVersionNumber: 5 till: org.apache.kerberos.messages.value.KerberosTime@85def8
43162276 [IoThreadPool-13] DEBUG org.apache.kerberos.kdc.AuthenticationService - entry for client principal codehaus@EXAMPLEcbuckley@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
43162301 [IoThreadPool-13] DEBUG org.apache.kerberos.kdc.AuthenticationService - Ticket will be issued to client codehaus@EXAMPLEcbuckley@EXAMPLE.COM.
43162306 [IoThreadPool-13] DEBUG org.apache.kerberos.kdc.AuthenticationService - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
43162312 [IoThreadPool-13] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /127.0.0.1:33235 SENT: org.apache.kerberos.messages.AuthenticationReply@4065c4
```
...
```
47490382 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - null CREATED
47495375 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - null CREATED
47495835 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1032 RCVD: org.apache.kerberos.messages.KdcRequest@16218f9
47495836 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.TicketGrantingService - Responding to authentication request: realm: EXAMPLE.COM serverPrincipal: host/www.example.com@EXAMPLE.COM clientPrincipal: null hostAddresses: null encryptionType: [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@155aa19 from krb time: null realm krb time: null kdcOptions: FORWARDABLE RENEWABLE messageType: request for authentication based on TGT (12) nonce: 1005116086 protocolVersionNumber: 5 till: org.apache.kerberos.messages.value.KerberosTime@1125a40
47495844 [IoThreadPool-19] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1032 RCVD: org.apache.kerberos.messages.KdcRequest@1df3255
47495845 [IoThreadPool-19] DEBUG org.apache.kerberos.kdc.TicketGrantingService - Responding to authentication request: realm: EXAMPLE.COM serverPrincipal: host/www.example.com@EXAMPLE.COM clientPrincipal: null hostAddresses: null encryptionType: [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@618821 from krb time: null realm krb time: null kdcOptions: FORWARDABLE RENEWABLE messageType: request for authentication based on TGT (12) nonce: 1005116086 protocolVersionNumber: 5 till: org.apache.kerberos.messages.value.KerberosTime@130661d
47495886 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1032 SENT: org.apache.kerberos.messages.TicketGrantReply@22e3ac
47495887 [IoThreadPool-19] ERROR org.apache.kerberos.protocol.KerberosProtocolHandler - Returning error message: Request is a replay
org.apache.kerberos.exceptions.KerberosException: Request is a replay
    at org.apache.kerberos.service.KerberosService.verifyAuthHeader(KerberosService.java:252)
    at org.apache.kerberos.kdc.TicketGrantingService.getReplyFor(TicketGrantingService.java:93)
    at org.apache.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:120)
    at org.apache.mina.protocol.AbstractProtocolFilterChain$2.messageReceived(AbstractProtocolFilterChain.java:149)
    ...
47495888 [IoThreadPool-19] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1032 SENT: org.apache.kerberos.messages.ErrorMessage@f55759
```
I now test with the 'codehauscbuckley' account, which is configured for HOTP. There are three requests here: authentication with no pre-authentication and denial, authentication with pre-authentication, and then a ticket grant.
```
47660732 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - null CREATED
47660736 [IoThreadPool-21] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1034 RCVD: org.apache.kerberos.messages.KdcRequest@1187d2f
47660736 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService - Responding to authentication request: realm: EXAMPLE.COM serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM clientPrincipal: codehaus@EXAMPLEcbuckley@EXAMPLE.COM hostAddresses: null encryptionType: [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@16cacdd from krb time: null realm krb time: org.apache.kerberos.messages.value.KerberosTime@1c8e80d kdcOptions: FORWARDABLE RENEWABLE RENEWABLE_OK messageType: initial authentication request (10) nonce: 510706200 protocolVersionNumber: 5 till: org.apache.kerberos.messages.value.KerberosTime@fadb88
47660739 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService - entry for client principal codehaus@EXAMPLEcbuckley@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
47660739 [IoThreadPool-21] ERROR org.apache.kerberos.protocol.KerberosProtocolHandler - Returning error message: Additional pre-authentication required
org.apache.kerberos.exceptions.KerberosException: Additional pre-authentication required
    at org.apache.kerberos.kdc.AuthenticationService.verifyPreAuthentication(AuthenticationService.java:200)
    at org.apache.kerberos.kdc.AuthenticationService.getReplyFor(AuthenticationService.java:101)
    at org.apache.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:115)
    at org.apache.mina.protocol.AbstractProtocolFilterChain$2.messageReceived(AbstractProtocolFilterChain.java:149)
    ...
47660740 [IoThreadPool-23] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1034 SENT: org.apache.kerberos.messages.ErrorMessage@35b5e8
47660741 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - null CREATED
47660742 [IoThreadPool-21] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1035 RCVD: org.apache.kerberos.messages.KdcRequest@4dd413
47660742 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService - Responding to authentication request: realm: EXAMPLE.COM serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM clientPrincipal: codehaus@EXAMPLEcbuckley@EXAMPLE.COM hostAddresses: null encryptionType: [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@19e421e from krb time: null realm krb time: org.apache.kerberos.messages.value.KerberosTime@106d4ea kdcOptions: FORWARDABLE RENEWABLE RENEWABLE_OK messageType: initial authentication request (10) nonce: 510706200 protocolVersionNumber: 5 till: org.apache.kerberos.messages.value.KerberosTime@1847a42
47660745 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService - entry for client principal codehaus@EXAMPLEcbuckley@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
47660759 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService - Ticket will be issued to client codehaus@EXAMPLEcbuckley@EXAMPLE.COM.
47660765 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
47660767 [IoThreadPool-23] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1035 SENT: org.apache.kerberos.messages.AuthenticationReply@18b429b
47660769 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - null CREATED
47660770 [IoThreadPool-21] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1036 RCVD: org.apache.kerberos.messages.KdcRequest@1c0d0a8
47660770 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.TicketGrantingService - Responding to authentication request: realm: EXAMPLE.COM serverPrincipal: host/www.example.com@EXAMPLE.COM clientPrincipal: null hostAddresses: null encryptionType: [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@1c2fff0 from krb time: null realm krb time: null kdcOptions: FORWARDABLE RENEWABLE messageType: request for authentication based on TGT (12) nonce: 511288584 protocolVersionNumber: 5 till: org.apache.kerberos.messages.value.KerberosTime@130fafb
47660780 [IoThreadPool-23] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1036 SENT: org.apache.kerberos.messages.TicketGrantReply@12a585c
```
...
```
47681499 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - null CREATED
47681501 [IoThreadPool-21] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /127.0.0.1:33251 RCVD: org.apache.kerberos.messages.KdcRequest@dfbabd
47681501 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService - Responding to authentication request: realm: EXAMPLE.COM serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM clientPrincipal: codehaus@EXAMPLEcbuckley@EXAMPLE.COM hostAddresses: org.apache.kerberos.messages.value.HostAddresses@5cd7f9 encryptionType: [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@1672c01 from krb time: null realm krb time: null kdcOptions: FORWARDABLE messageType: initial authentication request (10) nonce: 1122293547 protocolVersionNumber: 5 till: org.apache.kerberos.messages.value.KerberosTime@7a279c
47681504 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService - entry for client principal codehaus@EXAMPLEcbuckley@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
47681540 [IoThreadPool-21] ERROR org.apache.kerberos.protocol.KerberosProtocolHandler - Returning error message: HOTP-3: Preauth failed!
org.apache.kerberos.exceptions.KerberosException: HOTP-3: Preauth failed!
    at org.apache.kerberos.kdc.AuthenticationService.verifyPreAuthentication(AuthenticationService.java:216)
    at org.apache.kerberos.kdc.AuthenticationService.getReplyFor(AuthenticationService.java:101)
    at org.apache.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:115)
    at org.apache.mina.protocol.AbstractProtocolFilterChain$2.messageReceived(AbstractProtocolFilterChain.java:149)
    ...
47681541 [IoThreadPool-21] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /127.0.0.1:33251 SENT: org.apache.kerberos.messages.ErrorMessage@166faac
```
...
```
47693594 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - null CREATED
47693595 [IoThreadPool-23] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /127.0.0.1:33251 RCVD: org.apache.kerberos.messages.KdcRequest@1db8f3a
47693595 [IoThreadPool-23] DEBUG org.apache.kerberos.kdc.AuthenticationService - Responding to authentication request: realm: EXAMPLE.COM serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM clientPrincipal: codehaus@EXAMPLEcbuckley@EXAMPLE.COM hostAddresses: org.apache.kerberos.messages.value.HostAddresses@1984161 encryptionType: [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@ec849e from krb time: null realm krb time: null kdcOptions: FORWARDABLE messageType: initial authentication request (10) nonce: 1122293559 protocolVersionNumber: 5 till: org.apache.kerberos.messages.value.KerberosTime@1f6b81c
47693598 [IoThreadPool-23] DEBUG org.apache.kerberos.kdc.AuthenticationService - entry for client principal codehaus@EXAMPLEcbuckley@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
47693611 [IoThreadPool-23] DEBUG org.apache.kerberos.kdc.AuthenticationService - Ticket will be issued to client codehaus@EXAMPLEcbuckley@EXAMPLE.COM.
47693616 [IoThreadPool-23] DEBUG org.apache.kerberos.kdc.AuthenticationService - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
47693618 [IoThreadPool-23] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /127.0.0.1:33251 SENT: org.apache.kerberos.messages.AuthenticationReply@7a6c34
```
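The HOTP pre-authentication exercised in the runs above (values incrementing on each successful kinit, and the "HOTP-3: Preauth failed!" case) modelled as an added example; this is not Apache Directory's SAM subsystem code. It implements the RFC 4226 HOTP function plus a client-side token and a KDC-side verifier with a look-ahead window; the secret (the RFC 4226 test vector), the window size of 3 and the HotpToken/HotpSamVerifier names are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed test secret: the RFC 4226 Appendix D vector, not a real key.
SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)

class HotpToken:
    """Client-side token: every press emits the next counter's value and moves on."""
    def __init__(self, secret: bytes, counter: int = 0):
        self.secret, self.counter = secret, counter

    def press(self) -> str:
        otp = hotp(self.secret, self.counter)
        self.counter += 1
        return otp

class HotpSamVerifier:
    """KDC-side state for one principal: the secret and the next counter it expects."""
    def __init__(self, secret: bytes, counter: int = 0, look_ahead: int = 3):
        self.secret, self.counter, self.look_ahead = secret, counter, look_ahead

    def verify(self, otp: str) -> bool:
        # Expected counter plus a small look-ahead window (RFC 4226 parameter s), so presses
        # that never reached the KDC do not lock the user out; a match consumes the counter.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1  # the same or any earlier OTP is now a replay
                return True
        return False  # the KDC reports this as "Preauth failed!"

def run_demo() -> tuple:
    """Two good presses, a replayed OTP, a wrong value, a press after two lost presses
    (inside the window) and a value that is now behind the server counter."""
    token, kdc = HotpToken(SECRET), HotpSamVerifier(SECRET)
    first, second = token.press(), token.press()        # counters 0 and 1
    results = [kdc.verify(first), kdc.verify(second)]  # True, True: values increment
    results.append(kdc.verify(first))                   # False: counter 0 already consumed
    results.append(kdc.verify("000000"))                # False: bad value
    for _ in range(2): token.press()                    # counters 2 and 3 never reach the KDC
    results.append(kdc.verify(token.press()))           # True: counter 4 is inside the window
    results.append(kdc.verify(hotp(SECRET, 3)))         # False: counter 3 is behind the server
    return results, kdc.counter
```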