Kerberos Authentication Fails


Hari Prasanth Loganathan
Hi Team,

I have installed

i) the FreeIPA server, which internally has the Kerberos server, on Machine 1, and

ii) the FreeIPA client, which internally has the Kerberos client, on Machine 2.

I configured it using the link
https://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/
and it is successfully configured.

When I try to test this using the Python code
http://python-notes.curiousefficiency.org/en/latest/python_kerberos.html#wrapping-this-up-in-a-helper-class

While verifying


In the first negotiation, I get the following ticket in the header with a 401
Unauthorized error:

Negotiate 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!
 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

Then, in the second negotiation, I get the following token in the header:

{'Content-Length': '381', 'Keep-Alive': 'timeout=15, max=99', 'Server':
'Apache/2.4.6 (CentOS)', 'Connection': 'Keep-Alive', 'Date': 'Thu, 03 Jan
2019 18:43:26 GMT', 'Content-Type': 'text/html; charset=iso-8859-1',
'WWW-Authenticate': 'Negotiate
YHkGCSqGSIb3EgECAgMAfmowaKADAgEFoQMCAR6kERgPMjAxOTAxMDMxODQzMjZapQUCAwVXdKYDAgEhqRAbDk1TWVNJUEFRQ1MuQ09NqiswKaADAgEBoSIwIBsESFRUUBsYb3BlbnN0YWNrLm1zeXNpcGFxY3MuY29t'}


Then it *passes* the following code:
1) kerberos.*authGSSClientInit*. As a response for this authGSSClientInit
in the header, I receive the following ticket.
It *fails* in the following part of the code:

2) kerberos.*authGSSClientStep*(krb_context, auth_details)

with the error as follows,

generate_request_header(): authGSSClientStep() failed:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py",
line 148, in generate_request_header
    _negotiate_value(response))
*GSSError: (('Invalid token was supplied', 589824), ('Success', 100001))*
Finale Error ....................................
(('Invalid token was supplied', 589824), ('Success', 100001))
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py",
line 148, in generate_request_header
    _negotiate_value(response))
GSSError: (('Invalid token was supplied', 589824), ('Success', 100001))
handle_401(): returning <Response [401]>
handle_response(): returning <Response [401]>
handle_response() has seen 1 401 responses
handle_response(): returning 401 <Response [401]>
Request returned failure status: 401
Unauthorized (HTTP 401)
clean_up IssueToken: Unauthorized (HTTP 401)
END return value: 1


*But I didn't understand this error. What is the reason for this error?
How do I rectify this error?*


*FYI*,

[root@openstack ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: [hidden email]

Valid starting       Expires              Service principal
2019-01-04T08:12:17  2019-01-05T08:02:16  HTTP/[hidden email]
2019-01-04T08:02:18  2019-01-05T08:02:16  krbtgt/[hidden email]


Thanks, any help is appreciated.

Hari

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
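
Added example (not part of the original post, and not code from python-kerberos or requests-kerberos): a small Python 3 decoder for the Negotiate token the server returned in the second response quoted in the post. It assumes raw Kerberos 5 GSS-API framing (RFC 4121) rather than SPNEGO; the function names and the partial error-name table are this example's own.

```python
import base64

# Token copied verbatim from the WWW-Authenticate header quoted in the post.
TOKEN_B64 = (
    "YHkGCSqGSIb3EgECAgMAfmowaKADAgEFoQMCAR6kERgPMjAxOTAxMDMxODQzMjZa"
    "pQUCAwVXdKYDAgEhqRAbDk1TWVNJUEFRQ1MuQ09NqiswKaADAgEBoSIwIBsESFRU"
    "UBsYb3BlbnN0YWNrLm1zeXNpcGFxY3MuY29t")
KRB5_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2
# Subset of the RFC 4120 section 7.5.9 error codes (table is this example's own).
AP_ERRORS = {31: "KRB_AP_ERR_BAD_INTEGRITY", 32: "KRB_AP_ERR_TKT_EXPIRED",
             33: "KRB_AP_ERR_TKT_NYV", 34: "KRB_AP_ERR_REPEAT",
             35: "KRB_AP_ERR_NOT_US", 36: "KRB_AP_ERR_BADMATCH",
             37: "KRB_AP_ERR_SKEW", 41: "KRB_AP_ERR_MODIFIED"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_negotiate_token(b64_token):
    """Decode a raw-krb5 GSS token; expand it when it carries a KRB-ERROR."""
    tag, body, _ = read_tlv(base64.b64decode(b64_token), 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API framed token")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or oid != KRB5_OID:
        raise ValueError("mechanism is not raw Kerberos 5 (possibly SPNEGO)")
    tok_id = body[pos:pos + 2].hex()               # 0100 AP-REQ, 0200 AP-REP
    if tok_id != "0300":                           # 0300 KRB-ERROR
        return {"tok_id": tok_id}
    tag, err, _ = read_tlv(body, pos + 2)          # [APPLICATION 30]
    tag2, seq, _ = read_tlv(err, 0)                # SEQUENCE of tagged fields
    if (tag, tag2) != (0x7E, 0x30):
        raise ValueError("malformed KRB-ERROR")
    fields, pos = {}, 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        fields[tag & 0x1F] = read_tlv(val, 0)[1]   # strip the inner type header
    # KRB-ERROR fields: 4 = stime (server time), 6 = error-code, 9 = realm
    code = int.from_bytes(fields[6], "big")
    return {"tok_id": tok_id, "error_code": code,
            "error_name": AP_ERRORS.get(code, "unlisted"),
            "stime": fields[4].decode(), "realm": fields[9].decode()}
```

Calling `decode_negotiate_token(TOKEN_B64)` on the token from the post returns tok_id 0300 (a KRB-ERROR, not an AP-REP) with error code 33, KRB_AP_ERR_TKT_NYV ("ticket not yet valid"), and server time 20190103184326Z. That server time can be compared with the "Valid starting" column of the klist output in the post.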