compile KDC with KKDCP support


Jim Shi-2
I have another question.
To compile the KDC with kkdcp support, do I need to pass in any special flag(s)?
Or is kkdcp supported by default in recent code?
The reason I ask this question is that when I run a test (I do have kdc = https://.... configured for the realm), it does not seem to make an https connection to the server. Here is the trace log:

host:~/test/bin] kdct$ env KRB5_TRACE=/dev/stdout ./kinit xxx@***
init module "encrypted_timestamp", pa_type 2, flag 1
init module "encrypted_challenge", pa_type 138, flag 1
pkinit_init_plg_crypto: initializing openssl crypto context at 0x1c829e0
pkinit_client_plugin_init: returning plgctx at 0x1c67b40
init module "pkinit", pa_type 17, flag 1
init module "pkinit", pa_type 16, flag 1
init module "pkinit", pa_type 15, flag 1
init module "pkinit", pa_type 14, flag 1
init module "pkinit", pa_type 147, flag 130
pkinit_init_req_crypto: returning ctx at 0x1c67770
pkinit_init_identity_crypto: returning ctx at 0x1c84210
pkinit_client_req_init: returning reqctx at 0x1c67730
get_plugin_data_sym(service_locator)
kinit: Cannot contact any KDC for realm 'APPLECONNECT.APPLE.COM' while getting initial credentials
pkinit_client_plugin_fini: got plgctx at 0x1c67b40
Jim
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: compile KDC with KKDCP support

Greg Hudson
On 08/27/2018 07:47 PM, Jim Shi wrote:
> I have another question.
> To compile the KDC with kkdcp support, do I need to pass in any special flag(s)?
> Or is kkdcp supported by default in recent code?

We have KKDCP support in the client library, but not natively in the
KDC.  You can run a proxy KKDCP server using
https://github.com/latchset/kdcproxy (available as kdcproxy in the
Python package index).

> The reason I ask this question is that when I run a test (I do have kdc = https://.... configured for the realm), it does not seem to make an https connection to the server. Here is the trace log:
>
> host:~/test/bin] kdct$ env KRB5_TRACE=/dev/stdout ./kinit xxx@***
>
> init module "encrypted_timestamp", pa_type 2, flag 1
[...]

These messages look like output from compiling with -DDEBUG, not trace
logs.  That syntax looks correct for setting KRB5_TRACE, so I'm not sure
why you're not seeing trace logs.

Re: compile KDC with KKDCP support

Jim Shi-2
Hi, Greg,
I understood kkdcp support is in the client lib.
But in my test (kinit), it seems the client is not making an https request to the proxy server.
Do you have any idea?
Thanks.
Jim

Re: compile KDC with KKDCP support

Robbie Harwood
Jim Shi <[hidden email]> writes:

> Hi, Greg,
> I understood kkdcp support is in the client lib.
> But in my test (kinit), it seems the client is not making an https request to the proxy server.
> Do you have any idea?

Do you see trace output if you send to a file rather than stdout?

Thanks,
--Robbie


Re: compile KDC with KKDCP support

Jim Shi-2
Hi, Robbie,
I got the trace after using a file. It looks like the client is not recognizing kdc = https://...
Instead it thinks the host name is 'https'.
I compiled the KDC client with recent code.
What could be missing in KDC client?
Thanks
Jim


[8585] 1535476182.376165: Getting initial credentials for XXX@XXX
[8585] 1535476182.380936: Sending request (199 bytes) to XXXXX
[8585] 1535476182.381231: Resolving hostname https
[8585] 1535476182.381711: Initiating TCP connection to stream 17.212.195.105:0
[8585] 1535476183.382990: Sending initial UDP request to dgram 17.212.195.105:0
[8585] 1535476186.386213: Sending retry UDP request to dgram 17.212.195.105:0
[8585] 1535476191.391403: Sending retry UDP request to dgram 17.212.195.105:0


Re: compile KDC with KKDCP support

Benjamin Kaduk-2
On Tue, Aug 28, 2018 at 05:16:40PM +0000, Jim Shi wrote:
> Hi, Robbie,
> I got the trace after using a file. It looks like the client is not recognizing kdc = https://...
> Instead it thinks the host name is 'https'.
> I compiled the KDC client with recent code.
> What could be missing in KDC client?

Sorry for repeating the simple/obvious questions, but have you
double-checked (e.g., via PATH and ldd) that you are running the code you
think you are?

-Ben

Re: compile KDC with KKDCP support

Jim Shi-2
Benjamin,
Right on. Had LD_LIBRARY_PATH pointing to old lib.
Thank you so much!
Jim
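
The two checks that resolved this thread, as an added example (not code from any poster or from MIT krb5): one filters `ldd` output for Kerberos libraries loaded from outside the fresh build's prefix, the other looks for the trace symptom where the `https` scheme is resolved as a hostname. The prefix `/opt/krb5-test`, the function names and the sample `ldd` lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Paths and sample data are constructed.

# krb5_libs_outside PREFIX
# Reads `ldd` output on stdin; prints each Kerberos library the dynamic
# loader resolved from somewhere other than PREFIX (the fresh build's prefix).
krb5_libs_outside() {
    awk -v prefix="$1" '
        $2 == "=>" && $1 ~ /^lib(krb5|k5crypto|krb5support|gssapi_krb5|com_err)\.so/ {
            if (index($3, prefix "/") != 1) print $1 " -> " $3
        }'
}

# trace_scheme_as_host
# Reads a KRB5_TRACE log on stdin; succeeds if the library resolved the URL
# scheme itself as a hostname, the symptom reported in the thread's trace.
trace_scheme_as_host() {
    grep -Eq 'Resolving hostname https?[[:space:]]*$'
}

# Constructed ldd output: one library comes from the system, one from the build.
SAMPLE_LDD='    libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00007f0000000000)
    libk5crypto.so.3 => /opt/krb5-test/lib/libk5crypto.so.3 (0x00007f0000100000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)'

# Trace line as reported in the thread, plus a constructed healthy line.
BAD_TRACE='[8585] 1535476182.381231: Resolving hostname https'
GOOD_TRACE='[1] 1535476182.381231: Resolving hostname kdcproxy.example.com'

printf '%s\n' "$SAMPLE_LDD" | krb5_libs_outside /opt/krb5-test
if printf '%s\n' "$BAD_TRACE" | trace_scheme_as_host; then
    echo "client parsed the https:// KDC entry as a hostname; check LD_LIBRARY_PATH"
fi

# Against a real build (hypothetical prefix $HOME/test):
#   ldd ./kinit | krb5_libs_outside "$HOME/test"
#   KRB5_TRACE=/tmp/trace.log ./kinit user@REALM
#   trace_scheme_as_host < /tmp/trace.log && echo "stale libkrb5 in use"
```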