Kerberos Authentication Fails

Hari Prasanth Loganathan hariprasanth.l at msystechnologies.com
Thu Jan 3 13:55:30 EST 2019


Hi Team,

I have installed

  i) the FreeIPA server, which internally has the Kerberos server, on Machine 1, and
 ii) the FreeIPA client, which internally has the Kerberos client, on Machine 2.

I configured it using the link:
https://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/
and it is successfully configured.

When I try to test this using the python code
http://python-notes.curiousefficiency.org/en/latest/python_kerberos.html#wrapping-this-up-in-a-helper-class

While verifying


In the first negotiation, I get the following ticket in header with 401
unauthorized error,

Negotiate YIIEsQYJKoZIhvcSAQICAQBuggSgMIIEnKADAgEFoQMCAQ6iBwMFACAAAACjggOuYYIDqjCCA6agAwIBBaEQGw5NU1lTSVBBUUNTLkNPTaIrMCmgAwIBA6EiMCAbBEhUVFAbGG9wZW5zdGFjay5tc3lzaXBhcWNzLmNvbaOCA14wggNaoAMCARKhAwIBAaKCA0wEggNIq+XqxtoG1oqytbke8GM8YnGMPP9pbp8iLUmmvBRPWf4aoHxVbLgnyUqgN5Q/dAK8lR92qd7XHNRRdKusKSBE+Efc4Ws2pV9mLt36iY+AydCtz8gb7Bk7cHpLPBAfd5y2D2gR3yMyHkCVPiGdkPA0IN4Br6z15dr/guv1TJXMEc6VJOS/Rj1fFeidBvD6IhmWmfx6HtezG64zbhVfK7QkZv36gcyqSXlDK9z5y7vwKb5qfdXd2gX9cH/W9fC14eUoQSgFmB9z/s0wijHBrQruEWuF0PUx61rlqpP44d8S+3FCH6fk3lVmeOpvDObNgC+q4guoKhAYKQPA+DBE2foCL2ceLDwgfN/FhJ5UysGbWGAMY7YZbp8HlOORPl3roFMTzpg1htoxDDL6hVLInxcze9XNDwgYhAdlgun+9a5MEjwd9u7jTjK2EKmAKq+3kW0ozKRexPbD2nxvwN1YxsFZ96WWQpB/uF0Pe3g0JQCbjzeNeZGyrKa1GF7QPWdTJfxTqx7T3vqbNUXvdZhfcBy4aQQu50Qsvk9sPxxdgrDBPOeBerSiYOVOqEG88HGIx1YLqDVyqteasGzVFSUlE5Xk0503k3DmGozuheXSxrT/dtqxSQ1HeBiv93LdDDVKLyjN8gnC/hocGKeCHRyDK0tv0gNp7JaEsqcs+JTr4rQ45UbK7tJd5ZKdSKOOPwJJOVNyFW0Vk347yO/BGsBK8Bcec0buhJa7iGq0zFhQG/fThTnvwXJeA7WhiBoq51EopGDOYlZ8IwZFnknrvdF0Ou+8X7wVW2xQnC4Nr1smu+M2x3Fe3g71nDvnhZCrQuN4sl50WGMYesjFLEMO8FwZj2bb6onpBbFXZtszAobHDfMsM+tVhW36267RH2Bp/EpjmbZrTe/70QQ2JzxPc1tcOPM4BDj6vymsB4Vma4voG92DnwMywVa8zGatqJEo6rMhnRdEXwIyP8/XH1x7zuok7xHNad30uCojReJ8x9FTttbqUTEWh7AwZf7JhAmXHWlKp5jqD/ItcHvB02FyyUNVLcb92TB3wBJoZPDenssCr0+vZUbaiPUjMYLtORQmIGQHbfXYZJgR+MTzlTRRuG7c/K5bDdOq4I+y9awWpIHUMIHRoAMCARKigckEgcbT1IsX4VKDJUcFxlrpZ40sW7+s+iArC2WVFF8/e29+bSX6ydObxtu4a6YfYWRsYa1tXTYWBOVm0kv9Z1nCmb0BrZ7+I1YWw1Arw7BDBmh3KVPnrHO8ZtJsV8Nagr6xjXf8RXK846Ix5cQpRSXtQkkfWuy82RSZOCtjImtFhUeriGf4hDEYFrZGv9MP+qDiGQHDJ8op0/t33CtZv1C/6E2oVcHDdysjw5q9G3b4vKUsZ2LRC+QhaGaYOBp1ZwDAlS5oZ+I4GyM=

then in the second negotiation, I get the following token in the header,

{'Content-Length': '381', 'Keep-Alive': 'timeout=15, max=99',
 'Server': 'Apache/2.4.6 (CentOS)', 'Connection': 'Keep-Alive',
 'Date': 'Thu, 03 Jan 2019 18:43:26 GMT',
 'Content-Type': 'text/html; charset=iso-8859-1',
 'WWW-Authenticate': 'Negotiate
YHkGCSqGSIb3EgECAgMAfmowaKADAgEFoQMCAR6kERgPMjAxOTAxMDMxODQzMjZapQUCAwVXdKYDAgEhqRAbDk1TWVNJUEFRQ1MuQ09NqiswKaADAgEBoSIwIBsESFRUUBsYb3BlbnN0YWNrLm1zeXNpcGFxY3MuY29t'}


then it *passes* the following code,
1) kerberos.*authGSSClientInit*. As a response for this authGSSClientInit
in the header, I receive the following ticket.
It *fails* in the following part of the code,

2) kerberos.*authGSSClientStep*(krb_context, auth_details)

with the error as follows,

generate_request_header(): authGSSClientStep() failed:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 148, in generate_request_header
    _negotiate_value(response))
*GSSError: (('Invalid token was supplied', 589824), ('Success', 100001))*
Finale Error ....................................
(('Invalid token was supplied', 589824), ('Success', 100001))
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 148, in generate_request_header
    _negotiate_value(response))
GSSError: (('Invalid token was supplied', 589824), ('Success', 100001))
handle_401(): returning <Response [401]>
handle_response(): returning <Response [401]>
handle_response() has seen 1 401 responses
handle_response(): returning 401 <Response [401]>
Request returned failure status: 401
Unauthorized (HTTP 401)
clean_up IssueToken: Unauthorized (HTTP 401)
END return value: 1


*But I didn't understand this error. What is the reason for this error?
How to rectify this error?*


*FYI*,

[root@openstack ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: rdoadmin@XXXXXXXX.COM

Valid starting       Expires              Service principal
2019-01-04T08:12:17  2019-01-05T08:02:16  HTTP/openstack.XXXXXXXX.com@XXXXXXXX.COM
2019-01-04T08:02:18  2019-01-05T08:02:16  krbtgt/XXXXXXXX.COM@XXXXXXXX.COM


Thanks, any help is appreciated.

Hari
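
Added example, not part of the original post: the Negotiate value in the server's second 401 is a raw Kerberos 5 GSS-API token, and a short DER walk over it shows which message type and error code the server sent back. The token is copied from the header quoted above; the function and table names are assumptions made for this sketch.

```python
import base64

# Token copied from the WWW-Authenticate header of the second 401 in the post.
SERVER_TOKEN = (
    "YHkGCSqGSIb3EgECAgMAfmowaKADAgEFoQMCAR6kERgPMjAxOTAxMDMxODQzMjZapQUCAwVXdKYDAgEh"
    "qRAbDk1TWVNJUEFRQ1MuQ09NqiswKaADAgEBoSIwIBsESFRUUBsYb3BlbnN0YWNrLm1zeXNpcGFxY3MuY29t")
KRB5_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2
TOK_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}
# Subset of the RFC 4120 error codes that an AP exchange can return.
ERRORS = {31: "KRB_AP_ERR_BAD_INTEGRITY", 32: "KRB_AP_ERR_TKT_EXPIRED",
          33: "KRB_AP_ERR_TKT_NYV", 35: "KRB_AP_ERR_NOT_US",
          37: "KRB_AP_ERR_SKEW", 41: "KRB_AP_ERR_MODIFIED"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low bits count length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_negotiate(b64_token):
    """Decode a krb5 GSS-API token; for KRB-ERROR, extract stime and error code."""
    raw = base64.b64decode(b64_token, validate=True)
    tag, body, _ = read_tlv(raw, 0)
    if tag != 0x60:                       # [APPLICATION 0] GSS-API framing
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or oid != KRB5_OID:
        raise ValueError("mechanism is not Kerberos 5")
    info = {"tok_id": TOK_IDS.get(body[pos:pos + 2], "unknown")}
    if info["tok_id"] != "KRB-ERROR":
        return info
    tag, err, _ = read_tlv(body, pos + 2)
    if tag != 0x7E:                       # [APPLICATION 30] KRB-ERROR
        raise ValueError("TOK_ID says KRB-ERROR but payload is not one")
    _, seq, _ = read_tlv(err, 0)          # the KRB-ERROR SEQUENCE
    p = 0
    while p < len(seq):
        ctx, field, p = read_tlv(seq, p)  # context tag [n] wraps each field
        _, val, _ = read_tlv(field, 0)
        if ctx == 0xA4:                   # [4] stime: server clock, GeneralizedTime
            info["stime"] = val.decode("ascii")
        elif ctx == 0xA6:                 # [6] error-code
            info["error_code"] = int.from_bytes(val, "big", signed=True)
            info["error_name"] = ERRORS.get(info["error_code"], "other")
    return info
```

For the header quoted in the post this returns a KRB-ERROR with error code 33 (KRB_AP_ERR_TKT_NYV, ticket not yet valid) and server time 20190103184326Z, which is earlier than the ticket start times in the klist output.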
