Kerberos Authentication Fails
Hari Prasanth Loganathan
hariprasanth.l at msystechnologies.com
Thu Jan 3 13:55:30 EST 2019
Hi Team,
I have installed
i) the FreeIPA server, which internally has the Kerberos server, on Machine 1, and
ii) the FreeIPA client, which internally has the Kerberos client, on Machine 2.
I configured it using the link:
https://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/
and it is successfully configured.
When I try to test this using the Python code
http://python-notes.curiousefficiency.org/en/latest/python_kerberos.html#wrapping-this-up-in-a-helper-class
while verifying,
in the first negotiation, I get the following ticket in the header with a 401 unauthorized error,
Negotiate
then in the second negotiation, I get the following token in the header,
{'Content-Length': '381',
 'Keep-Alive': 'timeout=15, max=99',
 'Server': 'Apache/2.4.6 (CentOS)',
 'Connection': 'Keep-Alive',
 'Date': 'Thu, 03 Jan 2019 18:43:26 GMT',
 'Content-Type': 'text/html; charset=iso-8859-1',
 'WWW-Authenticate': 'Negotiate YHkGCSqGSIb3EgECAgMAfmowaKADAgEFoQMCAR6kERgPMjAxOTAxMDMxODQzMjZapQUCAwVXdKYDAgEhqRAbDk1TWVNJUEFRQ1MuQ09NqiswKaADAgEBoSIwIBsESFRUUBsYb3BlbnN0YWNrLm1zeXNpcGFxY3MuY29t'}
then it *passes* the following code,
1) kerberos.authGSSClientInit. As a response for this authGSSClientInit
in the header, I receive the following ticket,
It *fails* in the following part of the code,
2) kerberos.authGSSClientStep(krb_context, auth_details)
with the error as follows,
generate_request_header(): authGSSClientStep() failed:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 148, in generate_request_header
    _negotiate_value(response))
GSSError: (('Invalid token was supplied', 589824), ('Success', 100001))
Finale Error ....................................
(('Invalid token was supplied', 589824), ('Success', 100001))
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 148, in generate_request_header
    _negotiate_value(response))
GSSError: (('Invalid token was supplied', 589824), ('Success', 100001))
handle_401(): returning <Response [401]>
handle_response(): returning <Response [401]>
handle_response() has seen 1 401 responses
handle_response(): returning 401 <Response [401]>
Request returned failure status: 401
Unauthorized (HTTP 401)
clean_up IssueToken: Unauthorized (HTTP 401)
END return value: 1
But I didn't understand this error. What is the reason for this error?
How to rectify this error?
FYI,
[root@openstack ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: rdoadmin@XXXXXXXX.COM
Valid starting       Expires              Service principal
2019-01-04T08:12:17  2019-01-05T08:02:16  HTTP/openstack.XXXXXXXX.com@XXXXXXXX.COM
2019-01-04T08:02:18  2019-01-05T08:02:16  krbtgt/XXXXXXXX.COM@XXXXXXXX.COM
Thanks, any help is appreciated.
Hari
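The WWW-Authenticate value quoted in the message is itself a decodable GSS-API token. As an added example (not part of the original post and not code from requests-kerberos or python-kerberos), the Python 3 code below unwraps it with a small DER reader and returns the KRB-ERROR code and server time it carries; the helper names read_tlv and decode_negotiate_error are hypothetical.

```python
import base64
from datetime import datetime, timezone

# Token copied from the WWW-Authenticate header quoted in the message above.
TOKEN_B64 = (
    "YHkGCSqGSIb3EgECAgMAfmowaKADAgEFoQMCAR6kERgPMjAxOTAxMDMxODQzMjZapQUCAwVX"
    "dKYDAgEhqRAbDk1TWVNJUEFRQ1MuQ09NqiswKaADAgEBoSIwIBsESFRUUBsYb3BlbnN0YWNr"
    "Lm1zeXNpcGFxY3MuY29t")
KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2
# AP-exchange error codes from RFC 4120 section 7.5.9 (subset).
AP_ERRORS = {32: "KRB_AP_ERR_TKT_EXPIRED", 33: "KRB_AP_ERR_TKT_NYV",
             34: "KRB_AP_ERR_REPEAT", 35: "KRB_AP_ERR_NOT_US",
             36: "KRB_AP_ERR_BADMATCH", 37: "KRB_AP_ERR_SKEW"}

def read_tlv(buf, pos):
    """Read one DER element at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_negotiate_error(b64_token):
    """Unwrap a Negotiate token that carries a KRB-ERROR (hypothetical helper)."""
    tag, body, _ = read_tlv(base64.b64decode(b64_token), 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or oid != KRB5_MECH_OID:
        raise ValueError("mechanism is not Kerberos 5")
    if body[pos:pos + 2] != b"\x03\x00":               # RFC 4121 TOK_ID KRB_ERROR
        raise ValueError("token does not carry a KRB-ERROR")
    tag, app, _ = read_tlv(body, pos + 2)              # [APPLICATION 30]
    if tag != 0x7E:
        raise ValueError("missing KRB-ERROR application tag")
    fields, pos = {}, 0
    seq = read_tlv(app, 0)[1]                          # SEQUENCE of [n] fields
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        fields[tag & 0x1F] = read_tlv(val, 0)[1]       # drop inner universal tag
    code = int.from_bytes(fields[6], "big")            # [6] error-code
    stime = datetime.strptime(fields[4].decode(), "%Y%m%d%H%M%SZ")   # [4] stime
    return {"error_code": code, "error_name": AP_ERRORS.get(code, "unlisted"),
            "server_time": stime.replace(tzinfo=timezone.utc)}

if __name__ == "__main__":
    print(decode_negotiate_error(TOKEN_B64))
```

For this token the result is error code 33 (KRB_AP_ERR_TKT_NYV, ticket not yet valid) with a server time of 2019-01-03 18:43:26 UTC, which can be compared against the "Valid starting" column of the klist output.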