Posted to dev@directory.apache.org by "Kai Zheng (JIRA)" <ji...@apache.org> on 2015/11/21 01:21:11 UTC

[jira] [Updated] (DIRKRB-464) Correcting the principal name type for the TGS principal

     [ https://issues.apache.org/jira/browse/DIRKRB-464?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kai Zheng updated DIRKRB-464:
-----------------------------
    Description: The correct name type should be KRB5_NT_SRV_INST (2), instead of kRB5-NT-PRINCIPAL (1). The issue may not affect MIT Kerberos, but Windows Server 2008 R2 because the latter insists on that.  (was: The correct name type should be KRB5_NT_SRV_INST (2), instead of kRB5-NT-PRINCIPAL (1).)

> Correcting the principal name type for the TGS principal
> --------------------------------------------------------
>
>                 Key: DIRKRB-464
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-464
>             Project: Directory Kerberos
>          Issue Type: Bug
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>
> The correct name type should be KRB5_NT_SRV_INST (2), instead of kRB5-NT-PRINCIPAL (1). The issue may not affect MIT Kerberos, but Windows Server 2008 R2 because the latter insists on that.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

RE: [jira] [Updated] (DIRKRB-464) Correcting the principal name type for the TGS principal

Posted by "Zheng, Kai" <ka...@intel.com>.
Thanks Steve. Per discussion with Emmanuel, +kerby@ mailing list.

>> that value shouldn't be hard-coded because there are cases where it needs to have a different value.
Below is the only change the commit made, so that is what you meant. The change is only for the makeTgsPrincipal method, which only involves the TGS principal (krbtgt); a normal server principal won't/shouldn't go here.
     public static PrincipalName makeTgsPrincipal(String realm) {
         String nameString = KrbConstant.TGS_PRINCIPAL + "/" + realm + "@" + realm;
-        return new PrincipalName(nameString, NameType.NT_PRINCIPAL);
+        return new PrincipalName(nameString, NameType.NT_SRV_INST);
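Review bot: the switch to NameType.NT_SRV_INST in makeTgsPrincipal carries no comment explaining why; a one-line note that krbtgt/REALM is a two-component service-instance name and that Windows Server 2008 R2 rejects NT_PRINCIPAL for it (the reason recorded in DIRKRB-464) would stop a later reader from "fixing" it back to NT_PRINCIPAL. Hard-coding the name type is acceptable here because this method is the only place the TGS principal is built, but the -S/AS-REQ case Steve raises, where the server principal is not krbtgt, should take its name type from the caller rather than reuse this method.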

One thing to clarify and confirm. In MIT kinit, is there any difference between the resultant tickets, using a TGS-REQ with a TGT and using -S/AS-REQ with a password and a normal server name (not TGS/krbtgt)?
I thought so but have not confirmed. Both tickets will serve as service tickets and can be sent to the target application server for authentication, right?

>> In the long run it might be easier to give the client a couple methods like:
>>1)  retrieveTgt(AsRequest)
>>2)  retrieveTgs(AsRequest)
To avoid confusion, how about retrieveTgt => retrieveSgt (for service ticket), and retrieveTgs => retrieveTgt (for ticket granting ticket)?
Let's consider such ideas in the near term; I thought it would be good to relatively stabilize the API before 1.0.0.

I will assemble such inputs for refactoring the client API and would take this on sometime later, when we have the CMS/X509 types done with Jiajia. Thanks Steve for the thoughts!

Regards,
Kai

-----Original Message-----
From: Steve Moyer [mailto:smoyer@psu.edu] 
Sent: Tuesday, November 24, 2015 12:04 AM
To: Apache Directory Developers List <de...@directory.apache.org>
Subject: Re: [jira] [Updated] (DIRKRB-464) Correcting the principal name type for the TGS principal

Actually, that value shouldn't be hard-coded because there are cases where it needs to have a different value. Take a look at the MIT kinit packet (with a -S argument) that I captured and attached to DIRKRB-440.  The MIT kinit program with a -S option actually retrieves a TGT with an associated server principal.  This is different from what happens when a TGS is granted using a TGT.

This is one of those cases we discussed in the thread with Emmanuel - the KrbOption layer makes it tougher to handle both cases.  It would be possible to add a KrbOption that specifies which NameType should be used with each request, but that means the code will need to differentiate between the values.  And I'm not sure what a sane default would be since it's normally a NameType(1) with a TGT request and a NameType(2) with a TGS request (from my experience).  I guess maybe if an S-Principal is specified, require that the S-Principal-NameType also be provided?

In the long run it might be easier to give the client a couple methods like:

1)  retrieveTgt(AsRequest)
2)  retrieveTgs(AsRequest)

and let the client user's code build the appropriate AsRequest.

Hope this helps!

Steve

--

“The mark of the immature man is that he wants to die nobly for a cause, while the mark of the mature man is that he wants to live humbly for one.” - Wilhelm Stekel

----- Original Message -----
From: "Kai Zheng (JIRA)" <ji...@apache.org>
To: dev@directory.apache.org
Sent: Friday, November 20, 2015 7:21:11 PM
Subject: [jira] [Updated] (DIRKRB-464) Correcting the principal name type for the TGS principal

[ https://issues.apache.org/jira/browse/DIRKRB-464?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kai Zheng updated DIRKRB-464:
-----------------------------
    Description: The correct name type should be KRB5_NT_SRV_INST (2), instead of kRB5-NT-PRINCIPAL (1). The issue may not affect MIT Kerberos, but Windows Server 2008 R2 because the latter insists on that.  (was: The correct name type should be KRB5_NT_SRV_INST (2), instead of kRB5-NT-PRINCIPAL (1).)

> Correcting the principal name type for the TGS principal
> --------------------------------------------------------
>
>                 Key: DIRKRB-464
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-464
>             Project: Directory Kerberos
>          Issue Type: Bug
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>
> The correct name type should be KRB5_NT_SRV_INST (2), instead of kRB5-NT-PRINCIPAL (1). The issue may not affect MIT Kerberos, but Windows Server 2008 R2 because the latter insists on that.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
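A worked example, added here and not part of the thread or of the Kerby code base, that mirrors the makeTgsPrincipal change discussed above in Python: it builds the krbtgt/REALM@REALM principal, assigns NT_SRV_INST (2) to the TGS principal and NT_PRINCIPAL (1) to single-component names, DER-encodes the RFC 4120 PrincipalName so the name-type byte is visible on the wire, and applies the strict check the JIRA description attributes to Windows Server 2008 R2. The function names parse_principal, make_tgs_principal, encode_principal_name and check_tgs_name_type are this example's own, not Kerby API, and the strict rule (krbtgt must be NT_SRV_INST with exactly two components) is an assumption drawn from the issue text.

```python
"""Build, encode and check a Kerberos PrincipalName (RFC 4120, section 5.2.2).
Constructed example for the DIRKRB-464 discussion; not Kerby code."""
from dataclasses import dataclass

# name-type values from RFC 4120, section 6.2
NT_UNKNOWN = 0
NT_PRINCIPAL = 1   # kRB5-NT-PRINCIPAL: a user or other single-component name
NT_SRV_INST = 2    # KRB5_NT_SRV_INST: service plus instance, e.g. krbtgt/REALM

TGS_PRINCIPAL = "krbtgt"  # first component of the ticket-granting service name


@dataclass(frozen=True)
class PrincipalName:
    name_type: int
    components: tuple
    realm: str


def parse_principal(text, name_type=None):
    """Split 'comp1/comp2@REALM' into components and realm.

    When no name_type is given, pick NT_SRV_INST for the krbtgt service and
    NT_PRINCIPAL for everything else (assumed policy, mirroring the change in
    makeTgsPrincipal; callers with other service principals pass it explicitly)."""
    if "@" not in text:
        raise ValueError("principal must carry a realm: " + text)
    name, realm = text.rsplit("@", 1)
    components = tuple(name.split("/"))
    if not realm or any(not c for c in components):
        raise ValueError("empty component or realm in " + text)
    if name_type is None:
        name_type = NT_SRV_INST if components[0] == TGS_PRINCIPAL else NT_PRINCIPAL
    return PrincipalName(name_type, components, realm)


def make_tgs_principal(realm):
    """krbtgt/REALM@REALM with NT_SRV_INST, the post-fix behaviour of makeTgsPrincipal."""
    return parse_principal(f"{TGS_PRINCIPAL}/{realm}@{realm}", NT_SRV_INST)


def _der_len(n):
    # DER length octets: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int32(v):
    # minimal two's-complement encoding, as DER INTEGER requires
    length = 1
    while not (-(1 << (8 * length - 1)) <= v < (1 << (8 * length - 1))):
        length += 1
    return _tlv(0x02, v.to_bytes(length, "big", signed=True))


def encode_principal_name(p):
    """PrincipalName ::= SEQUENCE {
           name-type   [0] Int32,
           name-string [1] SEQUENCE OF KerberosString }   (KerberosString = GeneralString)"""
    name_type = _tlv(0xA0, _der_int32(p.name_type))
    strings = b"".join(_tlv(0x1B, c.encode("ascii")) for c in p.components)
    name_string = _tlv(0xA1, _tlv(0x30, strings))
    return _tlv(0x30, name_type + name_string)


def check_tgs_name_type(p):
    """Strict acceptance rule of the kind the issue attributes to Windows Server 2008 R2
    (assumed here): a krbtgt principal must be NT_SRV_INST with exactly two components.
    Other principals are not subject to this rule."""
    if p.components[0] != TGS_PRINCIPAL:
        return True
    return p.name_type == NT_SRV_INST and len(p.components) == 2


if __name__ == "__main__":
    fixed = make_tgs_principal("EXAMPLE.COM")
    old = parse_principal("krbtgt/EXAMPLE.COM@EXAMPLE.COM", NT_PRINCIPAL)
    print("fixed:", encode_principal_name(fixed).hex(), check_tgs_name_type(fixed))
    print("old:  ", encode_principal_name(old).hex(), check_tgs_name_type(old))
```

The two hex dumps differ only in the byte after the `a0 03 02 01` prefix (`02` versus `01`), which is exactly the field a strict KDC inspects; the rest of the encoding, the two GeneralString components `krbtgt` and the realm, is identical, which is why MIT Kerberos can accept both while a KDC that keys on name-type does not.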


Re: [jira] [Updated] (DIRKRB-464) Correcting the principal name type for the TGS principal

Posted by Steve Moyer <sm...@psu.edu>.
Actually, that value shouldn't be hard-coded because there are cases where it needs to have a different value. Take a look at the MIT kinit packet (with a -S argument) that I captured and attached to DIRKRB-440.  The MIT kinit program with a -S option actually retrieves a TGT with an associated server principal.  This is different from what happens when a TGS is granted using a TGT.

This is one of those cases we discussed in the thread with Emmanuel - the KrbOption layer makes it tougher to handle both cases.  It would be possible to add a KrbOption that specifies which NameType should be used with each request, but that means the code will need to differentiate between the values.  And I'm not sure what a sane default would be since it's normally a NameType(1) with a TGT request and a NameType(2) with a TGS request (from my experience).  I guess maybe if an S-Principal is specified, require that the S-Principal-NameType also be provided?

In the long run it might be easier to give the client a couple methods like:

1)  retrieveTgt(AsRequest)
2)  retrieveTgs(AsRequest)

and let the client user's code build the appropriate AsRequest.

Hope this helps!

Steve

--

“The mark of the immature man is that he wants to die nobly for a cause, while the mark of the mature man is that he wants to live humbly for one.” - Wilhelm Stekel

----- Original Message -----
From: "Kai Zheng (JIRA)" <ji...@apache.org>
To: dev@directory.apache.org
Sent: Friday, November 20, 2015 7:21:11 PM
Subject: [jira] [Updated] (DIRKRB-464) Correcting the principal name type for the TGS principal

[ https://issues.apache.org/jira/browse/DIRKRB-464?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kai Zheng updated DIRKRB-464:
-----------------------------
    Description: The correct name type should be KRB5_NT_SRV_INST (2), instead of kRB5-NT-PRINCIPAL (1). The issue may not affect MIT Kerberos, but Windows Server 2008 R2 because the latter insists on that.  (was: The correct name type should be KRB5_NT_SRV_INST (2), instead of kRB5-NT-PRINCIPAL (1).)

> Correcting the principal name type for the TGS principal
> --------------------------------------------------------
>
>                 Key: DIRKRB-464
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-464
>             Project: Directory Kerberos
>          Issue Type: Bug
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>
> The correct name type should be KRB5_NT_SRV_INST (2), instead of kRB5-NT-PRINCIPAL (1). The issue may not affect MIT Kerberos, but Windows Server 2008 R2 because the latter insists on that.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)