jcmturner / gokrb5
Pure Go Kerberos library for clients and services
License: Apache License 2.0
Solution to change a password via kadmind and against Active Directory
First off, thank you so much for creating this library! 😄
I have a use case where I have an existing ticket (the user has performed a Kerberos login elsewhere) and the ticket is available in the credentials cache at this location: /tmp/krb5cc_$(id -u $(whoami)).
Do you have an example of using the ticket to authenticate and make requests against an HTTP service using SPNEGO?
Great library @jcmturner
I'm having a little trouble with selecting keys from the keytab on the client side, because you have to know the correct KVNo ahead of time. Which is, of course, possible to lookup but is a little fiddly.
I couldn't see in the RFC what is the suggested approach for this, but generally when using krb5 libraries you just create a keytab entry with a kvno of (say) 1 and everything works.
Haven't seen the mechanism other libraries are taking around this; not sure if you're aware of any? One possible solution would be to take the newest key of the correct principal and cipher suite if an exact match including the version failed at keytab.go:52?
Happy to raise a PR, but would like your view first.
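Keytab key selection with the two behaviours this thread asks about (an exact KVNO match, falling back to the newest key for the principal and etype when the requested version is absent) and with the component-count check that the later panic report needs. This is an added example written for this page, not code from the gokrb5 project or from the issue author; the Entry type, SelectKey and SampleKeytab are constructed for the illustration and are not gokrb5 identifiers.

```go
package main

import "fmt"

// Entry is a constructed stand-in for one keytab entry; it is not gokrb5's type.
type Entry struct {
	Realm      string
	Components []string // principal name components, e.g. {"HTTP", "host.example.com"}
	KVNO       uint32
	EType      int32
	Key        []byte
}

// principalMatches accepts only a full, component-by-component match.
// Comparing lengths first means a shorter name cannot index past the end of
// the entry's components, and a longer name cannot pass on a shared prefix.
func principalMatches(want, have []string) bool {
	if len(want) != len(have) {
		return false
	}
	for i := range want {
		if want[i] != have[i] {
			return false
		}
	}
	return true
}

// SelectKey looks up the key for a principal, realm and etype.
// With kvno > 0 an exact version match is returned when present; otherwise
// (or with kvno == 0) the entry with the highest KVNO is returned and the
// second result is false so the caller can log that a fallback key was used.
// A fallback key for a version the KDC did not use will not decrypt the
// ticket, so the mismatch is worth surfacing rather than hiding.
func SelectKey(entries []Entry, components []string, realm string, etype int32, kvno uint32) (Entry, bool, error) {
	var newest *Entry
	for i := range entries {
		e := &entries[i]
		if e.Realm != realm || e.EType != etype || !principalMatches(components, e.Components) {
			continue
		}
		if kvno != 0 && e.KVNO == kvno {
			return *e, true, nil
		}
		if newest == nil || e.KVNO > newest.KVNO {
			newest = e
		}
	}
	if newest == nil {
		return Entry{}, false, fmt.Errorf("no key in keytab for %v@%s etype %d", components, realm, etype)
	}
	return *newest, false, nil
}

// SampleKeytab is constructed data for the demonstration.
var SampleKeytab = []Entry{
	{Realm: "EXAMPLE.COM", Components: []string{"HTTP", "host.example.com"}, KVNO: 1, EType: 18, Key: []byte{0x01}},
	{Realm: "EXAMPLE.COM", Components: []string{"HTTP", "host.example.com"}, KVNO: 3, EType: 18, Key: []byte{0x03}},
	{Realm: "EXAMPLE.COM", Components: []string{"HTTP", "host.example.com", "admin"}, KVNO: 9, EType: 18, Key: []byte{0x09}},
}

func main() {
	spn := []string{"HTTP", "host.example.com"}
	for _, kvno := range []uint32{3, 5, 0} {
		e, exact, err := SelectKey(SampleKeytab, spn, "EXAMPLE.COM", 18, kvno)
		if err != nil {
			fmt.Println("lookup failed:", err)
			continue
		}
		fmt.Printf("asked kvno %d -> got kvno %d (exact match: %v)\n", kvno, e.KVNO, exact)
	}
	// A name with fewer components than the entry does not panic; it simply does not match.
	_, _, err := SelectKey(SampleKeytab, []string{"HTTP"}, "EXAMPLE.COM", 18, 0)
	fmt.Println("one-component lookup:", err)
}
```

The three-component entry never satisfies a two-component lookup, which is the property a prefix comparison loses.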
After doing this:
go get gopkg.in/jcmturner/gokrb5.v1
When I try to import the module, I keep getting:
Can't load package: ... no buildable Go source files.
I get a panic in this line if the Principal name has fewer components but leading components match what's in the keytab:
/home/fst/GoApps/src/github.com/jcmturner/gokrb5/keytab/keytab.go:55 +0x59c
This is my local fix:
index 6f9fd66..bab1a97 100644
--- a/keytab/keytab.go
+++ b/keytab/keytab.go
@@ -51,11 +51,15 @@ func (kt *Keytab) GetEncryptionKey(nameString []string, real
for _, k := range kt.Entries {
if k.Principal.Realm == realm && int(k.Key.KeyType) == etype &&
p := true
- for i, n := range k.Principal.Components {
- if nameString[i] != n {
- p = false
- break
+ if len(nameString) == len(k.Principal.Components) {
+ for i, n := range k.Principal.Components {
+ if nameString[i] != n {
+ p = false
+ break
+ }
}
+ } else {
+ p = false
}
if p {
key = k.Key
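Review bot: the `if len(nameString) == len(k.Principal.Components)` guard removes the index-out-of-range panic for a shorter name, and it also closes a second gap in the old loop: a nameString with more components than the entry previously matched on a shared prefix, so a key could be returned for a principal the keytab does not actually contain. Keep the length check in the final version of the fix. The `p := true` followed by `} else { p = false }` can be collapsed to `p := len(nameString) == len(k.Principal.Components)` with the component loop run only when `p` is true, which makes the intent readable at a glance. A regression test covering the three cases (fewer components, more components, exact match) would keep this from coming back.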
Hi,
I'm receiving the following error when trying to obtain a TGT with client.Login() in an Active Directory environment:
[Root cause: KRBMessage_Handling_Error] KRBMessage_Handling_Error: AS Exchange Error: AS_REP is not valid < KRBMessage_Handling_Error: KDC did not respond appropriately to FAST negotiation
Commenting out these lines in KDCRep.go helps, but, of course, it is not a solution:
if len(k.DecryptedEncPart.EncPAData) < 2 || !k.DecryptedEncPart.EncPAData.Contains(patype.PA_FX_FAST) {
return false, krberror.NewErrorf(krberror.KRBMsgError, "KDC did not respond appropriately to FAST negotiation")
}
The debugger shows that k.DecryptedEncPart.EncPAData has 1 element with PADataType = 149.
Thanks.
Can the library support TCP requests? I want to use gokrb5 to connect to Kafka; can you give me a test sample? Thank you very much.
Keep getting SPNEGO Kerberos authentication failed
I have a keytab file which I am able to read through ktutil. When I do "list" I see all the principals.
The error message is decrypting encpart of service ticket provided: [KRB Error: (45) KRB_AP_ERR_NOKEY Service key not avaliable - Could not get key from keytab: Matching key not found in keytab. Looking for [HTTP hostname.FDQN] real: REAL.com kvno: 20 etype: 18]
Is there anything else I should be doing?
This might be useful for the config package to augment Load.
For example, config, err := config.LoadFromDefaultLocations(), which would attempt to load configuration from the following locations:
Platform | Path |
---|---|
Windows | c:\winnt\krb5.ini |
Windows | c:\windows\krb5.ini |
Linux | /etc/krb5.conf |
Other Unix | /etc/krb5/krb5.conf |
z/OS | /etc/krb5/krb5.conf |
IBM i | /QIBM/UserData/OS400/NetworkAuthentication/krb5.conf |
Solaris | /etc/krb5/krb5.conf |
The file paths are from these 2 references:
Support referral contained in KDC_ERR_WRONG_REALM message
Hey,
I have a SPNEGO flow that worked fine for some users, but suddenly I started to get this error:
SID revision value read as 4 when it must be 1
In parallel I tried with another user and it worked fine, but I'm not sure what is causing the SID.revision to be 4 instead of 1 for a specific user (tried purging the klist ticket, etc.; nothing works).
Any clue what could have caused this?
Microsoft papers don't say much except that the revision value in a SID should be 0x1, but it is not, and I'm a bit clueless.
Thanks,
Asaf.
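A binary SID decoder of the kind a PAC consumer runs when it hits the "revision value read as N" check above. It is an added example for this page, not code from gokrb5 or from the reporter; the SID layout follows MS-DTYP section 2.4.2.2, and ParseSID, EncodeSID and the sample S-1-5-21-1-2-500 value are constructed for the illustration. Because the revision byte is the very first byte of the structure, the usual way it reads as something other than 1 is that the decoder started at the wrong offset (a preceding field was longer or shorter than the parser assumed), which the second call in main reproduces by prepending one byte.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
)

// SID holds the fields of a binary security identifier (MS-DTYP section 2.4.2.2).
type SID struct {
	Revision       uint8
	Authority      uint64 // 48-bit identifier authority
	SubAuthorities []uint32
}

// ParseSID decodes a SID from the start of b and returns it with the number of
// bytes consumed. Layout: Revision (1 byte, must be 1), SubAuthorityCount
// (1 byte, at most 15), IdentifierAuthority (6 bytes, big-endian), then
// SubAuthorityCount little-endian uint32 values.
func ParseSID(b []byte) (SID, int, error) {
	if len(b) < 8 {
		return SID{}, 0, fmt.Errorf("SID needs at least 8 bytes, have %d", len(b))
	}
	rev, count := b[0], int(b[1])
	if rev != 1 {
		return SID{}, 0, fmt.Errorf("SID revision value read as %d when it must be 1", rev)
	}
	if count > 15 {
		return SID{}, 0, fmt.Errorf("SID sub-authority count %d exceeds 15", count)
	}
	need := 8 + 4*count
	if len(b) < need {
		return SID{}, 0, fmt.Errorf("SID truncated: need %d bytes, have %d", need, len(b))
	}
	var auth uint64
	for _, x := range b[2:8] {
		auth = auth<<8 | uint64(x)
	}
	subs := make([]uint32, count)
	for i := range subs {
		subs[i] = binary.LittleEndian.Uint32(b[8+4*i:])
	}
	return SID{Revision: rev, Authority: auth, SubAuthorities: subs}, need, nil
}

// String renders the familiar S-1-5-21-... form.
func (s SID) String() string {
	parts := []string{"S", strconv.Itoa(int(s.Revision)), strconv.FormatUint(s.Authority, 10)}
	for _, sub := range s.SubAuthorities {
		parts = append(parts, strconv.FormatUint(uint64(sub), 10))
	}
	return strings.Join(parts, "-")
}

// EncodeSID is the inverse, used here only to build constructed input.
func EncodeSID(s SID) []byte {
	out := make([]byte, 8+4*len(s.SubAuthorities))
	out[0] = s.Revision
	out[1] = byte(len(s.SubAuthorities))
	for i := 0; i < 6; i++ {
		out[2+i] = byte(s.Authority >> (8 * uint(5-i)))
	}
	for i, sub := range s.SubAuthorities {
		binary.LittleEndian.PutUint32(out[8+4*i:], sub)
	}
	return out
}

func main() {
	// Constructed sample: a short domain-style SID.
	raw := EncodeSID(SID{Revision: 1, Authority: 5, SubAuthorities: []uint32{21, 1, 2, 500}})
	sid, n, err := ParseSID(raw)
	fmt.Println(sid, n, err)

	// Starting one byte early puts some other byte where the revision belongs,
	// which is what a "revision value read as N" error usually indicates.
	_, _, err = ParseSID(append([]byte{4}, raw...))
	fmt.Println(err)
}
```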
Howdy!
I need to bundle something cross-platform that can serve the most basic function of Kinit, specifically, getting a TGT from the KDC and putting it in the ticket cache.
Is it easy to either combine or modify elements of this library to mimic that behavior? It appears that all TGT caching occurs within the go process.
gokrb5/config can't read empty lines within a section nor configs containing "v4_name_convert", see http://web.mit.edu/quentin/krb5-config/krb5.conf
When using the gokrb5 library, how come the ticket and SPN don't show up in klist?
When I do a klist first, I see my credential cache; then I do a curl -u --negotiate u: http://foo.org and I authenticate. Then when I do a klist I see the credential again. However, when I use gokrb5 I don't see it.
Btw, the client library works, just curious why I don't see the certificate.
Enhancement request:
Add functions to marshal the keytab to bytes and also write to to disk.
Hi,
If I have an unsupported enctype in the first place of my krb5.conf, the program panics:
default_tgs_enctypes = des-cbc-crc rc4-hmac
It panics because there is no error check in krb5Token.go line 130 and etype is nil:
etype, _ := crypto.GetEtype(keyType)
auth.GenerateSeqNumberAndSubKey(keyType, etype.GetKeyByteSize())
Is it possible to ignore unsupported enctypes in the default_tgs_enctypes config parameter?
Thanks in advance!
Could we get more insight on why the call func (cl *Client) IsConfigured() bool returns false?
Creating a client from a password rather than a keytab...
cl := client.NewClientWithPassword("user", "EXAMPLE.COM", "password")
... and using rc4-hmac as an enctype, results in:
GOKRB5 Client: 2017/11/27 15:29:39 test.go:29: Error on AS_REQ: [Root cause: Encrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: failed setting AS_REQ PAData for pre-authentication required < Encrypting_Error: Error getting key from credentials: [Error deriving key from string: Invalid s2kparams length]
Hi,
I'm receiving the following error if I perform client.Login() for a user with a realm that does not match default_realm in the configuration:
[Root cause: Encoding_Error] Encoding_Error: AS Exchange Error: failed to process the AS_REP: [KRB Error: (6) KDC_ERR_C_PRINCIPAL_UNKNOWN Client not found in Kerberos database]
This was alluded to in #58; I'm trying to use this library to be able to perform dynamic DNS updates that are signed using RFC 3645 GSS-TSIG. According to the RFC, the GSSAPI calls I should be using are GSS_Init_sec_context(), GSS_GetMIC() and/or GSS_VerifyMIC(). I can't find these by name in your library but the "Generic Kerberos Client" section in the README seems to read like it's the same flow, particularly the final bit:
Now send the AP_REQ to the serivce. How this is done will be specific to the application use case.
This would be (I think) where I send the first TKEY DNS query to the target DNS server. I've captured DNS traffic generated by nsupdate -g and looking at it with Wireshark shows the same; there's a TKEY query that has the ID KRB5_AP_REQ so it looks like my first step is to send that AP_REQ in a DNS query.
However, I'm not sure what to do about setting the checksum on the authenticator, or is that the equivalent to GSS_VerifyMIC() for the reply(ies) from the server?
Any pointers appreciated.
Hey,
First I'd like to say thanks for this great library (finally no conflicts between millions of versions of native krb libraries!)
Is there any reason why the error is not propagated in this line? It makes it impossible to be aware of IO problems during file read:
Line 101 in 6aa472f
Thanks
OK, so I caveat this with "I'm new to Krb5 authentication" and "It's likely a misconfiguration on my end". I have a need to set up a simple Kerberos token mechanism in order to connect a Go microservice running in a Linux Docker container to an MS SQL Server that requires a domain login.
I have a dedicated domain "service account" that can successfully log in using kinit via command-line, however, using the same credentials in the following code-snippet produces:
[Root cause: Networking_Error] Networking_Error: AS Exchange Error: failed sending AS_REQ to KDC: failed to communicate with KDC. Attempts made with UDP (no KDCs defined in configuration for realm ) and then TCP (no KDCs defined in configuration for realm )
The snippet of code is:
cfg, err := config.Load("/etc/krb5.conf")
if err != nil {
logger.Log("Error", err)
}
cl := client.NewClientWithPassword(userCreds.kdcLogin, kdcDomain, userCreds.kdcPasswd)
cl.WithConfig(cfg)
if err := cl.Login(); err != nil {
logger.Log("Error", err)
}
It doesn't seem to make any difference if my userCreds.kdcLogin contains "[email protected]" or "my_service_account" (sans '@Domain').
Again, I CAN log in via CLI using kinit with the credentials specified, but when running it via the GoLang microservice, I can't successfully log in.
If it helps, here is a paste of my /etc/krb5.conf file:
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = WINDOWSKDCDOMAIN
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
WINDOWSKDCDOMAIN = {
kdc = MYDC.MYCOMPANY.COM:88
}
I've tried this WITH and WITHOUT domain_realm section, and it makes ZERO difference.
Calling GetServiceTicket with, for example, only a service string (i.e., GetServiceTicket("hdfs")) results in a panic:
panic: runtime error: index out of range
goroutine 1 [running]:
gopkg.in/jcmturner/gokrb5.v3/client.(*Client).GetSessionFromPrincipalName(0xc420081cb0, 0x1, 0xc420011430, 0x1, 0x1, 0x1, 0x1, 0x0)
/home/go/src/gopkg.in/jcmturner/gokrb5.v3/client/session.go:140 +0x159
gopkg.in/jcmturner/gokrb5.v3/client.(*Client).GetServiceTicket(0xc420081cb0, 0x12f7284, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
/home/go/src/gopkg.in/jcmturner/gokrb5.v3/client/TGSExchange.go:77 +0x1c0
main.main()
/home/go/Documents/workspace/go-krb-sandbox/krb-auth.go:55 +0x445
It's relatively minor as such a call should not happen anyway (I ran into it after doing a copy-paste mistake) but the function could be slightly more polite and return an error with a helpful message.
(happens with gokrb5.v3 and go version 1.9.2)
Happy to do a PR if this is meaningful.
I was trying to use your library and my test code was generating the error client krb5 config does not have a default realm. My /etc/krb5.conf does have the default_realm setting; here's the relevant bit:
---8<---
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
default_realm = EXAMPLE.COM
[realms]
---8<---
I tracked down the problem to the fact there's no blank line between default_realm and the following [realms] section. If I add one then my test code gets further. I looked through the krb5.conf(5) man page and couldn't see anything that mandated there should be a blank line before subsequent sections, but the example in the man page does have that.
I'm going to clean up the /etc/krb5.conf at my end as it looks untidy, but I thought I'd raise the issue here in case it's a small bug in the parser.
conf, err := config.Load("/etc/krb5.conf")
cc, err := credentials.LoadCCache("/tmp/krb5cc_20115788")
fmt.Println(cc.GetClientPrincipalName())
cl, err := client.NewClientFromCCache(cc)
if err != nil {
panic(err)
}
cl.WithConfig(conf)
Can I pass cl to multiple goroutines? The goroutines will be doing something like:
r, _ := http.NewRequest("GET", "http://kerberized.end.point", nil)
cl.SetSPNEGOHeader(r, "")
httpResp, err := http.DefaultClient.Do(r)
defer httpResp.Body.Close()
"GetServiceTicket makes a request to get a service ticket for the SPN specified and the ticket will be added to the client's ticket cache": will there be a race condition here? Or in any other place?
Hey,
First of all, thanks for this library, no more native dependencies in our stack :-)
We could successfully use it with ApacheDS but fail with AD,
First, we created a Keytab using the following command:
ktpass -princ HTTP/[email protected] -mapuser ad_sso_user -crypto AES-128-SHA1 -ptype KRB5_NT_PRINCIPAL -pass passw0rd -out c:\temp\my.ketab
(etype for this AES-128-SHA1 is 0x11)
With AD, the 2nd HTTP roundtrip has the token header but fails on this line.
Seems like gokrb5 expects 1.2.840.113554.1.2.2 while we receive from the KDC 1.2.840.48018.1.2.2, which seems to be the krb5 OID with the legacy bit.
No idea what is causing AD to use this OID instead of the expected krb5 OID (any clue?)
Trying to comment out this condition, we failed on:
Could not get key from kteytab: Matching key not found in keytab. Looking for [HTTP myvm.mydomain.corp] realm: MYDOMAIN.CORP kvno: 3 etype: 23
Not sure why the ticket contains etype: 23 while the keytab was generated with etype: 17,
So we tried to generate a keytab with the RC4-HMAC-NT etype, which is 23; we fail on this line with:
Unknown or unsupported checksum type: 4294967158
Seems like we fail on the PAC type check.
It seems like the pac.ServerChecksum.SignatureType value is 4294967158 while pac_type.go and crypto expect checksum types that correspond to etypes.
Any clue how to proceed from here?
Thanks,
Asaf.
Hi,
I saw there was an issue recently closed about building on 32-bit systems. Just tried to test it and it seems there is an error still:
$ GOARCH=386 go build gopkg.in/jcmturner/gokrb5.v3/crypto
# gopkg.in/jcmturner/gokrb5.v3/crypto
../go/src/gopkg.in/jcmturner/gokrb5.v3/crypto/crypto.go:61: constant 4294967158 overflows int
Would be good to have a fix.
Thanks.
I've just realized that my KDC (Active Directory) does not close the connection when responding to a ticket request.
As a result this io.Copy() operation takes 5 seconds on every call:
conn.SetDeadline(time.Now().Add(time.Duration(5 * time.Second)))
...
io.Copy(&rBuf, conn)
network.go, func sentTCP()
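The stall described above comes from reading until EOF on a connection the KDC never closes. Kerberos over TCP frames every message with a 4-byte big-endian length whose high bit is reserved (RFC 4120 section 7.2.2), so a client can read exactly one message and return as soon as it has arrived. The code below is an added example, not gokrb5's network.go; ReadKDCMessageTCP, WriteKDCMessageTCP, ExchangeTCP and the MaxKDCMessage cap are constructed for this page, and main uses net.Pipe as a stand-in for a KDC that keeps the connection open.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"time"
)

// MaxKDCMessage is a constructed sanity cap on one reply; it protects the
// client from allocating whatever size a hostile peer announces.
const MaxKDCMessage = 1 << 20

// WriteKDCMessageTCP frames a KDC message for TCP: a 4-byte big-endian length
// with the high bit clear, then the message (RFC 4120 section 7.2.2).
func WriteKDCMessageTCP(w io.Writer, msg []byte) error {
	if len(msg) >= 1<<31 {
		return errors.New("message too large for a 31-bit length prefix")
	}
	var hdr [4]byte
	binary.BigEndian.PutUint32(hdr[:], uint32(len(msg)))
	if _, err := w.Write(hdr[:]); err != nil {
		return err
	}
	_, err := w.Write(msg)
	return err
}

// ReadKDCMessageTCP reads exactly one framed message. Because it stops once
// the announced length has arrived, a KDC that leaves the connection open no
// longer makes the client wait for EOF or for the deadline.
func ReadKDCMessageTCP(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, fmt.Errorf("reading length prefix: %w", err)
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n&0x80000000 != 0 {
		return nil, errors.New("reserved high bit set in length prefix")
	}
	if n == 0 || n > MaxKDCMessage {
		return nil, fmt.Errorf("implausible KDC message length %d", n)
	}
	msg := make([]byte, n)
	if _, err := io.ReadFull(r, msg); err != nil {
		return nil, fmt.Errorf("reading %d-byte message: %w", n, err)
	}
	return msg, nil
}

// ExchangeTCP sends one request and reads one reply on an open connection.
// The deadline now only matters if the KDC never answers at all.
func ExchangeTCP(conn net.Conn, req []byte, timeout time.Duration) ([]byte, error) {
	if err := conn.SetDeadline(time.Now().Add(timeout)); err != nil {
		return nil, err
	}
	if err := WriteKDCMessageTCP(conn, req); err != nil {
		return nil, err
	}
	return ReadKDCMessageTCP(conn)
}

func main() {
	// In-memory stand-in for the KDC connection; the "KDC" side never closes it.
	client, kdc := net.Pipe()
	go func() {
		if req, err := ReadKDCMessageTCP(kdc); err == nil {
			_ = WriteKDCMessageTCP(kdc, append([]byte("reply-to:"), req...))
		}
		// deliberately no kdc.Close()
	}()
	start := time.Now()
	reply, err := ExchangeTCP(client, []byte("AS-REQ"), 5*time.Second)
	fmt.Printf("%q %v (took %v, well under the 5s deadline)\n", reply, err, time.Since(start))

	// A length prefix with the reserved bit set is rejected before any allocation.
	fmt.Println(ReadKDCMessageTCP(bytes.NewReader([]byte{0x80, 0, 0, 0, 1})))
}
```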
Implement the ability to request tickets that can only be used from the client's IP addresses.
This needs the ability to set the "addresses" field in the AS_REQ's request body to the client's local IP addresses
Do you have an example of parsing client credentials cache files with kinit?
Hey,
I'm not sure if this is a bug or intended behavior, but Credential's userName property becomes a display name when using ADCredentials.
I started to use the CName instead, but I find it confusing.
Please close if this is intended behavior.
Thanks.
Hi,
I am trying to understand how to calculate the checksum in the authenticator for AP_REQ, and from the current documentation it is not really clear what the parameters of the GetChecksumHash method (which, if I understand correctly, should be used for calculating the checksum) are:
Line 26 in 51e4362
So: what is the protocolKey parameter? Is data the marshaled data from messages.Ticket.EncPart? The ticket is obtained here: Line 64 in ab3cf9b. And what is the usage parameter? Thank you in advance!
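For the GSSAPI use the two questions above are asking about (GSS-TSIG via GSS_Init_sec_context/GSS_GetMIC, and "what goes in the authenticator checksum"), RFC 4121 section 4.1.1 answers the second: the AP-REQ Authenticator's cksum field is not a keyed hash of the ticket but a fixed structure of checksum type 0x8003 carrying the channel-binding hash and the context flags. Keyed checksums with a key and a usage number (RFC 3961 style) come into play later, for the MIC tokens of GSS_GetMIC and GSS_VerifyMIC. The code below is an added example, not gokrb5's API; it builds and parses that 0x8003 structure, and the names BuildGSSChecksum, ParseGSSChecksum and FlagNames are constructed for this page.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// ChecksumTypeGSSAPI is the Kerberos checksum type (0x8003) the GSSAPI
// mechanism places in the AP-REQ Authenticator's cksum field (RFC 4121 section 4.1.1).
const ChecksumTypeGSSAPI = 0x8003

// Context flags carried in the checksum (RFC 4121 section 4.1.1.1), little-endian on the wire.
const (
	FlagDeleg    uint32 = 1
	FlagMutual   uint32 = 2
	FlagReplay   uint32 = 4
	FlagSequence uint32 = 8
	FlagConf     uint32 = 16
	FlagInteg    uint32 = 32
)

// BuildGSSChecksum produces the 24-byte fixed part: Lgth (4 bytes LE, always 16),
// Bnd (16-byte channel-binding hash, all zero when none is used), Flags (4 bytes LE).
// The optional delegation fields and extensions that may follow are not emitted here.
func BuildGSSChecksum(channelBinding [16]byte, flags uint32) []byte {
	out := make([]byte, 24)
	binary.LittleEndian.PutUint32(out[0:4], 16)
	copy(out[4:20], channelBinding[:])
	binary.LittleEndian.PutUint32(out[20:24], flags)
	return out
}

// ParseGSSChecksum is the acceptor's view: validate the layout and return the
// channel binding and the options the initiator asked for, so the service can
// check them against its own policy before it trusts the context.
func ParseGSSChecksum(b []byte) (bnd [16]byte, flags uint32, err error) {
	if len(b) < 24 {
		return bnd, 0, fmt.Errorf("GSSAPI checksum field is %d bytes, need at least 24", len(b))
	}
	if l := binary.LittleEndian.Uint32(b[0:4]); l != 16 {
		return bnd, 0, fmt.Errorf("Bnd length %d, expected 16", l)
	}
	copy(bnd[:], b[4:20])
	flags = binary.LittleEndian.Uint32(b[20:24])
	return bnd, flags, nil
}

// FlagNames renders the flag word for logging, in bit order.
func FlagNames(flags uint32) []string {
	table := []struct {
		bit  uint32
		name string
	}{
		{FlagDeleg, "deleg"}, {FlagMutual, "mutual"}, {FlagReplay, "replay"},
		{FlagSequence, "sequence"}, {FlagConf, "conf"}, {FlagInteg, "integ"},
	}
	var names []string
	for _, e := range table {
		if flags&e.bit != 0 {
			names = append(names, e.name)
		}
	}
	return names
}

func main() {
	var noBinding [16]byte // constructed: no channel bindings supplied
	cksum := BuildGSSChecksum(noBinding, FlagMutual|FlagInteg)
	fmt.Printf("cksum type 0x%x, %d bytes: % x\n", ChecksumTypeGSSAPI, len(cksum), cksum)
	_, flags, err := ParseGSSChecksum(cksum)
	fmt.Println(FlagNames(flags), err)
}
```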
Hello,
krb5conf fails to parse the [realms] section with an auth_to_local RULE definition like:
auth_to_local = RULE:[1:$1@$0](.*@EXAMPLE.COM)s/.*//
It seems the root cause is square brackets, which are interpreted as a new section definition.
Doing some benchmarking, and I plan to create a few hundred goroutines.
What is the preferred way to call the GET while setting the SPNEGO header?
r, _ := http.NewRequest("GET", "http://host.test.gokrb5/index.html", nil)
spn := ""
cl.SetSPNEGOHeader(r, spn)
HTTPResp, err := http.DefaultClient.Do(r)
Should I do this inside each goroutine? Or do I have to call SetSPNEGOHeader only once?
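Both of the goroutine questions above (sharing one client across goroutines, and where to set the SPNEGO header) come down to the same two facts: the SPNEGO token carries a fresh AP-REQ authenticator, so it is generated per request, while the service ticket behind it can be cached and shared. The code below is an added example of the cache discipline that sharing needs, not a description of what gokrb5 itself does internally; TicketCache, Ticket, FetchFunc and NewCountingFetch are constructed for this page. A mutex guards the maps, and callers for the same SPN join an in-flight fetch rather than each sending their own TGS-REQ.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// Ticket is a constructed stand-in for a cached service ticket (not gokrb5's type).
type Ticket struct {
	SPN     string
	Expires time.Time
}

// FetchFunc obtains a fresh ticket for an SPN, e.g. by running the TGS exchange.
type FetchFunc func(spn string) (Ticket, error)

type call struct {
	done chan struct{}
	t    Ticket
	err  error
}

// TicketCache is safe for concurrent use: the mutex guards the maps, and the
// inflight map makes concurrent callers for one SPN share a single fetch.
type TicketCache struct {
	mu       sync.Mutex
	tickets  map[string]Ticket
	inflight map[string]*call
	fetch    FetchFunc
}

func NewTicketCache(fetch FetchFunc) *TicketCache {
	return &TicketCache{tickets: map[string]Ticket{}, inflight: map[string]*call{}, fetch: fetch}
}

// Get returns a cached, unexpired ticket or acquires one exactly once per SPN.
func (c *TicketCache) Get(spn string) (Ticket, error) {
	c.mu.Lock()
	if t, ok := c.tickets[spn]; ok && time.Now().Before(t.Expires) {
		c.mu.Unlock()
		return t, nil
	}
	if cl, ok := c.inflight[spn]; ok {
		c.mu.Unlock()
		<-cl.done // another goroutine is already fetching this SPN
		return cl.t, cl.err
	}
	cl := &call{done: make(chan struct{})}
	c.inflight[spn] = cl
	c.mu.Unlock()

	cl.t, cl.err = c.fetch(spn) // the network round trip happens outside the lock

	c.mu.Lock()
	if cl.err == nil {
		c.tickets[spn] = cl.t
	}
	delete(c.inflight, spn)
	c.mu.Unlock()
	close(cl.done) // publishes cl.t and cl.err to the waiters
	return cl.t, cl.err
}

// NewCountingFetch returns a slow fake fetcher and a function reporting how often it ran.
func NewCountingFetch(delay time.Duration) (FetchFunc, func() int32) {
	var calls int32
	fetch := func(spn string) (Ticket, error) {
		atomic.AddInt32(&calls, 1)
		time.Sleep(delay)
		return Ticket{SPN: spn, Expires: time.Now().Add(10 * time.Minute)}, nil
	}
	return fetch, func() int32 { return atomic.LoadInt32(&calls) }
}

// RunConcurrent has n goroutines request the same SPN at once (the benchmark
// scenario) and reports how many received a ticket without error.
func RunConcurrent(c *TicketCache, spn string, n int) (int, error) {
	var wg sync.WaitGroup
	var ok int32
	var errMu sync.Mutex
	var firstErr error
	start := make(chan struct{})
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			<-start // release all goroutines together
			if _, err := c.Get(spn); err != nil {
				errMu.Lock()
				if firstErr == nil {
					firstErr = err
				}
				errMu.Unlock()
				return
			}
			atomic.AddInt32(&ok, 1)
		}()
	}
	close(start)
	wg.Wait()
	return int(ok), firstErr
}

func main() {
	fetch, calls := NewCountingFetch(20 * time.Millisecond)
	cache := NewTicketCache(fetch)
	got, err := RunConcurrent(cache, "HTTP/host.test.gokrb5", 200)
	fmt.Printf("goroutines with a ticket: %d, err: %v, TGS exchanges run: %d\n", got, err, calls())
}
```

Run it with the race detector (go run -race) to confirm the cache itself is free of data races; the per-request header is then set inside each goroutine, using the shared, cached ticket.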
I want to use gohbase client to access a hbase cluster with kerberos, however, I am confused with integrating gokrb5 and gohbase.
Would it make sense to replace your readIntX methods with a library like this: https://github.com/zhuangsirui/binpacker
It seems much easier to maintain and read.
Installation instructions of this package do not work for me:
$ go get gopkg.in/jcmturner/gokrb5.v3
package gopkg.in/jcmturner/gokrb5.v3: no Go files in $GOPATH/src/gopkg.in/jcmturner/gokrb5.v3
Tested in two environments:
# CentOS 7
$ go version
go version go1.9.2 linux/amd64
# macOS 10.11
$ go version
go version go1.9.2 darwin/amd64
Am I missing something?
cfg, _ := config.NewConfigFromString("...")
cc, _ := credentials.LoadCCache("/tmp/krb5cc_1000")
k5cli, _ := client.NewClientFromCCache(cc)
k5cli.WithConfig(cfg)
req, _ := http.NewRequest("GET", "https://example.com/endpoint", nil)
k5cli.SetSPNEGOHeader(req, "HTTP/example.com")
KDC, kinit, and gokrb5 are all choosing aes256-cts-hmac-sha1-96 encryption (etype 18).
Tested against v2.1.2 and v4.1.1. Go version is go1.10 linux/amd64.
Uses existing cached ticket for "HTTP/example.com" if one exists in ccache.
Uses TGT to obtain "HTTP/example.com" ticket if no existing ticket in ccache.
Works fine if ccache contains TGT and nothing else.
Fails with following error when trying to use cached ticket:
[Root cause: Encoding_Error] Encoding_Error: cound not generate SPNEGO negotiation token: Could not create NegTokenInit: error getting MechToken; [Root cause: Encrypting_Error] KRBMessage_Handling_Error: Error creating Authenticator for AP_REQ < Encrypting_Error: Error encrypting Authenticator: Error encrypting data: Incorrect keysize: expected: 32 actual: 0
The proximate cause is that encryptAuthenticator in messages/APReq.go has usage values defined for nametype.KRB_NT_PRINCIPAL and for nametype.KRB_NT_SRV_INST, but not for nametype.KRB_NT_SRV_HST. This causes usage to equal 0, which causes EncryptMessage in crypto/rfc3962/encryption.go to use a nil derived key.
Unfortunately, I do not understand enough about the Kerberos protocol to propose an actual fix.
Running klist -ef shows (with redactions):
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]
Valid starting Expires Service principal
03/07/2018 11:37:54 03/07/2018 21:37:54 krbtgt/[email protected]
renew until 03/08/2018 11:37:47, Flags: FPRIA
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
03/07/2018 11:38:44 03/07/2018 21:37:54 krbtgt/[email protected]
renew until 03/08/2018 11:37:47, Flags: FPRAO
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
03/07/2018 11:38:44 03/07/2018 21:37:54 HTTP/[email protected]
renew until 03/08/2018 11:37:47, Flags: FPRAT
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
CORP.REALM is a Windows AD DC, PROD.REALM is an MIT KDC (krb5-kdc on Ubuntu).
$ dep status
PROJECT CONSTRAINT VERSION REVISION LATEST PKGS USED
gopkg.in/jcmturner/gokrb5.v2 v2.1.1 v2.1.1 fbb9b86 fbb9b86 30
$ go build
vendor/gopkg.in/jcmturner/gokrb5.v2/crypto/common/common.go:157:3: constant 4294967296 overflows int
vendor/gopkg.in/jcmturner/gokrb5.v2/crypto/common/common.go:161:3: constant 4294967296 overflows int
vendor/gopkg.in/jcmturner/gokrb5.v2/crypto/common/common.go:167:3: constant 4294967296 overflows int
Once I figured out #56, my next error is that my test client gets the error client krb5 config does not have any defined KDCs for the default realm. My /etc/krb5.conf simply has the following:
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
default_realm = EXAMPLE.COM
---8<---
[realms]
EXAMPLE.COM = {
}
which means the KDCs are located using DNS SRV records, i.e. _kerberos._tcp.example.com (it's a Windows AD environment).
For now I've just done the lookup manually with dig and added them to the configuration file, but would you be open to this as an enhancement?
Hi,
When the [realms] section is last in the config file, it does not detect the last realm:
[libdefaults]
...
[domain_realm]
...
[realms]
TEST.GOKRB5 = {
kdc = 10.80.88.88:88
}
EXAMPLE.COM = {
kdc = kerberos.example.com
}
Test fails:
--- FAIL: TestLoad (0.65s)
assertions.go:239:
Error Trace: krb5conf_test.go:66
Error: Not equal:
expected: 2
actual: 1
Messages: Number of realms not as expected
math/rand is predictable, so it should be replaced with crypto/rand.
math/rand is currently used in:
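The point above in runnable form, as an added example that is not gokrb5's code: PredictableSeqNumber shows why a math/rand value is unsuitable for an Authenticator sequence number or a session subkey (anyone who knows the seed reproduces the whole stream), and the two functions next to it draw the same values from crypto/rand, failing closed if the operating system's generator is unavailable. The function names are constructed for this page; the RFC references describe the fields, not the library's API.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	mrand "math/rand"
)

// PredictableSeqNumber demonstrates the problem: math/rand is a deterministic
// generator, so the same seed always yields the same "random" value.
func PredictableSeqNumber(seed int64) uint32 {
	return mrand.New(mrand.NewSource(seed)).Uint32()
}

// RandomSeqNumber draws an Authenticator seq-number (RFC 4120 section 5.5.1,
// an unsigned 32-bit value) from the operating system's CSPRNG. An error is
// returned rather than a zero or fallback value: a guessable sequence number
// weakens replay protection, so the caller should abort, not continue.
func RandomSeqNumber() (uint32, error) {
	var b [4]byte
	if _, err := io.ReadFull(rand.Reader, b[:]); err != nil {
		return 0, fmt.Errorf("crypto/rand unavailable: %w", err)
	}
	return binary.BigEndian.Uint32(b[:]), nil
}

// RandomKeyBytes returns n bytes of key material for a session subkey. The
// etype's random-to-key function (RFC 3961) is still applied to these bytes
// afterwards; this only replaces the source of randomness.
func RandomKeyBytes(n int) ([]byte, error) {
	if n <= 0 {
		return nil, errors.New("key length must be positive")
	}
	k := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, fmt.Errorf("crypto/rand unavailable: %w", err)
	}
	return k, nil
}

func main() {
	fmt.Println("math/rand with seed 42, twice:", PredictableSeqNumber(42), PredictableSeqNumber(42))
	seq, err := RandomSeqNumber()
	fmt.Println("crypto/rand seq-number:", seq, err)
	key, err := RandomKeyBytes(32)
	fmt.Printf("crypto/rand subkey material: %x %v\n", key, err)
}
```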
First of all, thanks for the effort to create this library!
Unfortunately, it looks like krb5.conf files with tabs as indentation are not parsed correctly. This leads to "no user-defined or default realm is specified" later on. I am not sure how correct it is to use tabs in krb5.conf, but I saw this in a Cloudera installation.
I tested gokrb5 2.1.2 and 1.1.0.
Consider a sample krb5.conf below (note tabs and absence of an empty line at the end).
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmin.log
default = SYSLOG:INFO:DAEMON
[libdefaults]
default_realm = ANSIBLE
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
[realms]
ANSIBLE = {
kdc = fake_kdc.invalid.com
admin_server = fake_as.invalid.com
default_domain = invalid.com
}
[domain_realm]
.invalid.com = ANSIBLE
invalid.com = ANSIBLE
[login]
krb4_convert = true
krb4_get_tickets = false
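Several of the parser reports on this page are one problem from the parser's point of view: tab indentation (this report), a relation immediately followed by a [realms] header with no blank line, the last realm being missed when [realms] ends the file, blank lines inside a section, and an auth_to_local value such as RULE:[1:$1@$0](.*@EXAMPLE.COM)s/.*// being mistaken for a section header. The code below is an added example written for this page, not gokrb5's config package; it parses the relevant subset of krb5.conf syntax by trimming any leading whitespace, treating a line as a header only when the entire trimmed line is [name], and tracking NAME = { ... } blocks explicitly. ParseKrb5Conf, Config, Section and SampleConf are constructed names.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Section maps a relation name to its values; a relation may be repeated.
type Section map[string][]string

// Config holds top-level sections by lower-cased name; nested blocks such as
// the realm entries under [realms] are stored as "realms/<NAME>".
type Config struct {
	Sections map[string]Section
}

// A line is a section header only when the whole trimmed line is [name], so a
// relation value containing square brackets never starts a new section.
var sectionHeader = regexp.MustCompile(`^\[([A-Za-z0-9_]+)\]$`)

func (c *Config) section(name string) Section {
	s, ok := c.Sections[name]
	if !ok {
		s = Section{}
		c.Sections[name] = s
	}
	return s
}

// Realms returns the names of the nested blocks under [realms], sorted.
func (c *Config) Realms() []string {
	var out []string
	for name := range c.Sections {
		if strings.HasPrefix(name, "realms/") {
			out = append(out, strings.TrimPrefix(name, "realms/"))
		}
	}
	sort.Strings(out)
	return out
}

// ParseKrb5Conf handles tabs or spaces as indentation, blank and comment lines
// anywhere, headers without a preceding blank line, a final section with no
// trailing newline, and one level of NAME = { ... } blocks.
func ParseKrb5Conf(text string) (*Config, error) {
	cfg := &Config{Sections: map[string]Section{}}
	var top string  // current top-level section
	var cur Section // where relations go: the top section or the open block
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if !inBlock {
			if m := sectionHeader.FindStringSubmatch(line); m != nil {
				top = strings.ToLower(m[1])
				cur = cfg.section(top)
				continue
			}
		}
		if cur == nil {
			return nil, fmt.Errorf("line %d: relation before any [section]", n)
		}
		if inBlock && line == "}" {
			inBlock = false
			cur = cfg.section(top)
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("line %d: expected 'name = value', got %q", n, line)
		}
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		if val == "{" {
			if inBlock {
				return nil, fmt.Errorf("line %d: nested block inside %q not supported", n, key)
			}
			inBlock = true
			cur = cfg.section(top + "/" + key)
			continue
		}
		cur[key] = append(cur[key], val)
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	if inBlock {
		return nil, fmt.Errorf("unterminated block in [%s]", top)
	}
	return cfg, nil
}

// SampleConf is constructed input combining the reported cases: tab indentation,
// no blank line before [realms], a rule with square brackets, [realms] last,
// and no newline at end of file.
const SampleConf = "[libdefaults]\n" +
	"\tdefault_realm = EXAMPLE.COM\n" +
	"\tdns_lookup_kdc = true\n" +
	"[realms]\n" +
	"\tTEST.GOKRB5 = {\n" +
	"\t\tkdc = 10.80.88.88:88\n" +
	"\t}\n" +
	"\tEXAMPLE.COM = {\n" +
	"\t\tkdc = kerberos.example.com\n" +
	"\t\tauth_to_local = RULE:[1:$1@$0](.*@EXAMPLE.COM)s/.*//\n" +
	"\t}"

func main() {
	cfg, err := ParseKrb5Conf(SampleConf)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Println("default_realm:", cfg.Sections["libdefaults"]["default_realm"])
	fmt.Println("realms:", cfg.Realms())
	fmt.Println("auth_to_local:", cfg.Sections["realms/EXAMPLE.COM"]["auth_to_local"])
}
```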
Hi,
I'm trying to authenticate to a web service in a different realm from the client's:
// krb5.conf has a default realm AAA.CORP.COM and all other realms under [realms] section
cfg, err := config.Load("C:\\krb5.conf")
cl := client.NewClientWithPassword("user", "AAA.CORP.COM", "password")
cl.WithConfig(cfg)
r, _ := http.NewRequest("GET", "https://service.bbb.corp.com/", nil)
cl.SetSPNEGOHeader(r, "HTTP/service.bbb.corp.com")
Request fails with 401 - Unauthorized error.
If I use a client credential in the bbb.corp.com realm, everything works.
I was also trying to specify the full SPN for the web service like this:
cl.SetSPNEGOHeader(r, "HTTP/[email protected]")
That does not work either.
Thanks.
Add implementation for GSSAPI Wrap Tokens:
https://tools.ietf.org/html/rfc4121#section-4.2.6.2
Hi,
By default the KDC port is 88. We have a config without the port and it works for all our other services, but not with gokrb5. So I assume it would be good to add the default port if it is not defined in krb5.conf. Here is the error:
[Root cause: Networking_Error] Networking_Error: AS Exchange Error: failed sending AS_REQ to KDC: [[] Failed to communicate with KDC kdc.example.com. Attempts made with UDP (Error resolving KDC address: address kdc.example.com: missing port in address) and then TCP (Error resolving KDC address: address kdc.example.com: missing port in address)]
Thanks.
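Two of the KDC-address reports on this page (this one, where a kdc value without a port yields "missing port in address", and the earlier one asking for DNS SRV discovery of _kerberos._tcp.example.com) are handled in the added example below. It is written for this page and is not gokrb5's code; WithDefaultPort, KDCsFromSRV, the SRVLook type and the FakeSRV zone are constructed, and a real deployment would pass net.LookupSRV where main passes FakeSRV. Bare IPv6 literals are bracketed before the port is appended so net.Dial can parse them.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

const defaultKDCPort = "88"

// WithDefaultPort returns the kdc value from krb5.conf as host:port, appending
// :88 only when no port is present. IPv6 literals end up bracketed either way.
func WithDefaultPort(kdc string) string {
	if _, _, err := net.SplitHostPort(kdc); err == nil {
		return kdc // already host:port or [v6]:port
	}
	host := strings.TrimSuffix(strings.TrimPrefix(kdc, "["), "]")
	return net.JoinHostPort(host, defaultKDCPort)
}

// SRVLookup has the signature of net.LookupSRV so a resolver can be injected.
type SRVLookup func(service, proto, name string) (cname string, addrs []*net.SRV, err error)

// KDCsFromSRV discovers KDCs for a realm the way dns_lookup_kdc = true does:
// query _kerberos._tcp.<realm> and turn each record into host:port. DNS
// answers are unauthenticated, so the discovered hosts are untrusted
// endpoints; the Kerberos exchange itself is what proves a KDC holds the
// realm's keys.
func KDCsFromSRV(realm string, lookup SRVLookup) ([]string, error) {
	_, records, err := lookup("kerberos", "tcp", strings.ToLower(realm))
	if err != nil {
		return nil, fmt.Errorf("SRV lookup for realm %s: %w", realm, err)
	}
	if len(records) == 0 {
		return nil, fmt.Errorf("no _kerberos._tcp SRV records for realm %s", realm)
	}
	kdcs := make([]string, 0, len(records))
	for _, r := range records { // net.LookupSRV already orders by priority and weight
		kdcs = append(kdcs, net.JoinHostPort(strings.TrimSuffix(r.Target, "."), strconv.Itoa(int(r.Port))))
	}
	return kdcs, nil
}

// FakeSRV is constructed data standing in for a DNS zone, so the example runs offline.
func FakeSRV(service, proto, name string) (string, []*net.SRV, error) {
	if service == "kerberos" && proto == "tcp" && name == "example.com" {
		return "_kerberos._tcp.example.com.", []*net.SRV{
			{Target: "kdc1.example.com.", Port: 88, Priority: 0, Weight: 100},
			{Target: "kdc2.example.com.", Port: 88, Priority: 10, Weight: 100},
		}, nil
	}
	return "", nil, &net.DNSError{Err: "no such host", Name: name, IsNotFound: true}
}

func main() {
	for _, kdc := range []string{"kdc.example.com", "kdc.example.com:749", "10.80.88.88", "2001:db8::88", "[2001:db8::88]:88"} {
		fmt.Printf("%-20s -> %s\n", kdc, WithDefaultPort(kdc))
	}
	fmt.Println(KDCsFromSRV("EXAMPLE.COM", FakeSRV)) // constructed zone; use net.LookupSRV for real DNS
	fmt.Println(KDCsFromSRV("OTHER.REALM", FakeSRV))
}
```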
Here's my test client that I'm trying to get working against my Windows 2012r2 AD environment which I figure should be the bare minimum that should work:
package main
import "gopkg.in/jcmturner/gokrb5.v2/config"
import "gopkg.in/jcmturner/gokrb5.v2/client"
//import "gopkg.in/jcmturner/gokrb5.v2/keytab"
import "log"
import "os"
func main() {
l := log.New(os.Stderr, "GOKRB5 Client: ", log.Ldate|log.Ltime|log.Lshortfile)
cfg, err := config.Load("/etc/krb5.conf")
if err != nil {
l.Printf("Error on config: %v\n", err)
}
//kt, err := keytab.Load("/home/user/nsupdate.keytab")
//if err != nil {
// l.Printf("Error on keytab: %v\n", err)
//}
cl := client.NewClientWithPassword("user", "EXAMPLE.COM", "password")
cl.WithConfig(cfg)
err = cl.Login()
if err != nil {
l.Printf("Error on AS_REQ: %v\n", err)
}
}
With this I get the error Error on AS_REQ: [Root cause: Encrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: failed setting AS_REQ PAData for pre-authentication required < Encrypting_Error: Error creating etype: [Unknown or unsupported EType: 26]. Looking up EType 26 suggests it's one of the Camellia ciphers, camellia256-cts-cmac (defined in RFC 6803); I'm a bit surprised as all my searching suggests Windows doesn't support that.
I've found if I edit the user in AD and tick the option Do not require Kerberos preauthentication then I get this different error: Error on AS_REQ: [Root cause: KRBMessage_Handling_Error] KRBMessage_Handling_Error: AS Exchange Error: AS_REP is not valid < KRBMessage_Handling_Error: KDC did not respond appropriately to FAST negotiation. Now I'm a bit stuck. I'd like to eventually use a keytab but for now I'm just trying to get it passing with a password.
Ultimately, I'm trying to work out if it's possible to use your library along with github.com/miekg/dns to be able to perform GSS-TSIG DNS updates to a Windows DNS/AD server, as they don't support normal key-based TSIG updates like BIND does or otherwise require you to turn off secure DNS updates altogether, which won't be an option. I can currently do this manually with a combination of ktutil, kinit and nsupdate -g but I would like a Go equivalent.
You might be able to tell me straight off if your library has enough of the GSSAPI implemented for me to even do that.