ADSSO/NTLM Bug in v18 EAP3

Hi,

During the test of the ADSSO Kerberos authentication for Web, I could see in the nasm.log that there are some files missing:

[nasm]  hi_i_m_child(): excvp('/bin/ntlm_krb5_setup.sh') failed for 'No such file or directory'

initialize_kerberos(): gss_acquire_cred HOST/AFWXGTEST01@INTERN.LOCAL: Key table file '/etc/krb5.keytab' not found

After I renamed the /content/nasm/etc/ntlm_krb5.sh to ntlm_krb5_setup.sh and changed some values in the script

#!/bin/sh

export KRB5_KTNAME=FILE:/tmp/krb5.keytab

MYNBNAME=fwxg01$4

/bin/rm /tmp/krb5.keytab
/oss/net -U "$1%$2" ads keytab add HTTP/$MYNBNAME.demo.io@$3
/oss/net -U "$1%$2" ads keytab add host/$MYNBNAME.demo.io@$3
/oss/net -U "$1%$2" ads keytab add HTTP/$MYNBNAME.$3@$3
/oss/net -U "$1%$2" ads keytab add host/$MYNBNAME.$3@$3
/oss/net -U "$1%$2" ads keytab add HTTP/$MYNBNAME@$3
/oss/net -U "$1%$2" ads keytab add host/$MYNBNAME@$3
/oss/net -U "$1%$2" ads keytab add HOST/$MYNBNAME@$3

exit 0

I got a valid krb5.keytab file, which I linked from the /content/nasm/etc/krb5.keytab to the /content/nasm/etc/krb.keytab

But now I got a Kerberos decrypting error in the nasm.log

[ntlmserver]  authenticate_kerberos(): gss_accept_sec_context: Request ticket server HTTP/fwxg01.demo.io@DEMO.IO kvno 2 enctype aes256-cts found in keytab but cannot decrypt ticket

With EAP1 and EAP2 it was working.

Are there any settings missed, or is the feature actually broken?

 

Best regards,

Markus

 

  • There have been no changes to Kerberos or authentication overall since EAP1.  If it was working in EAP1/2, I have no idea what would stop working in EAP3.

    Did you do any rollbacks to previous builds?  The way that nasm does rollback is different from the rest of the system.

    Please don't modify files like that.  Depending on what you have done, I don't know how reversible it is.  Some of these files are symlinked and only valid when running in the chroot that nasm runs in.

    It might just be your post, but you are also mixing up bin and etc directories.

     

    Can you revert your system back and then tell me what the original problem is?
