Kerberos keytab file generation error: "Failed to set property 'servicePrincipalName' / Warning: Unable to set SPN mapping data" - kerberos

I am trying to generate a keytab file for a Kerberos setup. I keep getting the error "Failed to set property 'servicePrincipalName'".
My call looks like this:
ktpass -out ssowebapp.keytab -princ HTTP/pdx-kerbtest@DEV-COMPANY.LOCAL -mapUser webapp5@DEV-COMPANY.LOCAL -crypto AES256-SHA1 -pType KRB5_NT_PRINCIPAL -pass password -mapOp set
When I run it I get this return:
Targeting domain controller: DC1.dev-COMPANY.local
Failed to set property 'servicePrincipalName' to 'HTTP/pdx-kerbtest' on Dn 'CN=SSO WEBAPP5,OU=Ken OU,DC=dev-COMPANY,DC=local': 0x13.
WARNING: Unable to set SPN mapping data.
If webapp5 already has an SPN mapping installed for HTTP/pdx-kerbtest, this is no cause for concern.
Password successfully set!
Key created.
Output keytab to ssowebapp.keytab:
Keytab version: 0x502
keysize 85 HTTP/pdx-kerbtest@DEV-COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 67 etype 0x12 (AES256-SHA1) keylength 32 (0xf5873e603d459d34cc3346f672bb4e72189328256eecc9aed4363b5c121f1b41)
There isn't a current mapping. I am logged in as an administrator that is a member of Domain Admins, Schema Admins, Enterprise Admins, and the built-in Administrators group. The CMD window is run as an administrator. UAC on the server is disabled.
Not sure what I am doing wrong here or what else I need to check to get this to run correctly.

Related

I cannot log in the Chainlink GUI

I am using this helm chart
https://artifacthub.io/packages/helm/vulcanlink/chainlink
I managed to launch and connect a Chainlink node with Postgres, with these values:
config:
  # Login Info
  ROOT: /chainlink
  API_LOGIN: |
    API_EMAIL=admin@admin.com
    API_LOGIN=admin
  WALLET_PASSWORD: "9xMR9PN7CTk6Axs" # a random test password based on chainlink's demands
  # HTTP Security
  ALLOW_ORIGINS: "*"
  SECURE_COOKIES: "false"
  CHAINLINK_PORT: "6688"
  CHAINLINK_TLS_PORT: "0"
  # Database
  DATABASE_TIMEOUT: "0"
  DATABASE_URL: postgresql://chainlink:chainlink@pgdb-postgresql:5432/chainlink?sslmode=disable
  # Ethereum
  ETH_URL: wss://rinkeby.infura.io/ws/v3/somerandomnumber # ws://geth:8546
  ETH_CHAIN_ID: "4"
  LINK_CONTRACT_ADDRESS: 0x514910771af9ca656af840dff83e8264ecf986ca # this was here ...
I port forward the k8s service and I see the Chainlink UI.
But what combination of the above should I use?
I have tried them all.
EDIT
In order to change the env vars, I ended up destroying the whole minikube env. Insane, and I have no idea why...
Now I get this in the logs
There are no accounts, creating a new account with the specified password
There are no P2P keys; creating a new key encrypted with given password
There are no OCR keys; creating a new key encrypted with given password
2022-09-02T10:22:50Z [INFO] API exposed for user API_EMAIL=admin@admin.com cmd/local_client.go:122
2022-09-02T10:23:32Z [INFO] POST /sessions web/router.go:433 body={"email":"admin@admin.com","password":"*REDACTED*"} clientIP=127.0.0.1 errors=Error #01: Invalid email latency=4.918708ms method=POST path=/sessions servedAt=2022-09-02 10:23:32 status=401
... so I still cannot log in in the GUI. It is frustrating
EDIT
This is what happens when the instructions are not clear...
The username was API_EMAIL=admin@admin.com and the password API_LOGIN=admin.
Now I can log in... but I'm surely gonna change them...

kafka-connect-fs to connect SFTP using Key File or Passwordless Entry

I'm trying to integrate Kafka Connect FS & Source SFTP with Username & Passwordless Entry (Private key). But I'm getting an AUTH failure with the below settings.
It's completely working fine with the username:password@hostname:port format for a test SFTP location, but the actual source doesn't allow password-based authentication.
I even tried "fs.sftp.keyfile", but no luck.
Here is my Property file:
name=SourceConnector
connector.class=com.github.mmolimar.kafka.connect.fs.FsSourceConnector
tasks.max=1
policy.fs.fs.sftp.impl=org.apache.hadoop.fs.sftp.SFTPFileSystem
fs.uris=sftp://username:@hostname:22/home/user/output/
fs.sftp.keyfile=/home/user/.ssh/id_rsa
topic=sampletopic
policy.class=com.github.mmolimar.kafka.connect.fs.policy.CronPolicy
policy.recursive=true
file_reader.delimited.settings.data_type_mapping_error=false
file_reader.delimited.settings.allow_nulls=true
policy.regexp=^SOURCE_1.*.gz$
policy.batch_size=0
policy.cleanup=none
file_reader.class=com.github.mmolimar.kafka.connect.fs.file.reader.CsvFileReader
file_reader.batch_size=3000
policy.cron.expression=0/30 * * ? * * *
file_reader.delimited.compression.type=gzip
Please help me to connect with private key. Thanks
ERROR FsSourceTask Cannot retrieve files to process from the FS: [[]]. There was an error executing the policy but the task tolerates this and continues: com.jcraft.jsch.JSchException: Auth fail
I was able to resolve this error with the below config:
policy.fs.fs.sftp.keyfile=/home/user/.ssh/id_rsa

SPGO Error when trying to connect to SP On-Prem

I am new to SPGO and trying to use on SP On-Prem 2016 in a corp environment. I do not have to sign into SP but am authenticated via CAC. I chose NTLM but was prompted for my credentials so I don't know what the password is since I don't have to enter one. I then tried the "AddinOnly" method and was able to supply a client ID, entering "", secret: "", and realm: "". I did this by first registering an app and generating that info. That got me a little closer (or so it seemed). My workspace resides in C:\Users\myName\SPSites
SPGo.json setup:
{
  "sourceDirectory": "src",
  "sharePointSiteUrl": "https://fake.com/sitename/site",
  "workspaceRoot": "c:\\Users\\myName\\SPSites",
  "publishWorkspaceOptions": {
    "destinationFolder": "/",
    "globPattern": "c:\\Users\\myName\\SPSites\\src*.",
    "localRoot": "c:\\Users\\myName\\SPSites\\src"
  },
  "publishingScope": "SaveOnly",
  "authenticationType": "AddinOnly",
  "remoteFolders": [
    "/siteassets/"
  ]
}
app permissions:
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl"/>
</AppPermissionRequests>
VSCodeVersion: 1.65.0
SP On-Prem: 2016
It says Starting File Synchronization when I try to populate workspace and it just hangs with Populating Workspace (bottom left) just spinning. Eventually I get an error about the workspace.
Also got this error, which is new: Output: syntax error: Unexpected token m in JSON at position 363. Might just be my typing. So I did populate workspace again and entered app credentials (client id, etc). It is now just hanging, Starting File Synchronization ... Populating Workspace

using keytab file with spring security kerberos extension

My goal: implement SSO on a java-based web application.
My problem: I'm not a security guy...
After some investigation I found that the Spring Security Kerberos extension is what I need (I also looked into Apache Shiro but could only find an example with a login page).
I used the samples in the following project:
https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-sample
I realized that I need to create a keytab. When I tried to use the keytab I got the following error:
javax.security.auth.login.LoginException: Unable to obtain password from user
Looking for some details about this error I saw that it could result from a wrong keytab location, but this is not the case here - I debugged into the source code and saw that the keytab file is loaded.
So I decided to check my keytab and see if it's ok.
First, this is the last command (after a long evolution) I used to create my keytab:
ktpass /out http-web.keytab /mapuser MyUser@MYDOMAIN.COM /princ HTTP/MyUser@MYDOMAIN.COM /pass MyPass /ptype KRB5_NT_PRINCIPAL
Of course I created an SPN for MyUser with the following command:
setspn -a HTTP/MyUser@MYDOMAIN.COM MYDOMAIN.COM\MyUser
I tested the SPN with the following:
setspn -Q HTTP/MyUser@MYDOMAIN.COM
And got a successful result:
Checking domain DC=mydomain,DC=com CN=MyUser,OU=MyOrg,DC=mydomain,DC=com
HTTP/MyUser
HTTP/MyUser@MYDOMAIN.COM
Existing SPN found!
Now I wanted to test if I can obtain a ticket for MyUser by running the following command:
kinit MyUser@MYDOMAIN.COM
I got a successful result ("new ticket is stored in cache file....")
Now I wanted to test it with my keytab:
kinit MyUser@MYDOMAIN.COM -k -t http-web.keytab
Got the following exception:
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
I used klist tool to see if my keytab contains any keys:
klist -e -K -k -t http-web.keytab
Got the following result:
KVNO: 8
Key type: 23
Key: 0x47bf8039a8506cd67c524a03ff84ba4e
Time stamp: Jan 01, 1970 02:00
As a last desperate attempt, I checked the following account options for MyUser:
Use Kerberos DES encryption types for this account
This account supports Kerberos AES 128 bit encryption
This account supports Kerberos AES 256 bit encryption
I'm not sure if setting these options caused it, but now when I run
kinit MyUser@MYDOMAIN.COM
I get the following error:
Exception: krb_error 14 KDC has no support for encryption type (14) KDC has no support for encryption type
KrbException: KDC has no support for encryption type (14)
So I'm kind of desperate here, I don't really know what I'm doing. It's all a matter of trial and error (mostly error).
If anyone can guide me through here it would be much appreciated.
Thanks,
Lior
Turned out to be a stupid mistake.
I injected in spring the user account instead of the principal name as the servicePrincipal.

Can I verify the password in a keytab file?

I have a Kerberos keytab file. Is there an easy way to verify that the password contained is the one that I assume?
I looked at the file in a hex editor, and, according to the structure described at http://www.gnu.org/software/shishi/manual/html_node/The-Keytab-Binary-File-Format.html, the
keyblock types contained are 3 for des-cbc-md5, 1 for ??, 23 for arcfour-hmac-md5, 16 for des3-cbc-sha1, and 17 for ??
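The keytab layout that all three Kerberos posts on this page are looking at (the "Keytab version: 0x502 ... vno 67 ... etype 0x12" line in the ktpass output of the first post, the single "Key type: 23" entry that klist printed in the Spring post, and the keyblock types the last post decoded by hand from the Shishi description) can be read and checked with a short parser. The block below is an added example written for this page; it is not code from any of the posts, nor from ktpass, klist or Shishi. It parses the MIT 0x0502 format, names the enctypes (1 is des-cbc-crc, 17 is aes128-cts-hmac-sha1-96), and answers the last post's question for the one enctype where it is cheap: an rc4-hmac (type 23) key is MD4 of the UTF-16LE password (the NT hash), so the key stored in the keytab can be recomputed from the password you assume and compared. The sample keytab is constructed inside the block: the principal HTTP/MyUser@MYDOMAIN.COM, kvno 8 and the password MyPass are borrowed from the Spring post purely as illustrative values, and the 32 bytes of the aes256 entry are placeholders, not a derived key. AES keys (types 17/18) are deliberately not verified, because their derivation is salted PBKDF2 followed by an AES-based DK step, which needs an AES implementation the standard library does not provide.

```python
import hmac
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757): the "etype" / "Key type" values
# printed by ktpass and klist in the posts above.
ENCTYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is a legacy provider on OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rol((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rol((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = [(x + y) & 0xFFFFFFFF for x, y in zip((a, b, c, d), (aa, bb, cc, dd))]
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """rc4-hmac (etype 23) key = MD4(UTF-16LE(password)), i.e. the NT hash (RFC 4757 section 2)."""
    return md4(password.encode("utf-16-le"))

def _counted(buf: bytes, p: int):
    """Read a keytab counted_octet_string: uint16 big-endian length, then the bytes."""
    (n,) = struct.unpack(">H", buf[p:p + 2])
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(blob: bytes) -> list:
    """Parse an MIT-format keytab (version 0x0502, the 'Keytab version: 0x502' ktpass prints)."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %s" % blob[:2].hex())
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])   # negative size = deleted slot
        body, pos = blob[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size <= 0:
            continue
        (ncomp,) = struct.unpack(">H", body[:2])            # v2 count excludes the realm
        realm, p = _counted(body, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(body, p)
            comps.append(comp.decode())
        name_type, timestamp, vno = struct.unpack(">IIB", body[p:p + 9])
        etype, klen = struct.unpack(">HH", body[p + 9:p + 13])
        key, p = body[p + 13:p + 13 + klen], p + 13 + klen
        if p + 4 <= len(body):                             # optional 32-bit kvno (kvno > 255)
            (vno32,) = struct.unpack(">I", body[p:p + 4])
            vno = vno32 or vno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp, "kvno": vno,
                        "etype": etype, "etype_name": ENCTYPES.get(etype, "unknown"), "key": key})
    return entries

def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, etype, key) tuples into a 0x0502 keytab (for the sample)."""
    out = b"\x05\x02"
    for principal, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # KRB5_NT_PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def verify_rc4_password(entry: dict, password: str) -> bool:
    """True if an rc4-hmac keytab key was derived from `password`. AES keys (17/18) are
    salted PBKDF2 plus an AES-based DK step, so they are not checked here."""
    if entry["etype"] != 23:
        raise ValueError("only rc4-hmac (etype 23) keys are checked here, got %d" % entry["etype"])
    return hmac.compare_digest(entry["key"], nt_hash(password))

# Constructed sample, not the keytab from any post: an rc4-hmac key for the password
# "MyPass" and an aes256 entry whose 32 key bytes are placeholders.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/MyUser@MYDOMAIN.COM", 8, 23, nt_hash("MyPass")),
    ("HTTP/MyUser@MYDOMAIN.COM", 8, 18, bytes(range(32))),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["principal"], "kvno", e["kvno"], "etype", e["etype"], e["etype_name"], e["key"].hex())
    print("password MyPass matches:", verify_rc4_password(parse_keytab(SAMPLE_KEYTAB)[0], "MyPass"))
```

For a real file, `parse_keytab(open("http-web.keytab", "rb").read())` gives the same fields klist shows above (kvno, type, key), and `verify_rc4_password` on a type-23 entry is the offline equivalent of the `kinit -k -t` check. A keytab that holds only an rc4-hmac key, like the one klist printed in the Spring post, can only decrypt tickets the KDC encrypted with rc4-hmac; for AES the keytab needs type 17 or 18 entries, which is what the first post's `-crypto AES256-SHA1` produced (etype 0x12, 32-byte key).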