My goal: implement SSO on a java-based web application.
My problem: I'm not a security guy...
After some investigation I found that spring security kerberos extension is what I need (also looked into apache shiro but could only find example with a login page).
I used the samples in the following project:
https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-sample
I realized that I need to create a keytab. When I tried to use the keytab I got the following error:
javax.security.auth.login.LoginException: Unable to obtain password from user
Looking for some details about this error I saw that it could result from a wrong keytab location, but this is not the case here - I debugged into the source code and saw that the keytab file is loaded.
So I decided to check my keytab and see if it's ok.
First, this is last command (after a long evolution) I used to create my keytab:
ktpass /out http-web.keytab /mapuser MyUser#MYDOMAIN.COM /princ HTTP/MyUser#MYDOMAIN.COM /pass MyPass /ptype KRB5_NT_PRINCIPAL
Of course I created an SPN for MyUser with the following command:
setspn -a HTTP/MyUser#MYDOMAIN.COM MYDOMAIN.COM\MyUser
I tested the spn with the the following:
setspn -Q HTTP/MyUser#MYDOMAIN.COM
And got a successful result:
Checking domain DC=mydomain,DC=com CN=MyUser,OU=MyOrg,DC=mydomain,DC=com
HTTP/MyUser
HTTP/MyUser#MYDOMAIN.COM
Existing SPN found!
Now I wanted to test if I can obtain a ticket for MyUser by running the following command:
kinit MyUser#MYDOMAIN.COM
I got a successful result ("new ticket is stored in cache file....")
Now I wanted to test it with my keytab:
kinit MyUser#MYDOMAIN.COM -k -t http-web.keytab
Got the following exception:
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
I used klist tool to see if my keytab contains any keys:
klist -e -K -k -t http-web.keytab
Got the following result:
KVNO: 8
Key type: 23
Key: 0x47bf8039a8506cd67c524a03ff84ba4e
Time stamp: Jan 01, 1970 02:00
As a last desperate attempt, I checked the following account options for MyUser:
Use Kerberos DES encryption types for this account
The account suppoerts Kerberos AES 128 bit encryption
The account suppoerts Kerberos AES 256 bit encryption
I'm not sure if setting these options caused it, but now when I run
kinit MyUser#MYDOMAIN.COM
I get the following error:
Exception: krb_error 14 KDC has no support for encryption type (14) KDC has no support for encryption type
KrbException: KDC has no support for encryption type (14)
So I'm kind of desperate here, I don't really know what I'm doing. It's all a matter of trial and error (mostly error).
If anyone can guide me through here it would be much appreciated.
Thanks,
Lior
Turned out to be a stupid mistake.
I injected in spring the user account instead of the principal name as the servicePrincipal.
Related
I am trying to generate a keytab file for kerberos setup. I keep getting an error "Failed to set property "ServicePrinciplalName.""
My call Looks like this:
ktpass -out ssowebapp.keytab -princ HTTP/pdx-kerbtest#DEV
-COMPANY.LOCAL -mapUser webapp5#DEV-COMPANY.LOCAL -crypto AES256-SHA1 -pType KRB5_
NT_PRINCIPAL -pass password -mapOp set
When I run it I get this return:
Targeting domain controller: DC1.dev-COMPANY.local
Failed to set property 'servicePrincipalName' to 'HTTP/pdx-kerbtest' on Dn 'CN=S
SO WEBAPP5,OU=Ken OU,DC=dev-COMPANY,DC=local': 0x13.
WARNING: Unable to set SPN mapping data.
If webapp5 already has an SPN mapping installed for HTTP/pdx-kerbtest, this is n
o cause for concern.
Password successfully set!
Key created.
Output keytab to ssowebapp.keytab:
Keytab version: 0x502
keysize 85 HTTP/pdx-kerbtest#DEV-COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 67
etype 0x12 (AES256-SHA1) keylength 32 (0xf5873e603d459d34cc3346f672bb4e72189328
256eecc9aed4363b5c121f1b41)
There isn't a current mapping. I am logged in as an administrator that is a member of Domain Admins, Schema Admins, Enterprise Admins, and the built-in Administrators group. CMD window is ran as an administrator. The UAC on the server is disabled.
Not sure what I am doing wrong here or what else I need to check to get this to run correctly.
I am using this helm chart
https://artifacthub.io/packages/helm/vulcanlink/chainlink
I managed to launch and connect Chainlink node with Postgres, with these values
config:
# Login Info
ROOT: /chainlink
API_LOGIN: |
API_EMAIL=admin#admin.com
API_LOGIN=admin
WALLET_PASSWORD: "9xMR9PN7CTk6Axs" # a random test password based on chainlink's demands
# HTTP Security
ALLOW_ORIGINS: "*"
SECURE_COOKIES: "false"
CHAINLINK_PORT: "6688"
CHAINLINK_TLS_PORT: "0"
# Database
DATABASE_TIMEOUT: "0"
DATABASE_URL: postgresql://chainlink:chainlink#pgdb-postgresql:5432/chainlink?sslmode=disable
# Ethereum
ETH_URL: wss://rinkeby.infura.io/ws/v3/somerandomnumber # ws://geth:8546
ETH_CHAIN_ID: "4"
LINK_CONTRACT_ADDRESS: 0x514910771af9ca656af840dff83e8264ecf986ca # this was here ...
I port forward the k8s service and I see the Chainlink UI.
But what combination of the above should I use?
I have tried them all.
EDIT
In order to change the env vars, I ended up destroying the whole minikube env. Insane, and I have no idea why...
Now I get this in the logs
There are no accounts, creating a new account with the specified password
There are no P2P keys; creating a new key encrypted with given password
There are no OCR keys; creating a new key encrypted with given password
2022-09-02T10:22:50Z [INFO] API exposed for user API_EMAIL=admin#admin.com cmd/local_client.go:122
2022-09-02T10:23:32Z [INFO] POST /sessions web/router.go:433 body={"email":"admin#admin.com","password":"*REDACTED*"} clientIP=127.0.0.1 errors=Error #01: Invalid email
latency=4.918708ms method=POST path=/sessions servedAt=2022-09-02 10:23:32 status=401
... so I still cannot log in in the GUI. It is frustrating
EDIT
This is what happens when the instructions are not clear...
The username was API_EMAIL=admin#admin.com and the password API_LOGIN=admin .
Now I can login...but surely gonna change them...
I'm trying to integrate Kafka Connect FS & Source SFTP with Username & Passwordless Entry(Private key). But I'm getting AUTH Failure with below settings.
Its completely working fine with username:password#hostname:port format for a Test SFTP Location, but actual source doesnt allow password based authentication.
Even i tried, "fs.sftp.keyfile". but no luck.
Here is my Property file:
name=SourceConnector
connector.class=com.github.mmolimar.kafka.connect.fs.FsSourceConnector
tasks.max=1
policy.fs.fs.sftp.impl=org.apache.hadoop.fs.sftp.SFTPFileSystem
fs.uris=sftp://username:#hostname:22/home/user/output/
fs.sftp.keyfile=/home/user/.ssh/id_rsa
topic=sampletopic
policy.class=com.github.mmolimar.kafka.connect.fs.policy.CronPolicy
policy.recursive=true
file_reader.delimited.settings.data_type_mapping_error=false
file_reader.delimited.settings.allow_nulls=true
policy.regexp=^SOURCE_1.*.gz$
policy.batch_size=0
policy.cleanup=none
file_reader.class=com.github.mmolimar.kafka.connect.fs.file.reader.CsvFileReader
file_reader.batch_size=3000
policy.cron.expression=0/30 * * ? * * *
file_reader.delimited.compression.type=gzip
Please help me to connect with private key. Thanks
ERROR FsSourceTask Cannot retrieve files to process from the FS: [[]]. There was an error executing the policy but the task tolerates this and continues: com.jcraft.jsch.JSchException: Auth fail
I'm able to resolve this error with below config:
policy.fs.fs.sftp.keyfile=/home/user/.ssh/id_rsa
I want to visualise my data base and tried using SchemaSpy, but I can't connect to the data base. It's a mysql data base, running on my computer, accessible under localhost and I called SchemaSpy with the following command:
java -jar schemaspy-6.0.0.jar -t mysql -dp postgresql-42.2.7.jar -db <name> -host <host> -p <port> -s <name> -u <user> -p <password> -o ./output/
I downloaded postgresql-42.2.7.jar as a driver and set the respective parameter in the call. I also tried not setting a driver at all, but it didn't change the output.
I get the following error message after trying to run SchemaSpy:
SchemaSpy generates an HTML representation of a database schema's relationships.
SchemaSpy comes with ABSOLUTELY NO WARRANTY.
SchemaSpy is free software and can be redistributed under the conditions of LGPL version 3 or later.
http://www.gnu.org/licenses/
INFO - Starting Main v6.0.0 on ####### with PID 10774 (/path/to/file started by ##### in /path/to/file)
INFO - The following profiles are active: default
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.springframework.cglib.core.ReflectUtils$1 (jar:file:/path/to/file/schemaspy-6.0.0.jar!/BOOT-INF/lib/spring-core-4.3.13.RELEASE.jar!/) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of org.springframework.cglib.core.ReflectUtils$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
INFO - Found configuration file: schemaspy.properties
INFO - Started Main in 1.397 seconds (JVM running for 1.944)
INFO - Starting schema analysis
WARN - Connection Failure
I also tried setting the --illegal-access=warn parameter, but no changes.
Does anyone know what problem might be?
Thanks a lot!
I'm trying to start multi-master replication on two LDAP ubuntu 16.4 servers (ldap2 and ldap3).
After whole parametrization is done I'm not able to establish the connection between servers:
slap_client_connect: URI=ldap://ldap3.rs.local DN="cn=admin,cn=config" ldap_sasl_bind_s failed (49)
The same error in both directions.
Credentials verification using below command is finishing successfully (no errors):
ldapmodify -H ldap://ldap3.rs.local -D "cn=admin,cn=config" -W
I have read all existing tutorials and forums without result.
I will be thankfull for any hints.
In the meantime I've fixed the problem.
In below update, for each host, credentials value must have ADMIN_PASSWORD filled
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldap1.example.local binddn="cn=admin,cn=config" bindmethod=simple credentials=ADMIN_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://ldap2.example.local binddn="cn=admin,cn=config" bindmethod=simple credentials=ADMIN_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
In tutorial this value was equal to "test" and somehow I've missed it