ClientClaimsInfo error when authenticating with winkerberos #9
Comments
It should work, I've been running exactly this on Windows and it works. I suspect something else is up with the setup.
Getting a similar error to the above:
Maybe try asking upstream in the gokrb5 project what this means? @jcmturner has been really helpful before.
Hi, I suspect this may be a bug in gokrb5 for processing the CLIENT_CLAIMS_INFO PAC entry that comes from the Active Directory KDC. Microsoft are not consistent in what is and is not NDR encoded and the documentation does not always specify what is and isn't. This has made it hard to code as I also have little to no access to test data to work against. As you can see here only a small proportion of the structures have examples. Can I ask you to raise an issue against gokrb5? It would be great if you could share some data of the Kerberos tickets (via a tcpdump/wireshark capture) as this will give me something to write a unit test against.
@ah- I can confirm that @jcmturner's patch on jcmturner/gokrb5#156 fixes this error. Patch https://github.com/jcmturner/gokrb5/compare/issue-156 I am guessing this will be applied to vault-plugin-auth-kerberos once the fix is merged to upstream.
Oh fantastic! Once this is merged into gokrb5 and released we can run
I did get another error which I will add to the current issue on gokrb5.
It seems to be related to smart card login. When I log on without smart-card it works. Will update the upstream issue.
Fixed in 1.2.0.
Add tokenutil fields
The below code fails when running from a Windows machine:
See error below:
{"time":"2018-05-29T21:48:01.052877076Z","type":"response","auth":{"client_token":"","accessor":"","display_name":"","policies":null,"metadata":null,"entity_id":""},"request":{"id":"e03ae638-16fb-8bb9-513c-ebe0334acbdc","operation":"update","client_token":"","client_token_accessor":"","path":"auth/kerberos/login","data":{"authorization":"hmac-sha256:1705419e6936724587ae0e5b1a4560736ecd6124ca9c0b63050c76ea17862c53"},"policy_override":false,"remote_address":"127.0.0.1","wrap_ttl":0,"headers":{}},"response":{},"error":"error processing ClientClaimsInfo: error parsing byte stream headers: Malformed NDR steam: Not enough bytes."}
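The "error parsing byte stream headers ... Not enough bytes" message in the log above refers to the headers that precede an NDR-encoded structure. The following is an added example, not code from gokrb5 or from this thread: it assumes the MS-RPCE type serialization version 1 layout (8-byte common header, 8-byte private header) and shows a bounds-checked header parse that rejects a truncated or non-NDR buffer instead of reading past it. `parseNDRHeaders` and the sample bytes are hypothetical.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Header sizes from MS-RPCE type serialization version 1 (assumed layout).
const commonHeaderLen, privateHeaderLen = 8, 8

var errShort = errors.New("malformed NDR stream: not enough bytes")

// parseNDRHeaders validates the common and private headers and returns the
// object payload that follows them. Hypothetical helper, not gokrb5's API.
func parseNDRHeaders(b []byte) ([]byte, error) {
	if len(b) < commonHeaderLen+privateHeaderLen {
		return nil, errShort
	}
	if b[0] != 1 {
		return nil, fmt.Errorf("malformed NDR stream: version %d, want 1", b[0])
	}
	var bo binary.ByteOrder = binary.BigEndian
	if b[1] == 0x10 { // 0x10 = little-endian, 0x00 = big-endian
		bo = binary.LittleEndian
	}
	if hl := bo.Uint16(b[2:4]); hl != commonHeaderLen {
		return nil, fmt.Errorf("malformed NDR stream: common header length %d", hl)
	}
	// Private header: 4-byte object length, then 4 bytes of filler.
	objLen := uint64(bo.Uint32(b[8:12]))
	body := b[commonHeaderLen+privateHeaderLen:]
	if objLen > uint64(len(body)) { // declared length must fit the buffer
		return nil, errShort
	}
	return body[:objLen], nil
}

func main() {
	// Constructed sample: valid headers declaring a 4-byte object.
	ok := []byte{1, 0x10, 8, 0, 0xcc, 0xcc, 0xcc, 0xcc, 4, 0, 0, 0, 0, 0, 0, 0, 0xde, 0xad, 0xbe, 0xef}
	body, err := parseNDRHeaders(ok)
	fmt.Printf("%x %v\n", body, err)
	// Constructed sample: same headers, payload truncated by two bytes.
	_, err = parseNDRHeaders(ok[:18])
	fmt.Println(err)
}
```

A PAC buffer that is not NDR encoded at all fails the version or header-length check here, which separates "wrong encoding assumed" from "truncated data" when triaging this class of error.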