
Kerberos and IP address. #167

Open
igolikov opened this issue Oct 27, 2015 · 6 comments

Comments

@igolikov

Hello, I found a strange issue: it is possible to use an IP address instead of an FQDN with Kerberos authentication.
First I tried it with Overthere 2.4.5 and it worked.
Then I tried it with Overthere 4.0.1 and it failed with "Server not found in Kerberos database".

Overthere 2.4.5 has httpclient-4.2.1 in its dependencies.
Overthere 4.0.1 has httpclient-4.4.1 in its dependencies.

I overrode the httpclient dependency for Overthere 4.0.1 from 4.4.1 to 4.2.1 and it started working.

Here is an example that uses an IP for ConnectionOptions.ADDRESS.
It works fine with Overthere 4.0.1 and httpclient-4.3.3 (or httpclient-4.2.1).
With Overthere 4.0.1 and httpclient-4.4.1 it fails with "Server not found in Kerberos database".

I know that Kerberos "works" only with an FQDN and doesn't work with an IP. But Overthere works with an IP in some cases.
So is this a feature, or just an issue?

import com.xebialabs.overthere.CmdLine;
import com.xebialabs.overthere.ConnectionOptions;
import com.xebialabs.overthere.OperatingSystemFamily;
import com.xebialabs.overthere.Overthere;
import com.xebialabs.overthere.OverthereConnection;
import com.xebialabs.overthere.cifs.CifsConnectionBuilder;
import com.xebialabs.overthere.cifs.CifsConnectionType;
import com.xebialabs.overthere.util.CapturingOverthereExecutionOutputHandler;
import static com.xebialabs.overthere.util.CapturingOverthereExecutionOutputHandler.capturingHandler;
import org.apache.commons.codec.binary.Base64;

import java.nio.charset.StandardCharsets;

public class OverthereIp {

    private static final String DOMAIN = "some.domain.com"; //<- PUT HERE REAL VALUE

    public static void main(String[] args) throws Exception {
        // Kerberos client debug output, plus the realm and KDC the JDK GSS-API will use
        System.setProperty("sun.security.krb5.debug", "true");
        System.setProperty("java.security.krb5.realm", DOMAIN.toUpperCase());
        System.setProperty("java.security.krb5.kdc", "kdc_host." + DOMAIN);  //<- PUT HERE REAL VALUE

        // powershell -EncodedCommand expects the base64 of the UTF-16LE encoded script
        final String encodedCmd = Base64.encodeBase64String(
                "[System.Environment]::OSVersion.Version".getBytes(StandardCharsets.UTF_16LE));

        ConnectionOptions options = new ConnectionOptions();
        //IP address instead of FQDN
        options.set(ConnectionOptions.ADDRESS, "x.x.x.x"); //<- PUT HERE REAL VALUE
        options.set(ConnectionOptions.USERNAME, "user.name@" + DOMAIN);  //<- PUT HERE REAL VALUE
        options.set(ConnectionOptions.PASSWORD, "password");  //<- PUT HERE REAL VALUE
        options.set(ConnectionOptions.OPERATING_SYSTEM, OperatingSystemFamily.WINDOWS);
        // WINRM_INTERNAL is Overthere's built-in WinRM client, which is where httpclient comes in
        options.set(CifsConnectionBuilder.CONNECTION_TYPE, CifsConnectionType.WINRM_INTERNAL);
        exec(options, encodedCmd);
    }

    private static void exec(ConnectionOptions options, String encodedCmd) throws Exception {
        try (OverthereConnection con = Overthere.getConnection("cifs", options)) {
            // capture stdout separately from stderr so it can be printed afterwards
            CapturingOverthereExecutionOutputHandler stdoutHandler = capturingHandler();
            con.execute(stdoutHandler,
                    capturingHandler(),
                    CmdLine.build("powershell",
                            "-NoProfile",
                            "-NonInteractive",
                            "-EncodedCommand",
                            encodedCmd));
            System.out.println(stdoutHandler.getOutput());
        }
    }

}
@hierynomus
Contributor

I think that the current behaviour is correct. It would be possible to support the previous behaviour at the cost of an extra DNS lookup, which I think used to happen in older httpclient libs.

@igolikov
Author

I haven't found any reverse DNS lookup calls in the Apache HTTP libraries, at least calls that use InetAddress.
But I caught a reverse DNS request using Wireshark; maybe it is done by com.sun.jndi.dns.
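To make the two behaviours discussed above concrete, here is an added Python model (not Overthere's or httpclient's code) of how an HTTP client derives the Kerberos service principal name (SPN) from the configured address, with and without the extra reverse-DNS step; the realm, PTR record, KDC entries and addresses are constructed stand-ins.

```python
import ipaddress

REALM = "SOME.DOMAIN.COM"  # constructed; mirrors DOMAIN.toUpperCase() in the issue

# Constructed PTR records, standing in for the reverse lookup that the older
# httpclient performed before building the SPN.
REVERSE_DNS = {"10.0.0.5": "winrm01.some.domain.com"}

# Constructed KDC database: the service principals that actually have a key.
KDC_PRINCIPALS = {"HTTP/winrm01.some.domain.com@SOME.DOMAIN.COM"}

# KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, the error quoted in the issue.
SERVER_NOT_FOUND = "(7) Server not found in Kerberos database"

def is_ip_literal(address):
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return False

def build_http_spn(address, realm, reverse_dns_canonicalize):
    """SPN the client will ask the KDC for.

    True models the older behaviour (an extra PTR lookup turns an IP literal
    into a host name); False models the newer one (address used verbatim)."""
    host = address
    if reverse_dns_canonicalize and is_ip_literal(address):
        # Reverse DNS is unauthenticated input: whoever answers the PTR query
        # decides which service principal the ticket gets issued for, which is
        # why newer clients and krb5 configs tend to leave this step out.
        host = REVERSE_DNS.get(address, address)
    return f"HTTP/{host.lower()}@{realm}"

def request_service_ticket(spn):
    """Model the TGS exchange: a ticket only for a principal the KDC knows."""
    if spn in KDC_PRINCIPALS:
        return "ticket for " + spn
    return SERVER_NOT_FOUND

def winrm_auth_outcome(address, reverse_dns_canonicalize):
    return request_service_ticket(
        build_http_spn(address, REALM, reverse_dns_canonicalize))

if __name__ == "__main__":
    for addr in ("winrm01.some.domain.com", "10.0.0.5"):
        for mode in (True, False):
            print(f"{addr} canonicalize={mode}: {winrm_auth_outcome(addr, mode)}")
```

With an IP literal the only thing that differs between the two runs is the SPN string sent to the KDC, which is exactly the "Server not found in Kerberos database" failure from the first post.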

@igolikov
Author

So is that an Overthere feature or not? Should Kerberos work with an IP or not?

Maybe that is just a Kerberos server realization issue?

@ashwinrayaprolu

I tried the above code and also a lot of other variations. I always get
Exception in thread "main" com.xebialabs.overthere.cifs.winrm.WinRmRuntimeIOException: Unexpected HTTP response on http://host.domain.com:5985/wsman: (500)

I see the Kerberos handshake and everything worked fine; I also was able to get tickets but not run remote commands. Did anyone come across a similar scenario?

@igolikov
Author

Could you check that "allow unencrypted" is set to true?

The explanation of the 500 error you can find in the winrm event log.

@ashwinrayaprolu

Thank you, that was the issue. Not sure how I missed it. Even the winrm trace logs didn't give me much information while debugging.
