
GetServicePrincipalNegotiationTokenAsync utility duplicates domain name (user@domain@domain) #371

Open
ionmincu opened this issue Oct 31, 2024 · 0 comments


ionmincu commented Oct 31, 2024

Describe the bug
Using KerberosAuthMethodHelper.GetServicePrincipalNegotiationTokenAsync duplicates the domain name.

VaultSharp Version
1.17.5.1

Vault Version
Vault v1.18.0 (77f26ba561a4b6b1ccd5071b8624cefef7a72e84), built 2024-10-08T09:12:52Z

Does this work with Vault CLI?
Yes

Sample Code Snippet
Output from Vault CLI

```text
PS C:\Programs\vault> .\vault login -method=kerberos username=ion.mincu service=HTTP/im-ws2019-01 realm=DESKOVER.LOCAL keytab_path=ion.mincu.keytab krb5conf_path=krb5.conf disable_fast_negotiation=true
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                hvs.CAESIE289Dkbm3LysjR8NKVPP-BKKUt94wKzaQqBDesF-pVsGh4KHGh2cy5XbzBMR3NTVGhOaUtDblJOT3BJRlQ3WG4
token_accessor       IKnwddD0Acz6JrLteuCdM9Un
token_duration       768h
token_renewable      false
token_policies       ["default"]
identity_policies    []
policies             ["default"]
token_meta_domain    DESKOVER.LOCAL
token_meta_user      ion.mincu
PS C:\Programs\vault> .\vault -v
Vault v1.18.0 (77f26ba561a4b6b1ccd5071b8624cefef7a72e84), built 2024-10-08T09:12:52Z
```

Using the exact same keytab

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;

// _keyTabPath, _krb5conf and factory are fields of the surrounding class that the issue does not show.
public static async Task PostRequest()
{
    // Same username, SPN, realm and keytab as the successful CLI login above.
    var token = await KerberosAuthMethodHelper.GetServicePrincipalNegotiationTokenAsync("ion.mincu", "HTTP/im-ws2019-01", "DESKOVER.LOCAL", _keyTabPath, _krb5conf, true, factory);

    var handler = new HttpClientHandler()
    {
        // Proxy = new WebProxy { BypassProxyOnLocal = true },
        PreAuthenticate = true,
        UseDefaultCredentials = true,
        AllowAutoRedirect = true,
        // Credentials = CredentialCache.DefaultNetworkCredentials
    };

    using (var client = new HttpClient(handler))
    {
        client.BaseAddress = new Uri("http://im-ws2019-01.deskover.local:8200/");
        // The helper's return value is sent verbatim as the Authorization header value.
        client.DefaultRequestHeaders.Add("Authorization", token);

        var content = new StringContent("null");

        // Vault's kerberos auth method login endpoint.
        var response = await client.PostAsync("v1/auth/kerberos/login", content);

        // If the request is successful, read the response body as string
        if (response.IsSuccessStatusCode)
        {
            var responseBody = await response.Content.ReadAsStringAsync();
            Console.WriteLine(responseBody);
        }
        else
        {
            Console.WriteLine($"Error when posting manually: {response.StatusCode}");
        }
    }
}
```

Exception Details/Stack Trace/Error Message
Error message, stack trace you see

Any additional info
Vault logs when logging in with the CLI:

```text
10:34:11.688+0200 [INFO]  auth.kerberos.auth_kerberos_6e6adb1a: 127.0.0.1:8080 [email protected] - SPNEGO authentication succeeded
10:34:11.689+0200 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: identity: &{username:ion.mincu displayName:Ion Mincu realm:DESKOVER.LOCAL cname:{NameType:1 NameString:[ion.mincu]} keytab:0xc003304f80 password: attributes:map[gokrb5AttributeKeyADCredentials:{EffectiveName:ion.mincu FullName:Ion Mincu UserID:35254 PrimaryGroupID:513 LogOnTime:{wall:93939700 ext:63865960455 loc:<nil>} LogOffTime:{wall:709551516 ext:68937867273 loc:<nil>} PasswordLastSet:{wall:668273300 ext:63865351735 loc:<nil>} GroupMembershipSIDs:[S-1-5-21-1667818259-1789684151-1906802761-35255 S-1-5-21-1667818259-1789684151-1906802761-513 S-1-18-1] LogonDomainName:DESKOVER LogonDomainID:S-1-5-21-1667818259-1789684151-1906802761 LogonServer:ROINFRAWDDC01}] validUntil:{wall:0 ext:63865996455 loc:<nil>} authenticated:true human:true authTime:{wall:688330400 ext:63865960451 loc:<nil>} groupMembership:map[S-1-18-1:true S-1-5-21-1667818259-1789684151-1906802761-35255:true S-1-5-21-1667818259-1789684151-1906802761-513:true] sessionID:0643c91b-28a6-76d2-a078-6d193370ac40}
10:34:11.699+0200 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: compiling search filter: search_filter="({{.UserAttr}}={{.Username}})"
10:34:11.699+0200 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: discovering user: userdn="OU=deskover,DC=deskover,DC=local" filter="([email protected])"
10:34:11.700+0200 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: auth/ldap: User BindDN fetched: username=ion.mincu binddn="CN=Ion Mincu,OU=Engineering,OU=deskover,DC=deskover,DC=local"
10:34:11.704+0200 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: searching upn: userdn="OU=deskover,DC=deskover,DC=local" filter="([email protected])"
10:34:11.706+0200 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: compiling group filter: group_filter="(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"
10:34:11.706+0200 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: searching: groupdn="DC=DESKOVER,DC=LOCAL" rendered_query="(|(memberUid=ion.mincu)(member=CN=Ion Mincu,OU=Engineering,OU=deskover,DC=deskover,DC=local)(uniqueMember=CN=Ion Mincu,OU=Engineering,OU=deskover,DC=deskover,DC=local))"
10:34:12.071+0200 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: auth/ldap: Groups fetched from server: num_server_groups=1 server_groups=["Engineering_Local_Admins"]
10:34:12.071+0200 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: unable to find Engineering_Local_Admins, does not currently exist
```

Vault logs when logging in with the C# code; notice the principal is [email protected]@DESKOVER.LOCAL:

```text
10:29:38.623 [INFO]  auth.kerberos.auth_kerberos_6e6adb1a: 10.10.16.150:8080 [email protected]@DESKOVER.LOCAL - SPNEGO authentication succeeded
10:29:38.624 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: identity: &{username:[email protected] displayName:[email protected] realm:DESKOVER.LOCAL cname:{NameType:10 NameString:[[email protected]]} keytab:0xc0049ff1c0 password: attributes:map[] validUntil:{wall:0 ext:63865996177 loc:<nil>} authenticated:true human:true authTime:{wall:623712200 ext:63865960178 loc:<nil>} groupMembership:map[] sessionID:e6bad2f4-a60f-2f0d-c4e6-673c5c21013b}
10:29:38.632 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: compiling search filter: search_filter="({{.UserAttr}}={{.Username}})"
10:29:38.632 [DEBUG] auth.kerberos.auth_kerberos_6e6adb1a: discovering user: userdn="OU=deskover,DC=deskover,DC=local" filter="([email protected]@DESKOVER.LOCAL)"
```
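The two log excerpts differ only in the principal that SPNEGO accepted: `user@REALM` from the CLI versus `user@REALM@REALM` from the C# helper, and the second shape is what the LDAP user filter is then built from. As an added example that is not part of this issue or of VaultSharp or Vault, the Go code below parses a principal, flags the duplicated-realm shape, and scans constructed log lines in the plugin's format for logins that carry it; the principals and log lines are made up for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Principal is a parsed Kerberos principal; DuplicatedRealm marks the user@REALM@REALM shape from this issue.
type Principal struct {
	User, Realm     string
	DuplicatedRealm bool
}

// ParsePrincipal accepts "user@REALM" and the malformed "user@REALM@REALM"
// (realms compared case-insensitively); every other shape is rejected.
func ParsePrincipal(name string) (Principal, error) {
	parts := strings.Split(name, "@")
	switch {
	case parts[0] == "" || parts[len(parts)-1] == "" || strings.Contains(name, "@@"):
		// empty user, empty realm or empty middle component: fall through to the error
	case len(parts) == 2:
		return Principal{User: parts[0], Realm: parts[1]}, nil
	case len(parts) == 3 && strings.EqualFold(parts[1], parts[2]):
		return Principal{User: parts[0], Realm: parts[2], DuplicatedRealm: true}, nil
	}
	return Principal{}, fmt.Errorf("malformed principal %q", name)
}

// spnegoOK captures the principal from the plugin's "SPNEGO authentication succeeded" line.
var spnegoOK = regexp.MustCompile(`(\S+) - SPNEGO authentication succeeded`)
// FlagDuplicatedRealms returns principals that authenticated as user@REALM@REALM; such logins then fail LDAP user discovery (second excerpt above).
func FlagDuplicatedRealms(lines []string) []string {
	var hits []string
	for _, l := range lines {
		if m := spnegoOK.FindStringSubmatch(l); m != nil {
			if p, err := ParsePrincipal(m[1]); err == nil && p.DuplicatedRealm {
				hits = append(hits, m[1])
			}
		}
	}
	return hits
}

func main() {
	// Constructed sample lines shaped like the Vault excerpts above (not real logs).
	fmt.Println(FlagDuplicatedRealms([]string{
		"10:34:11 [INFO]  auth.kerberos.auth_kerberos_x: 127.0.0.1:8080 alice@EXAMPLE.LOCAL - SPNEGO authentication succeeded",
		"10:29:38 [INFO]  auth.kerberos.auth_kerberos_x: 10.0.0.5:8080 alice@EXAMPLE.LOCAL@EXAMPLE.LOCAL - SPNEGO authentication succeeded",
	})) // [alice@EXAMPLE.LOCAL@EXAMPLE.LOCAL]
}
```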