[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Mikkel Kruse Johnsen mikkel at linet.dk
Thu Jul 26 10:09:11 EDT 2007


Hi Achim

With the patch applied:

[Thu Jul 26 16:05:21 2007] [debug] src/mod_auth_kerb.c(1451): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Thu Jul 26 16:05:21 2007] [debug] src/mod_auth_kerb.c(1451): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Thu Jul 26 16:05:21 2007] [debug] src/mod_auth_kerb.c(1148): [client
130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk at CBS.DK
[Thu Jul 26 16:05:21 2007] [debug] src/mod_auth_kerb.c(1269): [client
130.226.36.170] Verifying client data using KRB5 GSS-API
[Thu Jul 26 16:05:21 2007] [debug] src/mod_auth_kerb.c(1285): [client
130.226.36.170] Verification returned code 0
[Thu Jul 26 16:05:21 2007] [debug] src/mod_auth_kerb.c(1303): [client
130.226.36.170] GSS-API token of length 22 bytes will be sent back
[Thu Jul 26 16:05:21 2007] [debug] src/mod_auth_kerb.c(1351): [client
130.226.36.170] set cached name mkj.lib at CBS.DK for connection
[Thu Jul 26 16:05:21 2007] [debug] src/mod_auth_kerb.c(1359): [client
130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
available
[Thu Jul 26 16:05:21 2007] [error] [client 130.226.36.170] Cannot store
delegated credential (gss_krb5_copy_ccache: Invalid credential was
supplied (No error))

/Mikkel

On Wed, 2007-07-25 at 20:56 +0200, Achim Grolms wrote:

> On Wednesday 25 July 2007 11:55, Mikkel Kruse Johnsen wrote:
> 
> > Compiled the mod_auth_kerb with the attached
> 
> The modification does a check if GSS_C_DELEG_FLAG
> is present.
> 
> From my point of view (a paranoid point of view)
> an additional check has to follow:
> before the code does the call to store_gss_creds(),
> the code should check if
> 
> delegated_cred != GSS_C_NO_CREDENTIAL
> 
> and report this state to the logfile and only in case of
> delegated_cred != GSS_C_NO_CREDENTIAL
> do the call of store_gss_creds()
> 
> Can you give that a try?
> 
> Achim

Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: mikkel at linet.dk
www: http://www.linet.dk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod_auth_kerb-5.3-deleg.patch
Type: text/x-patch
Size: 1631 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20070726/e8585061/attachment.bin
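
The two-step check suggested in the quoted reply above (GSS_C_DELEG_FLAG present, then delegated_cred != GSS_C_NO_CREDENTIAL before storing), as an added example that is not part of the original message or of mod_auth_kerb. The GSS-API type and constants are local stand-ins so it compiles without a Kerberos library, and `demo_store_creds()` and `handle_delegation()` are hypothetical names.

```c
#include <stdio.h>
#include <stddef.h>

/* Stand-ins so this compiles without a Kerberos library; the flag value and
 * the null handle follow RFC 2744. Real code includes <gssapi/gssapi.h>. */
typedef unsigned int OM_uint32;
typedef struct demo_cred { const char *principal; } *gss_cred_id_t;
#define GSS_C_DELEG_FLAG    1u
#define GSS_C_NO_CREDENTIAL ((gss_cred_id_t)0)

enum deleg_result { DELEG_NOT_OFFERED, DELEG_FLAG_BUT_NO_CRED,
                    DELEG_STORED, DELEG_STORE_FAILED };

static int store_calls; /* counts calls to the hypothetical store routine */

/* Hypothetical stand-in for the module's store_gss_creds(); 0 on success. */
static int demo_store_creds(gss_cred_id_t cred)
{
    store_calls++;
    return cred->principal != NULL ? 0 : -1;
}

/* Outputs of a successful context acceptance: the flag says delegation was
 * requested, the handle says a credential actually arrived. Both must hold. */
enum deleg_result handle_delegation(OM_uint32 ret_flags, gss_cred_id_t delegated_cred)
{
    if (!(ret_flags & GSS_C_DELEG_FLAG)) {
        fprintf(stderr, "[debug] GSS_C_DELEG_FLAG not set, nothing to store\n");
        return DELEG_NOT_OFFERED;
    }
    if (delegated_cred == GSS_C_NO_CREDENTIAL) {
        fprintf(stderr, "[warn] GSS_C_DELEG_FLAG set but delegated_cred is "
                        "GSS_C_NO_CREDENTIAL, skipping store\n");
        return DELEG_FLAG_BUT_NO_CRED;
    }
    if (demo_store_creds(delegated_cred) != 0) {
        fprintf(stderr, "[error] storing delegated credential failed\n");
        return DELEG_STORE_FAILED;
    }
    return DELEG_STORED;
}

int main(void)
{
    struct demo_cred c = { "user@EXAMPLE.ORG" }; /* constructed sample */
    printf("%d %d %d\n", handle_delegation(0, &c),
           handle_delegation(GSS_C_DELEG_FLAG, GSS_C_NO_CREDENTIAL),
           handle_delegation(GSS_C_DELEG_FLAG, &c));
    return 0;
}
```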

