KRB5CCNAME is not reread

Brian C. DeRocher brian.derocher at mitretek.org
Thu Feb 2 17:20:47 EST 2006


Hello all,

I was adding kerberos authentication to a few web apps.  This would be
useful for mediawiki (wikipgedia) and phppgadmin, among others.  The
problem we are seeing is that PHP and its PostgreSQL extension will
make a connection on the first web request.  But subsequent requests
to the web server fail to connect to the database because Apache2 and
mod_auth_kerb assign a new KRB5CCNAME value.

The error message is:

    Warning: pg_connect() [function.pg-connect]: Unable to connect to
    PostgreSQL server: krb5_sendauth: No credentials cache found

They have the form /tmp/krb5cc_apache_xxxxxx.  Each web request has a
different suffix.  However, mod_php stays in memory.  It appears that
libkrb5 doesn't check if KRB5CCNAME has changed.

Here's a simple demonstration.

/*
kinit before you run this program.

output:
Connection established
Connection failed
krb5_sendauth: No credentials cache found
*/

#include <stdio.h>
#include <stdlib.h>
#include <libpq-fe.h>

int main()
	{
	/* Make two copies of the default (uid 1000) cache, then drop the original. */
	system( "cp /tmp/krb5cc_1000 /tmp/krb5cc_first" );
	system( "cp /tmp/krb5cc_1000 /tmp/krb5cc_second" );
	system( "rm /tmp/krb5cc_1000" );

	// First
	putenv( "KRB5CCNAME=FILE:/tmp/krb5cc_first" );
	PGconn * Conn = PQconnectdb( "host=sauron dbname=tsf" );
	if (PQstatus(Conn) == CONNECTION_BAD)
		{
		printf( "Connection failed\n" );
		printf( "%s", PQerrorMessage( Conn ) );
		}
	else	printf( "Connection established\n" );
	PQfinish( Conn );
	system( "rm /tmp/krb5cc_first" );

	// Second: same process, KRB5CCNAME now points at the other copy
	putenv( "KRB5CCNAME=FILE:/tmp/krb5cc_second" );
	Conn = PQconnectdb( "host=sauron dbname=tsf" );
	if (PQstatus(Conn) == CONNECTION_BAD)
		{
		printf( "Connection failed\n" );
		printf( "%s", PQerrorMessage( Conn ) );
		}
	else	printf( "Connection established\n" );
	PQfinish( Conn );
	system( "rm /tmp/krb5cc_second" );
	return 0;
	}

Any help would be appreciated.

Thanks,
Brian

-- 
Brian C. DeRocher @ Mitretek Systems
This email was signed using OpenPGP.
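The failure mode described in the post, modelled in C as an added example (not code from the post, libpq or libkrb5): a credential-cache name captured once per process and kept in static state, beside one that is re-resolved on every connection. That the cache name is memoised somewhere in the stack is an assumption made for the model; the /tmp paths and the empty stand-in cache files are constructed for the demo.

```c
/* Added model of a long-lived worker (e.g. mod_php) resolving KRB5CCNAME; not libpq or libkrb5 code. */
#define _POSIX_C_SOURCE 200809L   /* for setenv(), access(), unlink() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* libkrb5 accepts "FILE:/path" or a bare path for file-type caches. */
static const char *ccache_path(const char *name)
	{
	return strncmp(name, "FILE:", 5) == 0 ? name + 5 : name;
	}

static int  g_initialised = 0;   /* process-wide "already set up" flag */
static char g_ccache[256];       /* cache name captured on first use   */

/* Memoised variant: KRB5CCNAME is consulted only on the first call. */
int connect_memoised(void)
	{
	if (!g_initialised)
		{
		const char *env = getenv("KRB5CCNAME");
		snprintf(g_ccache, sizeof g_ccache, "%s", env ? env : "");
		g_initialised = 1;
		}
	return access(ccache_path(g_ccache), R_OK) == 0;   /* 1 = cache found */
	}

/* Per-connection variant: the cache name is re-resolved on every connect. */
int connect_fresh(void)
	{
	const char *env = getenv("KRB5CCNAME");
	return env != NULL && access(ccache_path(env), R_OK) == 0;
	}

/* Two requests in one worker, as in the post: request 1's cache is removed and request 2
   gets a new name. Returns 10*memoised + fresh for the second connect (constructed paths). */
int simulate_two_requests(void)
	{
	FILE *f = fopen("/tmp/krb5cc_first", "w");  if (f) fclose(f);   /* empty stand-in cache */
	setenv("KRB5CCNAME", "FILE:/tmp/krb5cc_first", 1);
	connect_memoised(); connect_fresh();              /* request 1: both find it */
	unlink("/tmp/krb5cc_first");                      /* per-request cache removed */
	f = fopen("/tmp/krb5cc_second", "w");  if (f) fclose(f);
	setenv("KRB5CCNAME", "FILE:/tmp/krb5cc_second", 1);
	int r = 10 * connect_memoised() + connect_fresh();
	unlink("/tmp/krb5cc_second");
	return r;   /* 1: the memoised connect still looks for krb5cc_first and fails */
	}
```

A result of 1 reproduces the post's symptom: the per-connection lookup finds the new cache while the once-resolved name still points at the deleted file.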