Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
Djihangiroff, Matthias (KC-DD)
Matthias.Djihangiroff at persona.de
Tue Oct 10 02:40:55 EDT 2006
But it doesn't work.
If they type in their userPrincipalName, I get an entry in my error log. (Specified realm `persona.de' not allowed by configuration)
My /etc/krb.conf
[libdefaults]
    default_realm = KONZERN.INTERN
    clockskew = 300

[realms]
    KONZERN.INTERN = {
        kdc = w2kroot.konzern.intern
        default_domain = konzern.intern
        admin_server = w2kroot
    }

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

[domain_realm]
    .konzern.intern = KONZERN.INTERN

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        try_first_pass = true
    }
-----Original Message-----
From: Michael B Allen [mailto:mba2000 at ioplex.com]
Sent: Monday, 9 October 2006 18:16
To: Djihangiroff, Matthias (KC-DD)
Subject: Re: Re: Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
Then it should work. Kerberos requires the userPrincipalName and not their "windowsusername" (aka sAMAccountName). Or am I missing something?
Mike
PS: I recommend steering this thread back onto the kerberos mailing list.
On Mon, 9 Oct 2006 09:14:51 +0200
"Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff at persona.de> wrote:
> The users only use their userPrincipalName (Matthias.Djihangiroff at persona.de), not their sAMAccountName (Matthias.Djihangirof).
>
>
> -----Original Message-----
> From: Michael B Allen [mailto:mba2000 at ioplex.com]
> Sent: Friday, 6 October 2006 18:04
> To: Djihangiroff, Matthias (KC-DD)
> Subject: Re: Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
>
> So what you're saying is that users do not know their userPrincipalName and that they only know their sAMAccountName? For example, consider the following domain:
>
> dnsRoot example.com
> REALM EXAMPLE.COM
> nETBIOSName EXAMPLE
>
> and the following example user account:
>
> userPrincipalName alice at EXAMPLE.COM
> sAMAccountName abaker
>
> For kerberos to work with the above example one would need to use the UPN alice at EXAMPLE.COM. But people are using abaker at EXAMPLE.COM or abaker at EXAMPLE?
>
> You could split the name and do an LDAP search on sAMAccountName=abaker for the userPrincipalName and then pass that to krb5_get_init_creds_password.
>
> Mike
>
> On Fri, 6 Oct 2006 07:27:06 +0200
> "Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff at persona.de> wrote:
>
> >
> > I just want to point out that you can use krb5_get_init_creds_password to do Basic so there's no reason to use LDAP at all <- The problem is that the login name for a Kerberos realm is realusername at KERBEROS.REALM. The users aren't aware of their real Windows username (it is limited to 21? characters, so my name is matthias.djihangirof at KONZERN.INTERN).
> >
> > Our users are logging in with their email address:
> > firstname.lastname at windowsdomain (e.g.
> > matthias.djihangiroff at persona.de; look at the double ff in my
> > last name, it's different from my Kerberos name)
> >
> > If I try to type my email in the Basic auth, mod_auth_kerb tries to
> > get a ticket for matthias.djihangiroff at persona.de. But the realm
> > persona.de doesn't exist (it's konzern.intern) :-)
> >
> >
> > -----Original Message-----
> > From: Michael B Allen [mailto:mba2000 at ioplex.com]
> > Sent: Thursday, 5 October 2006 17:09
> > To: Djihangiroff, Matthias (KC-DD)
> > Cc: kerberos at mit.edu
> > Subject: Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
> >
> > On Thu, 5 Oct 2006 08:03:51 +0200
> > "Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff at persona.de> wrote:
> >
> > > Hello,
> > >
> > > Anyone out there who's running an Apache with mod_auth_kerb and
> > > mod_auth_ldap?
> > > I'm running an Apache with mod_auth_kerb perfectly.
> > >
> > > But we have users who aren't in our Windows AD, so they can't
> > > load the websites protected through mod_auth_kerb.
> > > Is it possible to fall back to mod_auth_ldap, so they can manually
> > > type in their login? (Apache then checks the user against the LDAP.)
> >
> > I don't know the answer to this (my understanding is that trying to stack mod_auth_* modules together is not practical) but I just want to point out that you can use krb5_get_init_creds_password to do Basic so there's no reason to use LDAP at all. In fact using LDAP as a make-shift authentication service is crude and insecure. Whether or not mod_auth_kerb can do it I have no idea.
> >
> > Mike
> >
> > --
> > Michael B Allen
> > PHP Active Directory SSO
> > http://www.ioplex.com/
> > ###########################################
> >
> > This message has been scanned by F-Secure Anti-Virus for Microsoft Exchange.
> > For more information, connect to http://www.f-secure.com/
> >
>
>
>
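Mike's suggestion of splitting the typed name, looking the account up in AD and handing the resulting principal to krb5_get_init_creds_password, worked through as an added example that is not code from the thread or from mod_auth_kerb. It generalises the lookup to any name a user is likely to know (sAMAccountName, userPrincipalName or mail), returns the sAMAccountName@REALM form that worked in this thread, and stands the LDAP search in with constructed in-memory entries so it runs offline; KRB_REALM, DIRECTORY and the function names are assumptions.

```python
"""Resolve the name a user types into Basic auth to a Kerberos principal.

Added example, not code from the thread or from mod_auth_kerb. The LDAP
search is stood in for by an in-memory list of constructed AD-style entries
so the module runs offline; a real deployment would run build_lookup_filter()
against AD and feed the result to krb5_get_init_creds_password.
"""
from typing import Callable, Optional

KRB_REALM = "KONZERN.INTERN"  # realm mod_auth_kerb is configured for (from the thread)


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping: the typed login is untrusted and must not be
    spliced raw into a filter, or '*' and ')' would change its meaning."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_lookup_filter(login: str) -> str:
    """Match the account by any of the names a user is likely to know."""
    v = ldap_filter_escape(login)
    return (f"(&(objectClass=user)(|(sAMAccountName={v})"
            f"(userPrincipalName={v})(mail={v})))")


# Constructed stand-in for the AD accounts the filter above would return.
DIRECTORY = [
    {"sAMAccountName": "matthias.djihangirof",
     "userPrincipalName": "Matthias.Djihangiroff@persona.de",
     "mail": "matthias.djihangiroff@persona.de"},
    {"sAMAccountName": "jdoe", "userPrincipalName": "john.doe@persona.de",
     "mail": "john.doe@persona.de"},
]


def mock_search(login: str) -> list:
    """Exact, case-insensitive match as AD does for these attributes;
    no wildcards, which is what the escaping buys you on a real server."""
    wanted = login.lower()
    return [e for e in DIRECTORY
            if wanted in (e["sAMAccountName"].lower(),
                          e["userPrincipalName"].lower(), e["mail"].lower())]


def resolve_principal(login: str,
                      search: Callable[[str], list] = mock_search) -> Optional[str]:
    """Return sAMAccountName@REALM (the form that worked in the thread) or
    None when the login matches no account or more than one."""
    hits = search(login)
    if len(hits) != 1:
        return None
    # The realm is always the configured one, never taken from what the
    # user typed, so the "realm not allowed by configuration" path is avoided.
    return f"{hits[0]['sAMAccountName']}@{KRB_REALM}"
```

The principal returned is the name to pass, together with the typed password, to krb5_get_init_creds_password; a None result should be treated as an authentication failure rather than a fallback.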