Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?

Markus Moeller huaraz at moeller.plus.com
Fri Oct 13 17:14:21 EDT 2006


Matthias,

could you try and set principal.type = 10 just before the following line in 
mod_auth_kerb and try to log in with matthias.djihangiroff\\@persona.de


   ret = krb5_get_init_creds_password(context, &creds, principal,
                                      (char *)password, NULL,
                                      NULL, 0, NULL, NULL);

If this works, you probably only need to check whether the name includes an @, 
add the two \\ for escaping, call krb5_parse_name(context, new_name, 
principal) and then set principal.type=10 before 
krb5_get_init_creds_password is called.

I would be curious if that works.

Regards
Markus


"Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff at persona.de> wrote in 
message 
news:A4987E8FC1C6CD44805DDE5676EE262E0109DAE5 at w2kmail.konzern.intern...
But it doesn't work.
If they type in their userPrincipalName, I get an entry in my error log: 
(Specified realm `persona.de' not allowed by configuration)

My /etc/krb.conf

[libdefaults]
        default_realm = KONZERN.INTERN
        clockskew = 300

[realms]
        KONZERN.INTERN = {
                kdc = w2kroot.konzern.intern
                default_domain = konzern.intern
                admin_server = w2kroot
        }

[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log
[domain_realm]
        .konzern.intern = KONZERN.INTERN

[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                retain_after_close = false
                minimum_uid = 0
                try_first_pass = true
        }

-----Original Message-----
From: Michael B Allen [mailto:mba2000 at ioplex.com]
Sent: Monday, 9 October 2006 18:16
To: Djihangiroff, Matthias (KC-DD)
Subject: Re: AW: AW: Anyone has an apache running with mod_auth_kerb AND 
mod_auth_ldap?

Then it should work. Kerberos requires the userPrincipalName and not their 
"windowsusername" (aka sAMAccountName). Or am I missing something?

Mike

PS: I recommend steering this thread back onto the kerberos mailing list.

On Mon, 9 Oct 2006 09:14:51 +0200
"Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff at persona.de> wrote:

> The users only use their userPrincipalName 
> (Matthias.Djihangiroff at persona.de), not their 
> sAMAccountName (Matthias.Djihangirof).
>
>
> -----Original Message-----
> From: Michael B Allen [mailto:mba2000 at ioplex.com]
> Sent: Friday, 6 October 2006 18:04
> To: Djihangiroff, Matthias (KC-DD)
> Subject: Re: AW: Anyone has an apache running with mod_auth_kerb AND 
> mod_auth_ldap?
>
> So what you're saying is that users do not know their userPrincipalName 
> and that they only know their sAMAccountName? For example, consider the 
> following domain:
>
> dnsRoot       example.com
> REALM         EXAMPLE.COM
> nETBIOSName   EXAMPLE
>
> and the following example user account:
>
> userPrincipalName alice at EXAMPLE.COM
> sAMAccountName    abaker
>
> For kerberos to work with the above example one would need to use the UPN 
> alice at EXAMPLE.COM. But people are using abaker at EXAMPLE.COM or 
> abaker at EXAMPLE?
>
> You could split the name and do an LDAP search on sAMAccountName=abaker 
> for the userPrincipalName and then pass that to 
> krb5_get_init_creds_password.
>
> Mike
>
> On Fri, 6 Oct 2006 07:27:06 +0200
> "Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff at persona.de> wrote:
>
> >
> > I just want to point out that you can use krb5_get_init_creds_password 
> > to do Basic so there's no reason to use LDAP at all <- The problem is 
> > that the login name for a Kerberos realm is realusername at KERBEROS.REALM. 
> > The users aren't aware of their real Windows username (it is limited to 
> > 21? characters, so my name is matthias.djihangirof at KONZERN.INTERN).
> >
> > Our users are logging in with their email address:
> > firstname.lastname at windowsdomain (e.g.
> > matthias.djihangiroff at persona.de; note the double ff in my
> > last name, it's different from my Kerberos name)
> >
> > If I try to type my email in the basic auth, mod_auth_kerb tries to
> > get a ticket for matthias.djihangiroff at persona.de. But the realm
> > persona.de doesn't exist (it's konzern.intern) :-)
> >
> >
> > -----Original Message-----
> > From: Michael B Allen [mailto:mba2000 at ioplex.com]
> > Sent: Thursday, 5 October 2006 17:09
> > To: Djihangiroff, Matthias (KC-DD)
> > Cc: kerberos at mit.edu
> > Subject: Re: Anyone has an apache running with mod_auth_kerb AND 
> > mod_auth_ldap?
> >
> > On Thu, 5 Oct 2006 08:03:51 +0200
> > "Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff at persona.de> 
> > wrote:
> >
> > > Hello,
> > >
> > > Anyone out there who's running an Apache with mod_auth_kerb and
> > > mod_auth_ldap?
> > > I'm running an Apache with mod_auth_kerb perfectly.
> > >
> > > But we have users who aren't in our Windows AD, so they can't
> > > load the websites protected through mod_auth_kerb.
> > > Is it possible to fall back to mod_auth_ldap, so they can manually
> > > type in their login? (The Apache then checks the user against the 
> > > LDAP).
> >
> > I don't know the answer to this (my understanding is that trying to 
> > stack mod_auth_* modules together is not practical) but I just want to 
> > point out that you can use krb5_get_init_creds_password to do Basic so 
> > there's no reason to use LDAP at all. In fact using LDAP as a make-shift 
> > authentication service is crude and insecure. Whether or not 
> > mod_auth_kerb can do it I have no idea.
> >
> > Mike
> >
> > --
> > Michael B Allen
> > PHP Active Directory SSO
> > http://www.ioplex.com/
> > ###########################################
> >
> > This message has been scanned by F-Secure Anti-Virus for Microsoft 
> > Exchange.
> > For more information, connect to http://www.f-secure.com/
> >
>
>
> --
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/
>


--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/

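Added example, not code from the thread, mod_auth_kerb or libkrb5: a pure Python model of the client-side name handling Markus proposes, showing why an unescaped '@' in a UPN-style login turns `persona.de` into the realm (the error Matthias saw) and how the escaped form with principal type 10 (KRB5_NT_ENTERPRISE_PRINCIPAL) keeps the whole UPN as one component in the default realm. The escape rules mirror krb5_parse_name() and the type constants are the RFC 4120 / MIT krb5 values; the sample login and realm are the thread's.

```python
# Added example, not code from the thread, mod_auth_kerb or libkrb5. The
# parser mimics krb5_parse_name(): '/' separates components, an unescaped
# '@' starts the realm, and a backslash protects the next character.
KRB5_NT_PRINCIPAL = 1              # ordinary principal name
KRB5_NT_ENTERPRISE_PRINCIPAL = 10  # "principal.type = 10" from the mail


def parse_principal(text, default_realm):
    """Split a principal string like krb5_parse_name() and return
    (components, realm). Without an unescaped '@', the default realm applies."""
    components, cur, i, in_realm = [], [], 0, False
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):   # escaped: take next char literally
            cur.append(text[i + 1])
            i += 2
            continue
        if not in_realm and c == "@":         # realm separator
            components.append("".join(cur))
            cur, in_realm = [], True
        elif not in_realm and c == "/":       # component separator
            components.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if in_realm:
        return components, "".join(cur)
    components.append("".join(cur))
    return components, default_realm


def login_to_principal(login, default_realm):
    """Turn the login a user typed into (principal string, name type) for
    krb5_parse_name()/krb5_get_init_creds_password(). A UPN-style login has
    its '@' (and any '\\' or '/') escaped so the whole UPN stays a single
    component of an enterprise principal in the default realm."""
    if "@" not in login:
        return login, KRB5_NT_PRINCIPAL
    escaped = (login.replace("\\", "\\\\")
                    .replace("@", "\\@")
                    .replace("/", "\\/"))
    return escaped + "@" + default_realm, KRB5_NT_ENTERPRISE_PRINCIPAL


if __name__ == "__main__":
    login, realm = "matthias.djihangiroff@persona.de", "KONZERN.INTERN"
    # Unescaped, everything after '@' becomes the realm: this is what produced
    # "Specified realm `persona.de' not allowed by configuration".
    print(parse_principal(login, realm))
    text, ntype = login_to_principal(login, realm)
    print(text, ntype, parse_principal(text, realm))
```

The model only covers the client-side name handling; whether the KDC resolves an enterprise name to the real account is up to the KDC (Active Directory does so via the userPrincipalName attribute).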
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos