[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Mikkel Kruse Johnsen mikkel at linet.dk
Tue Aug 7 04:18:49 EDT 2007


Hi Achim

As you can see the length of the token is different and in LWN the token
is not expired. I think Douglas is right that the token is not delegated
on firefox.


Log LWN:

[Tue Aug 07 09:28:28 2007] [debug] src/mod_auth_kerb.c(1518): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Tue Aug 07 09:28:28 2007] [debug] src/mod_auth_kerb.c(1518): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Tue Aug 07 09:28:28 2007] [debug] src/mod_auth_kerb.c(1206): [client
130.226.36.170] Acquiring creds for HTTP at od.cbs.dk
[Tue Aug 07 09:28:28 2007] [debug] src/mod_auth_kerb.c(1330): [client
130.226.36.170] Verifying client data using KRB5 GSS-API
[Tue Aug 07 09:28:28 2007] [debug] src/mod_auth_kerb.c(1346): [client
130.226.36.170] Verification returned code 0
[Tue Aug 07 09:28:28 2007] [debug] src/mod_auth_kerb.c(1364): [client
130.226.36.170] GSS-API token of length 114 bytes will be sent back
[Tue Aug 07 09:28:28 2007] [debug] src/mod_auth_kerb.c(1412): [client
130.226.36.170] set cached name mkj.lib at CBS.DK for connection
[Tue Aug 07 09:28:28 2007] [debug] src/mod_auth_kerb.c(1421): [client
130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
available
[Tue Aug 07 09:28:28 2007] [debug] src/mod_auth_kerb.c(1108): [client
130.226.36.170] Lifetime of delegated credential is 85951
[Tue Aug 07 09:28:28 2007] [debug] src/mod_auth_kerb.c(1120): [client
130.226.36.170] Display name (mkj.lib at CBS.DK)
[Tue Aug 07 09:28:28 2007] [debug] src/mod_auth_kerb.c(1125): [client
130.226.36.170] Cred Usage GSS_C_INITIATE


Log Firefox:

[Tue Aug 07 09:29:21 2007] [debug] src/mod_auth_kerb.c(1518): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Tue Aug 07 09:29:21 2007] [debug] src/mod_auth_kerb.c(1518): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Tue Aug 07 09:29:21 2007] [debug] src/mod_auth_kerb.c(1206): [client
130.226.36.170] Acquiring creds for HTTP at od.cbs.dk
[Tue Aug 07 09:29:21 2007] [debug] src/mod_auth_kerb.c(1330): [client
130.226.36.170] Verifying client data using KRB5 GSS-API
[Tue Aug 07 09:29:21 2007] [debug] src/mod_auth_kerb.c(1346): [client
130.226.36.170] Verification returned code 0
[Tue Aug 07 09:29:21 2007] [debug] src/mod_auth_kerb.c(1364): [client
130.226.36.170] GSS-API token of length 22 bytes will be sent back
[Tue Aug 07 09:29:21 2007] [debug] src/mod_auth_kerb.c(1412): [client
130.226.36.170] set cached name mkj.lib at CBS.DK for connection
[Tue Aug 07 09:29:21 2007] [debug] src/mod_auth_kerb.c(1421): [client
130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
available
[Tue Aug 07 09:29:21 2007] [debug] src/mod_auth_kerb.c(1105): [client
130.226.36.170] Lifetime of delegated credential is expired
[Tue Aug 07 09:29:21 2007] [debug] src/mod_auth_kerb.c(1120): [client
130.226.36.170] Display name (mkj.lib at CBS.DK)
[Tue Aug 07 09:29:21 2007] [debug] src/mod_auth_kerb.c(1132): [client
130.226.36.170] Cred Usage GSS_C_BOTH
[Tue Aug 07 09:29:21 2007] [error] [client 130.226.36.170] Cannot store
delegated credential (gss_krb5_copy_ccache: Invalid credential was
supplied (No error))


/Mikkel


On Wed, 2007-08-01 at 21:47 +0200, Achim Grolms wrote: 

> On Wednesday 01 August 2007 09:52, Mikkel Kruse Johnsen wrote:
> 
> Hello Mikkel,
> please provide me some more information.
> 
> 1. You wrote you have successfully done delegation using another
>    Webclient. Please send me an ethereal-dump of that connection, too.
> 
> 2. On Firefox-box run 
> 
> krb5-config --version
> 
> and send me the output
> 
> 3. on mod_auth_kerb box run
> 
> krb5-config --version
> 
> and send me the output
> 
> 4. on "the other webclient doing successful delegation" run
> 
> krb5-config --version
> 
> and send me the output
> 
> 5. On the Firefox box use Perl and LWP::Authen::Negotiate to
> do the HTTP-request (if you need more information to do this please
> let me know)
> 
> Achim
> 

Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: mikkel at linet.dk
www: http://www.linet.dk
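
The comparison made by eye in the two logs above can be scripted. The following is an added example, not part of the original mail and not mod_auth_kerb code: it unwraps mail-wrapped mod_auth_kerb debug lines and reports, per request, the reply token length, the delegated credential lifetime and any credential store error. Grouping records by timestamp and client address is an assumption of the example.

```python
import re

START = re.compile(r"^\[\w{3} \w{3} \d{2} [\d:]{8} \d{4}\] ")
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[\w+\] (?:\S+\(\d+\): )?"
                  r"\[client (?P<ip>[^\]]+)\] (?P<msg>.*)$")
FIELDS = {
    "token_len": re.compile(r"GSS-API token of length (\d+) bytes"),
    "lifetime": re.compile(r"Lifetime of delegated credential is (\S+)"),
    "store_error": re.compile(r"Cannot store delegated credential \((.*)\)$"),
}

# Excerpt of the two logs in the message, kept in their mail-wrapped form.
SAMPLE = """\
[Tue Aug 07 09:28:28 2007] [debug] src/mod_auth_kerb.c(1364): [client
130.226.36.170] GSS-API token of length 114 bytes will be sent back
[Tue Aug 07 09:28:28 2007] [debug] src/mod_auth_kerb.c(1108): [client
130.226.36.170] Lifetime of delegated credential is 85951
[Tue Aug 07 09:29:21 2007] [debug] src/mod_auth_kerb.c(1364): [client
130.226.36.170] GSS-API token of length 22 bytes will be sent back
[Tue Aug 07 09:29:21 2007] [debug] src/mod_auth_kerb.c(1105): [client
130.226.36.170] Lifetime of delegated credential is expired
[Tue Aug 07 09:29:21 2007] [error] [client 130.226.36.170] Cannot store
delegated credential (gss_krb5_copy_ccache: Invalid credential was
supplied (No error))
"""

def unwrap(text):
    """Join wrapped continuation lines onto the log record they belong to."""
    records = []
    for line in text.splitlines():
        if START.match(line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Group records per (timestamp, client); assumes one request per second per client."""
    requests = {}
    for m in filter(None, map(LINE.match, unwrap(text))):
        req = requests.setdefault((m["ts"], m["ip"]), {})
        for name, pat in FIELDS.items():
            hit = pat.search(m["msg"])
            if hit:
                req[name] = hit.group(1)
    for req in requests.values():
        # Usable only if a numeric lifetime was logged and storing did not fail.
        req["delegation_usable"] = (req.get("lifetime", "").isdigit()
                                    and "store_error" not in req)
    return requests
```

Calling `summarize(SAMPLE)` returns one entry per request, which makes a working and a failing client directly comparable.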


