[modauthkerb] Saving credential with KrbSaveCredentials

Mikkel Kruse Johnsen mikkel at linet.dk
Wed Aug 15 03:02:16 EDT 2007


Hi All

I got it to work. It seems there is an error in the SPNEGO code on MIT
Kerberos. When compiling mod_auth_kerb to use its internal SPNEGO code
everything works fine.

The error as I see it, is that authenticate works but saving the
credential fails.

...
[Tue Aug 14 15:21:32 2007] [debug] src/mod_auth_kerb.c(1553): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Tue Aug 14 15:21:32 2007] [debug] src/mod_auth_kerb.c(1553): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Tue Aug 14 15:21:32 2007] [debug] src/mod_auth_kerb.c(1206): [client
130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk at CBS.DK
[Tue Aug 14 15:21:32 2007] [debug] src/mod_auth_kerb.c(1364): [client
130.226.36.170] Verifying client data using KRB5 GSS-API
[Tue Aug 14 15:21:32 2007] [debug] src/mod_auth_kerb.c(1380): [client
130.226.36.170] Verification returned code 0 lifetime 79137
[Tue Aug 14 15:21:32 2007] [debug] src/mod_auth_kerb.c(1398): [client
130.226.36.170] GSS-API token of length 22 bytes will be sent back
[Tue Aug 14 15:21:32 2007] [debug] src/mod_auth_kerb.c(1447): [client
130.226.36.170] set cached name mkj.lib at CBS.DK for connection
[Tue Aug 14 15:21:32 2007] [debug] src/mod_auth_kerb.c(1456): [client
130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
available
[Tue Aug 14 15:21:32 2007] [debug] src/mod_auth_kerb.c(1105): [client
130.226.36.170] Lifetime of delegated credential is expired
[Tue Aug 14 15:21:32 2007] [debug] src/mod_auth_kerb.c(1120): [client
130.226.36.170] Display name (mkj.lib at CBS.DK)
[Tue Aug 14 15:21:32 2007] [debug] src/mod_auth_kerb.c(1132): [client
130.226.36.170] Cred Usage GSS_C_BOTH
[Tue Aug 14 15:21:32 2007] [error] [client 130.226.36.170] Cannot store
delegated credential (gss_krb5_copy_ccache: Invalid credential was
supplied (No error))
....

As you can see the credential is expired when using the SPNEGO in MIT
Kerberos.


...
[Wed Aug 15 08:41:46 2007] [debug] src/mod_auth_kerb.c(1553): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Wed Aug 15 08:41:46 2007] [debug] src/mod_auth_kerb.c(1553): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Wed Aug 15 08:41:46 2007] [debug] src/mod_auth_kerb.c(1206): [client
130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk at CBS.DK
[Wed Aug 15 08:41:46 2007] [debug] src/mod_auth_kerb.c(1364): [client
130.226.36.170] Verifying client data using SPNEGO GSS-API
[Wed Aug 15 08:41:46 2007] [debug] src/mod_auth_kerb.c(1380): [client
130.226.36.170] Verification returned code 0 lifetime 27495
[Wed Aug 15 08:41:46 2007] [debug] src/mod_auth_kerb.c(1398): [client
130.226.36.170] GSS-API token of length 22 bytes will be sent back
[Wed Aug 15 08:41:46 2007] [debug] src/mod_auth_kerb.c(1447): [client
130.226.36.170] set cached name mkj.lib at CBS.DK for connection
[Wed Aug 15 08:41:46 2007] [debug] src/mod_auth_kerb.c(1456): [client
130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
available
[Wed Aug 15 08:41:46 2007] [debug] src/mod_auth_kerb.c(1108): [client
130.226.36.170] Lifetime of delegated credential is 27495
[Wed Aug 15 08:41:46 2007] [debug] src/mod_auth_kerb.c(1120): [client
130.226.36.170] Display name (mkj.lib at CBS.DK)
[Wed Aug 15 08:41:46 2007] [debug] src/mod_auth_kerb.c(1125): [client
130.226.36.170] Cred Usage GSS_C_INITIATE
....

But using the SPNEGO in mod_auth_kerb it is not.


So is this an error in MIT Kerberos or is mod_auth_kerb using the SPNEGO
wrong?

/Mikkel




On Tue, 2007-08-14 at 19:30 +0200, Achim Grolms wrote:

> On Friday 10 August 2007 21:02, Henry B. Hotz wrote:
> 
> > > Is there anyone who has this working, saving the ticket from either
> > > Firefox/linux, Firefox/WinXP, IE7/WinXP ?
> >
> > Yes, I've had no problems with the two WinXP cases.  Have done
> > Firefox both with native Windows SSPI and with KfW GSSAPI. 
> 
> That means your requests use the SPNEGO mechtype in every case?
> 
> On your mod_auth_kerb side - what code does the SPNEGO processing,
> mod_auth_kerb itself or a SPNEGO-supporting Kerberos implementation?
> 
> 
> Background of this question:
> I have asked Mikkel to run HTTP-Requests on the Firefox machine
> using Perl and LWP::Authen::Negotiate (from CPAN)
> because LWP::Authen::Negotiate can be easily modified.
> 
> The strange thing is:
> 
> If using GSSAPI-mechtype Kerberos5 everything works fine.
> If using GSSAPI-mechtype SPNEGO Mikkel gets the same results
> as if he uses his Firefox.
> 
> Any ideas?
> 
> Achim

Mikkel Kruse Johnsen
Adm.Dir.

Linet
Ørholmgade 6 st tv
Copenhagen N 2200
Denmark

Work: +45 21287793
Mobile: +45 21287793
Email: mikkel at linet.dk
IM: mikkel at linet.dk (MSN)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod_auth_kerb-5.3-deleg.patch
Type: text/x-patch
Size: 10486 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20070815/1e269c38/attachment.bin
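
The two traces in the message above differ in only a few lines: both report "Verification returned code 0", but only one ends with a usable delegated credential. The following is an added example, not part of the original post or of mod_auth_kerb, that groups such debug messages per authentication attempt and flags attempts where authentication succeeded but the delegated credential was expired or could not be stored. The sample lines are constructed from the messages quoted in the post (unwrapped, with a placeholder client address), and the function names are hypothetical.

```python
import re

# Constructed sample: messages as quoted in the post, one per line, placeholder client address.
SAMPLE_LOG = """\
[Tue Aug 14 15:21:32 2007] [debug] src/mod_auth_kerb.c(1364): [client 192.0.2.10] Verifying client data using KRB5 GSS-API
[Tue Aug 14 15:21:32 2007] [debug] src/mod_auth_kerb.c(1380): [client 192.0.2.10] Verification returned code 0 lifetime 79137
[Tue Aug 14 15:21:32 2007] [debug] src/mod_auth_kerb.c(1105): [client 192.0.2.10] Lifetime of delegated credential is expired
[Tue Aug 14 15:21:32 2007] [debug] src/mod_auth_kerb.c(1132): [client 192.0.2.10] Cred Usage GSS_C_BOTH
[Tue Aug 14 15:21:32 2007] [error] [client 192.0.2.10] Cannot store delegated credential (gss_krb5_copy_ccache: Invalid credential was supplied (No error))
[Wed Aug 15 08:41:46 2007] [debug] src/mod_auth_kerb.c(1364): [client 192.0.2.10] Verifying client data using SPNEGO GSS-API
[Wed Aug 15 08:41:46 2007] [debug] src/mod_auth_kerb.c(1380): [client 192.0.2.10] Verification returned code 0 lifetime 27495
[Wed Aug 15 08:41:46 2007] [debug] src/mod_auth_kerb.c(1108): [client 192.0.2.10] Lifetime of delegated credential is 27495
[Wed Aug 15 08:41:46 2007] [debug] src/mod_auth_kerb.c(1125): [client 192.0.2.10] Cred Usage GSS_C_INITIATE
"""

LINE_RE = re.compile(r"^\[([^\]]+)\] \[(\w+)\] (?:\S+\(\d+\): )?\[client ([^\]]+)\] (.*)$")
RULES = [  # (message pattern, field to set, converter for the captured text)
    (re.compile(r"Verification returned code (\d+) lifetime"), "accepted", lambda g: g == "0"),
    (re.compile(r"Lifetime of delegated credential is (\S+)"), "deleg_lifetime",
     lambda g: 0 if g == "expired" else int(g)),
    (re.compile(r"Cred Usage (\S+)"), "cred_usage", str),
    (re.compile(r"Cannot store delegated credential \((.*)\)$"), "store_error", str),
]

def parse_attempts(log_text):
    """Group messages into attempts; each 'Verifying client data' line starts a new one."""
    attempts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, _level, client, msg = m.groups()
        start = re.match(r"Verifying client data using (\S+) GSS-API", msg)
        if start:  # gss_path is the label exactly as the module printed it
            attempts.append({"time": ts, "client": client, "gss_path": start.group(1)})
        elif attempts and attempts[-1]["client"] == client:
            for pattern, field, convert in RULES:
                hit = pattern.search(msg)
                if hit:
                    attempts[-1][field] = convert(hit.group(1))
    return attempts

def broken_delegation(attempts):
    """Attempts that authenticated but whose delegated credential is expired or unsaved."""
    return [a for a in attempts
            if a.get("accepted") and (a.get("deleg_lifetime") == 0 or "store_error" in a)]
```

Real error_log lines must be unwrapped to one message per line before parsing, since the mail client wrapped the traces shown in the post.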

