problem obtaining tickets on a webserver

dk dk at kadenpartner.ch
Sun Feb 4 03:57:50 EST 2007


Hello

I want to build a web-based application where a client sends a request to server 1, on which a PHP application resides. This application has to send a request to a gateway. The gateway itself then calls the target application on server 3, which again is protected by Kerberos:

Client (fTGT) ---> Server 1 (Apache, mod_auth_kerb) ---> Gateway ---> Server 3 (Apache, mod_auth_kerb)

Everything should work as a single sign-on application. The idea is: the client has a forwardable ticket-granting ticket. This ticket is forwarded to server 1. Server 1 takes the ticket and integrates it in a request sent to a gateway server. This one (based on Perl LWP) uses the ticket to send another request to server 3.

So far everything works fine except the ticket transfer from the client to server 1.

If httpd.conf on server 1 is set up with

KrbMethodK5Passwd on
KrbSaveCredentials on

server 1 receives a ticket-granting ticket that can be sent to the gateway. The disadvantage is that the user has to enter username and password.

If on server 1 KrbMethodK5Passwd is set to off, the authentication on server 1 works too, but server 1 does not save a ticket. The Apache error log simply says:

[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1485): [client 10.3.188.14] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1485): [client 10.3.188.14] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1172): [client 10.3.188.14] Acquiring creds for HTTP at www.dk.ch
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1316): [client 10.3.188.14] Verifying client data using KRB5 GSS-API
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1332): [client 10.3.188.14] Verification returned code 0
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1485): [client 10.3.188.14] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1172): [client 10.3.188.14] Acquiring creds for HTTP at www.dk.ch
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1316): [client 10.3.188.14] Verifying client data using KRB5 GSS-API
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1332): [client 10.3.188.14] Verification returned code 0

To find out a bit more I changed line 1394 in mod_auth_kerb.c from

   if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)

to

   if (conf->krb_save_credentials)

Then the Apache error log says:

[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1485): [client 10.3.188.14] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1485): [client 10.3.188.14] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1172): [client 10.3.188.14] Acquiring creds for HTTP at www.dk.ch
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1316): [client 10.3.188.14] Verifying client data using KRB5 GSS-API
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1332): [client 10.3.188.14] Verification returned code 0
[Sun Feb 04 08:33:36 2007] [error] [client 10.3.188.14] Cannot store delegated credential (gss_krb5_copy_ccache: Invalid credential was supplied (Unknown code ____ 255))
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1485): [client 10.3.188.14] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1172): [client 10.3.188.14] Acquiring creds for HTTP at www.dk.ch
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1316): [client 10.3.188.14] Verifying client data using KRB5 GSS-API
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1332): [client 10.3.188.14] Verification returned code 0
[Sun Feb 04 08:33:36 2007] [error] [client 10.3.188.14] Cannot store delegated credential (gss_krb5_copy_ccache: Invalid credential was supplied (No error))

It looks like there is a GSS_C_NO_CREDENTIAL flag set to true for a reason I don't know. I tried to find out where this flag comes from and how it could be set correctly, but I did not succeed.

To exclude that it is a Firefox problem I also used a simple Perl script based on LWP (same result).

In the krb5.conf I tried different defaults, for example:

[libdefaults]
	default_realm = DK.CH
	forwardable = true
	proxiable = true

I also tried "handmade" TGTs (kinit -f ...)

Kerberos version is MIT krb5-1.6
Apache version is 2.2.3
mod_auth_kerb version is 5.3

In order to have a single sign-on solution I need a fTGT on server 1. Is that right? Is it possible at all? If yes, what would I have to change?

Thanks in advance

Donald Kaden
Kaden & Partner AG
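Two checks a practitioner would want to run before touching mod_auth_kerb's source, as an added example that is not part of the post, of mod_auth_kerb or of MIT krb5: first, confirm from `klist -f` output that the client's TGT actually carries the forwardable flag (the "F" letter in MIT's Flags line); second, triage the mod_auth_kerb debug log quoted above to see, per authentication attempt, whether GSS verification succeeded and whether storing a delegated credential was attempted and failed. The `klist -f` output, the principal name and the log excerpt below are constructed samples modelled on the post; the log parser assumes the Apache 2.2 error-log layout shown in the post.

```python
"""Triage helpers for the two questions in the post: is the client's TGT
forwardable, and did a mod_auth_kerb request end with a delegated credential
being stored?  Example code, not part of mod_auth_kerb or MIT krb5."""
import re
from collections import OrderedDict

# Constructed sample of MIT `klist -f` output (principal name is made up).
# MIT prints one "Flags:" line per ticket; "F" means forwardable.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@DK.CH

Valid starting       Expires              Service principal
02/04/07 08:30:00    02/04/07 18:30:00    krbtgt/DK.CH@DK.CH
	Flags: FPIA
02/04/07 08:33:36    02/04/07 18:30:00    HTTP/www.dk.ch@DK.CH
	Flags: FPA
"""

# Constructed sample: the mod_auth_kerb debug lines quoted in the post, with
# the mail-wrapped lines rejoined, plus the error seen after the source edit.
SAMPLE_LOG = """\
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1485): [client 10.3.188.14] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1172): [client 10.3.188.14] Acquiring creds for HTTP at www.dk.ch
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1316): [client 10.3.188.14] Verifying client data using KRB5 GSS-API
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1332): [client 10.3.188.14] Verification returned code 0
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1485): [client 10.3.188.14] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1316): [client 10.3.188.14] Verifying client data using KRB5 GSS-API
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1332): [client 10.3.188.14] Verification returned code 0
[Sun Feb 04 08:33:36 2007] [error] [client 10.3.188.14] Cannot store delegated credential (gss_krb5_copy_ccache: Invalid credential was supplied (Unknown code ____ 255))
"""


def tgt_flags(klist_output, realm):
    """Return the flag letters of the krbtgt/<realm> ticket, or None if absent."""
    lines = klist_output.splitlines()
    wanted = "krbtgt/%s@%s" % (realm, realm)
    for i, line in enumerate(lines):
        if line.rstrip().endswith(wanted):
            # The Flags line follows the ticket entry it describes.
            for nxt in lines[i + 1:i + 3]:
                m = re.search(r"Flags:\s*(\S+)", nxt)
                if m:
                    return m.group(1)
    return None


def tgt_is_forwardable(klist_output, realm):
    """True only if a TGT for the realm exists and carries the 'F' flag."""
    flags = tgt_flags(klist_output, realm)
    return flags is not None and "F" in flags


# Apache 2.2 error-log layout: debug lines carry a "file(line):" token before
# the client field, error lines do not; the optional group absorbs either.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\S+ )?"
    r"\[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
VERIFY_RE = re.compile(r"Verification returned code (\d+)")
STORE_ERR = "Cannot store delegated credential"


def triage(log_text):
    """Group lines by (timestamp, client) and classify each attempt."""
    attempts = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        rec = m.groupdict()
        key = (rec["ts"], rec["client"])
        a = attempts.setdefault(key, {"verify_codes": [], "store_error": None})
        vm = VERIFY_RE.search(rec["msg"])
        if vm:
            a["verify_codes"].append(int(vm.group(1)))
        if rec["msg"].startswith(STORE_ERR):
            a["store_error"] = rec["msg"]

    result = []
    for (ts, client), a in attempts.items():
        if a["store_error"]:
            status = "verified-but-store-failed"
        elif a["verify_codes"] and all(c == 0 for c in a["verify_codes"]):
            status = "verified-no-delegation-message"
        elif a["verify_codes"]:
            status = "verification-failed"
        else:
            status = "incomplete"
        result.append({"ts": ts, "client": client, "status": status,
                       "detail": a["store_error"]})
    return result


if __name__ == "__main__":
    print("TGT forwardable:", tgt_is_forwardable(SAMPLE_KLIST, "DK.CH"))
    for r in triage(SAMPLE_LOG):
        print(r["ts"], r["client"], r["status"])
```

The point of the two statuses is the one the post's own edit illustrates: a successful GSS verification ("Verification returned code 0") with no delegation message means the server accepted the client's authentication but was handed nothing to save, while "Cannot store delegated credential" only appears once the `delegated_cred != GSS_C_NO_CREDENTIAL` guard is bypassed, because the module is then trying to copy a credential handle that was never delivered. Both conditions are worth alerting on in a deployment that relies on credential delegation for single sign-on.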