[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kereros.
Douglas E. Engert
deengert at anl.gov
Mon Jul 23 09:03:30 EDT 2007
Mikkel Kruse Johnsen wrote:
> Hi Douglas
>
> Setting: "ksetup /SetRealmFlag CBS.DK Delegate" did not work. Still no
> KRB5CCNAME in apache.
>
> I have recompiled krb5-1.5 (RHEL5) with a patch to make it possible to
> set the ok-as-delegate flag. I then set the flag on
> "HTTP/sugi.cbs.dk at CBS.DK" <mailto:sugi.cbs.dk at CBS.DK> and windows
> kerbtray shows "Ok as delegate" checked. but there is still no
> KRB5CCNAME saved.
>
OK, the above two should have done the same thing let the client delegate
if it wanted to. Delegation is not done by default. The ok-to-delegate
is used to tell the client the KDC believes the server can be trusted,
it does not tell the client to delegate. There may be some other options
with the client mod-auth-kerb to tell it to delegate.
The next question is it delegating, but the server is not saving the ticket.
The wireshark (formally called ethereal) network trace program can print
many of the GSSAPI and Kerberos packets. Wireshark can run on Windows
and Unix and is very helpful with problems like this.
> 1) Just to be save, does mod_auth_kerb save KRB5CCNAME env. when running
> php as a module under apache ?
>
> 2) Where should I set the ok-as-delegate, is it on my own principle or
> the HTTP/sugi.cbs.dk ?
On the HTTP principal.
>
> Any other info is approciated.
Wireshark. http://www.wireshark.org/
>
> /Mikkel
>
> On Wed, 2007-07-18 at 13:14 -0500, Douglas E. Engert wrote:
>>
>> Stephen Frost wrote:
>> > * Mikkel Kruse Johnsen (mikkel at linet.dk <mailto:mikkel at linet.dk>) wrote:
>> >> Now I only have the problem that mod_auth_kerb don't write my
>> >> credentials to KRB5CCNAME (in PHP).
>> >>
>> >> My "kerbtray" under windows says it is Forwardable but no "Ok to
>> >> delegate", So I guess that is the problem.
>>
>>
>> Have a look at the "ksetup /SetRealmFlag <realm> Delegate" command
>> as it will tell a Windows client to assume the KDC has set
>> the OK_AS_DELAGATE bit. This can be used where the KDC does support
>> setting of the bit. But this only works on a Windows client.
>>
>>
>> >>
>> >> Under linux they are forwardable.
>> > [...]
>> >> I found how to set ok-as-delegate for heimdal how is this done for MIT
>> >> kerberos ?
>> >
>> > The short answer is, you don't. For reasons unknown to me, the MIT
>> > Kerberos upstream folks have seen fit to implement something in their
>> > client libraries that's not done in their server. This means that even
>> > a completely MIT solution breaks. We've heard of some patches going
>> > around to implement the ok-as-delegate flag in the MIT KDC but havn't
>> > been able to actually get a hold of them yet.
>> >
>> > If we're unable to we might end up writing some ourselves as this is
>> > rather important to us. If we find or write patches to fix this glaring
>> > problem in the MIT KDC we'll be sure to post them.
>> >
>> > Thanks,
>> >
>> > Stephen
>> >
>> >
>> > ------------------------------------------------------------------------
>> >
>> > ________________________________________________
>> > Kerberos mailing list Kerberos at mit.edu <mailto:Kerberos at mit.edu>
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>>
> Mikkel Kruse Johnsen
> Linet
> Ørholmgade 6 st tv
> 2200 København N
>
> Tlf: +45 2128 7793
> email: mikkel at linet.dk
> www: http://www.linet.dk
>
>
> ------------------------------------------------------------------------
>
> diff -r -u krb5-1.5.orig/src/lib/gssapi/krb5/indicate_mechs.c krb5-1.5/src/lib/gssapi/krb5/indicate_mechs.c
> --- krb5-1.5.orig/src/lib/gssapi/krb5/indicate_mechs.c 2006-06-15 00:27:54.000000000 +0200
> +++ krb5-1.5/src/lib/gssapi/krb5/indicate_mechs.c 2007-07-18 08:59:13.000000000 +0200
> @@ -34,7 +34,7 @@
> {
> *minor_status = 0;
>
> - if (! gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set)) {
> + if (gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set)) {
> *mech_set = GSS_C_NO_OID_SET;
> *minor_status = ENOMEM;
> return(GSS_S_FAILURE);
>
>
> ------------------------------------------------------------------------
>
> diff -r -u krb5-1.5.orig/doc/admin.texinfo krb5-1.5/doc/admin.texinfo
> --- krb5-1.5.orig/doc/admin.texinfo 2007-07-23 10:10:42.000000000 +0200
> +++ krb5-1.5/doc/admin.texinfo 2007-07-23 10:33:43.000000000 +0200
> @@ -1747,6 +1747,13 @@
> sets the KRB5_KDB_REQUIRES_HW_AUTH flag on the principal in the
> database.
>
> + at itemx @{-|+@}ok_as_delegate
> +The ``+ok_as_delegate'' sets the OK-AS-DELEGATE flag on tickets issued for use
> +with this principal as the service, which clients may use as a hint that
> +credentials can and should be delegated when authenticating to the service.
> +Sets the KRB5_KDB_OK_AS_DELEGATE flag. ``-ok_as_delegate'' clears
> +this flag.
> +
> @item @{-|+@}allow_svr
> The ``-allow_svr'' flag prohibits the issuance of service tickets for
> this principal. ``+allow_svr'' clears this flag. In effect,
> diff -r -u krb5-1.5.orig/src/include/kdb.h krb5-1.5/src/include/kdb.h
> --- krb5-1.5.orig/src/include/kdb.h 2007-07-23 10:10:41.000000000 +0200
> +++ krb5-1.5/src/include/kdb.h 2007-07-23 10:34:18.000000000 +0200
> @@ -79,6 +79,7 @@
> #define KRB5_KDB_PWCHANGE_SERVICE 0x00002000
> #define KRB5_KDB_SUPPORT_DESMD5 0x00004000
> #define KRB5_KDB_NEW_PRINC 0x00008000
> +#define KRB5_KDB_OK_AS_DELEGATE 0x00010000
>
> /* Creation flags */
> #define KRB5_KDB_CREATE_BTREE 0x00000001
> diff -r -u krb5-1.5.orig/src/kadmin/cli/kadmin.c krb5-1.5/src/kadmin/cli/kadmin.c
> --- krb5-1.5.orig/src/kadmin/cli/kadmin.c 2007-07-23 10:10:41.000000000 +0200
> +++ krb5-1.5/src/kadmin/cli/kadmin.c 2007-07-23 10:38:46.000000000 +0200
> @@ -61,7 +61,8 @@
> {"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0},
> {"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1},
> {"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 },
> -{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }
> +{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 },
> +{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 }
> };
>
> static char *prflags[] = {
> @@ -81,6 +82,7 @@
> "PWCHANGE_SERVICE", /* 0x00002000 */
> "SUPPORT_DESMD5", /* 0x00004000 */
> "NEW_PRINC", /* 0x00008000 */
> + "OK_AS_DELEGATE", /* 0x00010000 */
> };
>
> char *getenv();
> @@ -1099,6 +1101,7 @@
> "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
> "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
> "\t\trequires_hwauth needchange allow_svr password_changing_service\n"
> + "\t\tok_as_delegate\n"
> "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
> "\t\t\tLook at each database documentation for supported arguments\n");
> }
> @@ -1115,6 +1118,7 @@
> "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
> "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
> "\t\trequires_hwauth needchange allow_svr password_changing_service\n"
> + "\t\tok_as_delegate\n"
> "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
> "\t\t\tLook at each database documentation for supported arguments\n"
> );
> diff -r -u krb5-1.5.orig/src/kadmin/cli/kadmin.M krb5-1.5/src/kadmin/cli/kadmin.M
> --- krb5-1.5.orig/src/kadmin/cli/kadmin.M 2007-07-23 10:10:41.000000000 +0200
> +++ krb5-1.5/src/kadmin/cli/kadmin.M 2007-07-23 10:40:03.000000000 +0200
> @@ -282,6 +282,16 @@
> .B -requires_hwauth
> clears this flag.
> .TP
> +{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP
> +.B +ok_as_delegate
> +sets the OK-AS-DELEGATE flag on tickets issued for use with this principal
> +as the service, which clients may use as a hint that credentials can and
> +should be delegated when authenticating to the service. (Sets the
> +.SM KRB5_KDB_OK_AS_DELEGATE
> +flag.)
> +.B -ok_as_delegate
> +clears this flag.
> +.TP
> {\fB\-\fP|\fB+\fP}\fBallow_svr\fP
> .B -allow_svr
> prohibits the issuance of service tickets for this principal. (Sets the
> diff -r -u krb5-1.5.orig/src/kdc/do_as_req.c krb5-1.5/src/kdc/do_as_req.c
> --- krb5-1.5.orig/src/kdc/do_as_req.c 2007-07-23 10:10:42.000000000 +0200
> +++ krb5-1.5/src/kdc/do_as_req.c 2007-07-23 10:35:57.000000000 +0200
> @@ -257,6 +257,10 @@
> enc_tkt_reply.caddrs = request->addresses;
> enc_tkt_reply.authorization_data = 0;
>
> + if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) {
> + setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
> + }
> +
> /*
> * Check the preauthentication if it is there.
> */
> diff -r -u krb5-1.5.orig/src/kdc/do_tgs_req.c krb5-1.5/src/kdc/do_tgs_req.c
> --- krb5-1.5.orig/src/kdc/do_tgs_req.c 2007-07-23 10:10:42.000000000 +0200
> +++ krb5-1.5/src/kdc/do_tgs_req.c 2007-07-23 10:35:08.000000000 +0200
> @@ -532,6 +532,10 @@
> goto cleanup;
> }
>
> + if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) {
> + setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
> + }
> +
> ticket_reply.enc_part2 = &enc_tkt_reply;
>
> /*
> diff -r -u krb5-1.5.orig/src/lib/kadm5/str_conv.c krb5-1.5/src/lib/kadm5/str_conv.c
> --- krb5-1.5.orig/src/lib/kadm5/str_conv.c 2007-07-23 10:10:42.000000000 +0200
> +++ krb5-1.5/src/lib/kadm5/str_conv.c 2007-07-23 10:54:10.000000000 +0200
> @@ -73,6 +73,7 @@
> static const char flags_tickets_in[] = "allow-tickets";
> static const char flags_preauth_in[] = "preauth";
> static const char flags_hwauth_in[] = "hwauth";
> +static const char flags_ok_as_delegate_in[] = "ok-as-delegate";
> static const char flags_pwchange_in[] = "pwchange";
> static const char flags_service_in[] = "service";
> static const char flags_pwsvc_in[] = "pwservice";
> @@ -86,6 +87,7 @@
> static const char flags_tickets_out[] = "All Tickets Disallowed";
> static const char flags_preauth_out[] = "Preauthorization required";
> static const char flags_hwauth_out[] = "HW Authorization required";
> +static const char flags_ok_as_delegate_out[] = "OK as Delegate";
> static const char flags_pwchange_out[] = "Password Change required";
> static const char flags_service_out[] = "Service Disabled";
> static const char flags_pwsvc_out[] = "Password Changing Service";
> @@ -109,6 +111,7 @@
> { KRB5_KDB_DISALLOW_ALL_TIX, 0, flags_tickets_in, flags_tickets_out },
> { KRB5_KDB_REQUIRES_PRE_AUTH, 1, flags_preauth_in, flags_preauth_out },
> { KRB5_KDB_REQUIRES_HW_AUTH, 1, flags_hwauth_in, flags_hwauth_out },
> +{ KRB5_KDB_OK_AS_DELEGATE, 1, flags_ok_as_delegate_in, flags_ok_as_delegate_out },
> { KRB5_KDB_REQUIRES_PWCHANGE, 1, flags_pwchange_in, flags_pwchange_out},
> { KRB5_KDB_DISALLOW_SVR, 0, flags_service_in, flags_service_out },
> { KRB5_KDB_PWCHANGE_SERVICE, 1, flags_pwsvc_in, flags_pwsvc_out },
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list