[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Douglas E. Engert deengert at anl.gov
Mon Jul 23 17:27:56 EDT 2007



Mikkel Kruse Johnsen wrote:
> Hi Markus
> 
> Yes that is what I want. I need the KRB5CCNAME (the credential) so I can 
> login to my OpenLDAP SASL based server and PostgreSQL with kerberos.

So what you need is the Kerberos credentials. I have an older version
of mod_auth_kerb; I assume your version has the routine store_gss_creds(),
which should be doing this for you, creating the name in
create_krb5_ccache() and calling
apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);

Is KrbSaveCredentials being set in the conf file?
This controls the saving of credentials:
  if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
    store_gss_creds(...)

Are the above routines being called?

Is the client actually delegating a credential?

Is the KRB5CCNAME being set in the environment of the subprocess?



> 
> /Mikkel
> 
> On Mon, 2007-07-23 at 19:33 +0100, Markus Moeller wrote:
>>  
>> Storing credentials in a krb5 cache pointing to KRB5CCNAME has nothing
>> to do with delegation.  You only need delegation if you want that
>> Apache logs into a backend application with the user's ID. Is that what
>> you want? If so, you need to be very careful, as it gives your Apache
>> server a lot of power if you don't use constrained delegation.  You
>> need to protect it like a domain controller !!!
>>   
>> Markus 
>>   
>>
>>     "Mikkel Kruse Johnsen" <mikkel at linet.dk>
>>     wrote in message news:1184745677.3078.5.camel at tux.lib.cbs.dk...
>>
>>     Hi All
>>
>>     That did the trick, recompiling krb5-1.5 (on RHEL5 64bit) with
>>     that patch.
>>
>>     Now I only have the problem that mod_auth_kerb doesn't write my
>>     credentials to KRB5CCNAME (in PHP).
>>
>>     My "kerbtray" under Windows says it is Forwardable but no "Ok to
>>     delegate", so I guess that is the problem.
>>
>>     Under linux they are forwardable.
>>
>>     ------
>>     [mkj at tux ~]$ klist -f
>>     Ticket cache: FILE:/tmp/krb5cc_500
>>     Default principal: mkj.lib@HHK.DK
>>
>>     Valid starting     Expires            Service principal
>>     07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK@HHK.DK
>>             renew until 07/19/07 09:16:49, Flags: FRIA
>>     07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK@HHK.DK
>>             renew until 07/19/07 09:16:49, Flags: FRAO
>>     07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk@CBS.DK
>>             renew until 07/18/07 09:17:04, Flags: FRAT
>>     07/18/07 09:35:35  07/18/07 19:16:55  host/sugi.cbs.dk@CBS.DK
>>             renew until 07/18/07 09:35:35, Flags: FRAT
>>
>>
>>     Kerberos 4 ticket cache: /tmp/tkt500
>>     klist: You have no tickets cached
>>     --------
>>
>>
>>     I found how to set ok-as-delegate for Heimdal; how is this done for
>>     MIT Kerberos?
>>
>>     And how is it done under MS AD?
>>
>>     /Mikkel
>>
>>
>>     On Tue, 2007-07-17 at 21:25 +0200, Achim Grolms wrote:
>>>     On Tuesday 17 July 2007 09:41, Mikkel Kruse Johnsen wrote:
>>>
>>>     > gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
>>>     > may provide more information (Cannot allocate memory)
>>>
>>>     What OS and what Kerberos libs do you use?
>>>     Background of this question:
>>>
>>>     I've seen this error message "Cannot allocate memory"
>>>     (and its solution) in
>>>
>>>     <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>
>>>
>>>     Achim
>>     Mikkel Kruse Johnsen
>>     Linet
>>     Ørholmgade 6 st tv
>>     2200 København N
>>
>>     Tlf: +45 2128 7793
>>     email: mikkel at linet.dk
>>     www: http://www.linet.dk
>>
>>
>>
>>
>>     _______________________________________________
>>     modauthkerb-help mailing list
>>     modauthkerb-help at lists.sourceforge.net
>>     https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
>>
> Mikkel Kruse Johnsen
> Adm.Dir.
> 
> Linet <http://www.linet.dk>
> Ørholmgade 6 st tv
> Copenhagen N 2200 Denmark
> Work: +45 21287793
> Mobile: +45 21287793
> Email: mikkel at linet.dk
> IM: mikkel at linet.dk (MSN)
> Professional Profile <http://www.linkedin.com/pub/3/333/803>
> Healthcare <http://www.xmedicus.dk>
> 
> Network Consultant
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
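The thread turns on two checks: whether the client's tickets carry the flags that let it delegate at all (the `klist -f` output above, where the HTTP/ service ticket shows FRAT but no "O" for ok-as-delegate), and whether mod_auth_kerb actually exports a KRB5CCNAME to the subprocess. The script below is an added example written for this archive page; it is not code from the thread or from mod_auth_kerb. It parses klist -f output in the format quoted above (the sample text is constructed to mirror it), names each flag letter, reports per service ticket whether a Windows SSPI client would forward its TGT, and checks a subprocess environment for a KRB5CCNAME that points at a cache readable only by its owner. The function names and the 0600 permission expectation are this example's own choices, not mod_auth_kerb's.

```python
import os
import re
import stat
from dataclasses import dataclass

# Flag letters printed by MIT "klist -f" (see klist(1)); "O" is ok-as-delegate.
FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hardware-authenticated", "A": "preauthenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}

# One ticket line: "MM/DD/YY HH:MM:SS  MM/DD/YY HH:MM:SS  service@REALM"
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")
FLAGS_RE = re.compile(r"Flags:\s*([A-Za-z]+)")

# Constructed sample modelled on the klist -f output quoted in the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@HHK.DK

Valid starting     Expires            Service principal
07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK@HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRIA
07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK@HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRAO
07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk@CBS.DK
        renew until 07/18/07 09:17:04, Flags: FRAT
"""


@dataclass
class Ticket:
    valid_from: str
    expires: str
    service: str
    flags: str = ""

    def has(self, letter):
        return letter in self.flags

    def flag_names(self):
        return [FLAG_NAMES.get(c, c) for c in self.flags]


def parse_klist(text):
    """Turn klist -f output into Ticket objects; the Flags: field sits on the
    continuation line, so it is attached to the ticket parsed just before it."""
    tickets = []
    for raw in text.splitlines():
        line = raw.strip()
        m = TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(*m.groups()))
            continue
        f = FLAGS_RE.search(line)
        if f and tickets:
            tickets[-1].flags = f.group(1)
    return tickets


def delegation_report(tickets, service_prefix="HTTP/"):
    """Per service ticket: does the client hold what it needs to delegate?
    A Windows SSPI client forwards its TGT only when the service ticket
    carries ok-as-delegate (O) and a forwardable (F) TGT is present."""
    tgt_forwardable = any(
        t.service.startswith("krbtgt/") and t.has("F") for t in tickets)
    report = {}
    for t in tickets:
        if t.service.startswith(service_prefix):
            report[t.service] = {
                "ok_as_delegate": t.has("O"),
                "forwardable_tgt": tgt_forwardable,
                "windows_client_delegates": tgt_forwardable and t.has("O"),
            }
    return report


def ccache_env_check(env):
    """Findings for the KRB5CCNAME mod_auth_kerb exports to the subprocess:
    it must be set, and a FILE: cache holding a delegated TGT should be
    readable by the Apache user only (mode 0600 is this example's choice)."""
    name = env.get("KRB5CCNAME")
    if not name:
        return ["KRB5CCNAME not set in subprocess environment"]
    if not name.startswith("FILE:"):
        return [f"cache type not checked here: {name}"]
    path = name[len("FILE:"):]
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"cache file missing: {path}"]
    if stat.S_IMODE(st.st_mode) & 0o077:
        return [f"cache {path} readable by group/other"]
    return []


if __name__ == "__main__":
    tickets = parse_klist(SAMPLE_KLIST)
    for t in tickets:
        print(f"{t.service:30} {t.flags:5} {', '.join(t.flag_names())}")
    for svc, r in delegation_report(tickets).items():
        print(svc, r)
    print(ccache_env_check(os.environ))  # run inside the CGI/PHP subprocess to test the real env
```

Run against the sample, the report for HTTP/sugi.cbs.dk@CBS.DK shows a forwardable TGT but no ok-as-delegate flag, which is exactly the "Forwardable but no Ok to delegate" state kerbtray reported; on the Linux side the same check on a real `klist -f` capture tells you whether the O flag reached the client after the service principal was marked ok-as-delegate on the KDC. The ccache check is meant to be run from the subprocess itself (the env mod_auth_kerb populates), since that is the environment the question is about.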
