[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.
Douglas E. Engert
deengert at anl.gov
Wed Jul 25 10:36:13 EDT 2007
Looks like it should have worked.
A wireshark trace of the packets would show a lot, as long as
the session is not encrypted.
It could be a size issue. AD can produce very large tickets if you
are in many groups.
It could be an enc-type issue, which the server does not understand.
It could be the client is not delegating.
Wireshark could answer these.
Mikkel Kruse Johnsen wrote:
>
>
> On Mon, 2007-07-23 at 16:27 -0500, Douglas E. Engert wrote:
>>
>> Mikkel Kruse Johnsen wrote:
>> > Hi Markus
>> >
>> > Yes that is what I want. I need the KRB5CCNAME (the credential) so I can
>> > login to my OpenLDAP SASL based server and PostgreSQL with kerberos.
>>
>> So what you need is the Kerberos credentials. I have an older version
>> of mod_auth_kerb; I assume your version has the routine store_gss_creds(),
>> which should be doing this for you, creating the name in
>> create_krb5_ccache() and calling
>> apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
>
> Yes it does contain that function, I'm using mod_auth_kerb 5.3
>
>>
>> Is KrbSaveCredentials being set in the conf file?
>
> Yes it is set. And I have set the:
>
> network.negotiate-auth.delegation-uris = cbs.dk,hhk.dk
> network.negotiate-auth.trusted-uris = cbs.dk,hhk.dk
>
> (Have tried all kinds of combinations. This must be the right one.)
>
>> This controls the saving of credentials:
>> if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
>> store_gss_creds(...)
>>
>> Are the above routines being called?
>
> It seems that "delegated_cred = GSS_C_NO_CREDENTIAL" because the
> store_gss_creds is never called.
> Compiled the mod_auth_kerb with the attached and it is now called, but I
> get in the log:
>
> [Wed Jul 25 11:53:27 2007] [debug] src/mod_auth_kerb.c(1358): [client
> 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
> available, referer: http://od.cbs.dk/phpinfo.php
> [Wed Jul 25 11:53:27 2007] [error] [client 130.226.36.170] Cannot store
> delegated credential (gss_krb5_copy_ccache: Invalid credential was
> supplied (No error)), referer: http://od.cbs.dk/phpinfo.php
>
>>
>> Is the client actually delegating a credential?
>
> So it seems that the credential is never delegated.
>
>>
>> Is the KRB5CCNAME being set in the environment of the subprocess?
>
> Don't know how to check this. The KRB5CCNAME is in the env. with the
> attached patch, but the credentials are never saved to that file.
>
>
> /Mikkel
>
>
>>
>>
>>
>> >
>> > /Mikkel
>> >
>> > On Mon, 2007-07-23 at 19:33 +0100, Markus Moeller wrote:
>> >>
>> >> Storing credentials in a krb5 cache pointing to KRB5CCNAME has nothing
>> >> to do with delegation. You only need delegation if you want Apache to
>> >> log into a backend application with the user's ID. Is that what
>> >> you want? If so, you need to be very careful, as it gives your Apache
>> >> server a lot of power if you don't use constrained delegation. You
>> >> need to protect it like a domain controller !!!
>> >>
>> >> Markus
>> >>
>> >>
>> >> "Mikkel Kruse Johnsen" <mikkel at linet.dk>
>> >> wrote in message news:1184745677.3078.5.camel at tux.lib.cbs.dk...
>> >>
>> >> Hi All
>> >>
>> >> That did the trick, recompiling krb5-1.5 (on RHEL5 64bit) with
>> >> that patch.
>> >>
>> >> Now I only have the problem that mod_auth_kerb doesn't write my
>> >> credentials to KRB5CCNAME (in PHP).
>> >>
>> >> My "kerbtray" under Windows says it is Forwardable but no "Ok to
>> >> delegate", so I guess that is the problem.
>> >>
>> >> Under linux they are forwardable.
>> >>
>> >> ------
>> >> [mkj@tux ~]$ klist -f
>> >> Ticket cache: FILE:/tmp/krb5cc_500
>> >> Default principal: mkj.lib@HHK.DK
>> >>
>> >> Valid starting     Expires            Service principal
>> >> 07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK@HHK.DK
>> >>         renew until 07/19/07 09:16:49, Flags: FRIA
>> >> 07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK@HHK.DK
>> >>         renew until 07/19/07 09:16:49, Flags: FRAO
>> >> 07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk@CBS.DK
>> >>         renew until 07/18/07 09:17:04, Flags: FRAT
>> >> 07/18/07 09:35:35  07/18/07 19:16:55  host/sugi.cbs.dk@CBS.DK
>> >>         renew until 07/18/07 09:35:35, Flags: FRAT
>> >>
>> >>
>> >> Kerberos 4 ticket cache: /tmp/tkt500
>> >> klist: You have no tickets cached
>> >> --------
>> >>
>> >>
>> >> I found how to set ok-as-delegate for Heimdal; how is this done for
>> >> MIT Kerberos?
>> >>
>> >> And how is it done under MS AD ?
>> >>
>> >> /Mikkel
>> >>
>> >>
>> >> On Tue, 2007-07-17 at 21:25 +0200, Achim Grolms wrote:
>> >>> On Tuesday 17 July 2007 09:41, Mikkel Kruse Johnsen wrote:
>> >>>
>> >>> > gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
>> >>> > may provide more information (Cannot allocate memory)
>> >>>
>> >>> What OS and what Kerberos libs do you use?
>> >>> Background of this question:
>> >>>
>> >>> I've seen this error message "Cannot allocate memory"
>> >>> (and its solution) in
>> >>>
>> >>> <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>
>> >>>
>> >>> Achim
>> >> Mikkel Kruse Johnsen
>> >> Linet
>> >> Ørholmgade 6 st tv
>> >> 2200 København N
>> >>
>> >> Tlf: +45 2128 7793
>> >> email: mikkel at linet.dk
>> >> www: http://www.linet.dk
>> >>
>> >> _______________________________________________
>> >> modauthkerb-help mailing list
>> >> modauthkerb-help at lists.sourceforge.net
>> >> https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
>>
> ------------------------------------------------------------------------
>
> diff -r -u mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c mod_auth_kerb-5.3/src/mod_auth_kerb.c
> --- mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c 2007-07-25 11:38:20.000000000 +0200
> +++ mod_auth_kerb-5.3/src/mod_auth_kerb.c 2007-07-25 11:42:40.000000000 +0200
> @@ -1215,6 +1215,8 @@
> spnego_oid.length = 6;
> spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
>
> + OM_uint32 acc_ret_flags;
> +
> if (conf->krb_5_keytab) {
> char *ktname;
> /* we don't use the ap_* calls here, since the string passed to putenv()
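Review bot: the `OM_uint32 acc_ret_flags;` declaration lands in the middle of executable statements (after the `spnego_oid` assignments) and is never initialised; move it up with the function's other local declarations and initialise it (`OM_uint32 acc_ret_flags = 0;`), because `gss_accept_sec_context()` only defines `ret_flags` when it succeeds, so the later `acc_ret_flags & GSS_C_DELEG_FLAG` test would otherwise read an indeterminate value on a failed call or an earlier return path. Mixed declarations and code are also a C99 construct, and Apache module sources of this vintage are commonly built with C89 settings.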
> @@ -1277,7 +1279,7 @@
> &client_name,
> NULL,
> &output_token,
> - NULL,
> + &acc_ret_flags,
> NULL,
> &delegated_cred);
> log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
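Review bot: passing `&acc_ret_flags` instead of `NULL` is the right way to learn what the initiator negotiated, but the value is only meaningful when the call returns GSS_S_COMPLETE, so make sure the status check that follows this call returns before the flags are consulted further down. The `log_rerror(APLOG_DEBUG)` immediately after the call is also the natural place to log the raw `acc_ret_flags` value (e.g. as `%08x`) so that a capture is not needed to see whether the client asked for delegation.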
> @@ -1351,8 +1353,18 @@
> }
> #endif
>
> - if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
> - store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
> + if (conf->krb_save_credentials) {
> + if ( acc_ret_flags & GSS_C_DELEG_FLAG ) {
> + log_rerror( APLOG_MARK, APLOG_DEBUG, 0, r,
> + "krb_save_credentials activated, GSS_C_DELEG_FLAG available", "" );
> +
> + store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
> + }
> + else {
> + log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
> + "krb_save_credentials activated, no GSS_C_DELEG_FLAG", "" );
> + }
> + }
>
> gss_release_buffer(&minor_status, &output_token);
>
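Review bot: the rewrite drops the `delegated_cred != GSS_C_NO_CREDENTIAL` guard and calls `store_gss_creds()` on the flag alone; the two are not equivalent, and the log quoted earlier in this message (flag reported as available, then `gss_krb5_copy_ccache` failing with "Invalid credential was supplied") is exactly the case where they diverge. Keep both conditions, `if ((acc_ret_flags & GSS_C_DELEG_FLAG) && delegated_cred != GSS_C_NO_CREDENTIAL)`, and give the flag-set-but-no-handle case its own diagnostic so the two situations can be told apart in the error log. A client that simply did not delegate is normal operation, so the "no GSS_C_DELEG_FLAG" message belongs at APLOG_DEBUG or APLOG_INFO rather than APLOG_ERR; the trailing `""` argument to both `log_rerror()` calls has no matching conversion in the format string and can be dropped.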
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
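Mikkel's quoted message reports that kerbtray shows his service ticket as Forwardable but without "Ok to delegate"; on a Unix client the same flag appears as the letter O in `klist -f` output. The following is an added example, not code from the thread or from mod_auth_kerb: it parses `klist -f` output and lists the service tickets that lack that flag, reusing the thread's own klist output as a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the thread or from mod_auth_kerb: scan
# `klist -f` output and list service tickets that lack the 'O'
# (OK-AS-DELEGATE) flag, the flag kerbtray shows as "Ok to delegate".

# Reads klist -f output on stdin and prints, one per line, each non-krbtgt
# service principal whose flag string contains no 'O'.
missing_ok_as_delegate() {
  awk '
    # Ticket lines start with the "Valid starting" date (2- or 4-digit
    # year); the service principal is the last field on that line.
    /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]/ { svc = $NF; next }
    # The flag letters follow "Flags:" on the continuation line.
    /Flags:/ {
      flags = $NF
      # TGTs are skipped: the client decides on the service ticket flags.
      if (svc != "" && svc !~ /^krbtgt\// && index(flags, "O") == 0)
        print svc
      svc = ""
    }'
}

# Constructed sample: the klist -f output quoted in the thread, with the
# archive's mailto: residue removed.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@HHK.DK

Valid starting     Expires            Service principal
07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK@HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRIA
07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK@HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRAO
07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk@CBS.DK
        renew until 07/18/07 09:17:04, Flags: FRAT
07/18/07 09:35:35  07/18/07 19:16:55  host/sugi.cbs.dk@CBS.DK
        renew until 07/18/07 09:35:35, Flags: FRAT'

# Number of sample tickets reported (2: the HTTP and host tickets).
count_missing_in_sample() {
  printf '%s\n' "$SAMPLE_KLIST" | missing_ok_as_delegate | wc -l | tr -d ' '
}

# Stand-alone run: the sample first, then the live cache if klist is present.
printf '%s\n' "$SAMPLE_KLIST" | missing_ok_as_delegate
if command -v klist >/dev/null 2>&1; then
  klist -f 2>/dev/null | missing_ok_as_delegate
fi
```

Both cross-realm TGTs are ignored and the two CBS.DK service tickets are reported, matching what kerbtray showed on the Windows side.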