[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Mikkel Kruse Johnsen mikkel at linet.dk
Wed Jul 25 05:55:03 EDT 2007



On Mon, 2007-07-23 at 16:27 -0500, Douglas E. Engert wrote:

> 
> Mikkel Kruse Johnsen wrote:
> > Hi Markus
> > 
> > Yes that is what I want. I need the KRB5CCNAME (the credential) so I can 
> > login to my OpenLDAP SASL based server and PostgreSQL with kerberos.
> 
> So what you need is the Kerberos credentials. I have an older version
> of mod_auth_kerb; I assume your version has the routine store_gss_creds()
> which should be doing this for you, creating the name in
> create_krb5_ccache() and calling
> apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);


Yes it does contain that function, I'm using mod_auth_kerb 5.3


> 
> Is KrbSaveCredentials being set in the conf file?


Yes it is set. And I have set the:

network.negotiate-auth.delegation-uris = cbs.dk,hhk.dk
network.negotiate-auth.trusted-uris = cbs.dk,hhk.dk

(Have tried all kinds of combinations. This must be the right one.)


> This controls the saving of credentials:
>   if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
>     store_gss_creds(...)
> 
> Are the above routines being called?


It seems that "delegated_cred = GSS_C_NO_CREDENTIAL" because
store_gss_creds is never called.
Compiled mod_auth_kerb with the attached patch and it is now called, but I
get in the log:

[Wed Jul 25 11:53:27 2007] [debug] src/mod_auth_kerb.c(1358): [client
130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
available, referer: http://od.cbs.dk/phpinfo.php
[Wed Jul 25 11:53:27 2007] [error] [client 130.226.36.170] Cannot store
delegated credential (gss_krb5_copy_ccache: Invalid credential was
supplied (No error)), referer: http://od.cbs.dk/phpinfo.php


> 
> Is the client actually delegating a credential?


So it seems that the credential is never delegated.


> 
> Is the KRB5CCNAME being set in the environment of the subprocess?


Don't know how to check this. The KRB5CCNAME is in the env. with the
attached patch, but the credentials are never saved to that file.


/Mikkel



> 
> 
> 
> > 
> > /Mikkel
> > 
> > On Mon, 2007-07-23 at 19:33 +0100, Markus Moeller wrote:
> >>  
> >> Storing credentials in a krb5 cache pointing to KRB5CCNAME has nothing 
> >> to do with delegation.  You only need delegation if you want 
> >> Apache to log into a backend application with the user's ID. Is that what 
> >> you want? If so, you need to be very careful as it gives your Apache 
> >> server a lot of power if you don't use constrained delegation.  You 
> >> need to protect it like a domain controller !!! 
> >>   
> >> Markus 
> >>   
> >>
> >>     "Mikkel Kruse Johnsen" <mikkel at linet.dk>
> >>     wrote in message news:1184745677.3078.5.camel at tux.lib.cbs.dk... 
> >>
> >>     Hi All
> >>
> >>     That did the trick, recompiling krb5-1.5 (on RHEL5 64bit) with
> >>     that patch.
> >>
> >>     Now I only have the problem that mod_auth_kerb don't write my
> >>     credentials to KRB5CCNAME (in PHP).
> >>
> >>     My "kerbtray" under windows says it is Forwardable but no "Ok to
> >>     delegate", So I guess that is the problem.
> >>
> >>     Under linux they are forwardable.
> >>
> >>     ------
> >>     [mkj at tux ~]$ klist -f
> >>     Ticket cache: FILE:/tmp/krb5cc_500
> >>     Default principal: mkj.lib at HHK.DK
> >>
> >>     Valid starting     Expires            Service principal
> >>     07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK at HHK.DK
> >>             renew until 07/19/07 09:16:49, Flags: FRIA
> >>     07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK at HHK.DK
> >>             renew until 07/19/07 09:16:49, Flags: FRAO
> >>     07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk at CBS.DK
> >>             renew until 07/18/07 09:17:04, Flags: FRAT
> >>     07/18/07 09:35:35  07/18/07 19:16:55  host/sugi.cbs.dk at CBS.DK
> >>             renew until 07/18/07 09:35:35, Flags: FRAT
> >>
> >>
> >>     Kerberos 4 ticket cache: /tmp/tkt500
> >>     klist: You have no tickets cached
> >>     --------
> >>
> >>
> >>     I found how to set ok-as-delegate for heimdal how is this done for
> >>     MIT kerberos ?
> >>
> >>     And how is it done under MS AD ?
> >>
> >>     /Mikkel
> >>
> >>
> >>     On Tue, 2007-07-17 at 21:25 +0200, Achim Grolms wrote:
> >>>     On Tuesday 17 July 2007 09:41, Mikkel Kruse Johnsen wrote:
> >>>
> >>>     > gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
> >>>     > may provide more information (Cannot allocate memory)
> >>>
> >>>     What OS and what Kerberoslibs do you use?
> >>>     Background of this question:
> >>>
> >>>     I've seen this errormessage "Cannot allocate memory"
> >>>     (and it's solution) in
> >>>
> >>>     <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>
> >>>
> >>>     Achim
> >>     Mikkel Kruse Johnsen
> >>     Linet
> >>     Ørholmgade 6 st tv
> >>     2200 København N
> >>
> >>     Tlf: +45 2128 7793
> >>     email: mikkel at linet.dk
> >>     www: http://www.linet.dk

Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: mikkel at linet.dk
www: http://www.linet.dk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod_auth_kerb-5.3-deleg.patch
Type: text/x-patch
Size: 1413 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20070725/db6076ed/attachment.bin
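An added diagnostic for the "forwardable but not ok-as-delegate" situation discussed in this thread (example code written here, not part of mod_auth_kerb or the attached patch): it parses klist -f output, using a constructed sample modelled on the tickets quoted above, and reports for each HTTP/ service ticket whether it carries the O flag and whether the TGT for that realm (the cross-realm krbtgt/CBS.DK@HHK.DK in this case) carries F, the two conditions a Windows client needs before it will delegate.

```python
import re

# Constructed sample modelled on the klist -f output quoted in the thread.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@HHK.DK

Valid starting     Expires            Service principal
07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK@HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRIA
07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK@HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRAO
07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk@CBS.DK
        renew until 07/18/07 09:17:04, Flags: FRAT
"""

# A ticket line is two date/time pairs followed by the service principal; the
# flag letters (F forwardable, R renewable, O ok-as-delegate, ...) follow on
# the next line, with or without a "renew until" prefix.
TICKET_RE = re.compile(r"^\d\S* \S+\s+\d\S* \S+\s+(?P<princ>\S+)\s*$")
FLAGS_RE = re.compile(r"Flags:\s*(?P<flags>[A-Za-z]+)")


def parse_klist(text):
    """Map each service principal in klist -f output to its set of flag letters."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = m.group("princ")
            tickets[current] = set()
        elif current is not None and (m := FLAGS_RE.search(line)):
            tickets[current] |= set(m.group("flags"))
    return tickets


def delegation_report(text, service_prefix="HTTP/"):
    """Per HTTP/ ticket: would a Windows (SSPI) client delegate to it?
    SSPI forwards the TGT only if the service ticket is ok-as-delegate (O,
    kerbtray's "Ok to delegate") and the realm's TGT is forwardable (F)."""
    tickets = parse_klist(text)
    report = {}
    for princ, flags in tickets.items():
        if not princ.startswith(service_prefix):
            continue
        realm = princ.rsplit("@", 1)[1]
        # Cross-realm: the TGT that matters is krbtgt/<service realm>@<home realm>.
        tgt_ok = any("F" in f for p, f in tickets.items()
                     if p.startswith(f"krbtgt/{realm}@"))
        report[princ] = {"ok_as_delegate": "O" in flags,
                         "tgt_forwardable": tgt_ok,
                         "will_delegate": "O" in flags and tgt_ok}
    return report
```

For the sample above the HTTP/ ticket has a forwardable cross-realm TGT but no O flag, so the report says the client will not delegate, which matches the "Cannot store delegated credential" log line: mod_auth_kerb never receives a credential to store.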

