[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Mikkel Kruse Johnsen mikkel at linet.dk
Thu Jul 26 10:16:58 EDT 2007


Hi Douglas

I'm not sure what to look for, but here is the dump, in case you are able to
see anything. Done with Wireshark.

/Mikkel

On Wed, 2007-07-25 at 09:36 -0500, Douglas E. Engert wrote:

> Looks like it should have worked.
> 
> A wireshark trace of the packets would show a lot, as long as
> the session is not encrypted.
> 
> It could be a size issue. AD can produce very large tickets if you
> are in many groups.
> 
> It could be an enc-type issue, which the server does not understand
> 
> It could be the client is not delegating.
> 
> Wireshark could answer these.
> 
> 
> 
> Mikkel Kruse Johnsen wrote:
> > 
> > 
> > On Mon, 2007-07-23 at 16:27 -0500, Douglas E. Engert wrote:
> >>
> >> Mikkel Kruse Johnsen wrote:
> >> > Hi Markus
> >> > 
> >> > Yes that is what I want. I need the KRB5CCNAME (the credential) so I can 
> >> > login to my OpenLDAP SASL based server and PostgreSQL with kerberos.
> >>
> >> So what you need is the Kerberos credentials. I have an older version
> >> of mod_auth_kerb. I assume your version has the routine store_gss_creds()
> >> which should be doing this for you and creating the name in
> >> create_krb5_ccache(), and calling
> >> apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
> > 
> > Yes it does contain that function, I'm using mod_auth_kerb 5.3
> > 
> >>
> >> Is KrbSaveCredentials being set in the conf file?
> > 
> > Yes it is set. And I have set the:
> > 
> > network.negotiate-auth.delegation-uris = cbs.dk,hhk.dk
> > network.negotiate-auth.trusted-uris = cbs.dk,hhk.dk
> > 
> > (Have tried all kinds of combinations. This must be the right one.)
> > 
> >> This controls the saving of credentials:
> >>   if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
> >>     store_gss_creds(...)
> >>
> >> Are the above routines being called?
> > 
> > It seems that "delegated_cred = GSS_C_NO_CREDENTIAL" because the 
> > store_gss_creds is never called.
> > Compiled the mod_auth_kerb with the attached patch and it is now called but I 
> > get in the log:
> > 
> > [Wed Jul 25 11:53:27 2007] [debug] src/mod_auth_kerb.c(1358): [client 
> > 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG 
> > available, referer: http://od.cbs.dk/phpinfo.php
> > [Wed Jul 25 11:53:27 2007] [error] [client 130.226.36.170] Cannot store 
> > delegated credential (gss_krb5_copy_ccache: Invalid credential was 
> > supplied (No error)), referer: http://od.cbs.dk/phpinfo.php
> > 
> >>
> >> Is the client actually delegating a credential?
> > 
> > So it seems that the credential is never delegated.
> > 
> >>
> >> Is the KRB5CCNAME being set in the environment of the subprocess?
> > 
> > Don't know how to check this. The KRB5CCNAME is in the env. with the 
> > attached patch but the credentials are never saved to that file.
> > 
> > 
> > /Mikkel
> > 
> > 
> >>
> >>
> >>
> >> > 
> >> > /Mikkel
> >> > 
> >> > On Mon, 2007-07-23 at 19:33 +0100, Markus Moeller wrote:
> >> >>  
> >> >> Storing credentials in a krb5 cache pointing to KRB5CCNAME has nothing 
> >> >> to do with delegation.  You only need delegation if you want 
> >> >> Apache to log into a backend application with the user's ID. Is that what 
> >> >> you want? If so, you need to be very careful as it gives your apache 
> >> >> server a lot of power if you don't use constrained delegation.  You 
> >> >> need to protect it like a domain controller !!! 
> >> >>   
> >> >> Markus 
> >> >>   
> >> >>
> >> >>     "Mikkel Kruse Johnsen" <mikkel at linet.dk> wrote in message
> >> >>     news:1184745677.3078.5.camel at tux.lib.cbs.dk...
> >> >>
> >> >>     Hi All
> >> >>
> >> >>     That did the trick, recompiling krb5-1.5 (on RHEL5 64bit) with
> >> >>     that patch.
> >> >>
> >> >>     Now I only have the problem that mod_auth_kerb doesn't write my
> >> >>     credentials to KRB5CCNAME (in PHP).
> >> >>
> >> >>     My "kerbtray" under windows says it is Forwardable but no "Ok to
> >> >>     delegate", so I guess that is the problem.
> >> >>
> >> >>     Under linux they are forwardable.
> >> >>
> >> >>     ------
> >> >>     [mkj at tux ~]$ klist -f
> >> >>     Ticket cache: FILE:/tmp/krb5cc_500
> >> >>     Default principal: mkj.lib at HHK.DK
> >> >>
> >> >>     Valid starting     Expires            Service principal
> >> >>     07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK at HHK.DK
> >> >>             renew until 07/19/07 09:16:49, Flags: FRIA
> >> >>     07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK at HHK.DK
> >> >>             renew until 07/19/07 09:16:49, Flags: FRAO
> >> >>     07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk at CBS.DK
> >> >>             renew until 07/18/07 09:17:04, Flags: FRAT
> >> >>     07/18/07 09:35:35  07/18/07 19:16:55  host/sugi.cbs.dk at CBS.DK
> >> >>             renew until 07/18/07 09:35:35, Flags: FRAT
> >> >>
> >> >>
> >> >>     Kerberos 4 ticket cache: /tmp/tkt500
> >> >>     klist: You have no tickets cached
> >> >>     --------
> >> >>
> >> >>
> >> >>     I found how to set ok-as-delegate for Heimdal; how is this done for
> >> >>     MIT Kerberos?
> >> >>
> >> >>     And how is it done under MS AD ?
> >> >>
> >> >>     /Mikkel
> >> >>
> >> >>
> >> >>     On Tue, 2007-07-17 at 21:25 +0200, Achim Grolms wrote:
> >> >>>     On Tuesday 17 July 2007 09:41, Mikkel Kruse Johnsen wrote:
> >> >>>
> >> >>>     > gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
> >> >>>     > may provide more information (Cannot allocate memory)
> >> >>>
> >> >>>     What OS and what Kerberos libs do you use?
> >> >>>     Background of this question:
> >> >>>
> >> >>>     I've seen this error message "Cannot allocate memory"
> >> >>>     (and its solution) in
> >> >>>
> >> >>>     <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>
> >> >>>
> >> >>>     Achim
> >> >>     Mikkel Kruse Johnsen
> >> >>     Linet
> >> >>     Ørholmgade 6 st tv
> >> >>     2200 København N
> >> >>
> >> >>     Tlf: +45 2128 7793
> >> >>     email: mikkel at linet.dk <mailto:mikkel at linet.dk>
> >> >>     www: http://www.linet.dk
> >> >>
> >> >>
> >> >>     ------------------------------------------------------------------------
> >> >>
> >> >>
> >> >>     -------------------------------------------------------------------------
> >> >>     This SF.net email is sponsored by DB2 Express
> >> >>     Download DB2 Express C - the FREE version of DB2 express and take
> >> >>     control of your XML. No limits. Just data. Click to get it now.
> >> >>     http://sourceforge.net/powerbar/db2/
> >> >>
> >> >>     ------------------------------------------------------------------------
> >> >>
> >> >>
> >> >>     _______________________________________________
> >> >>     modauthkerb-help mailing list
> >> >>     modauthkerb-help at lists.sourceforge.net <mailto:modauthkerb-help at lists.sourceforge.net>
> >> >>     https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
> >> >>
> >>
> > 
> > 
> > ------------------------------------------------------------------------
> > 
> > diff -r -u mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c mod_auth_kerb-5.3/src/mod_auth_kerb.c
> > --- mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c	2007-07-25 11:38:20.000000000 +0200
> > +++ mod_auth_kerb-5.3/src/mod_auth_kerb.c	2007-07-25 11:42:40.000000000 +0200
> > @@ -1215,6 +1215,8 @@
> >    spnego_oid.length = 6;
> >    spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
> >  
> > +  OM_uint32 acc_ret_flags;
> > +
> >    if (conf->krb_5_keytab) {
> >       char *ktname;
> >       /* we don't use the ap_* calls here, since the string passed to putenv()
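Review bot: `acc_ret_flags` is declared after executable statements (the `spnego_oid` assignments), a C99 mixed declaration that the rest of this function avoids; move it up with the other locals and initialise it, `OM_uint32 acc_ret_flags = 0;`, since the later `acc_ret_flags & GSS_C_DELEG_FLAG` test reads it and the variable stays unwritten on any path where gss_accept_sec_context does not get as far as filling in ret_flags.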
> > @@ -1277,7 +1279,7 @@
> >  				  &client_name,
> >  				  NULL,
> >  				  &output_token,
> > -				  NULL,
> > +				  &acc_ret_flags,
> >  				  NULL,
> >  				  &delegated_cred);
> >    log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
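Review bot: passing `&acc_ret_flags` in the ret_flags slot is the right way to find out whether a credential was delegated, but the value is only authoritative once gss_accept_sec_context has returned GSS_S_COMPLETE; it would help to log `acc_ret_flags` in the debug line that follows so that the flag value and the major/minor status appear together in the error log.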
> > @@ -1351,8 +1353,18 @@
> >    }
> >  #endif
> >  
> > -  if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
> > -     store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
> > +  if (conf->krb_save_credentials) {
> > +    if ( acc_ret_flags & GSS_C_DELEG_FLAG ) {      
> > +      log_rerror( APLOG_MARK, APLOG_DEBUG, 0, r,
> > +      	"krb_save_credentials activated, GSS_C_DELEG_FLAG available", "" );
> > + 
> > +      store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
> > +    }
> > +    else {
> > +      log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
> > +        "krb_save_credentials activated, no GSS_C_DELEG_FLAG", "" );
> > +    }
> > +  }	 
> >  
> >    gss_release_buffer(&minor_status, &output_token);
> >  
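Review bot: the rewritten condition drops the original `delegated_cred != GSS_C_NO_CREDENTIAL` guard, so `store_gss_creds` is now called whenever GSS_C_DELEG_FLAG is set even if no credential handle came back, which is exactly the combination the log above shows ("GSS_C_DELEG_FLAG available" immediately followed by "gss_krb5_copy_ccache: Invalid credential was supplied"); keep both tests, `if ((acc_ret_flags & GSS_C_DELEG_FLAG) && delegated_cred != GSS_C_NO_CREDENTIAL)`, and log the flag-set-but-no-handle case as its own message so the two failure modes can be told apart. Minor points: the trailing `""` argument to each log_rerror matches no conversion in its format string and can be dropped, and the closing `}` line carries trailing whitespace.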
> 

Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: mikkel at linet.dk
www: http://www.linet.dk
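As an added diagnostic example for what this thread is chasing (not code from mod_auth_kerb or from any of the posters): a small Python script that parses the `klist -f` listing quoted above, decodes the ticket flag letters, reports which service tickets are forwardable but lack the ok-as-delegate flag, and checks whether the KRB5CCNAME a PHP/CGI subprocess sees points at a non-empty cache file. SAMPLE_KLIST is reconstructed from the listing in the thread; the environment dictionaries are constructed for the demonstration.

```python
"""Decode `klist -f` ticket flags and sanity-check KRB5CCNAME.

Added example for the thread above, not code from mod_auth_kerb or any
poster. SAMPLE_KLIST is reconstructed from the thread's listing; any
environment dict passed to check_ccname() is constructed.
"""
import os
import re
from dataclasses import dataclass

# Flag letters as printed by MIT Kerberos `klist -f` (see klist(1)).
FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hardware-authenticated", "A": "preauthenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}

# Ticket line: "valid-from  expires  service-principal".
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")
# Continuation line: "renew until ..., Flags: FRAO".
FLAGS_RE = re.compile(r"Flags:\s*([A-Za-z]+)")

# Reconstructed from the thread's klist -f output (mailto debris removed).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@HHK.DK

Valid starting     Expires            Service principal
07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK@HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRIA
07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK@HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRAO
07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk@CBS.DK
        renew until 07/18/07 09:17:04, Flags: FRAT
07/18/07 09:35:35  07/18/07 19:16:55  host/sugi.cbs.dk@CBS.DK
        renew until 07/18/07 09:35:35, Flags: FRAT
"""


@dataclass
class Ticket:
    service: str
    valid_from: str
    expires: str
    flags: str = ""

    def describe(self):
        """Expand the flag letters into their klist(1) meanings."""
        return [FLAG_NAMES.get(c, "unknown:" + c) for c in self.flags]


def parse_klist(text):
    """Parse a `klist -f` listing: each ticket line is followed by an
    indented continuation line carrying the renew-until time and flags."""
    tickets = []
    for raw in text.splitlines():
        line = raw.strip()
        m = TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(m.group(3), m.group(1), m.group(2)))
            continue
        f = FLAGS_RE.search(line)
        if f and tickets:
            tickets[-1].flags = f.group(1)
    return tickets


def delegation_report(tickets):
    """Map each service ticket (krbtgt entries skipped) to a verdict.

    The acceptor only ever sees a delegated credential if the client chose
    to forward its TGT. A Windows SSPI client decides that from the service
    ticket's own flags: forwardable (F) and ok-as-delegate (O), the latter
    set by the KDC when the service account is trusted for delegation.
    """
    report = {}
    for t in tickets:
        if t.service.startswith("krbtgt/"):
            continue
        if "F" not in t.flags:
            report[t.service] = "not forwardable: client cannot delegate"
        elif "O" not in t.flags:
            report[t.service] = ("forwardable but not ok-as-delegate: a client "
                                 "that honours the flag will not forward its TGT")
        else:
            report[t.service] = "forwardable and ok-as-delegate: delegation possible"
    return report


def check_ccname(env):
    """Check the KRB5CCNAME a CGI/PHP subprocess sees. Returns (ok, reason)."""
    name = env.get("KRB5CCNAME")
    if not name:
        return False, "KRB5CCNAME not present in the subprocess environment"
    path = name[len("FILE:"):] if name.startswith("FILE:") else name
    if not os.path.isfile(path):
        return False, "cache file %s does not exist" % path
    if os.path.getsize(path) == 0:
        return False, "cache file %s is empty: no credential was stored" % path
    return True, "cache file %s has content" % path


if __name__ == "__main__":
    tickets = parse_klist(SAMPLE_KLIST)
    for t in tickets:
        print("%-26s %-5s %s" % (t.service, t.flags, ", ".join(t.describe())))
    for service, verdict in delegation_report(tickets).items():
        print(service, "->", verdict)
    print(check_ccname(os.environ))  # run from the PHP/CGI process to test the real env
```

Run on the thread's listing, the two `sugi.cbs.dk` tickets come out as forwardable (F) but without O, matching what kerbtray showed on the Windows client; the O on the cross-realm krbtgt is a property of that TGT, not of the HTTP/ service ticket. Calling `check_ccname(os.environ)` from the PHP script is a direct answer to "don't know how to check this": it distinguishes a missing variable from a cache file that was created but never written.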

