[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Douglas E. Engert deengert at anl.gov
Thu Jul 26 11:22:51 EDT 2007


Attached is the Wireshark print output of the GET request showing
the SPNEGO and GSSAPI.

In the original trace, the client does request a ticket to delegate,
but it looks like it is not delegating it.

It looks like it is:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.5) Gecko/20070718 Fedora/2.0.0.5-1.fc7 Firefox/2.0.0.5\r\n


I Googled for:
FireFox SPNEGO delegation
and found among other articles:

http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_SPNEGO_config_web.html


Complete the following steps to ensure that your Firefox browser is enabled to perform SPNEGO authentication.

1. At the desktop, log in to the Windows Active Directory domain.
2. Activate Firefox.
3. At the address field, type about:config.
4. In the Filter, type network.n
5. Double click on network.negotiate-auth.trusted-uris. This preference lists the sites that are permitted to engage in SPNEGO Authentication with the browser. Enter a comma-delimited list of trusted domains or URLs.
   Note: You must set the value for network.negotiate-auth.trusted-uris.
6. If the deployed SPNEGO solution is using the advanced Kerberos feature of Credential Delegation, double click on network.negotiate-auth.delegation-uris. This preference lists the sites for which the browser may delegate user authorization to the server. Enter a comma-delimited list of trusted domains or URLs.
7. Click OK. The configuration appears as updated.
8. Restart your Firefox browser to activate this configuration.


Mikkel Kruse Johnsen wrote:
> Hi Douglas
> 
> I'm not sure what to look for, but here is the dump, if you are able to 
> see anything. Done with Wireshark.
> 
> /Mikkel
> 
> On Wed, 2007-07-25 at 09:36 -0500, Douglas E. Engert wrote:
>> Looks like it should have worked.
>>
>> A wireshark trace of the packets would show a lot, as long as
>> the session is not encrypted.
>>
>> It could be a size issue. AD can produce very large tickets if you
>> are in many groups.
>>
>> It could be an enc-type issue (an encryption type the server does not understand).
>>
>> It could be the client is not delegating.
>>
>> Wireshark could answer these.
>>
>>
>>
>> Mikkel Kruse Johnsen wrote:
>> > 
>> > 
>> > On Mon, 2007-07-23 at 16:27 -0500, Douglas E. Engert wrote:
>> >>
>> >> Mikkel Kruse Johnsen wrote:
>> >> > Hi Markus
>> >> > 
>> >> > Yes that is what I want. I need the KRB5CCNAME (the credential) so I can 
>> >> > login to my OpenLDAP SASL based server and PostgreSQL with kerberos.
>> >>
>> >> So what you need is the Kerberos credentials. I have an older version
>> >> of mod_auth_kerb; I assume your version has the routine store_gss_creds(),
>> >> which should be doing this for you, creating the name in
>> >> create_krb5_ccache() and calling
>> >> apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
>> > 
>> > Yes it does contain that function, I'm using mod_auth_kerb 5.3
>> > 
>> >>
>> >> Is KrbSaveCredentials being set in the conf file?
>> > 
>> > Yes it is set. And I have set the:
>> > 
>> > network.negotiate-auth.delegation-uris = cbs.dk,hhk.dk
>> > network.negotiate-auth.trusted-uris = cbs.dk,hhk.dk
>> > 
>> > (Have tried all kinds of combinations. This must be the right one.)
>> > 
>> >> This controls the saving of credentials:
>> >>   if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
>> >>     store_gss_creds(...)
>> >>
>> >> Are the above routines being called?
>> > 
>> > It seems that "delegated_cred = GSS_C_NO_CREDENTIAL" because
>> > store_gss_creds is never called.
>> > Compiled mod_auth_kerb with the attached and it is now called, but I
>> > get in the log:
>> > 
>> > [Wed Jul 25 11:53:27 2007] [debug] src/mod_auth_kerb.c(1358): [client 
>> > 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG 
>> > available, referer: http://od.cbs.dk/phpinfo.php
>> > [Wed Jul 25 11:53:27 2007] [error] [client 130.226.36.170] Cannot store 
>> > delegated credential (gss_krb5_copy_ccache: Invalid credential was 
>> > supplied (No error)), referer: http://od.cbs.dk/phpinfo.php
>> > 
>> >>
>> >> Is the client actually delegating a credential?
>> > 
>> > So it seems that the credential is never delegated.
>> > 
>> >>
>> >> Is the KRB5CCNAME being set in the environment of the subprocess?
>> > 
>> > Don't know how to check this. The KRB5CCNAME is in the env. with the 
>> > attached patch, but the credentials are never saved to that file.
>> > 
>> > 
>> > /Mikkel
>> > 
>> > 
>> >>
>> >>
>> >>
>> >> > 
>> >> > /Mikkel
>> >> > 
>> >> > On Mon, 2007-07-23 at 19:33 +0100, Markus Moeller wrote:
>> >> >>  
>> >> >> Storing credentials in a krb5 cache pointing to KRB5CCNAME has nothing 
>> >> >> to do with delegation.  You only need delegation if you want 
>> >> >> Apache to log into a backend application with the user's ID. Is that what 
>> >> >> you want? If so, you need to be very careful, as it gives your Apache 
>> >> >> server a lot of power if you don't use constrained delegation.  You 
>> >> >> need to protect it like a domain controller !!! 
>> >> >>   
>> >> >> Markus 
>> >> >>   
>> >> >>
>> >> >>     "Mikkel Kruse Johnsen" <mikkel at linet.dk>
>> >> >>     wrote in message news:1184745677.3078.5.camel at tux.lib.cbs.dk... 
>> >> >>
>> >> >>     Hi All
>> >> >>
>> >> >>     That did the trick, recompiling krb5-1.5 (on RHEL5 64bit) with
>> >> >>     that patch.
>> >> >>
>> >> >>     Now I only have the problem that mod_auth_kerb doesn't write my
>> >> >>     credentials to KRB5CCNAME (in PHP).
>> >> >>
>> >> >>     My "kerbtray" under Windows says it is Forwardable but no "Ok to
>> >> >>     delegate", so I guess that is the problem.
>> >> >>
>> >> >>     Under linux they are forwardable.
>> >> >>
>> >> >>     ------
>> >> >>     [mkj at tux ~]$ klist -f
>> >> >>     Ticket cache: FILE:/tmp/krb5cc_500
>> >> >>     Default principal: mkj.lib@HHK.DK
>> >> >>
>> >> >>     Valid starting     Expires            Service principal
>> >> >>     07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK@HHK.DK
>> >> >>             renew until 07/19/07 09:16:49, Flags: FRIA
>> >> >>     07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK@HHK.DK
>> >> >>             renew until 07/19/07 09:16:49, Flags: FRAO
>> >> >>     07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk@CBS.DK
>> >> >>             renew until 07/18/07 09:17:04, Flags: FRAT
>> >> >>     07/18/07 09:35:35  07/18/07 19:16:55  host/sugi.cbs.dk@CBS.DK
>> >> >>             renew until 07/18/07 09:35:35, Flags: FRAT
>> >> >>
>> >> >>
>> >> >>     Kerberos 4 ticket cache: /tmp/tkt500
>> >> >>     klist: You have no tickets cached
>> >> >>     --------
>> >> >>
>> >> >>
>> >> >>     I found how to set ok-as-delegate for Heimdal; how is this done for
>> >> >>     MIT Kerberos?
>> >> >>
>> >> >>     And how is it done under MS AD?
>> >> >>
>> >> >>     /Mikkel
>> >> >>
>> >> >>
>> >> >>     On Tue, 2007-07-17 at 21:25 +0200, Achim Grolms wrote:
>> >> >>>     On Tuesday 17 July 2007 09:41, Mikkel Kruse Johnsen wrote:
>> >> >>>
>> >> >>>     > gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
>> >> >>>     > may provide more information (Cannot allocate memory)
>> >> >>>
>> >> >>>     What OS and what Kerberos libs do you use?
>> >> >>>     Background of this question:
>> >> >>>
>> >> >>>     I've seen this error message "Cannot allocate memory"
>> >> >>>     (and its solution) in
>> >> >>>
>> >> >>>     <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>
>> >> >>>
>> >> >>>     Achim
>> >> >>     Mikkel Kruse Johnsen
>> >> >>     Linet
>> >> >>     Ørholmgade 6 st tv
>> >> >>     2200 København N
>> >> >>
>> >> >>     Tlf: +45 2128 7793
>> >> >>     email: mikkel at linet.dk
>> >> >>     www: http://www.linet.dk
>> >> >>
>> >> >>
>> >> >>     _______________________________________________
>> >> >>     modauthkerb-help mailing list
>> >> >>     modauthkerb-help at lists.sourceforge.net
>> >> >>     https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
>> >> >>
>> >>
>> > 
>> > diff -r -u mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c mod_auth_kerb-5.3/src/mod_auth_kerb.c
>> > --- mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c	2007-07-25 11:38:20.000000000 +0200
>> > +++ mod_auth_kerb-5.3/src/mod_auth_kerb.c	2007-07-25 11:42:40.000000000 +0200
>> > @@ -1215,6 +1215,8 @@
>> >    spnego_oid.length = 6;
>> >    spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
>> >  
>> > +  OM_uint32 acc_ret_flags;
>> > +
>> >    if (conf->krb_5_keytab) {
>> >       char *ktname;
>> >       /* we don't use the ap_* calls here, since the string passed to putenv()
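Review bot: `OM_uint32 acc_ret_flags;` lands after executable statements (the `spnego_oid.length` / `spnego_oid.elements` assignments), a mixed declaration that C89 compilers reject and that the rest of this function does not use; move it up with the function's other locals and give it a zero initialiser (`OM_uint32 acc_ret_flags = 0;`) so the later `acc_ret_flags & GSS_C_DELEG_FLAG` test is well defined on any path where gss_accept_sec_context() did not store into it.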
>> > @@ -1277,7 +1279,7 @@
>> >  				  &client_name,
>> >  				  NULL,
>> >  				  &output_token,
>> > -				  NULL,
>> > +				  &acc_ret_flags,
>> >  				  NULL,
>> >  				  &delegated_cred);
>> >    log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
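Review bot: passing `&acc_ret_flags` in the ret_flags slot is the right hook, but the `log_rerror(APLOG_MARK, APLOG_DEBUG, ...)` immediately after the call is where the value should be recorded: log `acc_ret_flags` (in hex) next to the major/minor status, so a debug trace shows whether GSS_C_DELEG_FLAG was reported at all instead of that only surfacing in the save-credentials branch further down. Keep in mind that ret_flags is only meaningful once the call has returned GSS_S_COMPLETE; a GSS_S_CONTINUE_NEEDED round may leave it partial.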
>> > @@ -1351,8 +1353,18 @@
>> >    }
>> >  #endif
>> >  
>> > -  if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
>> > -     store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
>> > +  if (conf->krb_save_credentials) {
>> > +    if ( acc_ret_flags & GSS_C_DELEG_FLAG ) {      
>> > +      log_rerror( APLOG_MARK, APLOG_DEBUG, 0, r,
>> > +      	"krb_save_credentials activated, GSS_C_DELEG_FLAG available", "" );
>> > + 
>> > +      store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
>> > +    }
>> > +    else {
>> > +      log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
>> > +        "krb_save_credentials activated, no GSS_C_DELEG_FLAG", "" );
>> > +    }
>> > +  }	 
>> >  
>> >    gss_release_buffer(&minor_status, &output_token);
>> >  
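Review bot: the new condition drops the `delegated_cred != GSS_C_NO_CREDENTIAL` guard that the replaced line carried, and the log excerpt earlier in this message shows the consequence: GSS_C_DELEG_FLAG is set, store_gss_creds() runs, and gss_krb5_copy_ccache fails with "Invalid credential was supplied" because there is no credential handle to copy. Test both, `if ((acc_ret_flags & GSS_C_DELEG_FLAG) && delegated_cred != GSS_C_NO_CREDENTIAL)`, and log the flag-set-but-no-handle combination as its own message, since that is the interesting diagnostic here (the client asked for delegation, the acceptor produced nothing to store). Minor: the two `log_rerror(..., "...", "")` calls pass a spare empty-string argument the format never consumes, and the closing `}` line carries a tab plus trailing whitespace.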
>>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
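The klist -f flag letters in Mikkel's output (FRIA, FRAO, FRAT) and the ok-as-delegate question are easier to reason about with a small decoder. The following Python script is an added example, not part of mod_auth_kerb or MIT krb5: it parses klist -f text, expands the flag letters, and reports what the cache implies for delegating the user's TGT to a given service. Its sample input is the klist output quoted above (with "@" restored where the archive prints "at"); the flag letters are those documented for MIT klist. The rules encoded in the notes are facts about the libraries rather than about the thread's code: GSSAPI delegation forwards the client's own home-realm TGT, so that TGT must be forwardable; Windows SSPI only delegates to a service whose ticket carries ok-as-delegate; MIT krb5's GSSAPI delegates whenever the application requests GSS_C_DELEG_FLAG, and only GSS_C_DELEG_POLICY_FLAG (added in krb5 1.7) honours ok-as-delegate. For reference, MIT sets ok-as-delegate per principal with kadmin's +ok_as_delegate attribute, and AD sets it on tickets for accounts marked "Trust this computer for delegation", i.e. the unconstrained delegation Markus warns about.

```python
import re

# Flag letters as printed by MIT krb5 `klist -f` (see the klist man page).
KLIST_FLAGS = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hardware-authenticated", "A": "preauthenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}

# The klist output quoted in this thread, with "@" restored where the list
# archive prints " at ".
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@HHK.DK

Valid starting     Expires            Service principal
07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK@HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRIA
07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK@HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRAO
07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk@CBS.DK
        renew until 07/18/07 09:17:04, Flags: FRAT
07/18/07 09:35:35  07/18/07 19:16:55  host/sugi.cbs.dk@CBS.DK
        renew until 07/18/07 09:35:35, Flags: FRAT
"""

# A ticket line: two timestamps, then the service principal. The flags follow on
# the next line (after "renew until ..." when the ticket is renewable).
_TICKET_RE = re.compile(r"^(\S+ \d\d:\d\d:\d\d)\s+(\S+ \d\d:\d\d:\d\d)\s+(\S+)")
_FLAGS_RE = re.compile(r"Flags:\s*([A-Za-z]+)")


def describe_flags(letters):
    """Expand a flag string such as 'FRAO' into the properties it encodes."""
    return [KLIST_FLAGS.get(c, "unknown(%s)" % c) for c in letters]


def parse_klist(text):
    """Return (default principal, {service principal: set of flag letters}).

    Two cached tickets for the same service (e.g. one expired) collapse into
    one entry here; klist lists them separately."""
    principal, tickets, current = None, {}, None
    for line in text.splitlines():
        m = re.match(r"Default principal:\s+(\S+)", line)
        if m:
            principal = m.group(1)
            continue
        m = _TICKET_RE.match(line)
        if m:
            current = m.group(3)
            tickets[current] = set()
            continue
        m = _FLAGS_RE.search(line)
        if m and current is not None:
            tickets[current] |= set(m.group(1))
    return principal, tickets


def delegation_report(text, service):
    """What the cache says about delegating the user's TGT to `service`.

    Delegation forwards the client's own home-realm TGT, so it must be
    forwardable (F). Windows SSPI additionally requires ok-as-delegate (O) on
    the service ticket; MIT GSSAPI delegates whenever the application asks for
    GSS_C_DELEG_FLAG (only GSS_C_DELEG_POLICY_FLAG, krb5 >= 1.7, honours O)."""
    principal, tickets = parse_klist(text)
    realm = principal.rsplit("@", 1)[1]
    tgt = tickets.get("krbtgt/%s@%s" % (realm, realm), set())
    svc = tickets.get(service)
    report = {
        "tgt_forwardable": "F" in tgt,
        "service_ticket_cached": svc is not None,
        "service_ok_as_delegate": svc is not None and "O" in svc,
        "notes": [],
    }
    if not report["tgt_forwardable"]:
        report["notes"].append("client TGT is not forwardable: nothing can be delegated")
    if svc is None:
        report["notes"].append("no ticket for %s cached yet; it is fetched on first use" % service)
    elif "O" not in svc:
        report["notes"].append("%s ticket lacks ok-as-delegate: Windows SSPI clients will not "
                               "delegate to it; MIT clients will if the application asks" % service)
    return report
```

Run against the quoted cache, delegation_report(SAMPLE_KLIST, "HTTP/sugi.cbs.dk@CBS.DK") reports a forwardable TGT but no ok-as-delegate on the HTTP ticket, which matches what kerbtray showed on the Windows side ("Forwardable" but no "Ok to delegate").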
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: wireshark.txt
Url: http://mailman.mit.edu/pipermail/kerberos/attachments/20070726/2543f30d/attachment.txt
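Douglas's three hypotheses (ticket size, enctype, no delegation) can be partly checked from the client's Authorization: Negotiate header alone, which is what the attached Wireshark output shows. The mechanism list, the ticket's realm and service name, its enctype and the overall token size are in the clear; the delegation flag and the forwarded KRB-CRED sit inside the AP-REQ authenticator, which is encrypted under the session key, so they only become visible when Wireshark is given the service keytab. The following Python script is an added example (not code from mod_auth_kerb, MIT krb5 or Wireshark) that walks the DER of such a token with only the standard library. The header it inspects is constructed by its own build_sample_token() helper, not a capture; the OIDs and enctype numbers are the registered ones, and 8190 bytes is Apache's default LimitRequestFieldSize.

```python
import base64
# DER-encoded OID contents and enctype numbers seen in SPNEGO/Kerberos tokens.
SPNEGO_OID, KRB5_OID = b"\x2b\x06\x01\x05\x05\x02", b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"
MS_KRB5_OID = b"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"      # 1.2.840.48018.1.2.2; Windows usually lists it first
OIDS = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos V5", MS_KRB5_OID: "MS KRB5 (legacy OID)",
        b"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a": "NTLMSSP"}
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
APACHE_DEFAULT_FIELD_LIMIT = 8190  # Apache's default LimitRequestFieldSize, in bytes

def der_read(buf, pos=0):                                  # one DER TLV (single-byte tag) at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long form: 0x8n then n length bytes
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):                                   # contents of a constructed element
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read(value, pos)
        out.append((tag, v))
    return out

def parse_ticket(tkt):
    """Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno [0], realm [1], sname [2], enc-part [3] }."""
    out = {}
    for ftag, fval in der_children(der_read(der_read(tkt)[1])[1]):
        if ftag == 0xa1:                                   # realm: GeneralString
            out["realm"] = der_read(fval)[1].decode()
        elif ftag == 0xa2:                                 # sname: PrincipalName { name-type [0], name-string [1] }
            names = der_read(der_children(der_read(fval)[1])[1][1])[1]
            out["sname"] = "/".join(v.decode() for _, v in der_children(names))
        elif ftag == 0xa3:                                 # enc-part: EncryptedData, left encrypted
            for etag, ev in der_children(der_read(fval)[1]):
                if etag == 0xa0:                           # etype [0]: the enctype Douglas asks about
                    out["etype"] = int.from_bytes(der_read(ev)[1], "big", signed=True)
                    out["etype_name"] = ETYPES.get(out["etype"], "unknown")
                elif etag == 0xa2:                         # cipher [2]: grows with the PAC (group count)
                    out["cipher_bytes"] = len(der_read(ev)[1])
    return out

def parse_krb5_token(tok):
    """RFC 1964 framing: 0x60 len { OID, TOK_ID (01 00 = AP-REQ), AP-REQ }."""
    if not tok or tok[0] != 0x60:                          # e.g. an NTLMSSP optimistic token
        return {"error": "mechToken is not a GSS-API framed token"}
    body = der_read(tok)[1]
    _, oid, pos = der_read(body)
    out = {"mech": OIDS.get(oid, oid.hex()), "tok_id": body[pos:pos + 2].hex()}
    if out["tok_id"] == "0100":                            # AP-REQ; its authenticator [4] is encrypted under
        ap_req = der_read(der_read(body, pos + 2)[1])[1]   # the session key, so the deleg flag and KRB-CRED
        for ftag, fval in der_children(ap_req):            # inside it are only visible with the service keytab
            if ftag == 0xa3:                               # ticket [3]
                out["ticket"] = parse_ticket(fval)
    return out

def inspect_negotiate(header_value):
    """Decode an 'Authorization: Negotiate <b64>' value (SPNEGO-wrapped or raw Kerberos)."""
    token, header_bytes = base64.b64decode(header_value.split(" ", 1)[1]), len("Authorization: ") + len(header_value)
    info = {"token_bytes": len(token), "header_bytes": header_bytes, "mechs": [], "kerberos": None,
            "exceeds_default_apache_limit": header_bytes > APACHE_DEFAULT_FIELD_LIMIT}
    tag, body, _ = der_read(token)
    if tag != 0x60: raise ValueError("not a GSS-API InitialContextToken")
    _, oid, pos = der_read(body)
    info["outer_mech"] = OIDS.get(oid, oid.hex())
    if oid != SPNEGO_OID:                                  # raw Kerberos, no SPNEGO wrapper
        info.update(mechs=[info["outer_mech"]], kerberos=parse_krb5_token(token))
        return info
    neg = der_read(body, pos)[1]                           # [0] NegTokenInit (a client's first token)
    for ctag, cval in der_children(der_read(neg)[1]):
        if ctag == 0xa0:                                   # mechTypes [0], in preference order
            info["mechs"] = [OIDS.get(m, m.hex()) for _, m in der_children(der_read(cval)[1])]
        elif ctag == 0xa2:                                 # mechToken [2]: optimistic token for mechs[0]
            info["kerberos"] = parse_krb5_token(der_read(cval)[1])
    return info

def der(tag, *parts):                                      # minimal DER encoder for the sample below
    body = b"".join(parts)
    n, nb = len(body), (len(body).bit_length() + 7) // 8
    ln = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + ln + body

def build_sample_token(realm, service, host, etype, cipher_len, mechs, spnego=True):
    """Build a client Negotiate header value (constructed sample, not a capture)."""
    ctx = lambda n, *p: der(0xa0 + n, *p)                  # [n] EXPLICIT
    num = lambda v: der(0x02, bytes([v]))                  # INTEGER, values 0..127 only
    gstr = lambda s: der(0x1b, s.encode())                 # GeneralString
    enc = lambda n: der(0x30, ctx(0, num(etype)), ctx(2, der(0x04, bytes(n))))  # EncryptedData
    ticket = der(0x61, der(0x30, ctx(0, num(5)), ctx(1, gstr(realm)),
        ctx(2, der(0x30, ctx(0, num(2)), ctx(1, der(0x30, gstr(service), gstr(host))))),
        ctx(3, enc(cipher_len))))
    ap_req = der(0x6e, der(0x30, ctx(0, num(5)), ctx(1, num(14)),
        ctx(2, der(0x03, b"\x00\x20\x00\x00\x00")),        # ap-options: mutual-required
        ctx(3, ticket), ctx(4, enc(96))))                  # authenticator: opaque here
    krb = der(0x60, der(0x06, KRB5_OID), b"\x01\x00", ap_req)
    if spnego:
        krb = der(0x60, der(0x06, SPNEGO_OID), ctx(0, der(0x30,
            ctx(0, der(0x30, *[der(0x06, m) for m in mechs])), ctx(2, der(0x04, krb)))))
    return "Negotiate " + base64.b64encode(krb).decode()
```

Paste a real header value into inspect_negotiate() to get the same dictionary for a captured request. An exceeds_default_apache_limit of True points at the size hypothesis (a PAC bloated by group membership), an etype the server's keytab does not carry points at the enctype hypothesis, and the delegation hypothesis needs the decrypted authenticator, which this script deliberately does not attempt.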


More information about the Kerberos mailing list