[modauthkerb] Negotiate on Windows with cross-realm trust ADand MIT Kereros.
Douglas E. Engert
deengert at anl.gov
Thu Jul 26 13:41:41 EDT 2007
Mikkel Kruse Johnsen wrote:
> Hi Douglas
>
> I have already done all these steps.
It still looks like the client is not delegating. and I am out of ideas.
>
> I'm currently on linux only to eliminate trust relations and the windows
> factor :)
>
> I'm on Fedora 7 getting a ticket from MIT kerberos and accessing a web
> site using the same MIT kerberos.
>
> I regularly try on windows, It don't work either (have done the steps on
> windows as well).
>
> /Mikkel
>
> On Thu, 2007-07-26 at 10:22 -0500, Douglas E. Engert wrote:
>> Attached is the Wireshark print output of the GET request showing
>> the SPNEGO and GSSAPI
>>
>> In original trace, the client does request a ticket to delegate
>> but it looks like it is not delegating it.
>>
>> It looks like it is:
>> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.5) Gecko/20070718 Fedora/2.0.0.5-1.fc7 Firefox/2.0.0.5\r\n
>>
>>
>> I Googled for:
>> FireFox SPNEGO delegation
>> and found among other articles:
>>
>> http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_SPNEGO_config_web.html
>>
>>
>> Complete the following steps to ensure that your Firefox browser is enabled to perform SPNEGO authentication.
>> At the desktop, log in to the windows active directory domain.
>> Activate Firefox.
>> At the address field, type about:config.
>> In the Filter, type network.n
>> Double click on network.negotiate-auth.trusted-uris. This preference lists the sites that are permitted to engage in SPNEGO Authentication with the browser. Enter a comma-delimited list of trusted domains or URLs.
>> Note: You must set the value for network.negotiate-auth.trusted-uris.
>> If the deployed SPNEGO solution is using the advanced Kerberos feature of Credential Delegation double click on network.negotiate-auth.delegation-uris. This preference lists the sites for which the browser may delegate user authorization to the server. Enter a comma-delimited list of trusted domains
>> or URLs.
>> Click OK. The configuration appears as updated.
>> Restart your Firefox browser to activate this configuration.
>>
>>
>> Mikkel Kruse Johnsen wrote:
>> > Hi Douglas
>> >
>> > Im not sure what to look for, but here is the dump. If you are able to
>> > see anything. Done with wireshark.
>> >
>> > /Mikkel
>> >
>> > On Wed, 2007-07-25 at 09:36 -0500, Douglas E. Engert wrote:
>> >> Looks like it should have worked.
>> >>
>> >> A wireshark trace of the packets would show a lot, as long as
>> >> the session is not encrypted.
>> >>
>> >> It could be a size issue. AD can produce very large tickets if you
>> >> are in many groups.
>> >>
>> >> It could be an enc-type issue, which the server does not understand
>> >>
>> >> It could be the client is not delegating.
>> >>
>> >> Wireshark could answer these.
>> >>
>> >>
>> >>
>> >> Mikkel Kruse Johnsen wrote:
>> >> >
>> >> >
>> >> > On Mon, 2007-07-23 at 16:27 -0500, Douglas E. Engert wrote:
>> >> >>
>> >> >> Mikkel Kruse Johnsen wrote:
>> >> >> > Hi Markus
>> >> >> >
>> >> >> > Yes that is what I want. I need the KRB5CCNAME (the credential) so I can
>> >> >> > login to my OpenLDAP SASL based server and PostgreSQL with kerberos.
>> >> >>
>> >> >> So what you need is the Kerberos credentials. I have an older version
>> >> >> of mod_auth_kerb I assume your version has the routine store_gss_creds()
>> >> >> which should be doing this for you and creating the name in the
>> >> >> create_krb5_ccache(). and calling
>> >> >> apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
>> >> >
>> >> > Yes it does contain that function, I'm using mod_auth_kerb 5.3
>> >> >
>> >> >>
>> >> >> Is KrbSaveCredentials being set in the conf file?
>> >> >
>> >> > Yes it is set. And I have set the:
>> >> >
>> >> > network.negotiate-auth.delegation-uris = cbs.dk,hhk.dk
>> >> > network.negotiate-auth.trusted-uris = cbs.dk,hhk.dk
>> >> >
>> >> > (Have tryied all kinds of combinations. This must be the right one.
>> >> >
>> >> >> This controls the saving of credentials:
>> >> >> if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
>> >> >> store_gss_creds(...)
>> >> >>
>> >> >> Are the above routines being called.
>> >> >
>> >> > It seems that "delegated_cred = GSS_C_NO_CREDENTIAL" because the
>> >> > store_gss_creds is never called.
>> >> > Compiled the mod_auth_kerb with the attched and It is now called but I
>> >> > get in the log:
>> >> >
>> >> > [Wed Jul 25 11:53:27 2007] [debug] src/mod_auth_kerb.c(1358): [client
>> >> > 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
>> >> > available, referer: http://od.cbs.dk/phpinfo.php
>> >> > [Wed Jul 25 11:53:27 2007] [error] [client 130.226.36.170] Cannot store
>> >> > delegated credential (gss_krb5_copy_ccache: Invalid credential was
>> >> > supplied (No error)), referer: http://od.cbs.dk/phpinfo.php
>> >> >
>> >> >>
>> >> >> Is the client actually delegating a credential.
>> >> >
>> >> > So it seems that the credential is never delegated.
>> >> >
>> >> >>
>> >> >> Is the KRB5CCNAME being set in the environment of the subprocess.
>> >> >
>> >> > Don't know how to check this. The KRB5CCNAME is in the env. with the
>> >> > attached patch but the credetials is never saved to that file.
>> >> >
>> >> >
>> >> > /Mikkel
>> >> >
>> >> >
>> >> >>
>> >> >>
>> >> >>
>> >> >> >
>> >> >> > /Mikkel
>> >> >> >
>> >> >> > On Mon, 2007-07-23 at 19:33 +0100, Markus Moeller wrote:
>> >> >> >>
>> >> >> >> Storing credentials in a krb5 cache pointing to KRB5CCNAME has nothing
>> >> >> >> to do with delegation. You only need delegation if you wnat that
>> >> >> >> Apache logs into a backend application with the users ID. Is that what
>> >> >> >> you want ? If see you need to be very careful as iit gives yor apache
>> >> >> >> server a lot of power if you don't use constraint delegation. You
>> >> >> >> need to protect it like a domain controller !!!
>> >> >> >>
>> >> >> >> Markus
>> >> >> >>
>> >> >> >>
>> >> >> >> "Mikkel Kruse Johnsen" <mikkel at linet.dk <mailto:mikkel at linet.dk> <mailto:mikkel at linet.dk> <mailto:mikkel at linet.dk> <mailto:mikkel at linet.dk>>
>> >> >> >> wrote in message news:1184745677.3078.5.camel at tux.lib.cbs.dk <mailto:1184745677.3078.5.camel at tux.lib.cbs.dk> <mailto:1184745677.3078.5.camel at tux.lib.cbs.dk> <mailto:1184745677.3078.5.camel at tux.lib.cbs.dk>...
>> >> >> >>
>> >> >> >> Hi All
>> >> >> >>
>> >> >> >> That did the trick, recompiling krb5-1.5 (on RHEL5 64bit) with
>> >> >> >> that patch.
>> >> >> >>
>> >> >> >> Now I only have the problem that mod_auth_kerb don't write my
>> >> >> >> credentials to KRB5CCNAME (in PHP).
>> >> >> >>
>> >> >> >> My "kerbtray" under windows says it is Forwardable but no "Ok to
>> >> >> >> delegate", So I guess that is the problem.
>> >> >> >>
>> >> >> >> Under linux they are forwardable.
>> >> >> >>
>> >> >> >> ------
>> >> >> >> [mkj at tux ~]$ klist -f
>> >> >> >> Ticket cache: FILE:/tmp/krb5cc_500
>> >> >> >> Default principal: mkj.lib at HHK.DK <mailto:mkj.lib at HHK.DK> <mailto:mkj.lib at HHK.DK> <mailto:mkj.lib at HHK.DK> <mailto:mkj.lib at HHK.DK>
>> >> >> >>
>> >> >> >> Valid starting Expires Service principal
>> >> >> >> 07/18/07 09:16:49 07/18/07 19:16:55 krbtgt/HHK.DK at HHK.DK <mailto:HHK.DK at HHK.DK> <mailto:HHK.DK at HHK.DK> <mailto:HHK.DK at HHK.DK>
>> >> >> >> <mailto:HHK.DK at HHK.DK>
>> >> >> >> renew until 07/19/07 09:16:49, Flags: FRIA
>> >> >> >> 07/18/07 09:17:06 07/18/07 19:16:55 krbtgt/CBS.DK at HHK.DK <mailto:CBS.DK at HHK.DK> <mailto:CBS.DK at HHK.DK> <mailto:CBS.DK at HHK.DK>
>> >> >> >> <mailto:CBS.DK at HHK.DK>
>> >> >> >> renew until 07/19/07 09:16:49, Flags: FRAO
>> >> >> >> 07/18/07 09:17:04 07/18/07 19:16:55 HTTP/sugi.cbs.dk at CBS.DK <mailto:sugi.cbs.dk at CBS.DK> <mailto:sugi.cbs.dk at CBS.DK> <mailto:sugi.cbs.dk at CBS.DK>
>> >> >> >> <mailto:sugi.cbs.dk at CBS.DK>
>> >> >> >> renew until 07/18/07 09:17:04, Flags: FRAT
>> >> >> >> 07/18/07 09:35:35 07/18/07 19:16:55 host/sugi.cbs.dk at CBS.DK <mailto:sugi.cbs.dk at CBS.DK> <mailto:sugi.cbs.dk at CBS.DK> <mailto:sugi.cbs.dk at CBS.DK>
>> >> >> >> <mailto:sugi.cbs.dk at CBS.DK>
>> >> >> >> renew until 07/18/07 09:35:35, Flags: FRAT
>> >> >> >>
>> >> >> >>
>> >> >> >> Kerberos 4 ticket cache: /tmp/tkt500
>> >> >> >> klist: You have no tickets cached
>> >> >> >> --------
>> >> >> >>
>> >> >> >>
>> >> >> >> I found how to set ok-as-delegate for heimdal how is this done for
>> >> >> >> MIT kerberos ?
>> >> >> >>
>> >> >> >> And how is it done under MS AD ?
>> >> >> >>
>> >> >> >> /Mikkel
>> >> >> >>
>> >> >> >>
>> >> >> >> On Tue, 2007-07-17 at 21:25 +0200, Achim Grolms wrote:
>> >> >> >>> On Tuesday 17 July 2007 09:41, Mikkel Kruse Johnsen wrote:
>> >> >> >>>
>> >> >> >>> > gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
>> >> >> >>> > may provide more information (Cannot allocate memory)
>> >> >> >>>
>> >> >> >>> What OS and what Kerberoslibs do you use?
>> >> >> >>> Background of this question:
>> >> >> >>>
>> >> >> >>> I've seen this errormessage "Cannot allocate memory"
>> >> >> >>> (and it's solution) in
>> >> >> >>>
>> >> >> >>> <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help> <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>> <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help> <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help <h
ttp://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>>> <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help> <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>> <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help> <http
>> ://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>>>>
>> >> >> >>>
>> >> >> >>> Achim
>> >> >> >> Mikkel Kruse Johnsen
>> >> >> >> Linet
>> >> >> >> Ørholmgade 6 st tv
>> >> >> >> 2200 København N
>> >> >> >>
>> >> >> >> Tlf: +45 2128 7793
>> >> >> >> email: mikkel at linet.dk <mailto:mikkel at linet.dk> <mailto:mikkel at linet.dk> <mailto:mikkel at linet.dk>
>> >> >> >> www: http://www.linet.dk
>> >> >> >>
>> >> >> >>
>> >> >> >> ------------------------------------------------------------------------
>> >> >> >>
>> >> >> >>
>> >> >> >> -------------------------------------------------------------------------
>> >> >> >> This SF.net email is sponsored by DB2 Express
>> >> >> >> Download DB2 Express C - the FREE version of DB2 express and take
>> >> >> >> control of your XML. No limits. Just data. Click to get it now.
>> >> >> >> http://sourceforge.net/powerbar/db2/
>> >> >> >>
>> >> >> >> ------------------------------------------------------------------------
>> >> >> >>
>> >> >> >>
>> >> >> >> _______________________________________________
>> >> >> >> modauthkerb-help mailing list
>> >> >> >> modauthkerb-help at lists.sourceforge.net <mailto:modauthkerb-help at lists.sourceforge.net> <mailto:modauthkerb-help at lists.sourceforge.net> <mailto:modauthkerb-help at lists.sourceforge.net>
>> >> >> >> https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
>> >> >> >>
>> >> >> >>
>> >> >> >> -------------------------------------------------------------------------
>> >> >> >> This SF.net email is sponsored by: Splunk Inc.
>> >> >> >> Still grepping through log files to find problems? Stop.
>> >> >> >> Now Search log events and configuration files using AJAX and a browser.
>> >> >> >> Download your FREE copy of Splunk now >> http://get.splunk.com/
>> >> >> >>
>> >> >> >>
>> >> >> >> _______________________________________________
>> >> >> >> modauthkerb-help mailing list
>> >> >> >> modauthkerb-help at lists.sourceforge.net <mailto:modauthkerb-help at lists.sourceforge.net> <mailto:modauthkerb-help at lists.sourceforge.net> <mailto:modauthkerb-help at lists.sourceforge.net> <mailto:modauthkerb-help at lists.sourceforge.net>
>> >> >> >> https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >> > *Mikkel Kruse Johnsen*
>> >> >> > Adm.Dir.
>> >> >> >
>> >> >> > *Linet <http://www.linet.dk>*
>> >> >> > Ørholmgade 6 st tv
>> >> >> > <http://maps.google.com/maps?q=%D8rholmgade+6+st+tv%2CCopenhagen+N+2200%2CDenmark&hl=en <http://maps.google.com/maps?q=%D8rholmgade+6+st+tv%2CCopenhagen+N+2200%2CDenmark&hl=en> <http://maps.google.com/maps?q=%D8rholmgade+6+st+tv%2CCopenhagen+N+2200%2CDenmark&hl=en <http://maps.google.com/maps?q=%D8rholmgade+6+st+tv%2CCopenhagen+N+2200%2CDenmark&hl=en>> <http://maps.google.com/maps?q=%D8rholmgade+6+st+tv%2CCopenhagen+N+2200%2CDenmark&hl=en <http://maps.google.com/maps?q=%D8rholmgade+6+st+tv%2CCopenhagen+N+2200%2CDenmark&hl=en> <http://maps.google.com/maps?q=%D8rholmgade+6+st+tv%2CCopenhagen+N+2200%2CDenmark&hl=en <http://maps.google.com/maps?q=%D8rholmgade+6+st+tv%2CCopenhagen+N+2200%2CDenmark&hl=en>>>>
>> >> >> > Copenhagen N 2200 Denmark *Work:* +45 21287793
>> >> >> > *Mobile:* +45 21287793
>> >> >> > *Email:* mikkel at linet.dk <mailto:mikkel at linet.dk> <mailto:mikkel at linet.dk> <mailto:mikkel at linet.dk> <mailto:mikkel at linet.dk>
>> >> >> > *IM:* mikkel at linet.dk <mailto:mikkel at linet.dk> <mailto:mikkel at linet.dk> <mailto:mikkel at linet.dk> (MSN)
>> >> >> > *Professional Profile <http://www.linkedin.com/pub/3/333/803>*
>> >> >> > *Healthcare <http://www.xmedicus.dk>*
>> >> >> >
>> >> >> > Network Consultant
>> >> >> >
>> >> >> >
>> >> >> > ------------------------------------------------------------------------
>> >> >> >
>> >> >> > -------------------------------------------------------------------------
>> >> >> > This SF.net email is sponsored by: Splunk Inc.
>> >> >> > Still grepping through log files to find problems? Stop.
>> >> >> > Now Search log events and configuration files using AJAX and a browser.
>> >> >> > Download your FREE copy of Splunk now >> http://get.splunk.com/
>> >> >> >
>> >> >> >
>> >> >> > ------------------------------------------------------------------------
>> >> >> >
>> >> >> > _______________________________________________
>> >> >> > modauthkerb-help mailing list
>> >> >> > modauthkerb-help at lists.sourceforge.net <mailto:modauthkerb-help at lists.sourceforge.net> <mailto:modauthkerb-help at lists.sourceforge.net> <mailto:modauthkerb-help at lists.sourceforge.net>
>> >> >> > https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
>> >> >>
>> >> > Mikkel Kruse Johnsen
>> >> > Linet
>> >> > Ørholmgade 6 st tv
>> >> > 2200 København N
>> >> >
>> >> > Tlf: +45 2128 7793
>> >> > email: mikkel at linet.dk <mailto:mikkel at linet.dk> <mailto:mikkel at linet.dk>
>> >> > www: http://www.linet.dk
>> >> >
>> >> >
>> >> > ------------------------------------------------------------------------
>> >> >
>> >> > diff -r -u mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c mod_auth_kerb-5.3/src/mod_auth_kerb.c
>> >> > --- mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c 2007-07-25 11:38:20.000000000 +0200
>> >> > +++ mod_auth_kerb-5.3/src/mod_auth_kerb.c 2007-07-25 11:42:40.000000000 +0200
>> >> > @@ -1215,6 +1215,8 @@
>> >> > spnego_oid.length = 6;
>> >> > spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
>> >> >
>> >> > + OM_uint32 acc_ret_flags;
>> >> > +
>> >> > if (conf->krb_5_keytab) {
>> >> > char *ktname;
>> >> > /* we don't use the ap_* calls here, since the string passed to putenv()
>> >> > @@ -1277,7 +1279,7 @@
>> >> > &client_name,
>> >> > NULL,
>> >> > &output_token,
>> >> > - NULL,
>> >> > + &acc_ret_flags,
>> >> > NULL,
>> >> > &delegated_cred);
>> >> > log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
>> >> > @@ -1351,8 +1353,18 @@
>> >> > }
>> >> > #endif
>> >> >
>> >> > - if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
>> >> > - store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
>> >> > + if (conf->krb_save_credentials) {
>> >> > + if ( acc_ret_flags & GSS_C_DELEG_FLAG ) {
>> >> > + log_rerror( APLOG_MARK, APLOG_DEBUG, 0, r,
>> >> > + "krb_save_credentials activated, GSS_C_DELEG_FLAG available", "" );
>> >> > +
>> >> > + store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
>> >> > + }
>> >> > + else {
>> >> > + log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
>> >> > + "krb_save_credentials activated, no GSS_C_DELEG_FLAG", "" );
>> >> > + }
>> >> > + }
>> >> >
>> >> > gss_release_buffer(&minor_status, &output_token);
>> >> >
>> >>
>> > Mikkel Kruse Johnsen
>> > Linet
>> > Ørholmgade 6 st tv
>> > 2200 København N
>> >
>> > Tlf: +45 2128 7793
>> > email: mikkel at linet.dk <mailto:mikkel at linet.dk>
>> > www: http://www.linet.dk
>> >
>> >
>> > ------------------------------------------------------------------------
>> >
>> > -------------------------------------------------------------------------
>> > This SF.net email is sponsored by: Splunk Inc.
>> > Still grepping through log files to find problems? Stop.
>> > Now Search log events and configuration files using AJAX and a browser.
>> > Download your FREE copy of Splunk now >> http://get.splunk.com/
>> >
>> >
>> > ------------------------------------------------------------------------
>> >
>> > _______________________________________________
>> > modauthkerb-help mailing list
>> > modauthkerb-help at lists.sourceforge.net <mailto:modauthkerb-help at lists.sourceforge.net>
>> > https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
>>
>> plain text document attachment (wireshark.txt)
>>
>> No. Time Source Destination Protocol Info
>> 16 09:14:12.060179 130.226.36.170 130.226.36.191 HTTP GET /test.php HTTP/1.1
>>
>> Frame 16 (1514 bytes on wire, 1514 bytes captured)
>> Arrival Time: Jul 26, 2007 09:14:12.060179000
>> [Time delta from previous captured frame: 0.000053000 seconds]
>> [Time delta from previous displayed frame: 0.000053000 seconds]
>> [Time since reference or first frame: 0.058896000 seconds]
>> Frame Number: 16
>> Frame Length: 1514 bytes
>> Capture Length: 1514 bytes
>> [Frame is marked: False]
>> [Protocols in frame: eth:ip:tcp:http:gss-api:spnego:spnego-krb5]
>> [Coloring Rule Name: Checksum Errors]
>> [Coloring Rule String: cdp.checksum_bad==1 || edp.checksum_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1]
>> Ethernet II, Src: HewlettP_f1:fb:4a (00:11:85:f1:fb:4a), Dst: Ibm_a4:a7:30 (00:14:5e:a4:a7:30)
>> Internet Protocol, Src: 130.226.36.170 (130.226.36.170), Dst: 130.226.36.191 (130.226.36.191)
>> Transmission Control Protocol, Src Port: 59168 (59168), Dst Port: http (80), Seq: 1, Ack: 1, Len: 1448
>> Hypertext Transfer Protocol
>> GET /test.php HTTP/1.1\r\n
>> Request Method: GET
>> Request URI: /test.php
>> Request Version: HTTP/1.1
>> Host: od.cbs.dk\r\n
>> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.5) Gecko/20070718 Fedora/2.0.0.5-1.fc7 Firefox/2.0.0.5\r\n
>> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
>> Accept-Language: da,en-us;q=0.7,en;q=0.3\r\n
>> Accept-Encoding: gzip,deflate\r\n
>> Accept-Charset: UTF-8,*\r\n
>> Keep-Alive: 300\r\n
>> Connection: keep-alive\r\n
>> Cookie: net.instadia.clientstep.persist.1=1 at 42@u/2b0b0b001ab63a9ddf5d0bc900aaf3322b15aed5; __utma=86912970.1938967652.1154513502.1185282347.1185453096.204; __utmz=86912970.1183459330.194.26.utmccn=(referral)|utmcsr=muhuhu.cbs.dk|utmcct=/om
>> Cache-Control: max-age=0, max-age=0\r\n
>> Authorization: Negotiate YIID7gYGKwYBBQUCoIID4jCCA96gHzAdBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgKhBAMCAQKiggOzBIIDr2CCA6sGCSqGSIb3EgECAgEAboIDmjCCA5agAwIBBaEDAgEOogcDBQAAAAAAo4HjYYHgMIHdoAMCAQWhCBsGQ0JTLkRLoh4wHKADAgEDoRUwExsESFRUUBsLc3VnaS
>> GSS-API Generic Security Service Application Program Interface
>> OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
>> SPNEGO
>> negTokenInit
>> mechTypes: 3 items
>> Item: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
>> Item: 1.3.5.1.5.2 (SNMPv2-SMI::org.5.1.5.2)
>> Item: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
>> Padding: 1
>> reqFlags: 02 (integFlag)
>> 0... .... = delegFlag: False
>> .0.. .... = mutualFlag: False
>> ..0. .... = replayFlag: False
>> ...0 .... = sequenceFlag: False
>> .... 0... = anonFlag: False
>> .... .0.. = confFlag: False
>> .... ..1. = integFlag: True
>> mechToken: 608203AB06092A864886F71201020201006E82039A308203...
>> krb5_blob: 608203AB06092A864886F71201020201006E82039A308203...
>> KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
>> krb5_tok_id: KRB5_AP_REQ (0x0001)
>> Kerberos AP-REQ
>> Pvno: 5
>> MSG Type: AP-REQ (14)
>> Padding: 0
>> APOptions: 00000000
>> .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
>> ..0. .... .... .... .... .... .... .... = Mutual required: Mutual authentication is NOT required
>> Ticket
>> Tkt-vno: 5
>> Realm: CBS.DK
>> Server Name (Service and Host): HTTP/sugi.cbs.dk
>> Name-type: Service and Host (3)
>> Name: HTTP
>> Name: sugi.cbs.dk
>> enc-part des-cbc-crc
>> Encryption type: des-cbc-crc (1)
>> Kvno: 3
>> enc-part: CB835CF2DBFE16D024DB4F67A572BAC61C07B4389DF94CD6...
>> Authenticator des-cbc-crc
>> Encryption type: des-cbc-crc (1)
>> Authenticator data: CD64AF3F5353CFA94E0E7A52FF7269C404D1ED422AC9AD84...
>>
>> Frame (1514 bytes):
>>
>> 0000 00 14 5e a4 a7 30 00 11 85 f1 fb 4a 08 00 45 00 ..^..0.....J..E.
>> 0010 05 dc 37 8e 40 00 40 06 ae 60 82 e2 24 aa 82 e2 ..7. at .@..`..$...
>> 0020 24 bf e7 20 00 50 09 b3 42 d9 8e 3d 77 6c 80 10 $.. .P..B..=wl..
>> 0030 00 2e 54 fc 00 00 01 01 08 0a 01 99 75 55 2a 9e ..T.........uU*.
>> 0040 f2 59 47 45 54 20 2f 74 65 73 74 2e 70 68 70 20 .YGET /test.php
>> 0050 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 HTTP/1.1..Host:
>> 0060 6f 64 2e 63 62 73 2e 64 6b 0d 0a 55 73 65 72 2d od.cbs.dk..User-
>> 0070 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 Agent: Mozilla/5
>> 0080 2e 30 20 28 58 31 31 3b 20 55 3b 20 4c 69 6e 75 .0 (X11; U; Linu
>> 0090 78 20 69 36 38 36 3b 20 65 6e 2d 55 53 3b 20 72 x i686; en-US; r
>> 00a0 76 3a 31 2e 38 2e 31 2e 35 29 20 47 65 63 6b 6f v:1.8.1.5) Gecko
>> 00b0 2f 32 30 30 37 30 37 31 38 20 46 65 64 6f 72 61 /20070718 Fedora
>> 00c0 2f 32 2e 30 2e 30 2e 35 2d 31 2e 66 63 37 20 46 /2.0.0.5-1.fc7 F
>> 00d0 69 72 65 66 6f 78 2f 32 2e 30 2e 30 2e 35 0d 0a irefox/2.0.0.5..
>> 00e0 41 63 63 65 70 74 3a 20 74 65 78 74 2f 78 6d 6c Accept: text/xml
>> 00f0 2c 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 6d 6c ,application/xml
>> 0100 2c 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 ,application/xht
>> 0110 6d 6c 2b 78 6d 6c 2c 74 65 78 74 2f 68 74 6d 6c ml+xml,text/html
>> 0120 3b 71 3d 30 2e 39 2c 74 65 78 74 2f 70 6c 61 69 ;q=0.9,text/plai
>> 0130 6e 3b 71 3d 30 2e 38 2c 69 6d 61 67 65 2f 70 6e n;q=0.8,image/pn
>> 0140 67 2c 2a 2f 2a 3b 71 3d 30 2e 35 0d 0a 41 63 63 g,*/*;q=0.5..Acc
>> 0150 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 64 61 ept-Language: da
>> 0160 2c 65 6e 2d 75 73 3b 71 3d 30 2e 37 2c 65 6e 3b ,en-us;q=0.7,en;
>> 0170 71 3d 30 2e 33 0d 0a 41 63 63 65 70 74 2d 45 6e q=0.3..Accept-En
>> 0180 63 6f 64 69 6e 67 3a 20 67 7a 69 70 2c 64 65 66 coding: gzip,def
>> 0190 6c 61 74 65 0d 0a 41 63 63 65 70 74 2d 43 68 61 late..Accept-Cha
>> 01a0 72 73 65 74 3a 20 55 54 46 2d 38 2c 2a 0d 0a 4b rset: UTF-8,*..K
>> 01b0 65 65 70 2d 41 6c 69 76 65 3a 20 33 30 30 0d 0a eep-Alive: 300..
>> 01c0 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 Connection: keep
>> 01d0 2d 61 6c 69 76 65 0d 0a 43 6f 6f 6b 69 65 3a 20 -alive..Cookie:
>> 01e0 6e 65 74 2e 69 6e 73 74 61 64 69 61 2e 63 6c 69 net.instadia.cli
>> 01f0 65 6e 74 73 74 65 70 2e 70 65 72 73 69 73 74 2e entstep.persist.
>> 0200 31 3d 31 40 34 32 40 75 2f 32 62 30 62 30 62 30 1=1 at 42@u/2b0b0b0
>> 0210 30 31 61 62 36 33 61 39 64 64 66 35 64 30 62 63 01ab63a9ddf5d0bc
>> 0220 39 30 30 61 61 66 33 33 32 32 62 31 35 61 65 64 900aaf3322b15aed
>> 0230 35 3b 20 5f 5f 75 74 6d 61 3d 38 36 39 31 32 39 5; __utma=869129
>> 0240 37 30 2e 31 39 33 38 39 36 37 36 35 32 2e 31 31 70.1938967652.11
>> 0250 35 34 35 31 33 35 30 32 2e 31 31 38 35 32 38 32 54513502.1185282
>> 0260 33 34 37 2e 31 31 38 35 34 35 33 30 39 36 2e 32 347.1185453096.2
>> 0270 30 34 3b 20 5f 5f 75 74 6d 7a 3d 38 36 39 31 32 04; __utmz=86912
>> 0280 39 37 30 2e 31 31 38 33 34 35 39 33 33 30 2e 31 970.1183459330.1
>> 0290 39 34 2e 32 36 2e 75 74 6d 63 63 6e 3d 28 72 65 94.26.utmccn=(re
>> 02a0 66 65 72 72 61 6c 29 7c 75 74 6d 63 73 72 3d 6d ferral)|utmcsr=m
>> 02b0 75 68 75 68 75 2e 63 62 73 2e 64 6b 7c 75 74 6d uhuhu.cbs.dk|utm
>> 02c0 63 63 74 3d 2f 6f 6d 5f 63 62 73 2f 6f 6d 5f 77 cct=/om_cbs/om_w
>> 02d0 77 77 5f 63 62 73 5f 64 6b 2f 73 5f 67 5f 63 62 ww_cbs_dk/s_g_cb
>> 02e0 73 5f 64 6b 7c 75 74 6d 63 6d 64 3d 72 65 66 65 s_dk|utmcmd=refe
>> 02f0 72 72 61 6c 3b 20 50 48 50 53 45 53 53 49 44 3d rral; PHPSESSID=
>> 0300 31 30 63 65 36 65 37 37 63 30 64 35 63 64 39 33 10ce6e77c0d5cd93
>> 0310 37 33 63 33 64 65 30 66 33 65 38 66 33 66 32 32 73c3de0f3e8f3f22
>> 0320 3b 20 5f 5f 75 74 6d 63 3d 38 36 39 31 32 39 37 ; __utmc=8691297
>> 0330 30 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 0..Cache-Control
>> 0340 3a 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6d 61 78 : max-age=0, max
>> 0350 2d 61 67 65 3d 30 0d 0a 41 75 74 68 6f 72 69 7a -age=0..Authoriz
>> 0360 61 74 69 6f 6e 3a 20 4e 65 67 6f 74 69 61 74 65 ation: Negotiate
>> 0370 20 59 49 49 44 37 67 59 47 4b 77 59 42 42 51 55 YIID7gYGKwYBBQU
>> 0380 43 6f 49 49 44 34 6a 43 43 41 39 36 67 48 7a 41 CoIID4jCCA96gHzA
>> 0390 64 42 67 6b 71 68 6b 69 47 39 78 49 42 41 67 49 dBgkqhkiG9xIBAgI
>> 03a0 47 42 53 73 46 41 51 55 43 42 67 6b 71 68 6b 69 GBSsFAQUCBgkqhki
>> 03b0 43 39 78 49 42 41 67 4b 68 42 41 4d 43 41 51 4b C9xIBAgKhBAMCAQK
>> 03c0 69 67 67 4f 7a 42 49 49 44 72 32 43 43 41 36 73 iggOzBIIDr2CCA6s
>> 03d0 47 43 53 71 47 53 49 62 33 45 67 45 43 41 67 45 GCSqGSIb3EgECAgE
>> 03e0 41 62 6f 49 44 6d 6a 43 43 41 35 61 67 41 77 49 AboIDmjCCA5agAwI
>> 03f0 42 42 61 45 44 41 67 45 4f 6f 67 63 44 42 51 41 BBaEDAgEOogcDBQA
>> 0400 41 41 41 41 41 6f 34 48 6a 59 59 48 67 4d 49 48 AAAAAo4HjYYHgMIH
>> 0410 64 6f 41 4d 43 41 51 57 68 43 42 73 47 51 30 4a doAMCAQWhCBsGQ0J
>> 0420 54 4c 6b 52 4c 6f 68 34 77 48 4b 41 44 41 67 45 TLkRLoh4wHKADAgE
>> 0430 44 6f 52 55 77 45 78 73 45 53 46 52 55 55 42 73 DoRUwExsESFRUUBs
>> 0440 4c 63 33 56 6e 61 53 35 6a 59 6e 4d 75 5a 47 75 Lc3VnaS5jYnMuZGu
>> 0450 6a 67 61 73 77 67 61 69 67 41 77 49 42 41 61 45 jgaswgaigAwIBAaE
>> 0460 44 41 67 45 44 6f 6f 47 62 42 49 47 59 79 34 4e DAgEDooGbBIGYy4N
>> 0470 63 38 74 76 2b 46 74 41 6b 32 30 39 6e 70 58 4b c8tv+FtAk209npXK
>> 0480 36 78 68 77 48 74 44 69 64 2b 55 7a 57 30 4d 37 6xhwHtDid+UzW0M7
>> 0490 53 46 33 37 52 6d 4a 50 37 74 48 66 48 56 2b 2f SF37RmJP7tHfHV+/
>> 04a0 63 74 79 62 66 6a 6f 53 6d 47 45 77 79 64 36 59 ctybfjoSmGEwyd6Y
>> 04b0 4a 41 45 31 68 61 55 34 73 36 35 42 65 55 58 51 JAE1haU4s65BeUXQ
>> 04c0 39 4d 5a 53 6a 70 72 55 67 43 2b 6e 6b 57 41 4c 9MZSjprUgC+nkWAL
>> 04d0 76 67 4d 79 4e 57 33 34 70 4c 6c 37 5a 7a 37 6e vgMyNW34pLl7Zz7n
>> 04e0 69 56 41 49 78 65 73 67 7a 5a 4d 58 67 6e 36 6d iVAIxesgzZMXgn6m
>> 04f0 43 49 39 77 70 59 79 58 75 45 49 57 57 71 2f 58 CI9wpYyXuEIWWq/X
>> 0500 54 2b 4e 4f 43 7a 65 6c 47 6a 31 78 43 43 61 4c T+NOCzelGj1xCCaL
>> 0510 62 4a 58 68 34 4c 63 31 79 6f 6b 4b 35 32 79 6e bJXh4Lc1yokK52yn
>> 0520 64 31 35 45 78 7a 72 30 74 49 51 45 61 51 50 71 d15Exzr0tIQEaQPq
>> 0530 37 55 58 67 61 4a 71 79 6b 67 67 4b 5a 4d 49 49 7UXgaJqykggKZMII
>> 0540 43 6c 61 41 44 41 67 45 42 6f 6f 49 43 6a 41 53 ClaADAgEBooICjAS
>> 0550 43 41 6f 6a 4e 5a 4b 38 2f 55 31 50 50 71 55 34 CAojNZK8/U1PPqU4
>> 0560 4f 65 6c 4c 2f 63 6d 6e 45 42 4e 48 74 51 69 72 OelL/cmnEBNHtQir
>> 0570 4a 72 59 54 6e 32 6c 69 39 75 41 4a 43 43 6d 6c JrYTn2li9uAJCCml
>> 0580 41 57 75 48 76 57 67 57 66 35 48 75 44 2b 71 31 AWuHvWgWf5HuD+q1
>> 0590 30 73 7a 66 2b 38 6f 64 61 47 79 50 32 62 51 63 0szf+8odaGyP2bQc
>> 05a0 78 4a 57 77 44 74 49 64 50 6c 4f 77 70 55 7a 56 xJWwDtIdPlOwpUzV
>> 05b0 78 63 39 6e 2b 32 65 4d 4e 61 4b 32 70 64 76 34 xc9n+2eMNaK2pdv4
>> 05c0 2f 6a 43 4f 79 68 52 35 6c 37 57 44 76 66 34 6c /jCOyhR5l7WDvf4l
>> 05d0 65 53 71 70 4c 68 4e 71 47 39 4a 67 46 4c 59 6b eSqpLhNqG9JgFLYk
>> 05e0 76 52 2f 51 4a 63 46 74 46 31 vR/QJcFtF1
>>
>> NTLMSSP / GSSAPI Data (475 bytes):
>>
>> 0000 60 82 03 ee 06 06 2b 06 01 05 05 02 a0 82 03 e2 `.....+.........
>> 0010 30 82 03 de a0 1f 30 1d 06 09 2a 86 48 86 f7 12 0.....0...*.H...
>> 0020 01 02 02 06 05 2b 05 01 05 02 06 09 2a 86 48 82 .....+......*.H.
>> 0030 f7 12 01 02 02 a1 04 03 02 01 02 a2 82 03 b3 04 ................
>> 0040 82 03 af 60 82 03 ab 06 09 2a 86 48 86 f7 12 01 ...`.....*.H....
>> 0050 02 02 01 00 6e 82 03 9a 30 82 03 96 a0 03 02 01 ....n...0.......
>> 0060 05 a1 03 02 01 0e a2 07 03 05 00 00 00 00 00 a3 ................
>> 0070 81 e3 61 81 e0 30 81 dd a0 03 02 01 05 a1 08 1b ..a..0..........
>> 0080 06 43 42 53 2e 44 4b a2 1e 30 1c a0 03 02 01 03 .CBS.DK..0......
>> 0090 a1 15 30 13 1b 04 48 54 54 50 1b 0b 73 75 67 69 ..0...HTTP..sugi
>> 00a0 2e 63 62 73 2e 64 6b a3 81 ab 30 81 a8 a0 03 02 .cbs.dk...0.....
>> 00b0 01 01 a1 03 02 01 03 a2 81 9b 04 81 98 cb 83 5c ...............\
>> 00c0 f2 db fe 16 d0 24 db 4f 67 a5 72 ba c6 1c 07 b4 .....$.Og.r.....
>> 00d0 38 9d f9 4c d6 d0 ce d2 17 7e d1 98 93 fb b4 77 8..L.....~.....w
>> 00e0 c7 57 ef dc b7 26 df 8e 84 a6 18 4c 32 77 a6 09 .W...&.....L2w..
>> 00f0 00 4d 61 69 4e 2c eb 90 5e 51 74 3d 31 94 a3 a6 .MaiN,..^Qt=1...
>> 0100 b5 20 0b e9 e4 58 02 ef 80 cc 8d 5b 7e 29 2e 5e . ...X.....[~).^
>> 0110 d9 cf b9 e2 54 02 31 7a c8 33 64 c5 e0 9f a9 82 ....T.1z.3d.....
>> 0120 23 dc 29 63 25 ee 10 85 96 ab f5 d3 f8 d3 82 cd #.)c%...........
>> 0130 e9 46 8f 5c 42 09 a2 db 25 78 78 2d cd 72 a2 42 .F.\B...%xx-.r.B
>> 0140 b9 db 29 dd d7 91 31 ce bd 2d 21 01 1a 40 fa bb ..)...1..-!.. at ..
>> 0150 51 78 1a 26 ac a4 82 02 99 30 82 02 95 a0 03 02 Qx.&.....0......
>> 0160 01 01 a2 82 02 8c 04 82 02 88 cd 64 af 3f 53 53 ...........d.?SS
>> 0170 cf a9 4e 0e 7a 52 ff 72 69 c4 04 d1 ed 42 2a c9 ..N.zR.ri....B*.
>> 0180 ad 84 e7 da 58 bd b8 02 42 0a 69 40 5a e1 ef 5a ....X...B.i at Z..Z
>> 0190 05 9f e4 7b 83 fa ad 74 b3 37 fe f2 87 5a 1b 23 ...{...t.7...Z.#
>> 01a0 f6 6d 07 31 25 6c 03 b4 87 4f 94 ec 29 53 35 71 .m.1%l...O..)S5q
>> 01b0 73 d9 fe d9 e3 0d 68 ad a9 76 fe 3f 8c 23 b2 85 s.....h..v.?.#..
>> 01c0 1e 65 ed 60 ef 7f 89 5e 4a aa 4b 84 da 86 f4 98 .e.`...^J.K.....
>> 01d0 05 2d 89 2f 47 f4 09 70 5b 45 d4 .-./G..p[E.
>>
>> !DSPAM:46a8bc529361222716257!
> *Mikkel Kruse Johnsen*
> Adm.Dir.
>
> *Linet <http://www.linet.dk>*
> Ørholmgade 6 st tv
> <http://maps.google.com/maps?q=%D8rholmgade+6+st+tv%2CCopenhagen+N+2200%2CDenmark&hl=en>
> Copenhagen N 2200 Denmark *Work:* +45 21287793
> *Mobile:* +45 21287793
> *Email:* mikkel at linet.dk <mailto:mikkel at linet.dk>
> *IM:* mikkel at linet.dk (MSN)
> *Professional Profile <http://www.linkedin.com/pub/3/333/803>*
> *Healthcare <http://www.xmedicus.dk>*
>
> Network Consultant
>
>
> ------------------------------------------------------------------------
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems? Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> modauthkerb-help mailing list
> modauthkerb-help at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list