[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Douglas E. Engert deengert at anl.gov
Thu Jul 26 13:41:41 EDT 2007



Mikkel Kruse Johnsen wrote:
> Hi Douglas
> 
> I have already done all these steps.

It still looks like the client is not delegating, and I am out of ideas.

> 
> I'm currently on Linux only to eliminate trust relations and the Windows 
> factor :)
> 
> I'm on Fedora 7, getting a ticket from MIT Kerberos and accessing a web 
> site using the same MIT Kerberos.
> 
> I regularly try on Windows; it doesn't work either (I have done the steps on 
> Windows as well).
> 
> /Mikkel
> 
> On Thu, 2007-07-26 at 10:22 -0500, Douglas E. Engert wrote:
>> Attached is the Wireshark print output of the GET request showing
>> the SPNEGO and GSSAPI.
>>
>> In the original trace, the client does request a ticket to delegate,
>> but it looks like it is not delegating it.
>>
>> It looks like it is:
>> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.5) Gecko/20070718 Fedora/2.0.0.5-1.fc7 Firefox/2.0.0.5\r\n
>>
>>
>> I Googled for:
>> FireFox SPNEGO delegation
>> and found among other articles:
>>
>> http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_SPNEGO_config_web.html
>>
>>
>> Complete the following steps to ensure that your Firefox browser is enabled to perform SPNEGO authentication.
>> At the desktop, log in to the windows active directory domain.
>> Activate Firefox.
>> At the address field, type about:config.
>> In the Filter, type network.n
>> Double click on network.negotiate-auth.trusted-uris. This preference lists the sites that are permitted to engage in SPNEGO Authentication with the browser. Enter a comma-delimited list of trusted domains or URLs.
>> Note: You must set the value for network.negotiate-auth.trusted-uris.
>> If the deployed SPNEGO solution is using the advanced Kerberos feature of Credential Delegation double click on network.negotiate-auth.delegation-uris. This preference lists the sites for which the browser may delegate user authorization to the server. Enter a comma-delimited list of trusted domains 
>> or URLs.
>> Click OK. The configuration appears as updated.
>> Restart your Firefox browser to activate this configuration.
>>
>>
>> Mikkel Kruse Johnsen wrote:
>> > Hi Douglas
>> > 
>> > I'm not sure what to look for, but here is the dump, in case you are able to 
>> > see anything. Done with Wireshark.
>> > 
>> > /Mikkel
>> > 
>> > On Wed, 2007-07-25 at 09:36 -0500, Douglas E. Engert wrote:
>> >> Looks like it should have worked.
>> >>
>> >> A wireshark trace of the packets would show a lot, as long as
>> >> the session is not encrypted.
>> >>
>> >> It could be a size issue. AD can produce very large tickets if you
>> >> are in many groups.
>> >>
>> >> It could be an enc-type issue, which the server does not understand
>> >>
>> >> It could be the client is not delegating.
>> >>
>> >> Wireshark could answer these.
>> >>
>> >>
>> >>
>> >> Mikkel Kruse Johnsen wrote:
>> >> > 
>> >> > 
>> >> > On Mon, 2007-07-23 at 16:27 -0500, Douglas E. Engert wrote:
>> >> >>
>> >> >> Mikkel Kruse Johnsen wrote:
>> >> >> > Hi Markus
>> >> >> > 
>> >> >> > Yes that is what I want. I need the KRB5CCNAME (the credential) so I can 
>> >> >> > login to my OpenLDAP SASL based server and PostgreSQL with kerberos.
>> >> >>
>> >> >> So what you need is the Kerberos credentials. I have an older version
>> >> >> of mod_auth_kerb; I assume your version has the routine store_gss_creds(),
>> >> >> which should be doing this for you, creating the name in
>> >> >> create_krb5_ccache() and calling
>> >> >> apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
>> >> > 
>> >> > Yes it does contain that function, I'm using mod_auth_kerb 5.3
>> >> > 
>> >> >>
>> >> >> Is KrbSaveCredentials being set in the conf file?
>> >> > 
>> >> > Yes it is set. And I have set the:
>> >> > 
>> >> > network.negotiate-auth.delegation-uris = cbs.dk,hhk.dk
>> >> > network.negotiate-auth.trusted-uris = cbs.dk,hhk.dk
>> >> > 
>> >> > (Have tried all kinds of combinations. This must be the right one.)
>> >> > 
>> >> >> This controls the saving of credentials:
>> >> >>   if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
>> >> >>     store_gss_creds(...)
>> >> >>
>> >> >> Are the above routines being called?
>> >> > 
>> >> > It seems that "delegated_cred = GSS_C_NO_CREDENTIAL" because the 
>> >> > store_gss_creds is never called.
>> >> > I compiled mod_auth_kerb with the attached patch and it is now called, but I 
>> >> > get in the log:
>> >> > 
>> >> > [Wed Jul 25 11:53:27 2007] [debug] src/mod_auth_kerb.c(1358): [client 
>> >> > 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG 
>> >> > available, referer: http://od.cbs.dk/phpinfo.php
>> >> > [Wed Jul 25 11:53:27 2007] [error] [client 130.226.36.170] Cannot store 
>> >> > delegated credential (gss_krb5_copy_ccache: Invalid credential was 
>> >> > supplied (No error)), referer: http://od.cbs.dk/phpinfo.php
>> >> > 
>> >> >>
>> >> >> Is the client actually delegating a credential?
>> >> > 
>> >> > So it seems that the credential is never delegated.
>> >> > 
>> >> >>
>> >> >> Is the KRB5CCNAME being set in the environment of the subprocess?
>> >> > 
>> >> > Don't know how to check this. The KRB5CCNAME is in the env. with the 
>> >> > attached patch, but the credentials are never saved to that file.
>> >> > 
>> >> > 
>> >> > /Mikkel
>> >> > 
>> >> > 
>> >> >>
>> >> >>
>> >> >>
>> >> >> > 
>> >> >> > /Mikkel
>> >> >> > 
>> >> >> > On Mon, 2007-07-23 at 19:33 +0100, Markus Moeller wrote:
>> >> >> >>  
>> >> >> >> Storing credentials in a krb5 cache pointing to KRB5CCNAME has nothing 
>> >> >> >> to do with delegation.  You only need delegation if you want 
>> >> >> >> Apache to log into a backend application with the user's ID. Is that what 
>> >> >> >> you want? If so, you need to be very careful, as it gives your Apache 
>> >> >> >> server a lot of power if you don't use constrained delegation.  You 
>> >> >> >> need to protect it like a domain controller !!! 
>> >> >> >>   
>> >> >> >> Markus 
>> >> >> >>   
>> >> >> >>
>> >> >> >>     "Mikkel Kruse Johnsen" <mikkel at linet.dk>
>> >> >> >>     wrote in message news:1184745677.3078.5.camel at tux.lib.cbs.dk... 
>> >> >> >>
>> >> >> >>     Hi All
>> >> >> >>
>> >> >> >>     That did the trick, recompiling krb5-1.5 (on RHEL5 64bit) with
>> >> >> >>     that patch.
>> >> >> >>
>> >> >> >>     Now I only have the problem that mod_auth_kerb doesn't write my
>> >> >> >>     credentials to KRB5CCNAME (in PHP).
>> >> >> >>
>> >> >> >>     My "kerbtray" under Windows says it is Forwardable but no "Ok to
>> >> >> >>     delegate", so I guess that is the problem.
>> >> >> >>
>> >> >> >>     Under Linux they are forwardable.
>> >> >> >>
>> >> >> >>     ------
>> >> >> >>     [mkj@tux ~]$ klist -f
>> >> >> >>     Ticket cache: FILE:/tmp/krb5cc_500
>> >> >> >>     Default principal: mkj.lib@HHK.DK
>> >> >> >>
>> >> >> >>     Valid starting     Expires            Service principal
>> >> >> >>     07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK@HHK.DK
>> >> >> >>             renew until 07/19/07 09:16:49, Flags: FRIA
>> >> >> >>     07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK@HHK.DK
>> >> >> >>             renew until 07/19/07 09:16:49, Flags: FRAO
>> >> >> >>     07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk@CBS.DK
>> >> >> >>             renew until 07/18/07 09:17:04, Flags: FRAT
>> >> >> >>     07/18/07 09:35:35  07/18/07 19:16:55  host/sugi.cbs.dk@CBS.DK
>> >> >> >>             renew until 07/18/07 09:35:35, Flags: FRAT
>> >> >> >>
>> >> >> >>
>> >> >> >>     Kerberos 4 ticket cache: /tmp/tkt500
>> >> >> >>     klist: You have no tickets cached
>> >> >> >>     --------
>> >> >> >>
>> >> >> >>
>> >> >> >>     I found how to set ok-as-delegate for Heimdal; how is this done for
>> >> >> >>     MIT Kerberos?
>> >> >> >>
>> >> >> >>     And how is it done under MS AD?
>> >> >> >>
>> >> >> >>     /Mikkel
>> >> >> >>
>> >> >> >>
>> >> >> >>     On Tue, 2007-07-17 at 21:25 +0200, Achim Grolms wrote:
>> >> >> >>>     On Tuesday 17 July 2007 09:41, Mikkel Kruse Johnsen wrote:
>> >> >> >>>
>> >> >> >>>     > gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
>> >> >> >>>     > may provide more information (Cannot allocate memory)
>> >> >> >>>
>> >> >> >>>     What OS and what Kerberos libs do you use?
>> >> >> >>>     Background of this question:
>> >> >> >>>
>> >> >> >>>     I've seen this error message "Cannot allocate memory"
>> >> >> >>>     (and its solution) in
>> >> >> >>>
>> >> >> >>>     <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>
>> >> >> >>>
>> >> >> >>>     Achim
>> >> >> >>     Mikkel Kruse Johnsen
>> >> >> >>     Linet
>> >> >> >>     Ørholmgade 6 st tv
>> >> >> >>     2200 København N
>> >> >> >>
>> >> >> >>     Tlf: +45 2128 7793
>> >> >> >>     email: mikkel at linet.dk
>> >> >> >>     www: http://www.linet.dk
>> >> >> >>
>> >> >> >>
>> >> >> >>     ------------------------------------------------------------------------
>> >> >> >>
>> >> >> >>     _______________________________________________
>> >> >> >>     modauthkerb-help mailing list
>> >> >> >>     modauthkerb-help at lists.sourceforge.net
>> >> >> >>     https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
>> >> >> >>
>> >> > 
>> >> > 
>> >> > ------------------------------------------------------------------------
>> >> > 
>> >> > diff -r -u mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c mod_auth_kerb-5.3/src/mod_auth_kerb.c
>> >> > --- mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c	2007-07-25 11:38:20.000000000 +0200
>> >> > +++ mod_auth_kerb-5.3/src/mod_auth_kerb.c	2007-07-25 11:42:40.000000000 +0200
>> >> > @@ -1215,6 +1215,8 @@
>> >> >    spnego_oid.length = 6;
>> >> >    spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
>> >> >  
>> >> > +  OM_uint32 acc_ret_flags;
>> >> > +
>> >> >    if (conf->krb_5_keytab) {
>> >> >       char *ktname;
>> >> >       /* we don't use the ap_* calls here, since the string passed to putenv()
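Review bot: `acc_ret_flags` is declared without an initializer, yet the third hunk tests `acc_ret_flags & GSS_C_DELEG_FLAG` regardless of whether gss_accept_sec_context() succeeded; on an error return the flags are not set and the test reads whatever was on the stack. Declare it as `OM_uint32 acc_ret_flags = 0;`. The declaration is also placed after executable statements (the spnego_oid assignments), which a C89 build rejects; move it up to the other locals at the top of the function.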
>> >> > @@ -1277,7 +1279,7 @@
>> >> >  				  &client_name,
>> >> >  				  NULL,
>> >> >  				  &output_token,
>> >> > -				  NULL,
>> >> > +				  &acc_ret_flags,
>> >> >  				  NULL,
>> >> >  				  &delegated_cred);
>> >> >    log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
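Review bot: passing `&acc_ret_flags` as the ret_flags argument is the right way to learn what the acceptor actually negotiated, but GSS-API only defines ret_flags on a successful return; guard the later use of the flags with the call's major status so that a failed gss_accept_sec_context() cannot leave stale bits in acc_ret_flags that the next hunk then trusts.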
>> >> > @@ -1351,8 +1353,18 @@
>> >> >    }
>> >> >  #endif
>> >> >  
>> >> > -  if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
>> >> > -     store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
>> >> > +  if (conf->krb_save_credentials) {
>> >> > +    if ( acc_ret_flags & GSS_C_DELEG_FLAG ) {      
>> >> > +      log_rerror( APLOG_MARK, APLOG_DEBUG, 0, r,
>> >> > +      	"krb_save_credentials activated, GSS_C_DELEG_FLAG available", "" );
>> >> > + 
>> >> > +      store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
>> >> > +    }
>> >> > +    else {
>> >> > +      log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
>> >> > +        "krb_save_credentials activated, no GSS_C_DELEG_FLAG", "" );
>> >> > +    }
>> >> > +  }	 
>> >> >  
>> >> >    gss_release_buffer(&minor_status, &output_token);
>> >> >  
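Review bot: the rewritten condition drops the original `delegated_cred != GSS_C_NO_CREDENTIAL` guard, so store_gss_creds() is now reached with no delegated credential whenever GSS_C_DELEG_FLAG happens to be set in acc_ret_flags; that is exactly the "Cannot store delegated credential (gss_krb5_copy_ccache: Invalid credential was supplied)" error quoted earlier in the thread. Keep both tests: `if ((acc_ret_flags & GSS_C_DELEG_FLAG) && delegated_cred != GSS_C_NO_CREDENTIAL)`. The no-delegation branch should log at APLOG_DEBUG rather than APLOG_ERR, since a client that simply did not delegate is a normal condition when KrbSaveCredentials is on, and the trailing whitespace on the `if ( acc_ret_flags & GSS_C_DELEG_FLAG ) {` and closing `}` lines should be stripped.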
>> >>
>>
>> plain text document attachment (wireshark.txt)
>>
>> No.     Time            Source                Destination           Protocol Info
>>      16 09:14:12.060179 130.226.36.170        130.226.36.191        HTTP     GET /test.php HTTP/1.1
>>
>> Frame 16 (1514 bytes on wire, 1514 bytes captured)
>>     Arrival Time: Jul 26, 2007 09:14:12.060179000
>>     [Time delta from previous captured frame: 0.000053000 seconds]
>>     [Time delta from previous displayed frame: 0.000053000 seconds]
>>     [Time since reference or first frame: 0.058896000 seconds]
>>     Frame Number: 16
>>     Frame Length: 1514 bytes
>>     Capture Length: 1514 bytes
>>     [Frame is marked: False]
>>     [Protocols in frame: eth:ip:tcp:http:gss-api:spnego:spnego-krb5]
>>     [Coloring Rule Name: Checksum Errors]
>>     [Coloring Rule String: cdp.checksum_bad==1 || edp.checksum_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1]
>> Ethernet II, Src: HewlettP_f1:fb:4a (00:11:85:f1:fb:4a), Dst: Ibm_a4:a7:30 (00:14:5e:a4:a7:30)
>> Internet Protocol, Src: 130.226.36.170 (130.226.36.170), Dst: 130.226.36.191 (130.226.36.191)
>> Transmission Control Protocol, Src Port: 59168 (59168), Dst Port: http (80), Seq: 1, Ack: 1, Len: 1448
>> Hypertext Transfer Protocol
>>     GET /test.php HTTP/1.1\r\n
>>         Request Method: GET
>>         Request URI: /test.php
>>         Request Version: HTTP/1.1
>>     Host: od.cbs.dk\r\n
>>     User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.5) Gecko/20070718 Fedora/2.0.0.5-1.fc7 Firefox/2.0.0.5\r\n
>>     Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
>>     Accept-Language: da,en-us;q=0.7,en;q=0.3\r\n
>>     Accept-Encoding: gzip,deflate\r\n
>>     Accept-Charset: UTF-8,*\r\n
>>     Keep-Alive: 300\r\n
>>     Connection: keep-alive\r\n
>>     Cookie: net.instadia.clientstep.persist.1=1@42@u/2b0b0b001ab63a9ddf5d0bc900aaf3322b15aed5; __utma=86912970.1938967652.1154513502.1185282347.1185453096.204; __utmz=86912970.1183459330.194.26.utmccn=(referral)|utmcsr=muhuhu.cbs.dk|utmcct=/om
>>     Cache-Control: max-age=0, max-age=0\r\n
>>     Authorization: Negotiate YIID7gYGKwYBBQUCoIID4jCCA96gHzAdBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgKhBAMCAQKiggOzBIIDr2CCA6sGCSqGSIb3EgECAgEAboIDmjCCA5agAwIBBaEDAgEOogcDBQAAAAAAo4HjYYHgMIHdoAMCAQWhCBsGQ0JTLkRLoh4wHKADAgEDoRUwExsESFRUUBsLc3VnaS
>>         GSS-API Generic Security Service Application Program Interface
>>             OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
>>             SPNEGO
>>                 negTokenInit
>>                     mechTypes: 3 items
>>                         Item: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
>>                         Item: 1.3.5.1.5.2 (SNMPv2-SMI::org.5.1.5.2)
>>                         Item: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
>>                     Padding: 1
>>                     reqFlags: 02 (integFlag)
>>                         0... .... = delegFlag: False
>>                         .0.. .... = mutualFlag: False
>>                         ..0. .... = replayFlag: False
>>                         ...0 .... = sequenceFlag: False
>>                         .... 0... = anonFlag: False
>>                         .... .0.. = confFlag: False
>>                         .... ..1. = integFlag: True
>>                     mechToken: 608203AB06092A864886F71201020201006E82039A308203...
>>                     krb5_blob: 608203AB06092A864886F71201020201006E82039A308203...
>>                         KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
>>                         krb5_tok_id: KRB5_AP_REQ (0x0001)
>>                         Kerberos AP-REQ
>>                             Pvno: 5
>>                             MSG Type: AP-REQ (14)
>>                             Padding: 0
>>                             APOptions: 00000000
>>                                 .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
>>                                 ..0. .... .... .... .... .... .... .... = Mutual required: Mutual authentication is NOT required
>>                             Ticket
>>                                 Tkt-vno: 5
>>                                 Realm: CBS.DK
>>                                 Server Name (Service and Host): HTTP/sugi.cbs.dk
>>                                     Name-type: Service and Host (3)
>>                                     Name: HTTP
>>                                     Name: sugi.cbs.dk
>>                                 enc-part des-cbc-crc
>>                                     Encryption type: des-cbc-crc (1)
>>                                     Kvno: 3
>>                                     enc-part: CB835CF2DBFE16D024DB4F67A572BAC61C07B4389DF94CD6...
>>                             Authenticator des-cbc-crc
>>                                 Encryption type: des-cbc-crc (1)
>>                                 Authenticator data: CD64AF3F5353CFA94E0E7A52FF7269C404D1ED422AC9AD84...
>>
>> Frame (1514 bytes):
>>
>> 0000  00 14 5e a4 a7 30 00 11 85 f1 fb 4a 08 00 45 00   ..^..0.....J..E.
>> 0010  05 dc 37 8e 40 00 40 06 ae 60 82 e2 24 aa 82 e2   ..7.@.@..`..$...
>> 0020  24 bf e7 20 00 50 09 b3 42 d9 8e 3d 77 6c 80 10   $.. .P..B..=wl..
>> 0030  00 2e 54 fc 00 00 01 01 08 0a 01 99 75 55 2a 9e   ..T.........uU*.
>> 0040  f2 59 47 45 54 20 2f 74 65 73 74 2e 70 68 70 20   .YGET /test.php 
>> 0050  48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20   HTTP/1.1..Host: 
>> 0060  6f 64 2e 63 62 73 2e 64 6b 0d 0a 55 73 65 72 2d   od.cbs.dk..User-
>> 0070  41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35   Agent: Mozilla/5
>> 0080  2e 30 20 28 58 31 31 3b 20 55 3b 20 4c 69 6e 75   .0 (X11; U; Linu
>> 0090  78 20 69 36 38 36 3b 20 65 6e 2d 55 53 3b 20 72   x i686; en-US; r
>> 00a0  76 3a 31 2e 38 2e 31 2e 35 29 20 47 65 63 6b 6f   v:1.8.1.5) Gecko
>> 00b0  2f 32 30 30 37 30 37 31 38 20 46 65 64 6f 72 61   /20070718 Fedora
>> 00c0  2f 32 2e 30 2e 30 2e 35 2d 31 2e 66 63 37 20 46   /2.0.0.5-1.fc7 F
>> 00d0  69 72 65 66 6f 78 2f 32 2e 30 2e 30 2e 35 0d 0a   irefox/2.0.0.5..
>> 00e0  41 63 63 65 70 74 3a 20 74 65 78 74 2f 78 6d 6c   Accept: text/xml
>> 00f0  2c 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 6d 6c   ,application/xml
>> 0100  2c 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74   ,application/xht
>> 0110  6d 6c 2b 78 6d 6c 2c 74 65 78 74 2f 68 74 6d 6c   ml+xml,text/html
>> 0120  3b 71 3d 30 2e 39 2c 74 65 78 74 2f 70 6c 61 69   ;q=0.9,text/plai
>> 0130  6e 3b 71 3d 30 2e 38 2c 69 6d 61 67 65 2f 70 6e   n;q=0.8,image/pn
>> 0140  67 2c 2a 2f 2a 3b 71 3d 30 2e 35 0d 0a 41 63 63   g,*/*;q=0.5..Acc
>> 0150  65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 64 61   ept-Language: da
>> 0160  2c 65 6e 2d 75 73 3b 71 3d 30 2e 37 2c 65 6e 3b   ,en-us;q=0.7,en;
>> 0170  71 3d 30 2e 33 0d 0a 41 63 63 65 70 74 2d 45 6e   q=0.3..Accept-En
>> 0180  63 6f 64 69 6e 67 3a 20 67 7a 69 70 2c 64 65 66   coding: gzip,def
>> 0190  6c 61 74 65 0d 0a 41 63 63 65 70 74 2d 43 68 61   late..Accept-Cha
>> 01a0  72 73 65 74 3a 20 55 54 46 2d 38 2c 2a 0d 0a 4b   rset: UTF-8,*..K
>> 01b0  65 65 70 2d 41 6c 69 76 65 3a 20 33 30 30 0d 0a   eep-Alive: 300..
>> 01c0  43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70   Connection: keep
>> 01d0  2d 61 6c 69 76 65 0d 0a 43 6f 6f 6b 69 65 3a 20   -alive..Cookie: 
>> 01e0  6e 65 74 2e 69 6e 73 74 61 64 69 61 2e 63 6c 69   net.instadia.cli
>> 01f0  65 6e 74 73 74 65 70 2e 70 65 72 73 69 73 74 2e   entstep.persist.
>> 0200  31 3d 31 40 34 32 40 75 2f 32 62 30 62 30 62 30   1=1@42@u/2b0b0b0
>> 0210  30 31 61 62 36 33 61 39 64 64 66 35 64 30 62 63   01ab63a9ddf5d0bc
>> 0220  39 30 30 61 61 66 33 33 32 32 62 31 35 61 65 64   900aaf3322b15aed
>> 0230  35 3b 20 5f 5f 75 74 6d 61 3d 38 36 39 31 32 39   5; __utma=869129
>> 0240  37 30 2e 31 39 33 38 39 36 37 36 35 32 2e 31 31   70.1938967652.11
>> 0250  35 34 35 31 33 35 30 32 2e 31 31 38 35 32 38 32   54513502.1185282
>> 0260  33 34 37 2e 31 31 38 35 34 35 33 30 39 36 2e 32   347.1185453096.2
>> 0270  30 34 3b 20 5f 5f 75 74 6d 7a 3d 38 36 39 31 32   04; __utmz=86912
>> 0280  39 37 30 2e 31 31 38 33 34 35 39 33 33 30 2e 31   970.1183459330.1
>> 0290  39 34 2e 32 36 2e 75 74 6d 63 63 6e 3d 28 72 65   94.26.utmccn=(re
>> 02a0  66 65 72 72 61 6c 29 7c 75 74 6d 63 73 72 3d 6d   ferral)|utmcsr=m
>> 02b0  75 68 75 68 75 2e 63 62 73 2e 64 6b 7c 75 74 6d   uhuhu.cbs.dk|utm
>> 02c0  63 63 74 3d 2f 6f 6d 5f 63 62 73 2f 6f 6d 5f 77   cct=/om_cbs/om_w
>> 02d0  77 77 5f 63 62 73 5f 64 6b 2f 73 5f 67 5f 63 62   ww_cbs_dk/s_g_cb
>> 02e0  73 5f 64 6b 7c 75 74 6d 63 6d 64 3d 72 65 66 65   s_dk|utmcmd=refe
>> 02f0  72 72 61 6c 3b 20 50 48 50 53 45 53 53 49 44 3d   rral; PHPSESSID=
>> 0300  31 30 63 65 36 65 37 37 63 30 64 35 63 64 39 33   10ce6e77c0d5cd93
>> 0310  37 33 63 33 64 65 30 66 33 65 38 66 33 66 32 32   73c3de0f3e8f3f22
>> 0320  3b 20 5f 5f 75 74 6d 63 3d 38 36 39 31 32 39 37   ; __utmc=8691297
>> 0330  30 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c   0..Cache-Control
>> 0340  3a 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6d 61 78   : max-age=0, max
>> 0350  2d 61 67 65 3d 30 0d 0a 41 75 74 68 6f 72 69 7a   -age=0..Authoriz
>> 0360  61 74 69 6f 6e 3a 20 4e 65 67 6f 74 69 61 74 65   ation: Negotiate
>> 0370  20 59 49 49 44 37 67 59 47 4b 77 59 42 42 51 55    YIID7gYGKwYBBQU
>> 0380  43 6f 49 49 44 34 6a 43 43 41 39 36 67 48 7a 41   CoIID4jCCA96gHzA
>> 0390  64 42 67 6b 71 68 6b 69 47 39 78 49 42 41 67 49   dBgkqhkiG9xIBAgI
>> 03a0  47 42 53 73 46 41 51 55 43 42 67 6b 71 68 6b 69   GBSsFAQUCBgkqhki
>> 03b0  43 39 78 49 42 41 67 4b 68 42 41 4d 43 41 51 4b   C9xIBAgKhBAMCAQK
>> 03c0  69 67 67 4f 7a 42 49 49 44 72 32 43 43 41 36 73   iggOzBIIDr2CCA6s
>> 03d0  47 43 53 71 47 53 49 62 33 45 67 45 43 41 67 45   GCSqGSIb3EgECAgE
>> 03e0  41 62 6f 49 44 6d 6a 43 43 41 35 61 67 41 77 49   AboIDmjCCA5agAwI
>> 03f0  42 42 61 45 44 41 67 45 4f 6f 67 63 44 42 51 41   BBaEDAgEOogcDBQA
>> 0400  41 41 41 41 41 6f 34 48 6a 59 59 48 67 4d 49 48   AAAAAo4HjYYHgMIH
>> 0410  64 6f 41 4d 43 41 51 57 68 43 42 73 47 51 30 4a   doAMCAQWhCBsGQ0J
>> 0420  54 4c 6b 52 4c 6f 68 34 77 48 4b 41 44 41 67 45   TLkRLoh4wHKADAgE
>> 0430  44 6f 52 55 77 45 78 73 45 53 46 52 55 55 42 73   DoRUwExsESFRUUBs
>> 0440  4c 63 33 56 6e 61 53 35 6a 59 6e 4d 75 5a 47 75   Lc3VnaS5jYnMuZGu
>> 0450  6a 67 61 73 77 67 61 69 67 41 77 49 42 41 61 45   jgaswgaigAwIBAaE
>> 0460  44 41 67 45 44 6f 6f 47 62 42 49 47 59 79 34 4e   DAgEDooGbBIGYy4N
>> 0470  63 38 74 76 2b 46 74 41 6b 32 30 39 6e 70 58 4b   c8tv+FtAk209npXK
>> 0480  36 78 68 77 48 74 44 69 64 2b 55 7a 57 30 4d 37   6xhwHtDid+UzW0M7
>> 0490  53 46 33 37 52 6d 4a 50 37 74 48 66 48 56 2b 2f   SF37RmJP7tHfHV+/
>> 04a0  63 74 79 62 66 6a 6f 53 6d 47 45 77 79 64 36 59   ctybfjoSmGEwyd6Y
>> 04b0  4a 41 45 31 68 61 55 34 73 36 35 42 65 55 58 51   JAE1haU4s65BeUXQ
>> 04c0  39 4d 5a 53 6a 70 72 55 67 43 2b 6e 6b 57 41 4c   9MZSjprUgC+nkWAL
>> 04d0  76 67 4d 79 4e 57 33 34 70 4c 6c 37 5a 7a 37 6e   vgMyNW34pLl7Zz7n
>> 04e0  69 56 41 49 78 65 73 67 7a 5a 4d 58 67 6e 36 6d   iVAIxesgzZMXgn6m
>> 04f0  43 49 39 77 70 59 79 58 75 45 49 57 57 71 2f 58   CI9wpYyXuEIWWq/X
>> 0500  54 2b 4e 4f 43 7a 65 6c 47 6a 31 78 43 43 61 4c   T+NOCzelGj1xCCaL
>> 0510  62 4a 58 68 34 4c 63 31 79 6f 6b 4b 35 32 79 6e   bJXh4Lc1yokK52yn
>> 0520  64 31 35 45 78 7a 72 30 74 49 51 45 61 51 50 71   d15Exzr0tIQEaQPq
>> 0530  37 55 58 67 61 4a 71 79 6b 67 67 4b 5a 4d 49 49   7UXgaJqykggKZMII
>> 0540  43 6c 61 41 44 41 67 45 42 6f 6f 49 43 6a 41 53   ClaADAgEBooICjAS
>> 0550  43 41 6f 6a 4e 5a 4b 38 2f 55 31 50 50 71 55 34   CAojNZK8/U1PPqU4
>> 0560  4f 65 6c 4c 2f 63 6d 6e 45 42 4e 48 74 51 69 72   OelL/cmnEBNHtQir
>> 0570  4a 72 59 54 6e 32 6c 69 39 75 41 4a 43 43 6d 6c   JrYTn2li9uAJCCml
>> 0580  41 57 75 48 76 57 67 57 66 35 48 75 44 2b 71 31   AWuHvWgWf5HuD+q1
>> 0590  30 73 7a 66 2b 38 6f 64 61 47 79 50 32 62 51 63   0szf+8odaGyP2bQc
>> 05a0  78 4a 57 77 44 74 49 64 50 6c 4f 77 70 55 7a 56   xJWwDtIdPlOwpUzV
>> 05b0  78 63 39 6e 2b 32 65 4d 4e 61 4b 32 70 64 76 34   xc9n+2eMNaK2pdv4
>> 05c0  2f 6a 43 4f 79 68 52 35 6c 37 57 44 76 66 34 6c   /jCOyhR5l7WDvf4l
>> 05d0  65 53 71 70 4c 68 4e 71 47 39 4a 67 46 4c 59 6b   eSqpLhNqG9JgFLYk
>> 05e0  76 52 2f 51 4a 63 46 74 46 31                     vR/QJcFtF1
>>
>> NTLMSSP / GSSAPI Data (475 bytes):
>>
>> 0000  60 82 03 ee 06 06 2b 06 01 05 05 02 a0 82 03 e2   `.....+.........
>> 0010  30 82 03 de a0 1f 30 1d 06 09 2a 86 48 86 f7 12   0.....0...*.H...
>> 0020  01 02 02 06 05 2b 05 01 05 02 06 09 2a 86 48 82   .....+......*.H.
>> 0030  f7 12 01 02 02 a1 04 03 02 01 02 a2 82 03 b3 04   ................
>> 0040  82 03 af 60 82 03 ab 06 09 2a 86 48 86 f7 12 01   ...`.....*.H....
>> 0050  02 02 01 00 6e 82 03 9a 30 82 03 96 a0 03 02 01   ....n...0.......
>> 0060  05 a1 03 02 01 0e a2 07 03 05 00 00 00 00 00 a3   ................
>> 0070  81 e3 61 81 e0 30 81 dd a0 03 02 01 05 a1 08 1b   ..a..0..........
>> 0080  06 43 42 53 2e 44 4b a2 1e 30 1c a0 03 02 01 03   .CBS.DK..0......
>> 0090  a1 15 30 13 1b 04 48 54 54 50 1b 0b 73 75 67 69   ..0...HTTP..sugi
>> 00a0  2e 63 62 73 2e 64 6b a3 81 ab 30 81 a8 a0 03 02   .cbs.dk...0.....
>> 00b0  01 01 a1 03 02 01 03 a2 81 9b 04 81 98 cb 83 5c   ...............\
>> 00c0  f2 db fe 16 d0 24 db 4f 67 a5 72 ba c6 1c 07 b4   .....$.Og.r.....
>> 00d0  38 9d f9 4c d6 d0 ce d2 17 7e d1 98 93 fb b4 77   8..L.....~.....w
>> 00e0  c7 57 ef dc b7 26 df 8e 84 a6 18 4c 32 77 a6 09   .W...&.....L2w..
>> 00f0  00 4d 61 69 4e 2c eb 90 5e 51 74 3d 31 94 a3 a6   .MaiN,..^Qt=1...
>> 0100  b5 20 0b e9 e4 58 02 ef 80 cc 8d 5b 7e 29 2e 5e   . ...X.....[~).^
>> 0110  d9 cf b9 e2 54 02 31 7a c8 33 64 c5 e0 9f a9 82   ....T.1z.3d.....
>> 0120  23 dc 29 63 25 ee 10 85 96 ab f5 d3 f8 d3 82 cd   #.)c%...........
>> 0130  e9 46 8f 5c 42 09 a2 db 25 78 78 2d cd 72 a2 42   .F.\B...%xx-.r.B
>> 0140  b9 db 29 dd d7 91 31 ce bd 2d 21 01 1a 40 fa bb   ..)...1..-!..@..
>> 0150  51 78 1a 26 ac a4 82 02 99 30 82 02 95 a0 03 02   Qx.&.....0......
>> 0160  01 01 a2 82 02 8c 04 82 02 88 cd 64 af 3f 53 53   ...........d.?SS
>> 0170  cf a9 4e 0e 7a 52 ff 72 69 c4 04 d1 ed 42 2a c9   ..N.zR.ri....B*.
>> 0180  ad 84 e7 da 58 bd b8 02 42 0a 69 40 5a e1 ef 5a   ....X...B.i@Z..Z
>> 0190  05 9f e4 7b 83 fa ad 74 b3 37 fe f2 87 5a 1b 23   ...{...t.7...Z.#
>> 01a0  f6 6d 07 31 25 6c 03 b4 87 4f 94 ec 29 53 35 71   .m.1%l...O..)S5q
>> 01b0  73 d9 fe d9 e3 0d 68 ad a9 76 fe 3f 8c 23 b2 85   s.....h..v.?.#..
>> 01c0  1e 65 ed 60 ef 7f 89 5e 4a aa 4b 84 da 86 f4 98   .e.`...^J.K.....
>> 01d0  05 2d 89 2f 47 f4 09 70 5b 45 d4                  .-./G..p[E.
>>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
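The klist -f output quoted above (Forwardable, but no ok-as-delegate on the HTTP/ service ticket) is the kind of thing worth checking mechanically rather than by eye. The following is an added example, not code from the thread or from mod_auth_kerb: it parses MIT klist -f output and reports which service tickets lack the O flag. The sample input is the klist output quoted in the thread with the list archive's address mangling undone; the function and variable names are the example's own.

```python
"""Parse `klist -f` output and report, per service ticket, whether the KDC
set the OK-AS-DELEGATE flag.  Added example, not part of the thread or of
mod_auth_kerb.  SAMPLE_KLIST is the klist output quoted in the thread with
the archive's mail-address mangling undone.
"""
import re

# Flag letters printed by MIT klist -f (see klist(1)).
FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hardware-authenticated", "A": "preauthenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}

SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@HHK.DK

Valid starting     Expires            Service principal
07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK@HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRIA
07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK@HHK.DK
        renew until 07/19/07 09:16:49, Flags: FRAO
07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk@CBS.DK
        renew until 07/18/07 09:17:04, Flags: FRAT
07/18/07 09:35:35  07/18/07 19:16:55  host/sugi.cbs.dk@CBS.DK
        renew until 07/18/07 09:35:35, Flags: FRAT
"""

TIMESTAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
# A ticket line: start, expiry, service principal.  The flags follow on the
# next line ("renew until ..., Flags: X" or just "Flags: X").
TICKET_RE = re.compile(
    rf"^(?P<start>{TIMESTAMP})\s+(?P<expires>{TIMESTAMP})\s+(?P<service>\S+)\s*$")
FLAGS_RE = re.compile(r"Flags:\s*(?P<flags>[A-Za-z]+)")


def parse_klist(text):
    """Return a list of {"service", "start", "expires", "flags"} dicts, one per ticket."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({**m.groupdict(), "flags": ""})
            continue
        m = FLAGS_RE.search(line)
        if m and tickets:            # a flags line belongs to the most recent ticket
            tickets[-1]["flags"] = m["flags"]
    return tickets


def describe_flags(flags):
    """Expand 'FRAO' into ['forwardable', 'renewable', 'preauthenticated', 'ok-as-delegate']."""
    return [FLAG_NAMES.get(c, f"unknown({c})") for c in flags]


def delegation_report(tickets):
    """For every non-TGT service ticket, say whether it is forwardable and whether
    the KDC marked the service OK-AS-DELEGATE.  A client that decides delegation
    from this flag (Windows does) will not forward the TGT to a service that
    lacks it, however forwardable the TGT itself is."""
    report = {}
    for t in tickets:
        if t["service"].startswith("krbtgt/"):
            continue
        report[t["service"]] = {
            "forwardable": "F" in t["flags"],
            "ok_as_delegate": "O" in t["flags"],
        }
    return report


def services_missing_ok_as_delegate(text):
    """Service principals in klist output for which the KDC did not set OK-AS-DELEGATE."""
    report = delegation_report(parse_klist(text))
    return sorted(s for s, v in report.items() if not v["ok_as_delegate"])


if __name__ == "__main__":
    for svc, v in delegation_report(parse_klist(SAMPLE_KLIST)).items():
        print(f"{svc}: forwardable={v['forwardable']} ok-as-delegate={v['ok_as_delegate']}")
```

The O flag is set by the KDC, not chosen by the client, which is the part of the question the thread leaves open: on an MIT KDC it comes from the service principal's ok_as_delegate attribute (kadmin `modprinc +ok_as_delegate <principal>`), and in Active Directory from the service account's "Trust this computer/user for delegation" setting. A forwardable TGT on its own is therefore not enough for a Windows client, which only delegates to services whose ticket carries this flag.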
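Douglas's conclusion rests on the Wireshark dissection above, where the negTokenInit reqFlags shows delegFlag: False. As an added example (not code from the thread or from mod_auth_kerb), here is a small DER walker that pulls mechTypes and reqFlags out of the token in an Authorization: Negotiate header, so the same check can be made from a captured header without Wireshark. The token it decodes is constructed for the example: its GSS-API framing, mechTypes and reqFlags are laid out as in the captured frame, but the mechToken is a 4-byte placeholder rather than a real AP-REQ, and all function names are the example's own.

```python
"""Decode the SPNEGO negTokenInit from an HTTP "Authorization: Negotiate"
header and report the reqFlags the client set, in particular delegFlag.

Added example; not code from mod_auth_kerb or from the thread.  SAMPLE_TOKEN is
CONSTRUCTED: mechTypes and reqFlags match the captured frame, the mechToken
is a placeholder OCTET STRING instead of a Kerberos AP-REQ.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"

# RFC 4178 ContextFlags, bit 0 first (MSB of the BIT STRING's first octet).
REQ_FLAG_NAMES = ("delegFlag", "mutualFlag", "replayFlag", "sequenceFlag",
                  "anonFlag", "confFlag", "integFlag")

# Constructed token: [APPLICATION 0] { SPNEGO OID, [0] negTokenInit SEQUENCE {
#   [0] mechTypes { KRB5, MIT's old KRB5 OID 1.3.5.1.5.2, MS KRB5 },
#   [1] reqFlags BIT STRING 0x02 (integFlag only, delegFlag clear),
#   [2] mechToken OCTET STRING deadbeef (placeholder) } }
SAMPLE_TOKEN = bytes.fromhex(
    "603b" "06062b0601050502" "a031" "302f"
    "a01f301d06092a864886f71201020206052b0501050206092a864882f712010202"
    "a10403020102"
    "a2060404deadbeef"
)
SAMPLE_HEADER = "Negotiate " + base64.b64encode(SAMPLE_TOKEN).decode("ascii")


def read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8N, then N length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of token")
    return tag, buf[pos:end], end


def decode_oid(contents):
    """DER OID contents to dotted form: first octet is 40*a+b, then base-128 arcs."""
    arcs = [contents[0] // 40, contents[0] % 40]
    acc = 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_neg_token_init(token):
    """Return {"mechTypes": [...], "reqFlags": {...}, "mechTokenLen": n} for a negTokenInit."""
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("mechanism is not SPNEGO")
    tag, neg, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("not a negTokenInit (context tag [0] expected)")
    tag, seq, _ = read_tlv(neg, 0)
    if tag != 0x30:
        raise ValueError("negTokenInit body is not a SEQUENCE")

    info = {"mechTypes": [], "reqFlags": {}, "mechTokenLen": 0}
    pos = 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA0:                                  # [0] mechTypes
            _, lst, _ = read_tlv(val, 0)
            p = 0
            while p < len(lst):
                _, mech, p = read_tlv(lst, p)
                info["mechTypes"].append(decode_oid(mech))
        elif tag == 0xA1:                                # [1] reqFlags (OPTIONAL)
            _, bits, _ = read_tlv(val, 0)                # bits[0] = unused-bit count
            first = bits[1] if len(bits) > 1 else 0
            for i, name in enumerate(REQ_FLAG_NAMES):
                info["reqFlags"][name] = bool(first >> (7 - i) & 1)
        elif tag == 0xA2:                                # [2] mechToken (the AP-REQ)
            _, tok, _ = read_tlv(val, 0)
            info["mechTokenLen"] = len(tok)
    return info


def client_requests_delegation(authorization_header):
    """True if the header's negTokenInit carries delegFlag; False if clear or absent."""
    scheme, _, b64 = authorization_header.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    info = parse_neg_token_init(base64.b64decode(b64))
    return info["reqFlags"].get("delegFlag", False)


if __name__ == "__main__":
    info = parse_neg_token_init(SAMPLE_TOKEN)
    for mech in info["mechTypes"]:
        print("mechType:", mech)
    for name, value in info["reqFlags"].items():
        print(f"{name}: {value}")
    print("client requests delegation:", client_requests_delegation(SAMPLE_HEADER))
```

One caveat for anyone relying on this check: RFC 4178 says acceptors should ignore reqFlags, and the delegation request the Kerberos mechanism actually acts on (the one GSS_C_DELEG_FLAG in ret_flags reports) lives in the encrypted authenticator checksum of the inner AP-REQ, which can only be read with the service key. The cleartext reqFlags are still a useful first hint, and a delegFlag that is clear there, as in the captured frame, is consistent with a client that never asked to delegate.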


