[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Douglas E. Engert deengert at anl.gov
Fri Jul 27 12:11:09 EDT 2007


I still think you have a client problem, of the client not delegating.
Can you use IE, or FireFox on some other platform to connect to your
server?



Mikkel Kruse Johnsen wrote:
> Hi
> 
> Settings check:
> 
> network.negotiate-auth.allow-proxies = true
> network.negotiate-auth.delegation-uris = cbs.dk,hhk.dk
> network.negotiate-auth.gsslib =
> network.negotiate-auth.trusted-uris = cbs.dk,hhk.dk
> network.negotiate-auth.using-native-gsslib = true
> 
> After the patch (attached) I get this. So it seems that status is
> GSS_S_COMPLETE:
> 
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148): [client
> 130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk at CBS.DK
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269): [client
> 130.226.36.170] Verifying client data using KRB5 GSS-API
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285): [client
> 130.226.36.170] Verification returned code 0
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303): [client
> 130.226.36.170] GSS-API token of length 22 bytes will be sent back
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351): [client
> 130.226.36.170] set cached name mkj.lib at CBS.DK for connection
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360): [client
> 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
> available
> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot store
> delegated credential (gss_krb5_copy_ccache: Invalid credential was
> supplied (No error))
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148): [client
> 130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk at CBS.DK, referer:
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269): [client
> 130.226.36.170] Verifying client data using KRB5 GSS-API, referer:
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285): [client
> 130.226.36.170] Verification returned code 0, referer:
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303): [client
> 130.226.36.170] GSS-API token of length 22 bytes will be sent back,
> referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351): [client
> 130.226.36.170] set cached name mkj.lib at CBS.DK for connection, referer:
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360): [client
> 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
> available, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot store
> delegated credential (gss_krb5_copy_ccache: Invalid credential was
> supplied (No error)), referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148): [client
> 130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk at CBS.DK, referer:
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269): [client
> 130.226.36.170] Verifying client data using KRB5 GSS-API, referer:
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285): [client
> 130.226.36.170] Verification returned code 0, referer:
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303): [client
> 130.226.36.170] GSS-API token of length 22 bytes will be sent back,
> referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351): [client
> 130.226.36.170] set cached name mkj.lib at CBS.DK for connection, referer:
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360): [client
> 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
> available, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot store
> delegated credential (gss_krb5_copy_ccache: Invalid credential was
> supplied (No error)), referer: http://od.cbs.dk/phpinfo.php
> 
> /Mikkel
> 
> 
> On Thu, 2007-07-26 at 22:38 +0200, Achim Grolms wrote:
> 
>> On Thursday 26 July 2007 21:54, Douglas E. Engert wrote:
>>> Achim Grolms wrote:
>>>> On Thursday 26 July 2007 20:40, Henry B. Hotz wrote:
>>>>>> If I understand RFC2744 correct GSS_C_DELEG_FLAG
>>>>>> would not be set in that case?
>>>>>>
>>>>>> Achim
>>>>> Agreed.  That flag shouldn't be set AFAIK, though the value isn't
>>>>> valid until negotiation is complete.
>>>> That means before trying to store delegated credentials
>>>> and before checking GSS_C_DELEG_FLAG
>>>> mod_auth_kerb needs to check if gss_accept_sec_context ()
>>>> returns   major_status = GSS_S_COMPLETE
>> From my point of view this means that mod_auth_kerb
>> needs a change in code.
>> It needs to be of that style:
>>
>> the major_status of 
>> gss_accept_sec_context()
>>
>> needs to be checked before checking GSS_C_DELEG_FLAG.
>>
>> This can be done this way:
>>
>> if ( major_status_accept == GSS_S_COMPLETE ) {
>>     if (conf->krb_save_credentials) {
>>         if (delegated_cred != GSS_C_NO_CREDENTIAL) {
>>              .
>>              .
>>              .
>>         }
>>      }
>> }
>>
>>
>> major_status_accept is the major_status returned by
>> accept_sec_token
>>
>> Mikkel, can you give this a try?
>> Achim
> 
> Mikkel Kruse Johnsen
> Linet
> Ørholmgade 6 st tv
> 2200 København N
> 
> Tlf: +45 2128 7793
> email: mikkel at linet.dk
> www: http://www.linet.dk
> 
> 
> ------------------------------------------------------------------------
> 
> diff -r -u mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c mod_auth_kerb-5.3/src/mod_auth_kerb.c
> --- mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c	2007-07-25 11:38:20.000000000 +0200
> +++ mod_auth_kerb-5.3/src/mod_auth_kerb.c	2007-07-27 09:09:21.000000000 +0200
> @@ -1215,6 +1215,8 @@
>    spnego_oid.length = 6;
>    spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
>  
> +  OM_uint32 acc_ret_flags;
> +
>    if (conf->krb_5_keytab) {
>       char *ktname;
>       /* we don't use the ap_* calls here, since the string passed to putenv()
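Review bot: the new `OM_uint32 acc_ret_flags;` declaration in this hunk sits after executable statements (the `spnego_oid` assignments), a mixed declaration that the rest of this C89-style file avoids and that older compilers reject; move it up to the function's declaration block and initialise it (`OM_uint32 acc_ret_flags = 0;`) so the later `acc_ret_flags & GSS_C_DELEG_FLAG` test never reads an indeterminate value when gss_accept_sec_context() returns before setting ret_flags.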
> @@ -1277,7 +1279,7 @@
>  				  &client_name,
>  				  NULL,
>  				  &output_token,
> -				  NULL,
> +				  &acc_ret_flags,
>  				  NULL,
>  				  &delegated_cred);
>    log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
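Review bot: passing `&acc_ret_flags` is the right change, but the value is only meaningful once gss_accept_sec_context() has returned GSS_S_COMPLETE, so nothing in this hunk should read it yet; since the `log_rerror(APLOG_MARK, APLOG_DEBUG, ...)` call right after the accept is already there, consider adding `major_status` and `acc_ret_flags` to that debug line, which would make traces like the one in this mail show directly whether the client asked for delegation on the final round trip.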
> @@ -1351,8 +1353,30 @@
>    }
>  #endif
>  
> -  if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
> -     store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
> +  if (major_status == GSS_S_COMPLETE ) {
> +    if (conf->krb_save_credentials) {
> +      if (delegated_cred != GSS_C_NO_CREDENTIAL) {
> +        if ( acc_ret_flags & GSS_C_DELEG_FLAG ) {      
> +          log_rerror( APLOG_MARK, APLOG_DEBUG, 0, r,
> +       	    "krb_save_credentials activated, GSS_C_DELEG_FLAG available", "" );
> + 
> +          store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
> +        } 
> +        else {
> +          log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
> +            "krb_save_credentials activated, no GSS_C_DELEG_FLAG", "" );
> +        }
> +      } 
> +      else {
> +        log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
> +          "krb_save_credentials activated, no GSS_C_NO_CREDENTIAL", "" );
> +      }
> +    }
> +  }
> +  else {
> +    log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
> +      "krb_save_credentials not activated, no GSS_S_COMPLETE", "" );
> +  }	 
>  
>    gss_release_buffer(&minor_status, &output_token);
>  
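Review bot: the final `else` branch of this hunk logs at APLOG_ERR whenever `major_status` is not GSS_S_COMPLETE, which includes GSS_S_CONTINUE_NEEDED on every intermediate SPNEGO round trip, and it fires even when `conf->krb_save_credentials` is off; guard it with `conf->krb_save_credentials` and drop it to APLOG_DEBUG. The message `"krb_save_credentials activated, no GSS_C_NO_CREDENTIAL"` states the opposite of what that branch means (`delegated_cred` is equal to GSS_C_NO_CREDENTIAL there); reword it to "no delegated credential received". Note also that the trace earlier in this mail reaches `store_gss_creds()` with "GSS_C_DELEG_FLAG available" and still fails in gss_krb5_copy_ccache, so the added checks do not change that failure; the original single-condition `if` stored creds under the same circumstances.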
> 
> 
> ------------------------------------------------------------------------
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


