[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Henry B. Hotz hotz at jpl.nasa.gov
Fri Jul 27 15:49:03 EDT 2007


I think the Firefox pref overrides this, but if it's running on a  
Windows platform with the native Kerberos (gsslib) then do we need to  
check that the ok-as-delegate flag is set in the service ticket?  I  
seem to remember that it didn't matter except for IE.

On Jul 27, 2007, at 12:14 AM, Mikkel Kruse Johnsen wrote:

> Hi
>
> Settings check:
>
> network.negotiate-auth.allow-proxies = true
> network.negotiate-auth.delegation-uris = cbs.dk,hhk.dk
> network.negotiate-auth.gsslib =
> network.negotiate-auth.trusted-uris = cbs.dk,hhk.dk
> network.negotiate-auth.using-native-gsslib = true
>
> After the patch (attached) I get this. So it seems that status is  
> GSS_S_COMPLETE:
>
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457):  
> [client 130.226.36.170] kerb_authenticate_user entered with user  
> (NULL) and auth_type Kerberos
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457):  
> [client 130.226.36.170] kerb_authenticate_user entered with user  
> (NULL) and auth_type Kerberos
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148):  
> [client 130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk at CBS.DK
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269):  
> [client 130.226.36.170] Verifying client data using KRB5 GSS-API
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285):  
> [client 130.226.36.170] Verification returned code 0
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303):  
> [client 130.226.36.170] GSS-API token of length 22 bytes will be  
> sent back
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351):  
> [client 130.226.36.170] set cached name mkj.lib at CBS.DK for connection
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360):  
> [client 130.226.36.170] krb_save_credentials activated,  
> GSS_C_DELEG_FLAG available
> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot  
> store delegated credential (gss_krb5_copy_ccache: Invalid  
> credential was supplied (No error))
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457):  
> [client 130.226.36.170] kerb_authenticate_user entered with user  
> (NULL) and auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457):  
> [client 130.226.36.170] kerb_authenticate_user entered with user  
> (NULL) and auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457):  
> [client 130.226.36.170] kerb_authenticate_user entered with user  
> (NULL) and auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148):  
> [client 130.226.36.170] Acquiring creds for HTTP/ 
> sugi.cbs.dk at CBS.DK, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269):  
> [client 130.226.36.170] Verifying client data using KRB5 GSS-API,  
> referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285):  
> [client 130.226.36.170] Verification returned code 0, referer:  
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303):  
> [client 130.226.36.170] GSS-API token of length 22 bytes will be  
> sent back, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351):  
> [client 130.226.36.170] set cached name mkj.lib at CBS.DK for  
> connection, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360):  
> [client 130.226.36.170] krb_save_credentials activated,  
> GSS_C_DELEG_FLAG available, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot  
> store delegated credential (gss_krb5_copy_ccache: Invalid  
> credential was supplied (No error)), referer: http://od.cbs.dk/ 
> phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457):  
> [client 130.226.36.170] kerb_authenticate_user entered with user  
> (NULL) and auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148):  
> [client 130.226.36.170] Acquiring creds for HTTP/ 
> sugi.cbs.dk at CBS.DK, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269):  
> [client 130.226.36.170] Verifying client data using KRB5 GSS-API,  
> referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285):  
> [client 130.226.36.170] Verification returned code 0, referer:  
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303):  
> [client 130.226.36.170] GSS-API token of length 22 bytes will be  
> sent back, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351):  
> [client 130.226.36.170] set cached name mkj.lib at CBS.DK for  
> connection, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360):  
> [client 130.226.36.170] krb_save_credentials activated,  
> GSS_C_DELEG_FLAG available, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot  
> store delegated credential (gss_krb5_copy_ccache: Invalid  
> credential was supplied (No error)), referer: http://od.cbs.dk/ 
> phpinfo.php
>
> /Mikkel
>
>
> On Thu, 2007-07-26 at 22:38 +0200, Achim Grolms wrote:
>> On Thursday 26 July 2007 21:54, Douglas E. Engert wrote:
>>> Achim Grolms wrote:
>>>> On Thursday 26 July 2007 20:40, Henry B. Hotz wrote:
>>>>>> If I understand RFC2744 correctly GSS_C_DELEG_FLAG
>>>>>> would not be set in that case?
>>>>>>
>>>>>> Achim
>>>>>
>>>>> Agreed. That flag shouldn't be set AFAIK, though the value isn't
>>>>> valid until negotiation is complete.
>>>>
>>>> That means before trying to store delegated credentials
>>>> and before checking GSS_C_DELEG_FLAG
>>>> mod_auth_kerb needs to check if gss_accept_sec_context()
>>>> returns major_status = GSS_S_COMPLETE
>>
>> From my point of view this means that mod_auth_kerb needs a change in code.
>> It needs to be of that style: the major_status of gss_accept_sec_context()
>> needs to be checked before checking GSS_C_DELEG_FLAG.
>> This can be done this way:
>>
>> if (major_status_accept == GSS_S_COMPLETE) {
>>     if (conf->krb_save_credentials) {
>>         if (delegated_cred != GSS_C_NO_CREDENTIAL) {
>>             . . .
>>         }
>>     }
>> }
>>
>> major_status_accept is the major_status returned by accept_sec_token
>>
>> Mikkel, can you give this a try?
>>
>> Achim
> Mikkel Kruse Johnsen
> Linet
> Ørholmgade 6 st tv
> 2200 København N
>
> Tlf: +45 2128 7793
> email: mikkel at linet.dk
> www: http://www.linet.dk
> <mod_auth_kerb-5.3-deleg.patch>



------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
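Henry's question above is whether the OK-AS-DELEGATE flag is present in the service ticket. On the client side the quickest way to look is `klist -f`, which prints one flag letter per ticket attribute. The script below is an added example for this thread, not code from mod_auth_kerb, Firefox or the attached patch: it parses that output and reports whether the two things a forwarded TGT depends on are there, a forwardable TGT (`F`) and a service ticket carrying ok-as-delegate (`O`). It assumes MIT krb5's `klist -f` layout and flag letters; the credential cache listing embedded in it is constructed for the example.

```python
"""Client-side check for the ticket flags that Kerberos credential delegation
to a web server depends on, read from MIT `klist -f` output.

Added example for the thread above; not mod_auth_kerb, Firefox or patch code.
Assumes MIT krb5 `klist -f` layout and flag letters; the sample cache below
is constructed for the example.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Single-letter flag codes printed by MIT `klist -f` (from the klist man page).
FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hardware-authenticated", "A": "preauthenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}

FLAGS_RE = re.compile(r"^\s+Flags:\s*([A-Za-z]*)")


@dataclass
class Ticket:
    service: str                            # service principal, e.g. HTTP/host@REALM
    flags: set = field(default_factory=set)  # set of flag letters from the Flags: line


def parse_klist(text):
    """Return (default_principal, [Ticket, ...]) from `klist -f` output."""
    default_principal = None
    tickets = []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            default_principal = line.split(":", 1)[1].strip()
            continue
        m = FLAGS_RE.match(line)
        if m and tickets:                   # "Flags:" line belongs to the previous ticket
            tickets[-1].flags.update(m.group(1))
            continue
        if line and not line[0].isspace() and not line.startswith("Ticket cache"):
            last = line.split()[-1]
            if "@" in last:                 # a ticket line ends with the service principal
                tickets.append(Ticket(service=last))
    return default_principal, tickets


def describe(flags):
    """Human-readable names for a set of flag letters."""
    return sorted(FLAG_NAMES.get(f, f"unknown({f})") for f in flags)


def delegation_check(default_principal, tickets, service):
    """Reasons why a forwarded TGT will not reach `service`; empty list means OK."""
    realm = default_principal.rsplit("@", 1)[1]
    by_name = {t.service: t for t in tickets}
    problems = []
    tgt = by_name.get(f"krbtgt/{realm}@{realm}")
    if tgt is None:
        problems.append(f"no TGT for {realm} in the cache")
    elif "F" not in tgt.flags:
        problems.append("TGT is not forwardable (kinit -f, or forwardable = true in krb5.conf)")
    st = by_name.get(service)
    if st is None:
        problems.append(f"no service ticket for {service} yet; the client has not authenticated to it")
    elif "O" not in st.flags:
        problems.append(f"service ticket for {service} lacks ok-as-delegate (O): "
                        "the KDC does not mark this service as trusted for delegation")
    return problems


def run_klist():
    """Parse the live credential cache (not used by the embedded sample)."""
    out = subprocess.run(["klist", "-f"], capture_output=True, text=True, check=True).stdout
    return parse_klist(out)


# Constructed sample: one forwardable TGT, one service ticket with O, one without.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mkj.lib@CBS.DK

Valid starting     Expires            Service principal
07/27/07 09:00:01  07/27/07 19:00:01  krbtgt/CBS.DK@CBS.DK
\tFlags: FRIA
07/27/07 09:09:50  07/27/07 19:00:01  HTTP/sugi.cbs.dk@CBS.DK
\tFlags: FRAO
07/27/07 09:10:12  07/27/07 19:00:01  HTTP/intranet.cbs.dk@CBS.DK
\tFlags: FRA
"""

if __name__ == "__main__":
    principal, tickets = parse_klist(SAMPLE_KLIST)
    for t in tickets:
        print(f"{t.service}: {', '.join(describe(t.flags))}")
    for svc in ("HTTP/sugi.cbs.dk@CBS.DK", "HTTP/intranet.cbs.dk@CBS.DK"):
        print(svc, delegation_check(principal, tickets, svc) or ["delegation possible"])
```

Whether the `O` flag is actually consulted depends on the client library: as far as I know Windows' Kerberos SSP will not forward the TGT unless the service ticket carries OK-AS-DELEGATE, whereas MIT's GSS-API forwards whenever the application asks for GSS_C_DELEG_FLAG (which Firefox does for hosts listed in network.negotiate-auth.delegation-uris), and only honours the KDC's policy through the separate GSS_C_DELEG_POLICY_FLAG added in krb5 1.7. On an AD KDC the flag follows the service account's "trusted for delegation" setting; on an MIT KDC it is the principal's ok_as_delegate attribute (`modprinc +ok_as_delegate`).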
