[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Douglas E. Engert deengert at anl.gov
Fri Jul 27 18:19:22 EDT 2007



Henry B. Hotz wrote:
> I think the Firefox pref overrides this, but if it's running on a 
> Windows platform with the native Kerberos (gsslib) then do we need to 
> check that the ok-as-delegate flag is set in the service ticket?  I seem 
> to remember that it didn't matter except for IE.

It might if the client is using the Microsoft gss. But his client is on RedHat?


> 
> On Jul 27, 2007, at 12:14 AM, Mikkel Kruse Johnsen wrote:
> 
>> Hi
>>
>> Settings check:
>>
>> network.negotiate-auth.allow-proxies = true
>> network.negotiate-auth.delegation-uris = cbs.dk,hhk.dk
>> network.negotiate-auth.gsslib =
>> network.negotiate-auth.trusted-uris = cbs.dk,hhk.dk
>> network.negotiate-auth.using-native-gsslib = true
>>
>> After the patch (attached) I get this. So it seems that status is 
>> GSS_S_COMPLETE:
>>
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client 
>> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and 
>> auth_type Kerberos
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client 
>> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and 
>> auth_type Kerberos
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148): [client 
>> 130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk at CBS.DK
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269): [client 
>> 130.226.36.170] Verifying client data using KRB5 GSS-API
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285): [client 
>> 130.226.36.170] Verification returned code 0
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303): [client 
>> 130.226.36.170] GSS-API token of length 22 bytes will be sent back
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351): [client 
>> 130.226.36.170] set cached name mkj.lib at CBS.DK for connection
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360): [client 
>> 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG 
>> available
>> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot 
>> store delegated credential (gss_krb5_copy_ccache: Invalid credential 
>> was supplied (No error))
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client 
>> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and 
>> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client 
>> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and 
>> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client 
>> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and 
>> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148): [client 
>> 130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk at CBS.DK, referer: 
>> http://od.cbs.dk/phpinfo.php
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269): [client 
>> 130.226.36.170] Verifying client data using KRB5 GSS-API, referer: 
>> http://od.cbs.dk/phpinfo.php
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285): [client 
>> 130.226.36.170] Verification returned code 0, referer: 
>> http://od.cbs.dk/phpinfo.php
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303): [client 
>> 130.226.36.170] GSS-API token of length 22 bytes will be sent back, 
>> referer: http://od.cbs.dk/phpinfo.php
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351): [client 
>> 130.226.36.170] set cached name mkj.lib at CBS.DK for connection, 
>> referer: http://od.cbs.dk/phpinfo.php
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360): [client 
>> 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG 
>> available, referer: http://od.cbs.dk/phpinfo.php
>> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot 
>> store delegated credential (gss_krb5_copy_ccache: Invalid credential 
>> was supplied (No error)), referer: http://od.cbs.dk/phpinfo.php
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client 
>> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and 
>> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148): [client 
>> 130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk at CBS.DK, referer: 
>> http://od.cbs.dk/phpinfo.php
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269): [client 
>> 130.226.36.170] Verifying client data using KRB5 GSS-API, referer: 
>> http://od.cbs.dk/phpinfo.php
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285): [client 
>> 130.226.36.170] Verification returned code 0, referer: 
>> http://od.cbs.dk/phpinfo.php
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303): [client 
>> 130.226.36.170] GSS-API token of length 22 bytes will be sent back, 
>> referer: http://od.cbs.dk/phpinfo.php
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351): [client 
>> 130.226.36.170] set cached name mkj.lib at CBS.DK for connection, 
>> referer: http://od.cbs.dk/phpinfo.php
>> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360): [client 
>> 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG 
>> available, referer: http://od.cbs.dk/phpinfo.php
>> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot 
>> store delegated credential (gss_krb5_copy_ccache: Invalid credential 
>> was supplied (No error)), referer: http://od.cbs.dk/phpinfo.php
>>
>> /Mikkel
>>
>>
>> On Thu, 2007-07-26 at 22:38 +0200, Achim Grolms wrote:
>>> On Thursday 26 July 2007 21:54, Douglas E. Engert wrote:
>>> > Achim Grolms wrote:
>>> > > On Thursday 26 July 2007 20:40, Henry B. Hotz wrote:
>>> > >>> If I understand RFC2744 correctly GSS_C_DELEG_FLAG
>>> > >>> would not be set in that case?
>>> > >>>
>>> > >>> Achim
>>> > >>
>>> > >> Agreed. That flag shouldn't be set AFAIK, though the value isn't
>>> > >> valid until negotiation is complete.
>>> > >
>>> > > That means before trying to store delegated credentials
>>> > > and before checking GSS_C_DELEG_FLAG
>>> > > mod_auth_kerb needs to check if gss_accept_sec_context ()
>>> > > returns major_status = GSS_S_COMPLETE
>>>
>>> From my point of view this means that mod_auth_kerb needs a change in
>>> code. It needs to be of that style: the major_status of
>>> gss_accept_sec_context() needs to be checked before checking
>>> GSS_C_DELEG_FLAG. This can be done this way:
>>>
>>> if (major_status_accept == GSS_S_COMPLETE) {
>>>     if (conf->krb_save_credentials) {
>>>         if (delegated_cred != GSS_C_NO_CREDENTIAL) {
>>>             . . .
>>>         }
>>>     }
>>> }
>>>
>>> major_status_accept is the major_status returned by accept_sec_token
>>>
>>> Mikkel, can you give this a try?
>>>
>>> Achim
>> Mikkel Kruse Johnsen
>> Linet
>> Ørholmgade 6 st tv
>> 2200 København N
>>
>> Tlf: +45 2128 7793
>> email: mikkel at linet.dk
>> www: http://www.linet.dk
>> <mod_auth_kerb-5.3-deleg.patch>
> 
> 
> 
> ------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
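The mod_auth_kerb debug output Mikkel quoted is easier to reason about when read mechanically. This added Python example (not code from the thread or from mod_auth_kerb itself) parses lines in that log format, groups them into per-client authentication attempts, and flags the attempts that reached GSS_S_COMPLETE with GSS_C_DELEG_FLAG advertised yet still failed to store the delegated credential. It assumes the archive's " at " stands for "@" in the real log and, as the thread does, reads "Verification returned code 0" as the GSS_S_COMPLETE major status; the sample log is constructed from the lines quoted above.

```python
import re
GSS_S_COMPLETE = 0  # RFC 2744 major status value: context established
# Constructed sample in the mod_auth_kerb debug format quoted above ("@" here,
# rendered " at " by the list archive); the ", referer: ..." suffix is optional.
SAMPLE_LOG = """\
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client 130.226.36.170] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client 130.226.36.170] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285): [client 130.226.36.170] Verification returned code 0
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360): [client 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG available
[Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot store delegated credential (gss_krb5_copy_ccache: Invalid credential was supplied (No error)), referer: http://od.cbs.dk/phpinfo.php
[Fri Jul 27 09:09:51 2007] [debug] src/mod_auth_kerb.c(1457): [client 192.0.2.7] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Jul 27 09:09:51 2007] [debug] src/mod_auth_kerb.c(1285): [client 192.0.2.7] Verification returned code 1
"""

LINE_RE = re.compile(
    r"^\[[^\]]+\] \[(?P<level>\w+)\] (?:src/mod_auth_kerb\.c\(\d+\): )?"
    r"\[client (?P<client>[^\]]+)\] (?P<msg>.*?)(?:, referer: \S+)?$")
STORE_PREFIX = "Cannot store delegated credential "

def parse_attempts(log_text):
    """One record per authentication attempt, grouped by client address."""
    attempts, open_by_client = [], {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        client, msg = m.group("client"), m.group("msg")
        a = open_by_client.get(client)
        if msg.startswith("kerb_authenticate_user entered"):
            # The module logs this line twice per request: open a new record
            # only if the current one already holds a verification result.
            if a is None or a["major_status"] is not None:
                a = {"client": client, "major_status": None, "deleg_flag": False,
                     "store_failed": False, "error": None}
                attempts.append(a)
                open_by_client[client] = a
        elif a is None:
            continue
        elif msg.startswith("Verification returned code "):
            a["major_status"] = int(msg.rsplit(" ", 1)[1])
        elif "GSS_C_DELEG_FLAG available" in msg:
            a["deleg_flag"] = True
        elif msg.startswith(STORE_PREFIX):
            a["store_failed"] = True
            err = msg[len(STORE_PREFIX):]
            a["error"] = err[1:-1] if err.startswith("(") and err.endswith(")") else err
    return attempts

def delegation_failures(attempts):
    """Attempts at GSS_S_COMPLETE with GSS_C_DELEG_FLAG set that still could not store the credential."""
    return [a for a in attempts if a["major_status"] == GSS_S_COMPLETE and a["deleg_flag"] and a["store_failed"]]
```

Run over the real log, the function separates the symptom in this thread (context complete, delegation advertised, copy to the ccache refused) from attempts that never got past GSS_S_CONTINUE_NEEDED, which is the case Achim's status check would catch.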
