[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Mikkel Kruse Johnsen mikkel at linet.dk
Mon Jul 30 04:53:20 EDT 2007


Hi Achim

I see your point; here is the new patch. I still get this error:

[Mon Jul 30 10:51:26 2007] [debug] src/mod_auth_kerb.c(1458): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Mon Jul 30 10:51:26 2007] [debug] src/mod_auth_kerb.c(1458): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Mon Jul 30 10:51:26 2007] [debug] src/mod_auth_kerb.c(1148): [client
130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk at CBS.DK
[Mon Jul 30 10:51:26 2007] [debug] src/mod_auth_kerb.c(1269): [client
130.226.36.170] Verifying client data using KRB5 GSS-API
[Mon Jul 30 10:51:26 2007] [debug] src/mod_auth_kerb.c(1286): [client
130.226.36.170] Verification returned code 0
[Mon Jul 30 10:51:26 2007] [debug] src/mod_auth_kerb.c(1304): [client
130.226.36.170] GSS-API token of length 22 bytes will be sent back
[Mon Jul 30 10:51:26 2007] [debug] src/mod_auth_kerb.c(1352): [client
130.226.36.170] set cached name mkj.lib at CBS.DK for connection
[Mon Jul 30 10:51:26 2007] [debug] src/mod_auth_kerb.c(1361): [client
130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
available
[Mon Jul 30 10:51:26 2007] [error] [client 130.226.36.170] Cannot store
delegated credential (gss_krb5_copy_ccache: Invalid credential was
supplied (No error))

/Mikkel


On Fri, 2007-07-27 at 20:19 +0200, Achim Grolms wrote:

> On Friday 27 July 2007 09:14, Mikkel Kruse Johnsen wrote:
> 
> > After the patch (attached) I get this.
> 
> I think your patch does my idea wrong.
> 
> Your patch checks
> 
> major_status == GSS_S_COMPLETE
> 
> but in your patch major_status is the return-value of gss_display_name(),
> not of accept_sec_token.
> 
> You need to store the return-value of accept_sec_token
> in a 2nd variable, "major_status_accept" for example
> and check 
> 
> major_status_accept == GSS_S_COMPLETE
> (or move the delegation-store-code directly below the
> accept_sec_token() so major_status really holds the value
> of accept_sec_token).
> 
> Maybe the client tries to do mutual authentication and the
> TGT is only delegated *after* the mutual-auth-roundtrip has finished?
> 
> Achim

Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: mikkel at linet.dk
www: http://www.linet.dk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod_auth_kerb-5.3-deleg.patch
Type: text/x-patch
Size: 4093 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20070730/3bad8874/attachment.bin
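
Added example, not code from mod_auth_kerb or from either poster: a self-contained C model of the status-variable point raised in the quoted reply. The `model_*` and `step_*` names, the `ctx` struct and the two-leg exchange are constructed for illustration, and no GSS-API library is called.

```c
#include <stdio.h>

/* Constructed model, no real GSS-API calls. Values mirror GSS_S_COMPLETE,
 * GSS_S_CONTINUE_NEEDED and GSS_C_DELEG_FLAG. */
enum { ST_COMPLETE = 0, ST_CONTINUE_NEEDED = 1, FLAG_DELEG = 1 };
enum { NOT_STORED = 0, STORED = 1, STORE_FAILED = -1 };

struct ctx { int legs_left; };  /* hypothetical: accept legs still to run */

/* Stand-in for the accept call. Assumption of this model: the delegation flag
 * is reported on every leg, the credential handle only on the last one. */
static int model_accept(struct ctx *c, int *flags, int *cred) {
    *flags = FLAG_DELEG;
    c->legs_left--;
    *cred = (c->legs_left == 0);
    return *cred ? ST_COMPLETE : ST_CONTINUE_NEEDED;
}

/* Stand-in for gss_display_name(): succeeds whatever the context state is. */
static int model_display_name(void) { return ST_COMPLETE; }

/* Stand-in for the ccache copy: fails on a credential that is not there yet. */
static int model_store(int cred) { return cred ? STORED : STORE_FAILED; }

/* One variable reused: at the check it holds the display-name result. */
int step_reused_status(struct ctx *c) {
    int flags, cred;
    int major_status = model_accept(c, &flags, &cred);
    major_status = model_display_name();       /* overwrites the accept result */
    if (major_status == ST_COMPLETE && (flags & FLAG_DELEG))
        return model_store(cred);
    return NOT_STORED;
}

/* Accept result kept in its own variable, as suggested in the quoted reply. */
int step_separate_status(struct ctx *c) {
    int flags, cred;
    int major_status_accept = model_accept(c, &flags, &cred);
    int major_status = model_display_name();
    if (major_status != ST_COMPLETE) return NOT_STORED;
    if (major_status_accept == ST_COMPLETE && (flags & FLAG_DELEG))
        return model_store(cred);
    return NOT_STORED;
}

int main(void) {
    struct ctx a = { 2 }, b = { 2 };
    printf("reused, leg 1: %d\n", step_reused_status(&a));
    printf("separate, leg 1: %d\n", step_separate_status(&b));
    printf("separate, leg 2: %d\n", step_separate_status(&b));
    return 0;
}
```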

