[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Mikkel Kruse Johnsen mikkel at linet.dk
Mon Jul 30 09:22:43 EDT 2007


Hi

Just found something. It seems that the ticket is expired; look at this
patch (thanks, Achim, for pointing this out).


[Mon Jul 30 15:19:55 2007] [debug] src/mod_auth_kerb.c(1488): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Mon Jul 30 15:19:55 2007] [debug] src/mod_auth_kerb.c(1488): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Mon Jul 30 15:19:55 2007] [debug] src/mod_auth_kerb.c(1178): [client
130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk at CBS.DK
[Mon Jul 30 15:19:55 2007] [debug] src/mod_auth_kerb.c(1299): [client
130.226.36.170] Verifying client data using KRB5 GSS-API
[Mon Jul 30 15:19:55 2007] [debug] src/mod_auth_kerb.c(1316): [client
130.226.36.170] Verification returned code 0
[Mon Jul 30 15:19:55 2007] [debug] src/mod_auth_kerb.c(1334): [client
130.226.36.170] GSS-API token of length 22 bytes will be sent back
[Mon Jul 30 15:19:55 2007] [debug] src/mod_auth_kerb.c(1382): [client
130.226.36.170] set cached name mkj.lib at CBS.DK for connection
[Mon Jul 30 15:19:55 2007] [debug] src/mod_auth_kerb.c(1391): [client
130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
available
[Mon Jul 30 15:19:55 2007] [error] [client 130.226.36.170] Lifetime of
delegated credential is expired
[Mon Jul 30 15:19:55 2007] [error] [client 130.226.36.170] Cannot store
delegated credential (gss_krb5_copy_ccache: Invalid credential was
supplied (No error))


/Mikkel

---
[mkj at tux ~]$ klist 
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib at CBS.DK

Valid starting     Expires            Service principal
07/30/07 15:19:49  07/31/07 15:19:49  krbtgt/CBS.DK at CBS.DK
07/30/07 15:19:55  07/31/07 15:19:49  HTTP/sugi.cbs.dk at CBS.DK


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
----


On Thu, 2007-07-26 at 22:38 +0200, Achim Grolms wrote:

> On Thursday 26 July 2007 21:54, Douglas E. Engert wrote:
> > Achim Grolms wrote:
> > > On Thursday 26 July 2007 20:40, Henry B. Hotz wrote:
> > >>> If I understand RFC2744 correct GSS_C_DELEG_FLAG
> > >>> would not be set in that case?
> > >>>
> > >>> Achim
> > >>
> > >> Agreed.  That flag shouldn't be set AFAIK, though the value isn't
> > >> valid until negotiation is complete.
> > >
> > > That means before trying to store delegated credentials
> > > and before checking GSS_C_DELEG_FLAG
> > > mod_auth_kerb needs to check if gss_accept_sec_context ()
> > > returns   major_status = GSS_S_COMPLETE
> 
> From my point of view this means that mod_auth_kerb
> needs a change in code.
> It needs to be of this style:
> 
> the major_status of 
> gss_accept_sec_context()
> 
> needs to be checked before checking GSS_C_DELEG_FLAG.
> 
> This can be done this way:
> 
> if (major_status_accept == GSS_S_COMPLETE) {
>     if (conf->krb_save_credentials) {
>         if (delegated_cred != GSS_C_NO_CREDENTIAL) {
>             .
>             .
>             .
>         }
>     }
> }
> 
> 
> major_status_accept is the major_status returned by
> accept_sec_token
> 
> Mikkel, can you give this a try?
> Achim

Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: mikkel at linet.dk
www: http://www.linet.dk
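The ordering Achim asks for (major_status first, GSS_C_DELEG_FLAG and the delegated credential only once the context is complete, then the credential lifetime that the log above shows failing), as an added example that is not code from mod_auth_kerb or from the attached patch. It is a plain C model: no GSS-API header is included, the MAJ_* and DELEG_FLAG names are local stand-ins, and each accept_round_t is a constructed record of what one gss_accept_sec_context() call plus gss_inquire_cred() would report.

```c
/* Added model of the acceptor-side decision; the names below are local
 * stand-ins for GSS-API values, not the real header definitions. */
#include <stddef.h>
#include <stdint.h>

typedef enum { MAJ_COMPLETE, MAJ_CONTINUE_NEEDED, MAJ_FAILURE } major_status_t;
#define DELEG_FLAG 0x1u /* stand-in for GSS_C_DELEG_FLAG */

typedef struct {
    major_status_t major_status;   /* major_status of gss_accept_sec_context() */
    uint32_t       ret_flags;      /* its ret_flags output */
    int            has_deleg_cred; /* delegated_cred != GSS_C_NO_CREDENTIAL */
    uint32_t       deleg_lifetime; /* seconds left per gss_inquire_cred(); 0 = expired */
} accept_round_t;

typedef enum {
    ACTION_SEND_TOKEN_AND_WAIT, /* not finished: reply with the token, inspect nothing */
    ACTION_STORE_DELEGATED,     /* safe to call gss_krb5_copy_ccache() */
    ACTION_SKIP_NO_DELEGATION,  /* disabled, flag unset, or no credential handed over */
    ACTION_SKIP_EXPIRED,        /* "Lifetime of delegated credential is expired" */
    ACTION_REJECT               /* GSS_S_FAILURE or similar */
} action_t;

/* What the module may do after one round; krb_save_credentials mirrors KrbSaveCredentials. */
action_t after_accept_round(const accept_round_t *r, int krb_save_credentials)
{
    if (r->major_status == MAJ_FAILURE)
        return ACTION_REJECT;
    /* ret_flags and delegated_cred are only valid at GSS_S_COMPLETE;
     * reading GSS_C_DELEG_FLAG before that point was the bug. */
    if (r->major_status == MAJ_CONTINUE_NEEDED)
        return ACTION_SEND_TOKEN_AND_WAIT;
    if (!krb_save_credentials || !(r->ret_flags & DELEG_FLAG) || !r->has_deleg_cred)
        return ACTION_SKIP_NO_DELEGATION;
    if (r->deleg_lifetime == 0)
        return ACTION_SKIP_EXPIRED;
    return ACTION_STORE_DELEGATED;
}

/* Drive a multi-round negotiation: only the round that finishes it decides. */
action_t run_negotiation(const accept_round_t *rounds, size_t n, int krb_save_credentials)
{
    action_t a = ACTION_REJECT;
    for (size_t i = 0; i < n; i++) {
        a = after_accept_round(&rounds[i], krb_save_credentials);
        if (a != ACTION_SEND_TOKEN_AND_WAIT)
            break;
    }
    return a;
}
```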
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod_auth_kerb-5.3-deleg.patch
Type: text/x-patch
Size: 5518 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20070730/3fc57524/attachment.bin

