[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Mikkel Kruse Johnsen mikkel at linet.dk
Mon Jul 30 04:40:56 EDT 2007


Hi All

Here is the dump from Windows using firefox and IE7

I was thinking that maybe it could be a linking problem in
mod_auth_kerb, using both gssapi (cyrus-sasl) and kerberos5 (MIT krb5).

Here is the building process:


[mkj at sugi SPECS]$ rpmbuild -ba mod_auth_kerb.spec 
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.59548
+ umask 022
+ cd /home/mkj/rpm/BUILD
+ cd /home/mkj/rpm/BUILD
+ rm -rf mod_auth_kerb-5.3
+ /bin/gzip -dc /home/mkj/rpm/SOURCES/mod_auth_kerb-5.3.tar.gz
+ tar -xf -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd mod_auth_kerb-5.3
+ echo 'Patch #2 (mod_auth_kerb-5.0-cache.patch):'
Patch #2 (mod_auth_kerb-5.0-cache.patch):
+ patch -p1 -b --suffix .cache -s
+ echo 'Patch #4 (mod_auth_kerb-5.0-gcc4.patch):'
Patch #4 (mod_auth_kerb-5.0-gcc4.patch):
+ patch -p1 -b --suffix .gcc4 -s
+ echo 'Patch #5 (mod_auth_kerb-5.3-exports.patch):'
Patch #5 (mod_auth_kerb-5.3-exports.patch):
+ patch -p0 -b --suffix .exports -s
+ echo 'Patch #7 (mod_auth_kerb-5.1-krb15.patch):'
Patch #7 (mod_auth_kerb-5.1-krb15.patch):
+ patch -p1 -b --suffix .krb15 -s
+ echo 'Patch #8 (mod_auth_kerb-5.3-fixes.patch):'
Patch #8 (mod_auth_kerb-5.3-fixes.patch):
+ patch -p0 -b --suffix .fixes -s
+ echo 'Patch #9 (mod_auth_kerb-5.3-deleg.patch):'
Patch #9 (mod_auth_kerb-5.3-deleg.patch):
+ patch -p1 -s
+ exit 0
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.59548
+ umask 022
+ cd /home/mkj/rpm/BUILD
+ cd mod_auth_kerb-5.3
+ CFLAGS='-O2 -g'
+ export CFLAGS
+ CXXFLAGS='-O2 -g'
+ export CXXFLAGS
+ FFLAGS='-O2 -g'
+ export FFLAGS
+ ./configure --host=x86_64-redhat-linux-gnu
--build=x86_64-redhat-linux-gnu --target=x86_64-redhat-linux-gnu
--program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin
--sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share
--includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec
--localstatedir=/usr/var --sharedstatedir=/usr/com --mandir=/usr/man
--infodir=/usr/info --without-krb4 --with-krb5=/usr/kerberos
--with-apache=/usr
checking for x86_64-redhat-linux-gnu-gcc... no
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables... 
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking whether make sets $(MAKE)... yes
checking for main in -lresolv... yes
checking how to run the C preprocessor... gcc -E
checking for egrep... grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking limits.h usability... yes
checking limits.h presence... yes
checking for limits.h... yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking stddef.h usability... yes
checking stddef.h presence... yes
checking for stddef.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking for unistd.h... (cached) yes
checking for size_t... yes
checking whether struct tm is in sys/time.h or time.h... time.h
checking gssapi.h usability... no
checking gssapi.h presence... no
checking for gssapi.h... no
checking gssapi/gssapi.h usability... yes
checking gssapi/gssapi.h presence... yes
checking for gssapi/gssapi.h... yes
checking for krb5_init_context in -lkrb5... yes
checking whether we are using Heimdal... no
checking whether the GSSAPI libraries support SPNEGO... yes
checking for apxs... /usr/sbin/apxs
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
+ make
/usr/sbin/apxs -c -I. -Ispnegokrb5 -I/usr/kerberos/include
-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv -ldl  -lresolv
-Wl,-export-symbols-regex -Wl,auth_kerb_module  src/mod_auth_kerb.c 
/usr/lib64/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic
-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
-DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/include/httpd
-I/usr/include/apr-1   -I/usr/include/apr-1  -I. -Ispnegokrb5
-I/usr/kerberos/include  -c -o src/mod_auth_kerb.lo src/mod_auth_kerb.c
&& touch src/mod_auth_kerb.slo
src/mod_auth_kerb.c: In function 'get_gss_creds':
src/mod_auth_kerb.c:1129: warning: passing argument 3 of
'gss_import_name' discards qualifiers from pointer target type
src/mod_auth_kerb.c: At top level:
src/mod_auth_kerb.c:1168: warning: 'cmp_gss_type' defined but not used
/usr/lib64/apr-1/build/libtool --silent --mode=link gcc -o
src/mod_auth_kerb.la -export-symbols-regex auth_kerb_module
-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv -ldl -lresolv
-rpath /usr/lib64/httpd/modules -module -avoid-version
src/mod_auth_kerb.lo
+ exit 0
Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.50426
+ umask 022
+ cd /home/mkj/rpm/BUILD
+ cd mod_auth_kerb-5.3
+ rm -rf /var/tmp/mod_auth_kerb-5.3-4-buildroot
+ mkdir -p /var/tmp/mod_auth_kerb-5.3-4-buildroot/usr/lib64/httpd/modules /var/tmp/mod_auth_kerb-5.3-4-buildroot/etc/httpd/conf.d
+ install -m 755 src/.libs/mod_auth_kerb.so /var/tmp/mod_auth_kerb-5.3-4-buildroot/usr/lib64/httpd/modules/mod_auth_kerb.so
+ install -m 644 /home/mkj/rpm/SOURCES/auth_kerb.conf /var/tmp/mod_auth_kerb-5.3-4-buildroot/etc/httpd/conf.d/auth_kerb.conf
+ exit 0
Processing files: mod_auth_kerb-5.3-4
Executing(%doc): /bin/sh -e /var/tmp/rpm-tmp.50426
+ umask 022
+ cd /home/mkj/rpm/BUILD
+ cd mod_auth_kerb-5.3
+ DOCDIR=/var/tmp/mod_auth_kerb-5.3-4-buildroot/usr/doc/mod_auth_kerb-5.3
+ export DOCDIR
+ rm -rf /var/tmp/mod_auth_kerb-5.3-4-buildroot/usr/doc/mod_auth_kerb-5.3
+ /bin/mkdir -p /var/tmp/mod_auth_kerb-5.3-4-buildroot/usr/doc/mod_auth_kerb-5.3
+ cp -pr README /var/tmp/mod_auth_kerb-5.3-4-buildroot/usr/doc/mod_auth_kerb-5.3
+ exit 0
Provides: config(mod_auth_kerb) = 5.3-4 mod_auth_kerb.so()(64bit)
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Requires: config(mod_auth_kerb) = 5.3-4 httpd-mmn = 20051115
libc.so.6()(64bit) libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.3.4)(64bit) libc.so.6(GLIBC_2.4)(64bit)
libcom_err.so.2()(64bit) libdl.so.2()(64bit)
libgssapi_krb5.so.2()(64bit)
libgssapi_krb5.so.2(gssapi_krb5_2_MIT)(64bit) libk5crypto.so.3()(64bit)
libkrb5.so.3()(64bit) libkrb5.so.3(krb5_3_MIT)(64bit)
libresolv.so.2()(64bit) rtld(GNU_HASH)
Checking for unpackaged file(s): /usr/lib/rpm/check-files /var/tmp/mod_auth_kerb-5.3-4-buildroot
Wrote: /home/mkj/rpm/SRPMS/mod_auth_kerb-5.3-4.src.rpm
Wrote: /home/mkj/rpm/RPMS/x86_64/mod_auth_kerb-5.3-4.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.50426
+ umask 022
+ cd /home/mkj/rpm/BUILD
+ cd mod_auth_kerb-5.3
+ rm -rf /var/tmp/mod_auth_kerb-5.3-4-buildroot
+ exit 0



On Fri, 2007-07-27 at 09:14 +0200, Mikkel Kruse Johnsen wrote:

> Hi
> 
> Settings check:
> 
> network.negotiate-auth.allow-proxies = true
> network.negotiate-auth.delegation-uris = cbs.dk,hhk.dk
> network.negotiate-auth.gsslib =
> network.negotiate-auth.trusted-uris = cbs.dk,hhk.dk
> network.negotiate-auth.using-native-gsslib = true
> 
> After the patch (attached) I get this. So it seems that status is
> GSS_S_COMPLETE:
> 
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148): [client
> 130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk at CBS.DK
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269): [client
> 130.226.36.170] Verifying client data using KRB5 GSS-API
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285): [client
> 130.226.36.170] Verification returned code 0
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303): [client
> 130.226.36.170] GSS-API token of length 22 bytes will be sent back
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351): [client
> 130.226.36.170] set cached name mkj.lib at CBS.DK for connection
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360): [client
> 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
> available
> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot
> store delegated credential (gss_krb5_copy_ccache: Invalid credential
> was supplied (No error))
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148): [client
> 130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk at CBS.DK, referer:
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269): [client
> 130.226.36.170] Verifying client data using KRB5 GSS-API, referer:
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285): [client
> 130.226.36.170] Verification returned code 0, referer:
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303): [client
> 130.226.36.170] GSS-API token of length 22 bytes will be sent back,
> referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351): [client
> 130.226.36.170] set cached name mkj.lib at CBS.DK for connection,
> referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360): [client
> 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
> available, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot
> store delegated credential (gss_krb5_copy_ccache: Invalid credential
> was supplied (No error)), referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148): [client
> 130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk at CBS.DK, referer:
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269): [client
> 130.226.36.170] Verifying client data using KRB5 GSS-API, referer:
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285): [client
> 130.226.36.170] Verification returned code 0, referer:
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303): [client
> 130.226.36.170] GSS-API token of length 22 bytes will be sent back,
> referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351): [client
> 130.226.36.170] set cached name mkj.lib at CBS.DK for connection,
> referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360): [client
> 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
> available, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot
> store delegated credential (gss_krb5_copy_ccache: Invalid credential
> was supplied (No error)), referer: http://od.cbs.dk/phpinfo.php
> 
> /Mikkel
> 
> 
> On Thu, 2007-07-26 at 22:38 +0200, Achim Grolms wrote: 
> 
> > On Thursday 26 July 2007 21:54, Douglas E. Engert wrote:
> > > Achim Grolms wrote:
> > > > On Thursday 26 July 2007 20:40, Henry B. Hotz wrote:
> > > >>> If I understand RFC2744 correct GSS_C_DELEG_FLAG
> > > >>> would not be set in that case?
> > > >>>
> > > >>> Achim
> > > >>
> > > >> Agreed.  That flag shouldn't be set AFAIK, though the value isn't
> > > >> valid until negotiation is complete.
> > > >
> > > > That means before trying to store delegated credentials
> > > > and before checking GSS_C_DELEG_FLAG
> > > > mod_auth_kerb needs to check if gss_accept_sec_context ()
> > > > returns   major_status = GSS_S_COMPLETE
> > 
> > From my point of view this means that mod_auth_kerb
> > needs a change in code.
> > It needs to be of that style:
> > 
> > the major_status of 
> > gss_accept_sec_context()
> > 
> > needs to be checked before checking GSS_C_DELEG_FLAG.
> > 
> > This can be done this way:
> > 
> > if ( major_status_accept == GSS_S_COMPLETE ) {
> >     if (conf->krb_save_credentials) {
> >         if (delegated_cred != GSS_C_NO_CREDENTIAL) {
> >              .
> >              .
> >              .
> >         }
> >      }
> > }
> > 
> > 
> > major_status_accept is the major_status returned by
> > accept_sec_token
> > 
> > Mikkel, can you give this a try?
> > Achim
> > 
> > 
> > 
> 
> Mikkel Kruse Johnsen
> Linet
> Ørholmgade 6 st tv
> 2200 København N
> 
> Tlf: +45 2128 7793
> email: mikkel at linet.dk
> www: http://www.linet.dk
> 
> 
> _______________________________________________
> modauthkerb-help mailing list
> modauthkerb-help at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
> 
> 

Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: mikkel at linet.dk
www: http://www.linet.dk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod_auth_kerb-5.0-cache.patch
Type: text/x-patch
Size: 2804 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20070730/4c3f14a7/attachment.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod_auth_kerb-5.0-gcc4.patch
Type: text/x-patch
Size: 269 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20070730/4c3f14a7/attachment-0001.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod_auth_kerb-5.1-krb15.patch
Type: text/x-patch
Size: 2122 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20070730/4c3f14a7/attachment-0002.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod_auth_kerb-5.3-deleg.patch
Type: text/x-patch
Size: 1843 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20070730/4c3f14a7/attachment-0003.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod_auth_kerb-5.3-exports.patch
Type: text/x-patch
Size: 1011 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20070730/4c3f14a7/attachment-0004.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod_auth_kerb-5.3-fixes.patch
Type: text/x-patch
Size: 2281 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20070730/4c3f14a7/attachment-0005.bin
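The delegation guard Achim proposes in the quoted thread, as an added example that is neither mod_auth_kerb's code nor anything posted in this thread. It carries the snippet a step further: the RFC 2744 major-status layout is spelled out (the GSS_* constants are copied from the RFC so the file builds with no GSS-API library installed; in real code they come from <gssapi/gssapi.h> and must not be redefined), established() is contrasted with the common `!GSS_ERROR()` shortcut that also accepts GSS_S_CONTINUE_NEEDED, and delegated credentials are only stored on a complete context that carries both GSS_C_DELEG_FLAG and a non-null handle. gss_cred_id_t is modelled as a bare pointer, FAKE_CRED and the scenario table in main() are constructed inputs, and delegation_decision() and unguarded_would_store() are hypothetical names, not mod_auth_kerb functions.

```c
/* Added example: acceptor-side "may I store delegated creds now?" with the
 * RFC 2744 status decoding made explicit. Builds with plain cc, no -lgssapi. */
#include <stdio.h>
#include <stdint.h>

typedef uint32_t OM_uint32;
typedef void *gss_cred_id_t;                 /* opaque handle in the real API */
#define GSS_C_NO_CREDENTIAL ((gss_cred_id_t)0)

/* Major-status layout, RFC 2744 section 3.9.1 (values copied from the RFC). */
#define GSS_C_CALLING_ERROR_OFFSET 24
#define GSS_C_ROUTINE_ERROR_OFFSET 16
#define GSS_C_SUPPLEMENTARY_OFFSET 0
#define GSS_C_CALLING_ERROR_MASK   0377ul
#define GSS_C_ROUTINE_ERROR_MASK   0377ul
#define GSS_C_SUPPLEMENTARY_MASK   0177777ul
#define GSS_CALLING_ERROR(x)      ((x) & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
#define GSS_ROUTINE_ERROR(x)      ((x) & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
#define GSS_SUPPLEMENTARY_INFO(x) ((x) & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
#define GSS_ERROR(x)              (GSS_CALLING_ERROR(x) | GSS_ROUTINE_ERROR(x))

#define GSS_S_COMPLETE             0
#define GSS_S_CONTINUE_NEEDED      (1ul  << (GSS_C_SUPPLEMENTARY_OFFSET + 0))
#define GSS_S_DEFECTIVE_TOKEN      (9ul  << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_C_DELEG_FLAG           1

/* Field accessors: these numbers are what gss_display_status() turns into text. */
unsigned calling_error_code(OM_uint32 major) { return (unsigned)(GSS_CALLING_ERROR(major) >> GSS_C_CALLING_ERROR_OFFSET); }
unsigned routine_error_code(OM_uint32 major) { return (unsigned)(GSS_ROUTINE_ERROR(major) >> GSS_C_ROUTINE_ERROR_OFFSET); }
unsigned supplementary_bits(OM_uint32 major) { return (unsigned)(GSS_SUPPLEMENTARY_INFO(major) >> GSS_C_SUPPLEMENTARY_OFFSET); }

/* The shortcut to avoid: "no error" is not "established"; CONTINUE_NEEDED passes it. */
int established_by_gss_error(OM_uint32 major) { return !GSS_ERROR(major); }
/* The correct test: every bit clear, including the supplementary ones. */
int established(OM_uint32 major)              { return major == GSS_S_COMPLETE; }

/* The unguarded order discussed in the thread: flags consulted regardless of
 * whether the context is complete. Kept only for contrast. */
int unguarded_would_store(OM_uint32 ret_flags, int save_credentials)
{
    return save_credentials && (ret_flags & GSS_C_DELEG_FLAG);
}

enum deleg_decision { DELEG_WAIT, DELEG_NONE, DELEG_STORE, DELEG_ERROR };

/* What the acceptor should do with delegated_cred after one
 * gss_accept_sec_context() call. ret_flags and delegated_cred are only
 * meaningful once the context is established, so they are not consulted
 * while any supplementary bit (CONTINUE_NEEDED) is still set. */
enum deleg_decision delegation_decision(OM_uint32 major, OM_uint32 ret_flags,
                                        gss_cred_id_t delegated_cred, int save_credentials)
{
    if (GSS_ERROR(major))
        return DELEG_ERROR;                   /* authentication failed; nothing to store */
    if (!established(major))
        return DELEG_WAIT;                    /* another round trip is needed */
    if (!save_credentials)
        return DELEG_NONE;                    /* KrbSaveCredentials off */
    if (!(ret_flags & GSS_C_DELEG_FLAG) || delegated_cred == GSS_C_NO_CREDENTIAL)
        return DELEG_NONE;                    /* peer did not delegate */
    return DELEG_STORE;
}

static int fake_cred_storage;
#define FAKE_CRED ((gss_cred_id_t)&fake_cred_storage)  /* constructed stand-in for a real handle */

static const char *decision_name(enum deleg_decision d)
{
    switch (d) {
    case DELEG_WAIT:  return "wait: context not established yet";
    case DELEG_NONE:  return "none: nothing delegated";
    case DELEG_STORE: return "store delegated credential";
    default:          return "error: authentication failed";
    }
}

int main(void)
{
    /* Constructed walk through a two-leg SPNEGO accept plus two edge cases. */
    struct { const char *leg; OM_uint32 major; OM_uint32 flags; gss_cred_id_t cred; } s[] = {
        { "leg 1: CONTINUE_NEEDED, stale flags",  GSS_S_CONTINUE_NEEDED,      GSS_C_DELEG_FLAG, GSS_C_NO_CREDENTIAL },
        { "leg 2: COMPLETE, delegation present",  GSS_S_COMPLETE,             GSS_C_DELEG_FLAG, FAKE_CRED },
        { "COMPLETE, flag set but no handle",     GSS_S_COMPLETE,             GSS_C_DELEG_FLAG, GSS_C_NO_CREDENTIAL },
        { "DEFECTIVE_CREDENTIAL from acceptor",   GSS_S_DEFECTIVE_CREDENTIAL, 0,                GSS_C_NO_CREDENTIAL },
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        printf("%-38s routine=%2u supp=%u  unguarded=%-5s guarded=%s\n", s[i].leg,
               routine_error_code(s[i].major), supplementary_bits(s[i].major),
               unguarded_would_store(s[i].flags, 1) ? "store" : "skip",
               decision_name(delegation_decision(s[i].major, s[i].flags, s[i].cred, 1)));
    }
    return 0;
}
```

As Mikkel notes above, the posted log already shows "Verification returned code 0", i.e. GSS_S_COMPLETE, so in his case the guard is satisfied and the failure is raised by gss_krb5_copy_ccache itself; routine_error_code() is what you would apply to that call's own major status to see which routine error it reports.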


More information about the Kerberos mailing list