using UPN to auth

Markus Moeller huaraz at moeller.plus.com
Wed Mar 12 16:30:00 EDT 2008


OK. Here is a patch I did some time ago for mod_auth_kerb, but you need to
escape the @ inside the user part, e.g. user\@mailaddress.com


Markus


--- mod_auth_kerb.c 2007-12-22 14:03:26.000000000 +0000
+++ mod_auth_kerb.c.new 2008-03-12 20:19:42.000000000 +0000
@@ -679,6 +679,13 @@
    if (ret == 0) {
       log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
           "Trying to get TGT for user %s", name);
+      if (!strstr(name, "\\@")) {
+#ifdef HEIMDAL
+         principal->name.name_type=10;
+#else
+         principal->type=10;
+#endif
+      }
       free(name);
    }

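Review bot: The enterprise name type is written as the magic number 10 straight into the principal struct in both the HEIMDAL and MIT branches; both libraries name that value `KRB5_NT_ENTERPRISE_PRINCIPAL`, and setting it through the library's principal-type accessor rather than `principal->type` / `principal->name.name_type` would not depend on the struct layout. The guard `!strstr(name, "\\@")` also looks inverted if `name` is the unparsed principal: an escaped `\@` is exactly what marks a UPN-style user such as `user\@mailaddress.com`, so as written every ordinary principal would be sent as an enterprise name and the UPN ones would not — confirm what `name` holds at this point. A short comment such as `/* UPN-style user: ask the KDC to resolve it as an enterprise name (UPN lookup) */` would make the intent checkable. The enclosing function starts and ends outside the hunk.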
@@ -892,6 +899,7 @@
    char            *name = NULL;
    int             all_principals_unkown;
    char            *p = NULL;
+   char            *q = NULL;

    code = krb5_init_context(&kcontext);
    if (code) {
@@ -946,9 +954,22 @@
       *p++ = '\0';
       if (conf->krb_auth_realms && !ap_find_token(r->pool, 
conf->krb_auth_realms, p)) {
   log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-             "Specified realm `%s' not allowed by configuration", p);
-         ret = HTTP_UNAUTHORIZED;
-         goto end;
+                    "Specified realm `%s' is not defined by configuration 
assume it is an email addess", p);
+
+         q=apr_psprintf(r->pool, "%s\\@%s", sent_name, p);
+         sent_name = apr_pstrdup (r->pool, q);
+         free(q);
+         p = strchr(p, '@');
+         if (p) {
+            *p++ = '\0';
+            if (conf->krb_auth_realms && !ap_find_token(r->pool, 
conf->krb_auth_realms, p)) {
+               log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                          "Specified realm `%s' not allowed by 
configuration", p);
+
+               ret = HTTP_UNAUTHORIZED;
+               goto end;
+            }
+         }
       }
    }

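Review bot: `q` is allocated from `r->pool` by `apr_psprintf` and then passed to `free()`, which hands pool-owned memory to the C allocator and corrupts the heap; drop the `free(q)` and the extra `apr_pstrdup` copy and write `sent_name = apr_psprintf(r->pool, "%s\\@%s", sent_name, p);`. For the access control this hunk also turns the `KrbAuthRealms` rejection into a fallback: a name whose realm is not on the allow-list is no longer refused but re-interpreted as a UPN (presumably completed with the default realm further down), and the allow-list is only re-applied when a second `@` follows, so if the realm restriction is meant as a hard control the fallback should sit behind an explicit configuration option. Note too that `p` is left NULL when no second `@` exists, whereas before the hunk it always pointed at a realm, so the code after the hunk must cope with that. The new log message misspells "address", and the inner `conf->krb_auth_realms &&` is redundant because the outer condition already established it.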



"Terry" <td3201 at gmail.com> wrote in message 
news:8ee061010803121254ra78c99fw402b152bfc15951b at mail.gmail.com...
> Man, this is a mess.  Not sure I want to dig this deep into the problem.
>
> On Wed, Mar 12, 2008 at 2:09 PM, Markus Moeller <huaraz at moeller.plus.com> 
> wrote:
>> Yes you need to modify mod_auth_kerb. One thing you need to be aware of is
>>  that determining the realm is more difficult, as the email address
>>  contains @ and the REALM is also introduced by @.
>>
>>  Markus
>>
>>  Source inserted below:
>>
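#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <krb5.h>

/*
 * mkinit: a minimal kinit that can authenticate with a UPN-style name
 * (jdoe@domain.com) against an Active Directory KDC by requesting an
 * enterprise principal (name type NT-ENTERPRISE, value 10).
 *
 * Usage: mkinit principal [realm ...]
 *   With no realm, REALM below is used.  With several realms each one is
 *   tried in turn for as long as the KDC answers "principal/realm unknown".
 */

/* Realm used when none is given on the command line. */
#define REALM "WIN2003R2.HOME"

/* Enterprise name type; older headers may not define the name. */
#ifndef KRB5_NT_ENTERPRISE_PRINCIPAL
#define KRB5_NT_ENTERPRISE_PRINCIPAL 10
#endif

/* Exit statuses, kept identical to the original program's. */
enum {
    MKINIT_EXIT_OK      = 0,
    MKINIT_EXIT_PARSE   = 1,
    MKINIT_EXIT_USAGE   = -1,
    MKINIT_EXIT_CONTEXT = -2,
    MKINIT_EXIT_CCACHE  = -3,
    MKINIT_EXIT_KRB     = 999
};

/*
 * Build the textual principal "<user>@<realm>" for krb5_parse_name().
 *
 * If `user` is itself an e-mail style UPN (contains '@'), its first '@' is
 * escaped as "\@" so the parser keeps it inside the name component instead
 * of reading it as the realm separator; *is_upn is set to 1 in that case
 * and 0 otherwise.
 *
 * Returns a malloc()ed string the caller frees, or NULL on allocation
 * failure.
 */
static char *build_principal_text(const char *user, const char *realm,
                                  int *is_upn)
{
    size_t user_len = strlen(user);
    size_t realm_len = strlen(realm);
    const char *at = strchr(user, '@');
    /* user, optional backslash, '@', realm, NUL */
    size_t need = user_len + realm_len + 3;
    char *text = malloc(need);

    if (text == NULL)
        return NULL;
    if (at != NULL) {
        *is_upn = 1;
        snprintf(text, need, "%.*s\\%s@%s", (int)(at - user), user, at, realm);
    } else {
        *is_upn = 0;
        snprintf(text, need, "%s@%s", user, realm);
    }
    return text;
}

/*
 * Parse "<user>@<realm>" into *out and, for a UPN-style user, mark the
 * principal as an enterprise name so the KDC resolves it by UPN rather
 * than by sAMAccountName.
 *
 * Prints a diagnostic and returns the krb5 error (or ENOMEM) on failure;
 * on success *out is owned by the caller (krb5_free_principal).
 */
static krb5_error_code make_principal(krb5_context ctx, const char *prog,
                                      const char *user, const char *realm,
                                      krb5_principal *out)
{
    int is_upn = 0;
    char *text = build_principal_text(user, realm, &is_upn);
    krb5_error_code code;

    if (text == NULL) {
        com_err(prog, ENOMEM, "when building principal name for %s", user);
        return ENOMEM;
    }
    code = krb5_parse_name(ctx, text, out);
    if (code) {
        com_err(prog, code, "when parsing name %s", text);
        free(text);
        return code;
    }
    free(text);
    if (is_upn) {
        /* NOTE(review): written through the struct as in the original;
         * prefer the library's principal-type accessor where available. */
#ifdef HEIMDAL
        (*out)->name.name_type = KRB5_NT_ENTERPRISE_PRINCIPAL;
#else
        (*out)->type = KRB5_NT_ENTERPRISE_PRINCIPAL;
#endif
    }
    return 0;
}

/* Report a failed krb5_get_init_creds_password() the way kinit does. */
static void report_creds_error(const char *prog, krb5_error_code code)
{
    if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
        fprintf(stderr,
                "%s: Password incorrect while getting initial credentials\n",
                prog);
    else
        com_err(prog, code, "while getting initial credentials");
}

/* The KDC did not know the principal or the realm: worth trying elsewhere. */
static int is_unknown_here(krb5_error_code code)
{
    return code == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN ||
           code == KRB5_REALM_UNKNOWN;
}

/*
 * Initialise `cache` for `princ` and store the freshly obtained `creds`.
 * Prints a diagnostic and returns the krb5 error on failure.
 */
static krb5_error_code store_creds(krb5_context ctx, const char *prog,
                                   krb5_ccache cache, krb5_principal princ,
                                   krb5_creds *creds)
{
    krb5_error_code code = krb5_cc_initialize(ctx, cache, princ);

    if (code) {
        com_err(prog, code, "when initializing cache");
        return code;
    }
    code = krb5_cc_store_cred(ctx, cache, creds);
    if (code)
        com_err(prog, code, "while storing credentials");
    return code;
}

int main(int argc, char *argv[])
{
    const char *prog = argv[0];
    const char *user;
    char *const *realms;
    int nrealms;
    int i;
    int status = MKINIT_EXIT_KRB;
    krb5_context ctx;
    krb5_ccache cache;
    krb5_get_init_creds_opt opts;
    krb5_error_code code;
    static char *const default_realms[] = { REALM };

    if (argc < 2) {
        fprintf(stderr, "usage: %s principal [realm ...]\n", prog);
        return MKINIT_EXIT_USAGE;
    }
    user = argv[1];
    if (argc > 2) {
        realms = &argv[2];
        nrealms = argc - 2;   /* argv[argc] is NULL and must never be read */
    } else {
        realms = default_realms;
        nrealms = 1;
    }

    code = krb5_init_context(&ctx);
    if (code) {
        com_err(prog, code, "while initializing Kerberos 5 library");
        return MKINIT_EXIT_CONTEXT;
    }
    code = krb5_cc_default(ctx, &cache);
    if (code) {
        com_err(prog, code, "while getting default ccache");
        krb5_free_context(ctx);
        return MKINIT_EXIT_CCACHE;
    }
    krb5_get_init_creds_opt_init(&opts);

    for (i = 0; i < nrealms; i++) {
        krb5_principal princ = NULL;
        krb5_creds creds;
        int store_attempted = 0;

        code = make_principal(ctx, prog, user, realms[i], &princ);
        if (code) {
            status = MKINIT_EXIT_PARSE;
            goto done;
        }

        memset(&creds, 0, sizeof creds);
        code = krb5_get_init_creds_password(ctx, &creds, princ, 0,
                                            krb5_prompter_posix, 0, 0, 0,
                                            &opts);
        if (code == 0) {
            /* Only touch the existing cache once the password was accepted. */
            code = store_creds(ctx, prog, cache, princ, &creds);
            store_attempted = 1;
        }
        krb5_free_cred_contents(ctx, &creds);
        krb5_free_principal(ctx, princ);

        if (code == 0) {
            status = MKINIT_EXIT_OK;
            goto done;
        }
        if (store_attempted)          /* store_creds() already reported */
            goto done;
        if (is_unknown_here(code) && i + 1 < nrealms)
            continue;                 /* try the next realm */
        report_creds_error(prog, code);
        goto done;
    }

done:
    krb5_cc_close(ctx, cache);
    krb5_free_context(ctx);
    return status;
}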
>>
>>
>>
>>  "Terry" <td3201 at gmail.com> wrote in message
>>  news:mailman.33.1205339252.3372.kerberos at mit.edu...
>>
>> >I am not sure if this matters but the end result is to use
>>  > mod_auth_kerb to authenticate users.  You are saying I need to
>>  > recompile it to use type 10 (enterprise name type)?  I might be able
>>  > to figure that out.  :)
>>  >
>>  >
>>  >
>>
>> > On Tue, Mar 11, 2008 at 7:32 PM, Markus Moeller 
>> > <huaraz at moeller.plus.com>
>>  > wrote:
>>
>>
>>  >> You need a modified kinit which sets the principal type to 10 (enterprise
>>  >> name type). Windows will then use the UPN instead of the samaccountname
>>  >> to authenticate. (See attached sample mkinit.c)
>>  >>
>>  >>  Markus.
>>  >>
>>  >>  BTW If your client supports client canonicalisation you can authenticate
>>  >>  as jdoe at domain.com but get a ticket for samaccountname.
>>  >>
>>  >>  "Terry" <td3201 at gmail.com> wrote in message
>>  >>  news:8ee061010803111146g3d5b36b2rd5e22be1d3961073 at mail.gmail.com...
>>  >>
>>  >>
>>  >> > Hello,
>>  >>  >
>>  >>  > I am very new to this.  I have a FQDN in AD set to domain.foo. 
>> The
>>  >>  > UPN of a user is jdoe at domain.com.  (note the difference between 
>> foo
>>  >>  > and com).
>>  >>  >
>>  >>  > How can I authenticate with jdoe at domain.com?  I am able to auth
>>  >>  > correctly with the sAMAccountName.
>>  >>  >
>>  >>  > Thanks!
>>  >>  >
>>  >>
>>  >>
>>  >>
>>
>>
> 




