using UPN to auth
Terry
td3201 at gmail.com
Thu Mar 13 11:50:05 EDT 2008
Thanks a lot for the patch. What version did you apply this patch to?
I was able to get it to compile but it crashes (core dump) when I authenticate via
apache:
[Thu Mar 13 10:47:42 2008] [error] [client 192.168.100.103] Specified
realm `foobar.com' is not defined by configuration assume it is an
email addess
*** glibc detected *** /usr/sbin/httpd: munmap_chunk(): invalid
pointer: 0x000055555beafd90 ***
======= Backtrace: =========
Here are some more details:
realm == foobar.hms
email == jdoe at foobar.com
Thanks!
On Wed, Mar 12, 2008 at 3:30 PM, Markus Moeller <huaraz at moeller.plus.com> wrote:
> OK Here is a patch I did some time ago for mod_auth_kerb, but you need to
> escape the @, e.g. user\@mailaddress.com
>
>
> Markus
>
>
> --- mod_auth_kerb.c 2007-12-22 14:03:26.000000000 +0000
> +++ mod_auth_kerb.c.new 2008-03-12 20:19:42.000000000 +0000
> @@ -679,6 +679,13 @@
> if (ret == 0) {
> log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
> "Trying to get TGT for user %s", name);
> + if (!strstr(name, "\\@")) {
> +#ifdef HEIMDAL
> + principal->name.name_type=10;
> +#else
> + principal->type=10;
> +#endif
> + }
> free(name);
> }
>
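Review bot: The guard `if (!strstr(name, "\\@"))` looks inverted: the escaped `\@` is exactly what the later hunk inserts into `sent_name` for the e-mail style names, so as written the enterprise type is applied to every principal except those, unless `name` here is something other than the unparsed client principal (the enclosing function starts and ends outside the hunk, so this is inferred). If `name` is the unparsed principal the condition should be `if (strstr(name, "\\@"))`. Independently, poking `10` into the struct is a magic number that the rest of the thread has to explain; MIT and Heimdal headers name it `KRB5_NT_ENTERPRISE_PRINCIPAL`, so `principal->type = KRB5_NT_ENTERPRISE_PRINCIPAL;` (and the `name.name_type` form under HEIMDAL) states the intent and lets the compiler catch a typo.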
> @@ -892,6 +899,7 @@
> char *name = NULL;
> int all_principals_unkown;
> char *p = NULL;
> + char *q = NULL;
>
>
> code = krb5_init_context(&kcontext);
> if (code) {
> @@ -946,9 +954,22 @@
> *p++ = '\0';
> if (conf->krb_auth_realms && !ap_find_token(r->pool,
> conf->krb_auth_realms, p)) {
> log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> - "Specified realm `%s' not allowed by configuration", p);
> - ret = HTTP_UNAUTHORIZED;
> - goto end;
> + "Specified realm `%s' is not defined by configuration
> assume it is an email addess", p);
> +
> + q=apr_psprintf(r->pool, "%s\\@%s", sent_name, p);
> + sent_name = apr_pstrdup (r->pool, q);
> + free(q);
> + p = strchr(p, '@');
> + if (p) {
> + *p++ = '\0';
> + if (conf->krb_auth_realms && !ap_find_token(r->pool,
> conf->krb_auth_realms, p)) {
> + log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> + "Specified realm `%s' not allowed by
> configuration", p);
> +
> + ret = HTTP_UNAUTHORIZED;
> + goto end;
> + }
> + }
>
> }
> }
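Review bot: `free(q)` releases memory that `apr_psprintf(r->pool, ...)` carved out of the request pool, not a malloc block, and that mismatch is the `munmap_chunk(): invalid pointer` abort reported at the top of the thread. Pool memory is freed with the pool, so the three lines reduce to `sent_name = apr_psprintf(r->pool, "%s\\@%s", sent_name, p);` with no `apr_pstrdup` and no `free`. Note also that a realm missing from `krb_auth_realms` is no longer rejected but reinterpreted as the domain part of an e-mail name, and the realm is only re-checked when a second `@` follows, so a name without one is parsed into the default realm with no realm check at all; that widening deserves an explicit decision and a clearer log line (which currently also misspells "address"). The enclosing function begins before the hunk.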
>
>
>
>
> "Terry" <td3201 at gmail.com> wrote in message
> news:8ee061010803121254ra78c99fw402b152bfc15951b at mail.gmail.com...
>
>
> > Man, this is a mess. Not sure I want to dig this deep into the problem.
> >
> > On Wed, Mar 12, 2008 at 2:09 PM, Markus Moeller <huaraz at moeller.plus.com>
> > wrote:
> >> Yes you need to modify mod_auth_kerb. One thing you need to be aware of is
> >> that the determination of the realm is more difficult as the email
> >> address
> >> uses @ and the REALM starts with @.
> >>
> >> Markus
> >>
> >> Source inserted below:
> >>
> >> #include <stdio.h>
> >> #include <stdlib.h>
> >> #include <string.h>
> >> #include <krb5.h>
> >> #define REALM "WIN2003R2.HOME"
> >> #define KDC_OPT_CANONICALIZE 0x00010000
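/*
 * Name type that marks a principal as an "enterprise" name, so the KDC
 * (Active Directory in this thread) resolves it through the UPN instead of
 * the sAMAccountName.  Current MIT and Heimdal headers spell this
 * KRB5_NT_ENTERPRISE_PRINCIPAL; the literal value is kept here so the
 * program also builds against older krb5.h.
 */
enum { ENTERPRISE_NAME_TYPE = 10 };

/*
 * Build "<principal_name>@<realm_name>" in a freshly malloc'd buffer.
 *
 * When principal_name itself contains '@' (a UPN / e-mail style name) every
 * '@' in it is escaped as "\@" so that krb5_parse_name keeps it inside the
 * first name component instead of reading it as the realm separator.
 *
 * Returns the new string, or NULL if malloc failed.  The caller owns and
 * frees the result.
 */
static char *build_principal_name(const char *principal_name,
                                  const char *realm_name)
{
    size_t realm_len = strlen(realm_name);
    size_t at_count = 0;
    const char *s;
    char *out;
    char *w;

    for (s = principal_name; *s != '\0'; s++) {
        if (*s == '@')
            at_count++;                 /* one extra byte per escaped '@' */
    }

    /* name + escape bytes + '@' + realm + NUL */
    out = malloc(strlen(principal_name) + at_count + 1 + realm_len + 1);
    if (out == NULL)
        return NULL;

    w = out;
    for (s = principal_name; *s != '\0'; s++) {
        if (*s == '@')
            *w++ = '\\';
        *w++ = *s;
    }
    *w++ = '@';
    memcpy(w, realm_name, realm_len + 1);   /* copies the terminator too */
    return out;
}

/*
 * Parse name into *out.  When is_upn is non-zero the principal is tagged
 * with the enterprise name type (see ENTERPRISE_NAME_TYPE).
 *
 * Returns the krb5 error code from krb5_parse_name; *out is only valid when
 * 0 is returned and must then be released with krb5_free_principal.
 */
static krb5_error_code parse_principal(krb5_context kcontext, const char *name,
                                       int is_upn, krb5_principal *out)
{
    krb5_error_code code = krb5_parse_name(kcontext, name, out);

    if (code != 0)
        return code;
    if (is_upn) {
        /* The field holding the name type differs between implementations. */
#ifdef HEIMDAL
        (*out)->name.name_type = ENTERPRISE_NAME_TYPE;
#else
        (*out)->type = ENTERPRISE_NAME_TYPE;
#endif
    }
    return 0;
}

/*
 * Initialise kccache for kprincipal and store my_creds in it, reporting any
 * failure through com_err under program_name.
 *
 * Returns 0 on success or the failing krb5 error code.  my_creds is not
 * released here; the caller still owns it.
 */
static krb5_error_code store_tgt(krb5_context kcontext, krb5_ccache kccache,
                                 krb5_principal kprincipal, krb5_creds *my_creds,
                                 const char *program_name)
{
    krb5_error_code code = krb5_cc_initialize(kcontext, kccache, kprincipal);

    if (code != 0) {
        com_err(program_name, code, "when initializing cache");
        return code;
    }
    code = krb5_cc_store_cred(kcontext, kccache, my_creds);
    if (code != 0)
        com_err(program_name, code, "while storing credentials");
    return code;
}

/*
 * Report a failed krb5_get_init_creds_password call.  A bad-integrity error
 * from the KDC is the usual symptom of a wrong password, so it gets a
 * friendlier message than the generic com_err text.
 */
static void report_auth_error(const char *program_name, krb5_error_code code)
{
    if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
        fprintf(stderr,
                "%s: Password incorrect while getting initial credentials\n",
                program_name);
    else
        com_err(program_name, code, "while getting initial credentials");
}

/*
 * mkinit: a minimal kinit that can authenticate with a UPN / e-mail style
 * name by marking the client principal as an enterprise name.
 *
 * Usage: mkinit <principal> [realm ...]
 *   With no realm argument the compiled-in REALM is used; otherwise every
 *   realm given is tried in order until one of them knows the principal.
 *
 * Exit status follows the original tool: 0 on success, -1 for a missing
 * principal argument, -2 / -3 when the Kerberos context or default ccache
 * cannot be set up, 1 for an unparsable name or out-of-memory, and 999 when
 * no realm yielded a usable TGT.  (On POSIX the shell only sees the low
 * eight bits of these values.)
 */
int main(int argc, char *argv[], char **envp)
{
    const char *program_name;
    const char *principal_name;
    const char *const default_realms[1] = { REALM };
    const char *const *realms;
    int realm_count;
    int is_upn;
    krb5_context kcontext;
    krb5_ccache kccache;
    krb5_error_code code = 0;
    krb5_get_init_creds_opt options;
    int i;

    (void)envp;                         /* unused; kept for the original signature */

    program_name = argv[0];
    if (argc <= 1)
        exit(-1);
    principal_name = argv[1];

    if (argc <= 2) {
        /* No realm on the command line: use the predefined realm. */
        realms = default_realms;
        realm_count = 1;
    } else {
        /*
         * argv[2] .. argv[argc-1].  The old loop ran to i <= argc-2 and so
         * also read argv[argc], which is the terminating NULL pointer.
         */
        realms = (const char *const *)(argv + 2);
        realm_count = argc - 2;
    }

    code = krb5_init_context(&kcontext);
    if (code) {
        com_err(program_name, code, "while initializing Kerberos 5 library");
        exit(-2);
    }
    if ((code = krb5_cc_default(kcontext, &kccache))) {
        com_err(program_name, code, "while getting default ccache");
        exit(-3);
    }

    krb5_get_init_creds_opt_init(&options);

    /* An '@' inside the name means it is a UPN / e-mail address. */
    is_upn = strchr(principal_name, '@') != NULL;

    for (i = 0; i < realm_count; i++) {
        char *name;
        krb5_principal kprincipal;
        krb5_creds my_creds;

        name = build_principal_name(principal_name, realms[i]);
        if (name == NULL) {
            fprintf(stderr, "%s: out of memory\n", program_name);
            exit(1);
        }
        code = parse_principal(kcontext, name, is_upn, &kprincipal);
        if (code) {
            com_err(program_name, code, "when parsing name %s", name);
            free(name);
            exit(1);
        }
        free(name);

        /* Get the TGT; a NULL password makes the library prompt for it. */
        memset(&my_creds, 0, sizeof my_creds);
        code = krb5_get_init_creds_password(kcontext, &my_creds, kprincipal,
                                            0, krb5_prompter_posix, 0,
                                            0, 0, &options);
        if (code == 0) {
            code = store_tgt(kcontext, kccache, kprincipal, &my_creds,
                             program_name);
            krb5_free_cred_contents(kcontext, &my_creds);
            krb5_free_principal(kcontext, kprincipal);
            exit(code ? 999 : 0);
        }
        krb5_free_cred_contents(kcontext, &my_creds);
        krb5_free_principal(kcontext, kprincipal);

        /* This realm does not know the principal: try the next one. */
        if (code == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN ||
            code == KRB5_REALM_UNKNOWN)
            continue;
        break;          /* any other error (wrong password, ...) is final */
    }

    /* Either every realm rejected the principal or the last attempt failed. */
    report_auth_error(program_name, code);
    exit(999);
}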
> >>
> >>
> >>
> >> "Terry" <td3201 at gmail.com> wrote in message
> >> news:mailman.33.1205339252.3372.kerberos at mit.edu...
> >>
> >> >I am not sure if this matters but the end result is to use
> >> > mod_auth_kerb to authenticate users. You are saying I need to
> >> > recompile it to use type 10 (enterprise name type)? I might be able
> >> > to figure that out. :)
> >> >
> >> >
> >> >
> >>
> >> > On Tue, Mar 11, 2008 at 7:32 PM, Markus Moeller
> >> > <huaraz at moeller.plus.com>
> >> > wrote:
> >>
> >>
> >> >> You need a modified kinit which sets the principal type to 10
> >> >> (enterprise
> >> >> name type). Windows will then use the UPN instead of the
> >> samaccountname
> >> >> to
> >> >> authenticate. (See attached sample mkinit.c)
> >> >>
> >> >> Markus.
> >> >>
> >> >> BTW If your client supports client canonicalisation you can
> >> authenticate
> >> >> as
> >> >> jdoe at domain.com but get a ticket for samaccountname.
> >> >>
> >> >> "Terry" <td3201 at gmail.com> wrote in message
> >> >> news:8ee061010803111146g3d5b36b2rd5e22be1d3961073 at mail.gmail.com...
> >> >>
> >> >>
> >> >> > Hello,
> >> >> >
> >> >> > I am very new to this. I have a FQDN in AD set to domain.foo.
> >> The
> >> >> > UPN of a user is jdoe at domain.com. (note the difference between
> >> foo
> >> >> > and com).
> >> >> >
> >> >> > How can I authenticate with jdoe at domain.com? I am able to auth
> >> >> > correctly with the sAMAccountName.
> >> >> >
> >> >> > Thanks!
> >> >> > ________________________________________________
> >> >> > Kerberos mailing list Kerberos at mit.edu
> >> >> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >> >> >
> >> >>
> >> >> ________________________________________________
> >> >> Kerberos mailing list Kerberos at mit.edu
> >> >> https://mailman.mit.edu/mailman/listinfo/kerberos
> >> >>
> >> >>
> >>
> >> ________________________________________________
> >> Kerberos mailing list Kerberos at mit.edu
> >> https://mailman.mit.edu/mailman/listinfo/kerberos
> >>
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>