using UPN to auth
Markus Moeller
huaraz at moeller.plus.com
Thu Mar 13 16:55:27 EDT 2008
Oops, it wasn't my final patch version. It is for mod_auth_kerb 5.3. Also you
don't need to escape the @.
Sorry
Markus
--- mod_auth_kerb.c 2008-03-13 20:51:38.000000000 +0000
+++ mod_auth_kerb.c.new 2008-03-13 20:51:19.000000000 +0000
@@ -679,6 +679,13 @@
if (ret == 0) {
log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"Trying to get TGT for user %s", name);
+ if (!strstr(name, "\\\\@")) {
+#ifdef HEIMDAL
+ principal->name.name_type=10;
+#else
+ principal->type=10;
+#endif
+ }
free(name);
}
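Review bot: the marker this test searches for is not the one hunk 3 writes. `"\\\\@"` is the C literal for two backslashes followed by `@`, whereas `sent_name` is rebuilt with `"%s\\@%s"`, a single backslash before the `@` (and `krb5_unparse_name`, whose result `name` is, judging by the `free(name)` below, quotes an embedded `@` the same single-backslash way). So `strstr` never matches and, with the leading `!`, type 10 is set on every principal, sAMAccountName logins included. Rather than re-deriving the decision from the unparsed string, carry an explicit flag from the realm-parsing code in hunk 3, e.g. `if (is_upn)`. Two smaller points: spell the bare `10` as `KRB5_NT_ENTERPRISE_PRINCIPAL`, which MIT and Heimdal both define, and prefer the accessors to poking library structs (`krb5_princ_type(kcontext, principal)` on MIT, `krb5_principal_set_type()` on Heimdal).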
@@ -892,6 +899,7 @@
char *name = NULL;
int all_principals_unkown;
char *p = NULL;
+ char *q = NULL;
code = krb5_init_context(&kcontext);
if (code) {
@@ -946,9 +954,21 @@
*p++ = '\0';
if (conf->krb_auth_realms && !ap_find_token(r->pool,
conf->krb_auth_realms, p)) {
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "Specified realm `%s' not allowed by configuration", p);
- ret = HTTP_UNAUTHORIZED;
- goto end;
+ "Specified realm `%s' is not defined by configuration
assume it is an email addess", p);
+
+ q=apr_psprintf(r->pool, "%s\\@%s", sent_name, p);
+ sent_name = apr_pstrdup (r->pool, q);
+ p = strchr(p, '@');
+ if (p) {
+ *p++ = '\0';
+ if (conf->krb_auth_realms && !ap_find_token(r->pool,
conf->krb_auth_realms, p) ) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Specified realm `%s' not allowed by
configuration", p);
+
+ ret = HTTP_UNAUTHORIZED;
+ goto end;
+ }
+ }
}
}
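Review bot: this turns a hard reject into an accept. Before, a realm missing from `conf->krb_auth_realms` returned `HTTP_UNAUTHORIZED`; now it is logged and the name is rewritten as `user\@domain`, and the replacement allow-list check only runs if `strchr(p, '@')` finds a second `@` after the first, which for an ordinary `jdoe@foobar.com` it never does, so the request continues with the `KrbAuthRealms` restriction effectively bypassed for any `user@anything`. Gate the UPN path on a dedicated configuration directive rather than on the realm's absence from the list, and keep the `ret = HTTP_UNAUTHORIZED; goto end;` path as the default. Also: an expected condition should not be logged at `APLOG_ERR` (`APLOG_DEBUG` fits), the message has a typo ("addess") and, as rendered here, is split across two lines mid-literal, and `sent_name = apr_pstrdup(r->pool, q)` duplicates a string that already lives in `r->pool`; `sent_name = apr_psprintf(r->pool, "%s\\@%s", sent_name, p);` is enough and drops `q` entirely.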
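The difficulty Markus describes further down this thread, that the realm is hard to pick out once the login name itself contains an @, is what the `\@` escaping in mkinit.c and in the patch above is about. The block below is an added example, not code from this thread, from mod_auth_kerb or from MIT/Heimdal: it reimplements only the quoting rule krb5_parse_name applies (a backslash escapes the next character; the first unescaped @ starts the realm) in plain C with no libkrb5 dependency, so it shows why a raw `jdoe@domain.com` splits into the wrong "realm" and what the escaped enterprise-name string has to look like. The realm `DOMAIN.FOO` and the two logins are constructed from Terry's description; `split_principal` and `build_principal_string` are names chosen here.

```c
/*
 * Added example (not code from the thread): the string handling behind
 * krb5_parse_name's quoting.  '\' escapes the next character, so "\@" is a
 * literal '@' that stays inside the name; the first unescaped '@' begins
 * the realm.  Name-type values are the RFC 4120 ones ("type=10" above).
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NT_PRINCIPAL            1   /* KRB5_NT_PRINCIPAL */
#define NT_ENTERPRISE_PRINCIPAL 10  /* KRB5_NT_ENTERPRISE_PRINCIPAL */

struct split_name {
    char name[256];   /* name with escapes removed */
    char realm[256];  /* empty if no realm was given */
    int  has_realm;
};

/* Split src at the first unescaped '@'.  Returns 0, or -1 on overflow or a
 * dangling trailing backslash. */
int split_principal(const char *src, struct split_name *out)
{
    size_t n = 0;
    const char *p;

    memset(out, 0, sizeof(*out));
    for (p = src; *p != '\0'; p++) {
        if (*p == '\\') {
            if (p[1] == '\0')
                return -1;
            p++;                          /* escaped char is taken literally */
        } else if (*p == '@') {
            if (strlen(p + 1) >= sizeof(out->realm))
                return -1;
            strcpy(out->realm, p + 1);    /* rest of the string is the realm */
            out->has_realm = 1;
            break;
        }
        if (n + 1 >= sizeof(out->name))
            return -1;
        out->name[n++] = *p;
    }
    out->name[n] = '\0';
    return 0;
}

/* Build "user@realm" for krb5_parse_name, escaping '@' and '\' inside user.
 * Returns the name type the caller should set on the parsed principal
 * (10 when user is a UPN/email address, 1 otherwise), or -1 if dst is
 * too small. */
int build_principal_string(const char *user, const char *realm,
                           char *dst, size_t dstlen)
{
    size_t n = 0;
    const char *p;
    int type = strchr(user, '@') ? NT_ENTERPRISE_PRINCIPAL : NT_PRINCIPAL;

    for (p = user; *p != '\0'; p++) {
        int esc = (*p == '@' || *p == '\\');
        if (n + (esc ? 2 : 1) >= dstlen)
            return -1;
        if (esc)
            dst[n++] = '\\';
        dst[n++] = *p;
    }
    if (n + 1 + strlen(realm) + 1 > dstlen)
        return -1;
    dst[n++] = '@';
    strcpy(dst + n, realm);
    return type;
}

int main(void)
{
    /* constructed inputs: a sAMAccountName and a UPN whose domain differs
     * from the realm, as in Terry's setup */
    const char *logins[] = { "jdoe", "jdoe@domain.com" };
    const char *realm = "DOMAIN.FOO";
    char buf[512];
    struct split_name sn;
    size_t i;

    for (i = 0; i < sizeof(logins) / sizeof(logins[0]); i++) {
        int type = build_principal_string(logins[i], realm, buf, sizeof(buf));
        split_principal(buf, &sn);
        printf("%-16s -> %-28s name=%-16s realm=%s type=%d\n",
               logins[i], buf, sn.name, sn.realm, type);
    }
    /* a naive split of the raw login on its first '@' yields the email
     * domain, not a realm: exactly what the allow-list check trips over */
    split_principal("jdoe@domain.com", &sn);
    printf("raw split: name=%s realm=%s\n", sn.name, sn.realm);
    return 0;
}
```

Note that `split_principal` treats only `@` and `\` specially; a `/` in the login would still be a component separator to the real library, which is why UPN-style names are the only case this example covers.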
"Terry" <td3201 at gmail.com> wrote in message
news:8ee061010803130850i1571e314k35b30617ad92d2f9 at mail.gmail.com...
> Thanks a lot for the patch. What version did you apply this patch to?
> I was able to get it to compile but it dumps when I authenticate via
> apache:
>
> [Thu Mar 13 10:47:42 2008] [error] [client 192.168.100.103] Specified
> realm `foobar.com' is not defined by configuration assume it is an
> email addess
> *** glibc detected *** /usr/sbin/httpd: munmap_chunk(): invalid
> pointer: 0x000055555beafd90 ***
> ======= Backtrace: =========
>
> Here are some more details:
> realm == foobar.hms
> email == jdoe@foobar.com
>
>
> Thanks!
>
> On Wed, Mar 12, 2008 at 3:30 PM, Markus Moeller <huaraz at moeller.plus.com>
> wrote:
>> OK, here is a patch I did some time ago for mod_auth_kerb, but you need to
>> escape the @, e.g. user\@mailaddress.com
>>
>>
>> Markus
>>
>>
>> --- mod_auth_kerb.c 2007-12-22 14:03:26.000000000 +0000
>> +++ mod_auth_kerb.c.new 2008-03-12 20:19:42.000000000 +0000
>> @@ -679,6 +679,13 @@
>> if (ret == 0) {
>> log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
>> "Trying to get TGT for user %s", name);
>> + if (!strstr(name, "\\@")) {
>> +#ifdef HEIMDAL
>> + principal->name.name_type=10;
>> +#else
>> + principal->type=10;
>> +#endif
>> + }
>> free(name);
>> }
>>
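Review bot: the polarity of this test looks inverted. `!strstr(name, "\\@")` sets type 10 exactly when the unparsed name does not contain an escaped `@`, yet mkinit.c quoted further down sets type 10 in the email-address branch, i.e. when the name does contain one; as written, a plain sAMAccountName login gets the enterprise type and a `user\@domain` login keeps the default. If that is intended, a comment should say why; otherwise drop the `!`. Note also that the follow-up version of this hunk changes the literal to `"\\\\@"`, which is yet another string (two backslashes before the `@`), so the two versions cannot both be right.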
>> @@ -892,6 +899,7 @@
>> char *name = NULL;
>> int all_principals_unkown;
>> char *p = NULL;
>> + char *q = NULL;
>>
>>
>> code = krb5_init_context(&kcontext);
>> if (code) {
>> @@ -946,9 +954,22 @@
>> *p++ = '\0';
>> if (conf->krb_auth_realms && !ap_find_token(r->pool,
>> conf->krb_auth_realms, p)) {
>> log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
>> - "Specified realm `%s' not allowed by configuration", p);
>> - ret = HTTP_UNAUTHORIZED;
>> - goto end;
>> + "Specified realm `%s' is not defined by
>> configuration
>> assume it is an email addess", p);
>> +
>> + q=apr_psprintf(r->pool, "%s\\@%s", sent_name, p);
>> + sent_name = apr_pstrdup (r->pool, q);
>> + free(q);
>> + p = strchr(p, '@');
>> + if (p) {
>> + *p++ = '\0';
>> + if (conf->krb_auth_realms && !ap_find_token(r->pool,
>> conf->krb_auth_realms, p)) {
>> + log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
>> + "Specified realm `%s' not allowed by
>> configuration", p);
>> +
>> + ret = HTTP_UNAUTHORIZED;
>> + goto end;
>> + }
>> + }
>>
>> }
>> }
>>
>>
>>
>>
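Review bot: `free(q)` here passes pool memory to the C allocator. `q` comes from `apr_psprintf(r->pool, ...)`, and APR pool memory is released with the pool, never with `free()`, so glibc sees an invalid pointer; that is the `munmap_chunk(): invalid pointer` abort Terry reports above, which fires right after the "assume it is an email addess" log line this same hunk adds. Drop the `free(q)` (the follow-up version does). With that gone, `sent_name = apr_pstrdup(r->pool, q)` only copies a string already in the same pool; `sent_name = apr_psprintf(r->pool, "%s\\@%s", sent_name, p);` does the job without `q`.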
>> "Terry" <td3201 at gmail.com> wrote in message
>> news:8ee061010803121254ra78c99fw402b152bfc15951b at mail.gmail.com...
>>
>>
>> > Man, this is a mess. Not sure I want to dig this deep into the
>> > problem.
>> >
>> > On Wed, Mar 12, 2008 at 2:09 PM, Markus Moeller
>> <huaraz at moeller.plus.com>
>> > wrote:
>> >> Yes, you need to modify mod_auth_kerb. One thing you need to be aware of is
>> >> that the determination of the realm is more difficult, as the email address
>> >> uses @ and the REALM starts with @.
>> >>
>> >> Markus
>> >>
>> >> Source inserted below:
>> >>
>> >> #include <stdio.h>
>> >> #include <stdlib.h>
>> >> #include <string.h>
>> >> #include <errno.h>
>> >> #include <krb5.h>
>> >> #include <com_err.h>
>> >>
>> >> #define REALM "WIN2003R2.HOME"
>> >> #define KDC_OPT_CANONICALIZE 0x00010000
>> >>
>> >> /*
>> >>  * Build the client principal for realm_name. If principal_name contains
>> >>  * an '@' it is an email address / UPN: the '@' is escaped as "\@" so that
>> >>  * krb5_parse_name keeps it inside the name component, and the principal
>> >>  * type is set to 10 (enterprise name type) so that Windows looks the
>> >>  * user up by UPN instead of sAMAccountName.
>> >>  */
>> >> static krb5_error_code
>> >> build_principal(krb5_context kcontext, const char *program_name,
>> >>                 const char *principal_name, const char *realm_name,
>> >>                 krb5_principal *kprincipal)
>> >> {
>> >>     krb5_error_code code;
>> >>     const char *at = strchr(principal_name, '@');
>> >>     char *name;
>> >>
>> >>     /* name + optional '\' + '@' + realm + NUL */
>> >>     name = malloc(strlen(principal_name) + 2 + strlen(realm_name) + 1);
>> >>     if (name == NULL) {
>> >>         fprintf(stderr, "%s: out of memory\n", program_name);
>> >>         return ENOMEM;
>> >>     }
>> >>     if (at != NULL) {
>> >>         /*
>> >>          * email address as principal name: user\@domain@REALM
>> >>          */
>> >>         size_t userlen = (size_t)(at - principal_name);
>> >>         memcpy(name, principal_name, userlen);
>> >>         name[userlen] = '\\';
>> >>         name[userlen + 1] = '\0';
>> >>         strcat(name, at);
>> >>     } else {
>> >>         /*
>> >>          * No email address as principal name: user@REALM
>> >>          */
>> >>         strcpy(name, principal_name);
>> >>     }
>> >>     strcat(name, "@");
>> >>     strcat(name, realm_name);
>> >>
>> >>     code = krb5_parse_name(kcontext, name, kprincipal);
>> >>     if (code)
>> >>         com_err(program_name, code, "when parsing name %s", name);
>> >>     free(name);
>> >>     if (code)
>> >>         return code;
>> >>
>> >>     if (at != NULL) {
>> >> #ifdef HEIMDAL
>> >>         (*kprincipal)->name.name_type = 10;
>> >> #else
>> >>         (*kprincipal)->type = 10;
>> >> #endif
>> >>     }
>> >>     return 0;
>> >> }
>> >>
>> >> /*
>> >>  * Get a TGT for principal_name in realm_name and store it in kccache.
>> >>  * Returns 0 on success, otherwise the Kerberos error code. "Principal
>> >>  * unknown" and "realm unknown" are not reported here because the caller
>> >>  * may want to try the next realm on those.
>> >>  */
>> >> static krb5_error_code
>> >> get_tgt(krb5_context kcontext, krb5_ccache kccache, const char *program_name,
>> >>         const char *principal_name, const char *realm_name,
>> >>         krb5_get_init_creds_opt *options)
>> >> {
>> >>     krb5_principal kprincipal = NULL;
>> >>     krb5_creds my_creds;
>> >>     krb5_error_code code;
>> >>
>> >>     memset(&my_creds, 0, sizeof(my_creds));
>> >>     code = build_principal(kcontext, program_name, principal_name, realm_name,
>> >>                            &kprincipal);
>> >>     if (code)
>> >>         return code;
>> >>
>> >>     /*
>> >>      * Get TGT
>> >>      */
>> >>     code = krb5_get_init_creds_password(kcontext, &my_creds, kprincipal,
>> >>                                         0, krb5_prompter_posix, 0, 0, 0,
>> >>                                         options);
>> >>     if (code) {
>> >>         if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
>> >>             fprintf(stderr, "%s: Password incorrect while getting initial "
>> >>                     "credentials\n", program_name);
>> >>         else if (code != KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN &&
>> >>                  code != KRB5_REALM_UNKNOWN)
>> >>             com_err(program_name, code, "while getting initial credentials");
>> >>         goto done;
>> >>     }
>> >>     code = krb5_cc_initialize(kcontext, kccache, kprincipal);
>> >>     if (code) {
>> >>         com_err(program_name, code, "when initializing cache");
>> >>         goto done;
>> >>     }
>> >>     code = krb5_cc_store_cred(kcontext, kccache, &my_creds);
>> >>     if (code)
>> >>         com_err(program_name, code, "while storing credentials");
>> >>
>> >> done:
>> >>     krb5_free_cred_contents(kcontext, &my_creds);
>> >>     krb5_free_principal(kcontext, kprincipal);
>> >>     return code;
>> >> }
>> >>
>> >> int main(int argc, char *argv[])
>> >> {
>> >>     const char *program_name = argv[0];
>> >>     const char *principal_name;
>> >>     krb5_context kcontext;
>> >>     krb5_ccache kccache;
>> >>     krb5_error_code code;
>> >>     krb5_get_init_creds_opt options;
>> >>     int i;
>> >>
>> >>     if (argc <= 1) {
>> >>         fprintf(stderr, "usage: %s principal [realm ...]\n", program_name);
>> >>         exit(-1);
>> >>     }
>> >>     principal_name = argv[1];
>> >>
>> >>     code = krb5_init_context(&kcontext);
>> >>     if (code) {
>> >>         com_err(program_name, code, "while initializing Kerberos 5 library");
>> >>         exit(-2);
>> >>     }
>> >>     if ((code = krb5_cc_default(kcontext, &kccache))) {
>> >>         com_err(program_name, code, "while getting default ccache");
>> >>         exit(-3);
>> >>     }
>> >>
>> >>     krb5_get_init_creds_opt_init(&options);
>> >>
>> >>     if (argc <= 2) {
>> >>         /*
>> >>          * No realm given on command line: use predefined realm
>> >>          */
>> >>         code = get_tgt(kcontext, kccache, program_name, principal_name,
>> >>                        REALM, &options);
>> >>     } else {
>> >>         /*
>> >>          * Realms are given on command line (argv[2] .. argv[argc-1]):
>> >>          * loop over them and try the next one while the principal is
>> >>          * unknown in the current realm
>> >>          */
>> >>         for (i = 2; i < argc; i++) {
>> >>             code = get_tgt(kcontext, kccache, program_name, principal_name,
>> >>                            argv[i], &options);
>> >>             if (code != KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN &&
>> >>                 code != KRB5_REALM_UNKNOWN)
>> >>                 break;
>> >>         }
>> >>     }
>> >>     if (code == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN || code == KRB5_REALM_UNKNOWN)
>> >>         com_err(program_name, code, "while getting initial credentials");
>> >>
>> >>     krb5_cc_close(kcontext, kccache);
>> >>     krb5_free_context(kcontext);
>> >>     exit(code ? 999 : 0);
>> >> }
>> >>
>> >>
>> >>
>> >> "Terry" <td3201 at gmail.com> wrote in message
>> >> news:mailman.33.1205339252.3372.kerberos at mit.edu...
>> >>
>> >> > I am not sure if this matters, but the end result is to use
>> >> > mod_auth_kerb to authenticate users. You are saying I need to
>> >> > recompile it to use type 10 (enterprise name type)? I might be able
>> >> > to figure that out. :)
>> >> >
>> >> >
>> >> >
>> >>
>> >> > On Tue, Mar 11, 2008 at 7:32 PM, Markus Moeller
>> >> > <huaraz at moeller.plus.com>
>> >> > wrote:
>> >>
>> >>
>> >> >> You need a modified kinit which sets the principal type to 10 (enterprise
>> >> >> name type). Windows will then use the UPN instead of the sAMAccountName
>> >> >> to authenticate. (See attached sample mkinit.c)
>> >> >>
>> >> >> Markus.
>> >> >>
>> >> >> BTW, if your client supports client canonicalisation you can authenticate
>> >> >> as jdoe@domain.com but get a ticket for the sAMAccountName.
>> >> >>
>> >> >> "Terry" <td3201 at gmail.com> wrote in message
>> >> >>
>> news:8ee061010803111146g3d5b36b2rd5e22be1d3961073 at mail.gmail.com...
>> >> >>
>> >> >>
>> >> >> > Hello,
>> >> >> >
>> >> >> > I am very new to this. I have a FQDN in AD set to domain.foo. The
>> >> >> > UPN of a user is jdoe@domain.com. (Note the difference between foo
>> >> >> > and com.)
>> >> >> >
>> >> >> > How can I authenticate with jdoe@domain.com? I am able to auth
>> >> >> > correctly with the sAMAccountName.
>> >> >> >
>> >> >> > Thanks!
>> >> >> > ________________________________________________
>> >> >> > Kerberos mailing list Kerberos at mit.edu
>> >> >> > https://mailman.mit.edu/mailman/listinfo/kerberos
>> >> >> >