using UPN to auth

Terry td3201 at gmail.com
Thu Mar 13 21:59:05 EDT 2008


I am not sure if this is too much off topic to be on the list; please
remove the list in your reply if it is, but it might be helpful for
others.  The patch is failing for me.  I just downloaded the 5.3 source of
mod_auth_kerb and tried applying the patch:

[root at omajelut03 src]# patch -p0 <patch
patching file mod_auth_kerb.c
Hunk #1 FAILED at 679.
Hunk #2 FAILED at 899.
Hunk #3 FAILED at 954.
3 out of 3 hunks FAILED -- saving rejects to file mod_auth_kerb.c.rej

I really appreciate your diligence.

On Thu, Mar 13, 2008 at 3:55 PM, Markus Moeller <huaraz at moeller.plus.com> wrote:
> Oops, it wasn't my final patch version. It is for mod_auth_kerb 5.3. Also you
>  don't need to escape the @.
>
>  Sorry
>  Markus
>
>  --- mod_auth_kerb.c     2008-03-13 20:51:38.000000000 +0000
>  +++ mod_auth_kerb.c.new 2008-03-13 20:51:19.000000000 +0000
>
> @@ -679,6 +679,13 @@
>     if (ret == 0) {
>        log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
>                  "Trying to get TGT for user %s", name);
>  +      if (!strstr(name, "\\\\@")) {
>  +#ifdef HEIMDAL
>  +         principal->name.name_type=10;
>  +#else
>  +         principal->type=10;
>  +#endif
>  +      }
>        free(name);
>     }
>
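Review bot: `if (!strstr(name, "\\\\@"))` sets the enterprise name type when the marker is absent, which is the inverse of the mkinit.c sample further down, where type 10 is set only in the e-mail-address branch; confirm that the negation is intended. The marker also changed from "\\@" in the earlier version of this patch to "\\\\@" here (one backslash versus two) while sent_name is still assembled with "%s\\@%s", so at most one of the two spellings can match what krb5_unparse_name emits; check the unparsed form once and keep the test and the builder in step.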
>  @@ -892,6 +899,7 @@
>     char            *name = NULL;
>     int             all_principals_unkown;
>     char            *p = NULL;
>  +   char            *q = NULL;
>
>     code = krb5_init_context(&kcontext);
>     if (code) {
>  @@ -946,9 +954,21 @@
>
>        *p++ = '\0';
>        if (conf->krb_auth_realms && !ap_find_token(r->pool,
>  conf->krb_auth_realms, p)) {
>          log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
>  -                   "Specified realm `%s' not allowed by configuration", p);
>  -         ret = HTTP_UNAUTHORIZED;
>  -         goto end;
>  +                    "Specified realm `%s' is not defined by configuration
>  assume it is an email addess", p);
>  +
>  +         q=apr_psprintf(r->pool, "%s\\@%s", sent_name, p);
>  +         sent_name = apr_pstrdup (r->pool, q);
>
> +         p = strchr(p, '@');
>  +         if (p) {
>  +            *p++ = '\0';
>  +            if (conf->krb_auth_realms && !ap_find_token(r->pool,
>  conf->krb_auth_realms, p)  ) {
>  +               log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
>  +                          "Specified realm `%s' not allowed by
>  configuration", p);
>  +
>  +               ret = HTTP_UNAUTHORIZED;
>  +               goto end;
>  +            }
>  +         }
>        }
>     }
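Review bot: after `p = strchr(p, '@');` a login with only one `@` (the `jdoe@foobar.com` case this thread is about) leaves p NULL, and the block then falls out of the `if` without assigning a realm or rejecting, so the code that follows must tolerate a NULL realm pointer. Note also what the fallback does to KrbAuthRealms: before the patch an unlisted realm meant HTTP_UNAUTHORIZED; now a single-`@` login with an unlisted suffix is rewritten to `user\@suffix` and sent to the default realm's KDC, so the directive no longer rejects such names and the KDC becomes the only check; say so in the documentation. Two smaller points: `sent_name = apr_pstrdup (r->pool, q);` copies a string apr_psprintf already allocated from r->pool, so `sent_name = q;` is enough, and the log_rerror call now sits on a normal path but is still logged at APLOG_ERR, with a message that needs a separator and a spelling fix ("Specified realm `%s' is not defined by configuration; assuming it is an email address").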
>
>
>
>  "Terry" <td3201 at gmail.com> wrote in message
>  news:8ee061010803130850i1571e314k35b30617ad92d2f9 at mail.gmail.com...
>
>
> > Thanks a lot for the patch.  What version did you apply this patch to?
>  > I was able to get it to compile but it dumps when I authenticate via
>  > apache:
>  >
>  > [Thu Mar 13 10:47:42 2008] [error] [client 192.168.100.103] Specified
>  > realm `foobar.com' is not defined by configuration assume it is an
>  > email addess
>  > *** glibc detected *** /usr/sbin/httpd: munmap_chunk(): invalid
>  > pointer: 0x000055555beafd90 ***
>  > ======= Backtrace: =========
>  >
>  > Here are some more details:
>  > realm == foobar.hms
>  > email == jdoe at foobar.com
>  >
>  >
>  > Thanks!
>  >
>  > On Wed, Mar 12, 2008 at 3:30 PM, Markus Moeller <huaraz at moeller.plus.com>
>  > wrote:
>  >> OK, here is a patch I did some time ago for mod_auth_kerb, but you need to
>  >>  escape the @, e.g. user\@mailaddress.com
>  >>
>  >>
>  >>  Markus
>  >>
>  >>
>  >>  --- mod_auth_kerb.c 2007-12-22 14:03:26.000000000 +0000
>  >>  +++ mod_auth_kerb.c.new 2008-03-12 20:19:42.000000000 +0000
>  >>  @@ -679,6 +679,13 @@
>  >>     if (ret == 0) {
>  >>        log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
>  >>            "Trying to get TGT for user %s", name);
>  >>  +      if (!strstr(name, "\\@")) {
>  >>  +#ifdef HEIMDAL
>  >>  +         principal->name.name_type=10;
>  >>  +#else
>  >>  +         principal->type=10;
>  >>  +#endif
>  >>  +      }
>  >>        free(name);
>  >>     }
>  >>
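Review bot: `if (!strstr(name, "\\@"))` decides the name type by scanning the unparsed principal string for the escape sequence that the realm-handling hunk below inserts with `q=apr_psprintf(r->pool, "%s\\@%s", sent_name, p);`. A flag set at that point (e-mail address detected) and tested here would be more robust than matching an escape spelling, since the two depend on each other and on how krb5_unparse_name re-escapes the component.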
>  >>  @@ -892,6 +899,7 @@
>  >>     char            *name = NULL;
>  >>     int             all_principals_unkown;
>  >>     char            *p = NULL;
>  >>  +   char            *q = NULL;
>  >>
>  >>
>  >>     code = krb5_init_context(&kcontext);
>  >>     if (code) {
>  >>  @@ -946,9 +954,22 @@
>  >>        *p++ = '\0';
>  >>        if (conf->krb_auth_realms && !ap_find_token(r->pool,
>  >>  conf->krb_auth_realms, p)) {
>  >>    log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
>  >>  -             "Specified realm `%s' not allowed by configuration", p);
>  >>  -         ret = HTTP_UNAUTHORIZED;
>  >>  -         goto end;
>  >>  +                    "Specified realm `%s' is not defined by
>  >> configuration
>  >>  assume it is an email addess", p);
>  >>  +
>  >>  +         q=apr_psprintf(r->pool, "%s\\@%s", sent_name, p);
>  >>  +         sent_name = apr_pstrdup (r->pool, q);
>  >>  +         free(q);
>  >>  +         p = strchr(p, '@');
>  >>  +         if (p) {
>  >>  +            *p++ = '\0';
>  >>  +            if (conf->krb_auth_realms && !ap_find_token(r->pool,
>  >>  conf->krb_auth_realms, p)) {
>  >>  +               log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
>  >>  +                          "Specified realm `%s' not allowed by
>  >>  configuration", p);
>  >>  +
>  >>  +               ret = HTTP_UNAUTHORIZED;
>  >>  +               goto end;
>  >>  +            }
>  >>  +         }
>  >>
>  >>        }
>  >>     }
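Review bot: `free(q);` is the crash reported further up: q comes from `apr_psprintf(r->pool, ...)`, which allocates from the request pool, not from malloc, so handing it to free() is what produces the `munmap_chunk(): invalid pointer` abort in the httpd log. Remove the free (the pool releases the memory when the request ends); the preceding apr_pstrdup copy is then unnecessary as well.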
>  >>
>  >>
>  >>
>  >>
>  >>  "Terry" <td3201 at gmail.com> wrote in message
>  >>  news:8ee061010803121254ra78c99fw402b152bfc15951b at mail.gmail.com...
>  >>
>  >>
>  >> > Man, this is a mess.  Not sure I want to dig this deep into the
>  >> > problem.
>  >>  >
>  >>  > On Wed, Mar 12, 2008 at 2:09 PM, Markus Moeller <huaraz at moeller.plus.com>
>  >>  > wrote:
>  >>  >> Yes, you need to modify mod_auth_kerb. One thing you need to be aware of
>  >>  >>  is that the determination of the realm is more difficult, as the email
>  >>  >>  address uses @ and the REALM starts with @.
>  >>  >>
>  >>  >>  Markus
>  >>  >>
>  >>  >>  Source inserted below:
>  >>  >>
>  >>  >>  #include <errno.h>
>  >>  >>  #include <stdio.h>
>  >>  >>  #include <stdlib.h>
>  >>  >>  #include <string.h>
>  >>  >>  #include <krb5.h>
>  >>  >>  #include <com_err.h>
>  >>  >>
>  >>  >>  /* Realm used when none is given on the command line. */
>  >>  >>  #define REALM "WIN2003R2.HOME"
>  >>  >>  /* KDC option bit for client-name canonicalisation (see the BTW further
>  >>  >>   * down); not used by this program. */
>  >>  >>  #define KDC_OPT_CANONICALIZE 0x00010000
>  >>  >>  /* PrincipalName name-type NT-ENTERPRISE: makes the KDC look the name up
>  >>  >>   * as a UPN instead of a sAMAccountName. */
>  >>  >>  #define ENTERPRISE_NAME_TYPE 10
>  >>  >>
>  >>  >>  /*
>  >>  >>   * Build "user@REALM" or, when principal_name looks like an e-mail
>  >>  >>   * address, "user\@upn-suffix@REALM".  The escaped '@' keeps the whole
>  >>  >>   * UPN inside the first name component when krb5_parse_name reads it;
>  >>  >>   * the principal's name type is then switched to enterprise.
>  >>  >>   */
>  >>  >>  static krb5_error_code
>  >>  >>  make_principal(krb5_context kcontext, const char *program_name,
>  >>  >>                 const char *principal_name, const char *realm_name,
>  >>  >>                 krb5_principal *kprincipal)
>  >>  >>  {
>  >>  >>      const char *at = strchr(principal_name, '@');
>  >>  >>      /* user + optional '\' + "@suffix" + '@' + realm + NUL */
>  >>  >>      size_t len = strlen(principal_name) + 1 + 1 + strlen(realm_name) + 1;
>  >>  >>      char *name = malloc(len);
>  >>  >>      krb5_error_code code;
>  >>  >>
>  >>  >>      if (name == NULL) {
>  >>  >>          fprintf(stderr, "%s: out of memory\n", program_name);
>  >>  >>          return ENOMEM;
>  >>  >>      }
>  >>  >>      if (at) {
>  >>  >>          size_t user_len = (size_t)(at - principal_name);
>  >>  >>          memcpy(name, principal_name, user_len);
>  >>  >>          name[user_len] = '\\';
>  >>  >>          strcpy(name + user_len + 1, at);      /* "@upn-suffix" */
>  >>  >>      } else {
>  >>  >>          strcpy(name, principal_name);
>  >>  >>      }
>  >>  >>      strcat(name, "@");
>  >>  >>      strcat(name, realm_name);
>  >>  >>
>  >>  >>      code = krb5_parse_name(kcontext, name, kprincipal);
>  >>  >>      if (code) {
>  >>  >>          com_err(program_name, code, "when parsing name %s", name);
>  >>  >>      } else if (at) {
>  >>  >>  #ifdef HEIMDAL
>  >>  >>          (*kprincipal)->name.name_type = ENTERPRISE_NAME_TYPE;
>  >>  >>  #else
>  >>  >>          (*kprincipal)->type = ENTERPRISE_NAME_TYPE;
>  >>  >>  #endif
>  >>  >>      }
>  >>  >>      free(name);
>  >>  >>      return code;
>  >>  >>  }
>  >>  >>
>  >>  >>  int main(int argc, char *argv[])
>  >>  >>  {
>  >>  >>      const char *program_name = argv[0];
>  >>  >>      const char *principal_name;
>  >>  >>      krb5_context kcontext;
>  >>  >>      krb5_principal kprincipal = NULL;
>  >>  >>      krb5_ccache kccache;
>  >>  >>      krb5_error_code code;
>  >>  >>      krb5_creds my_creds;
>  >>  >>      krb5_get_init_creds_opt options;
>  >>  >>      int nrealms, i;
>  >>  >>
>  >>  >>      if (argc < 2) {
>  >>  >>          fprintf(stderr, "usage: %s user|user@upn-suffix [REALM ...]\n",
>  >>  >>                  program_name);
>  >>  >>          return 1;
>  >>  >>      }
>  >>  >>      principal_name = argv[1];
>  >>  >>      /* Realms on the command line are tried in order; none means REALM. */
>  >>  >>      nrealms = argc - 2;
>  >>  >>
>  >>  >>      code = krb5_init_context(&kcontext);
>  >>  >>      if (code) {
>  >>  >>          com_err(program_name, code, "while initializing Kerberos 5 library");
>  >>  >>          return 2;
>  >>  >>      }
>  >>  >>      if ((code = krb5_cc_default(kcontext, &kccache))) {
>  >>  >>          com_err(program_name, code, "while getting default ccache");
>  >>  >>          return 3;
>  >>  >>      }
>  >>  >>      /* Newer libraries prefer krb5_get_init_creds_opt_alloc(); _init still works. */
>  >>  >>      krb5_get_init_creds_opt_init(&options);
>  >>  >>      memset(&my_creds, 0, sizeof(my_creds));
>  >>  >>
>  >>  >>      for (i = 0; i < (nrealms > 0 ? nrealms : 1); i++) {
>  >>  >>          const char *realm_name = nrealms > 0 ? argv[2 + i] : REALM;
>  >>  >>
>  >>  >>          code = make_principal(kcontext, program_name, principal_name,
>  >>  >>                                realm_name, &kprincipal);
>  >>  >>          if (code)
>  >>  >>              return 1;
>  >>  >>          /* Get the TGT with the user's password (prompted on the tty). */
>  >>  >>          code = krb5_get_init_creds_password(kcontext, &my_creds, kprincipal,
>  >>  >>                                              NULL, krb5_prompter_posix, NULL,
>  >>  >>                                              0, NULL, &options);
>  >>  >>          if (code == 0)
>  >>  >>              break;
>  >>  >>          krb5_free_principal(kcontext, kprincipal);
>  >>  >>          kprincipal = NULL;
>  >>  >>          /* Unknown in this realm: try the next one (if any) before giving up. */
>  >>  >>          if (i + 1 < nrealms && (code == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN ||
>  >>  >>                                  code == KRB5_REALM_UNKNOWN))
>  >>  >>              continue;
>  >>  >>          break;
>  >>  >>      }
>  >>  >>      if (code) {
>  >>  >>          if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
>  >>  >>              fprintf(stderr, "%s: Password incorrect while getting initial "
>  >>  >>                      "credentials\n", program_name);
>  >>  >>          else
>  >>  >>              com_err(program_name, code, "while getting initial credentials");
>  >>  >>          krb5_free_cred_contents(kcontext, &my_creds);
>  >>  >>          krb5_free_context(kcontext);
>  >>  >>          return 1;
>  >>  >>      }
>  >>  >>
>  >>  >>      /* Store the TGT in the default credential cache. */
>  >>  >>      code = krb5_cc_initialize(kcontext, kccache, kprincipal);
>  >>  >>      if (code)
>  >>  >>          com_err(program_name, code, "when initializing cache");
>  >>  >>      else if ((code = krb5_cc_store_cred(kcontext, kccache, &my_creds)))
>  >>  >>          com_err(program_name, code, "while storing credentials");
>  >>  >>
>  >>  >>      krb5_free_cred_contents(kcontext, &my_creds);
>  >>  >>      krb5_free_principal(kcontext, kprincipal);
>  >>  >>      krb5_cc_close(kcontext, kccache);
>  >>  >>      krb5_free_context(kcontext);
>  >>  >>      return code ? 1 : 0;
>  >>  >>  }
>  >>  >>
>  >>  >>
>  >>  >>
>  >>  >>  "Terry" <td3201 at gmail.com> wrote in message
>  >>  >>  news:mailman.33.1205339252.3372.kerberos at mit.edu...
>  >>  >>
>  >>  >> >I am not sure if this matters but the end result is to use
>  >>  >>  > mod_auth_kerb to authenticate users.  You are saying I need to
>  >>  >>  > recompile it to use type 10 (enterprise name type)?  I might be
>  >>  >>  > able to figure that out.  :)
>  >>  >>  >
>  >>  >>  >
>  >>  >>  >
>  >>  >>
>  >>  >> > On Tue, Mar 11, 2008 at 7:32 PM, Markus Moeller <huaraz at moeller.plus.com>
>  >>  >>  > wrote:
>  >>  >>
>  >>  >>
>  >>  >> >> You need a modified kinit which sets the principal type to 10
>  >>  >>  >> (enterprise name type). Windows will then use the UPN instead of the
>  >>  >>  >> samaccountname to authenticate. (See attached sample mkinit.c)
>  >>  >>  >>
>  >>  >>  >>  Markus.
>  >>  >>  >>
>  >>  >>  >>  BTW If your client supports client canonicalisation you can
>  >>  >>  >> authenticate as jdoe at domain.com but get a ticket for samaccountname.
>  >>  >>  >>
>  >>  >>  >>  "Terry" <td3201 at gmail.com> wrote in message
>  >>  >>  >>  news:8ee061010803111146g3d5b36b2rd5e22be1d3961073 at mail.gmail.com...
>  >>  >>  >>
>  >>  >>  >>
>  >>  >>  >> > Hello,
>  >>  >>  >>  >
>  >>  >>  >>  > I am very new to this.  I have a FQDN in AD set to domain.foo.  The
>  >>  >>  >>  > UPN of a user is jdoe at domain.com.  (note the difference between
>  >>  >>  >>  > foo and com).
>  >>  >>  >>  >
>  >>  >>  >>  > How can I authenticate with jdoe at domain.com?  I am able to auth
>  >>  >>  >>  > correctly with the sAMAccountName.
>  >>  >>  >>  >
>  >>  >>  >>  > Thanks!
>  >>  >>  >>  > ________________________________________________
>  >>  >>  >>  > Kerberos mailing list           Kerberos at mit.edu
>  >>  >>  >>  > https://mailman.mit.edu/mailman/listinfo/kerberos
>  >>  >>  >>  >
>  >>  >>  >>
>  >>  >>  >>
>  >>  >>  >>
>  >>  >>
>  >>  >>
>  >>  >
>  >>
>  >>
>  >>
>  >
>
>
>
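The realm-splitting rule that the patches in this thread try to bolt onto mod_auth_kerb, written out as a stand-alone string routine. This is an added example, not code from the thread, from mod_auth_kerb or from Markus's mkinit.c. It assumes a space-separated realm list in the style of KrbAuthRealms, takes the text after the last `@` as the realm only when that realm is listed, otherwise treats a single-`@` login as a UPN that is escaped as `user\@suffix` for krb5_parse_name and flagged NT-ENTERPRISE (name type 10), rejects malformed logins instead of guessing, and leaves the KDC round trip to the caller. NT_PRINCIPAL/NT_ENTERPRISE, struct parsed_login, split_login, check_case and the sample logins are this example's own names and constructed inputs; the realm FOOBAR.HMS and suffix foobar.com are the ones Terry mentions.

```c
#include <stdio.h>
#include <string.h>

#define NT_PRINCIPAL  1                 /* Kerberos PrincipalName name-type values */
#define NT_ENTERPRISE 10

struct parsed_login {
    char        principal[256]; /* name component, '@' '/' '\' escaped for krb5_parse_name */
    const char *realm;          /* points into the login; NULL = library default realm */
    int         name_type;      /* NT_PRINCIPAL or NT_ENTERPRISE */
    int         realm_allowed;  /* 0 when the realm is not in the configured list */
};

/* True if realm is one of the space-separated realms in allowed (NULL = no restriction). */
static int realm_in_list(const char *allowed, const char *realm)
{
    size_t n = strlen(realm);
    const char *p;
    if (allowed == NULL) return 1;      /* no KrbAuthRealms: any realm passes */
    if (n == 0) return 0;
    for (p = allowed; (p = strstr(p, realm)) != NULL; p += n)
        if ((p == allowed || p[-1] == ' ') && (p[n] == '\0' || p[n] == ' '))
            return 1;
    return 0;
}

/* Copy n bytes of s into dst, backslash-escaping what krb5_parse_name treats specially. */
static int escape_component(const char *s, size_t n, char *dst, size_t cap)
{
    size_t i, o = 0;
    for (i = 0; i < n; i++) {
        int special = (s[i] == '@' || s[i] == '/' || s[i] == '\\');
        if (o + 1 + special >= cap)
            return -1;                          /* keep room for the NUL */
        if (special)
            dst[o++] = '\\';
        dst[o++] = s[i];
    }
    dst[o] = '\0';
    return 0;
}

/* Map a login onto a principal: the text after the last '@' is the realm only when it
 * is allowed; a lone '@' with an unlisted suffix makes the whole login a UPN (enterprise
 * name) in the default realm; a second '@' names an explicit realm that must be allowed. */
static int split_login(const char *login, const char *allowed, struct parsed_login *out)
{
    const char *first = strchr(login, '@'), *last = strrchr(login, '@');
    size_t comp_len = strlen(login);

    memset(out, 0, sizeof(*out));
    out->name_type = NT_PRINCIPAL;
    out->realm_allowed = 1;
    if (first == NULL)
        return escape_component(login, comp_len, out->principal, sizeof out->principal);
    if (first == login || last[1] == '\0' || (first != last && strchr(first + 1, '@') != last))
        return -1;                              /* "@x", "x@", or three or more '@' */
    if (first == last && !realm_in_list(allowed, first + 1)) {
        out->name_type = NT_ENTERPRISE;         /* user@upn-suffix in the default realm */
    } else {
        out->realm = last + 1;                  /* user@REALM or user@upn-suffix@REALM */
        out->realm_allowed = realm_in_list(allowed, out->realm);
        comp_len = (size_t)(last - login);
        if (first != last)
            out->name_type = NT_ENTERPRISE;
    }
    return escape_component(login, comp_len, out->principal, sizeof out->principal);
}

/* Render the string that would be handed to krb5_parse_name(). */
static int format_for_parse_name(const struct parsed_login *pl, char *buf, size_t cap)
{
    int n = pl->realm ? snprintf(buf, cap, "%s@%s", pl->principal, pl->realm)
                      : snprintf(buf, cap, "%s", pl->principal);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* 1 if login splits to exactly (exp_full, exp_type, exp_allowed); 0 if it differs or is rejected. */
static int check_case(const char *login, const char *allowed, const char *exp_full,
                      int exp_type, int exp_allowed)
{
    struct parsed_login pl;
    char full[300];
    if (split_login(login, allowed, &pl) != 0 || format_for_parse_name(&pl, full, sizeof full) != 0)
        return 0;
    return strcmp(full, exp_full) == 0 && pl.name_type == exp_type && pl.realm_allowed == exp_allowed;
}

int main(void)
{   /* constructed logins; "FOOBAR.HMS" stands in for the KrbAuthRealms setting */
    const char *logins[] = { "jdoe", "jdoe@FOOBAR.HMS", "jdoe@foobar.com",
                             "jdoe@foobar.com@FOOBAR.HMS", "jdoe@foobar.com@EVIL.COM", "a@b@c@d" };
    struct parsed_login pl; char full[300]; size_t i;

    for (i = 0; i < sizeof logins / sizeof logins[0]; i++)
        if (split_login(logins[i], "FOOBAR.HMS", &pl) || format_for_parse_name(&pl, full, sizeof full))
            printf("%-28s -> rejected\n", logins[i]);
        else
            printf("%-28s -> %-30s type=%-2d %s\n", logins[i], full, pl.name_type,
                   pl.realm_allowed ? "realm ok" : "realm NOT allowed");
    return 0;
}
```

No Kerberos library is needed to build this, because only the name handling is exercised; the resulting string and name type are what a caller would pass to krb5_parse_name and then set on the principal before krb5_get_init_creds_password. The caveat the NULL-list case shows is the reason the patch keys off KrbAuthRealms: with no realm list configured, `jdoe@foobar.com` is indistinguishable from `user@REALM`, so the UPN path can only be taken when a configured list rejects the suffix.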


