using UPN to auth
Terry
td3201 at gmail.com
Thu Mar 13 22:32:36 EDT 2008
Disregard, compiles fine. I manually entered the patch and had to
modify the Makefile to include /usr/include/kerberosIV to find krb.h.
Works great. :) VERY good work and thank you.
On Thu, Mar 13, 2008 at 8:59 PM, Terry <td3201 at gmail.com> wrote:
> I am not sure if this is too much off topic to be on the list, please
> remove the list in your reply if it is but it might be helpful for
> others. The patch is failing for me. I just downloaded 5.3 source of
> mod_auth_kerb and tried applying the patch:
>
> [root at omajelut03 src]# patch -p0 <patch
> patching file mod_auth_kerb.c
> Hunk #1 FAILED at 679.
> Hunk #2 FAILED at 899.
> Hunk #3 FAILED at 954.
> 3 out of 3 hunks FAILED -- saving rejects to file mod_auth_kerb.c.rej
>
> I really appreciate your diligence.
>
>
>
> On Thu, Mar 13, 2008 at 3:55 PM, Markus Moeller <huaraz at moeller.plus.com> wrote:
> > Oops it wasn't my final patch version. It is for mod_auth_kerb 5.3. Also you
> > don't need to escape the @.
> >
> > Sorry
> > Markus
> >
> > --- mod_auth_kerb.c 2008-03-13 20:51:38.000000000 +0000
> > +++ mod_auth_kerb.c.new 2008-03-13 20:51:19.000000000 +0000
> >
> > @@ -679,6 +679,13 @@
> > if (ret == 0) {
> > log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
> > "Trying to get TGT for user %s", name);
> > + if (!strstr(name, "\\\\@")) {
> > +#ifdef HEIMDAL
> > + principal->name.name_type=10;
> > +#else
> > + principal->type=10;
> > +#endif
> > + }
> > free(name);
> > }
> >
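Review bot: the literal `"\\\\@"` in the new strstr() test denotes the three characters `\\@` (two backslashes, then '@'), while the third hunk builds the name with `apr_psprintf(r->pool, "%s\\@%s", sent_name, p)`, whose format yields a single backslash (`user\@domain`); the two hunks therefore disagree on what an escaped '@' looks like, and if `name` here is the krb5_unparse_name() form it also carries only one backslash before an in-component '@'. Because the condition is negated, the enterprise name type is set whenever that sequence is absent, which with this literal is every principal, plain `user@REALM` ones included; if the intent is to flag only the email-style names, drop the `!`, make the literal match the form the third hunk produces, and write `KRB5_NT_ENTERPRISE_PRINCIPAL` instead of the bare `10`.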
> > @@ -892,6 +899,7 @@
> > char *name = NULL;
> > int all_principals_unkown;
> > char *p = NULL;
> > + char *q = NULL;
> >
> > code = krb5_init_context(&kcontext);
> > if (code) {
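Review bot: `q` is only used inside the realm-fallback branch of the third hunk and holds pool memory from apr_psprintf(), which needs no explicit release; declaring it at the top of that block, or assigning the apr_psprintf() result straight to `sent_name` (the apr_pstrdup() of a string already in `r->pool` is a redundant copy), would keep its scope tight and make the NULL initialisation unnecessary.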
> > @@ -946,9 +954,21 @@
> >
> > *p++ = '\0';
> > if (conf->krb_auth_realms && !ap_find_token(r->pool,
> > conf->krb_auth_realms, p)) {
> > log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> > - "Specified realm `%s' not allowed by configuration", p);
> > - ret = HTTP_UNAUTHORIZED;
> > - goto end;
> > + "Specified realm `%s' is not defined by configuration
> > assume it is an email addess", p);
> > +
> > + q=apr_psprintf(r->pool, "%s\\@%s", sent_name, p);
> > + sent_name = apr_pstrdup (r->pool, q);
> >
> > + p = strchr(p, '@');
> > + if (p) {
> > + *p++ = '\0';
> > + if (conf->krb_auth_realms && !ap_find_token(r->pool,
> > conf->krb_auth_realms, p) ) {
> > + log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> > + "Specified realm `%s' not allowed by
> > configuration", p);
> > +
> > + ret = HTTP_UNAUTHORIZED;
> > + goto end;
> > + }
> > + }
> > }
> > }
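Review bot: the new log string is broken across two physical lines (`"Specified realm `%s' is not defined by configuration` / `assume it is an email addess", p);`), which is either mail wrapping or a raw newline inside a string literal that will not compile if applied verbatim; it also has the typo `addess`, and it is logged at APLOG_ERR although it now describes the normal path for every UPN login (APLOG_DEBUG fits). More important, the fallback changes what `KrbAuthRealms` enforces: a name whose suffix is not an allowed realm is no longer rejected but re-spelled as `user\@domain` and passed on to be resolved in the default realm, and the allow-list is consulted again only when a second '@' follows. Consider gating the fallback behind a configuration directive and checking the default realm against `conf->krb_auth_realms` in the no-second-'@' case so the allow-list keeps its meaning.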
> >
> >
> >
> > "Terry" <td3201 at gmail.com> wrote in message
> > news:8ee061010803130850i1571e314k35b30617ad92d2f9 at mail.gmail.com...
> >
> >
> > > Thanks a lot for the patch. What version did you apply this patch to?
> > > I was able to get it to compile but it dumps when I authenticate via
> > > apache:
> > >
> > > [Thu Mar 13 10:47:42 2008] [error] [client 192.168.100.103] Specified
> > > realm `foobar.com' is not defined by configuration assume it is an
> > > email addess
> > > *** glibc detected *** /usr/sbin/httpd: munmap_chunk(): invalid
> > > pointer: 0x000055555beafd90 ***
> > > ======= Backtrace: =========
> > >
> > > Here are some more details:
> > > realm == foobar.hms
> > > email == jdoe at foobar.com
> > >
> > >
> > > Thanks!
> > >
> > > On Wed, Mar 12, 2008 at 3:30 PM, Markus Moeller <huaraz at moeller.plus.com>
> > > wrote:
> > >> OK, here is a patch I did some time ago for mod_auth_kerb, but you need to
> > >> escape the @, e.g. user\@mailaddress.com
> > >>
> > >>
> > >> Markus
> > >>
> > >>
> > >> --- mod_auth_kerb.c 2007-12-22 14:03:26.000000000 +0000
> > >> +++ mod_auth_kerb.c.new 2008-03-12 20:19:42.000000000 +0000
> > >> @@ -679,6 +679,13 @@
> > >> if (ret == 0) {
> > >> log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
> > >> "Trying to get TGT for user %s", name);
> > >> + if (!strstr(name, "\\@")) {
> > >> +#ifdef HEIMDAL
> > >> + principal->name.name_type=10;
> > >> +#else
> > >> + principal->type=10;
> > >> +#endif
> > >> + }
> > >> free(name);
> > >> }
> > >>
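Review bot: `10` is a magic number here (and in the mkinit.c sample further down); both MIT and Heimdal define `KRB5_NT_ENTERPRISE_PRINCIPAL` for the RFC 4120 enterprise name type, and the named constant documents why the field is being set. The check also reads inverted for the name form the third hunk produces: `user\@domain` contains the `\@` that `"\\@"` denotes, so strstr() succeeds and the negation skips setting the type for exactly the email-style names the patch is written for, while setting it for plain `user@REALM` names. Confirm which form `name` has at this point before relying on the test.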
> > >> @@ -892,6 +899,7 @@
> > >> char *name = NULL;
> > >> int all_principals_unkown;
> > >> char *p = NULL;
> > >> + char *q = NULL;
> > >>
> > >>
> > >> code = krb5_init_context(&kcontext);
> > >> if (code) {
> > >> @@ -946,9 +954,22 @@
> > >> *p++ = '\0';
> > >> if (conf->krb_auth_realms && !ap_find_token(r->pool,
> > >> conf->krb_auth_realms, p)) {
> > >> log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> > >> - "Specified realm `%s' not allowed by configuration", p);
> > >> - ret = HTTP_UNAUTHORIZED;
> > >> - goto end;
> > >> + "Specified realm `%s' is not defined by
> > >> configuration
> > >> assume it is an email addess", p);
> > >> +
> > >> + q=apr_psprintf(r->pool, "%s\\@%s", sent_name, p);
> > >> + sent_name = apr_pstrdup (r->pool, q);
> > >> + free(q);
> > >> + p = strchr(p, '@');
> > >> + if (p) {
> > >> + *p++ = '\0';
> > >> + if (conf->krb_auth_realms && !ap_find_token(r->pool,
> > >> conf->krb_auth_realms, p)) {
> > >> + log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> > >> + "Specified realm `%s' not allowed by
> > >> configuration", p);
> > >> +
> > >> + ret = HTTP_UNAUTHORIZED;
> > >> + goto end;
> > >> + }
> > >> + }
> > >>
> > >> }
> > >> }
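Review bot: `free(q)` after `q = apr_psprintf(r->pool, ...)` releases memory owned by the APR pool, not by malloc(); the pool frees it itself when the request ends, and passing it to free() is undefined behaviour, which matches the `munmap_chunk(): invalid pointer` abort Terry reported. Remove the `free(q)` (the later patch version does) or allocate `q` with malloc()/asprintf() if it is meant to be freed explicitly. The string literal `"Specified realm `%s' is not defined by` / `configuration` / `assume it is an email addess", p)` is also split across three physical lines here and must be one literal, or adjacent literals, to compile.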
> > >>
> > >>
> > >>
> > >>
> > >> "Terry" <td3201 at gmail.com> wrote in message
> > >> news:8ee061010803121254ra78c99fw402b152bfc15951b at mail.gmail.com...
> > >>
> > >>
> > >> > Man, this is a mess. Not sure I want to dig this deep into the
> > >> > problem.
> > >> >
> > >> > On Wed, Mar 12, 2008 at 2:09 PM, Markus Moeller <huaraz at moeller.plus.com>
> > >> > wrote:
> > >> >> Yes you need to modify mod_auth_kerb. One thing you need to be aware of
> > >> >> is that the determination of the realm is more difficult as the email
> > >> >> address uses @ and the REALM starts with @.
> > >> >>
> > >> >> Markus
> > >> >>
> > >> >> Source inserted below:
> > >> >>
> > >> >> #include <stdio.h>
> > >> >> #include <stdlib.h>
> > >> >> #include <string.h>
> > >> >> #include <krb5.h>
> > >> >> #include <com_err.h>   /* com_err(); needed to compile stand-alone */
> > >> >>
> > >> >> /* Realm used when none is given on the command line */
> > >> >> #define REALM "WIN2003R2.HOME"
> > >> >>
> > >> >> /*
> > >> >>  * RFC 4120 enterprise name type ("user@domain" kept as one component).
> > >> >>  * MIT and Heimdal both export KRB5_NT_ENTERPRISE_PRINCIPAL; the literal
> > >> >>  * 10 is kept as a fallback for older headers.
> > >> >>  */
> > >> >> #ifndef KRB5_NT_ENTERPRISE_PRINCIPAL
> > >> >> #define KRB5_NT_ENTERPRISE_PRINCIPAL 10
> > >> >> #endif
> > >> >>
> > >> >> /*
> > >> >>  * Build "user\@domain@REALM" when principal_name is an email address,
> > >> >>  * or "user@REALM" otherwise. The single backslash escapes the '@' inside
> > >> >>  * the first component so that krb5_parse_name() does not read it as the
> > >> >>  * realm separator. Returns a malloc()ed string, or NULL on failure.
> > >> >>  */
> > >> >> static char *build_name(const char *principal_name, const char *realm_name)
> > >> >> {
> > >> >>     const char *at = strchr(principal_name, '@');
> > >> >>     /* room for the backslash, the realm '@' and the terminating NUL */
> > >> >>     char *name = malloc(strlen(principal_name) + strlen(realm_name) + 3);
> > >> >>
> > >> >>     if (name == NULL)
> > >> >>         return NULL;
> > >> >>     if (at != NULL) {
> > >> >>         size_t user_len = (size_t)(at - principal_name);
> > >> >>         memcpy(name, principal_name, user_len);
> > >> >>         name[user_len] = '\\';
> > >> >>         name[user_len + 1] = '\0';
> > >> >>         strcat(name, at);           /* "@domain" */
> > >> >>     } else {
> > >> >>         strcpy(name, principal_name);
> > >> >>     }
> > >> >>     strcat(name, "@");
> > >> >>     strcat(name, realm_name);
> > >> >>     return name;
> > >> >> }
> > >> >>
> > >> >> /*
> > >> >>  * Parse the name, mark it as an enterprise principal when it carried an
> > >> >>  * email-style '@', and request a TGT for it with the user's password.
> > >> >>  * Returns the krb5 error code (0 on success); exits on a parse failure.
> > >> >>  */
> > >> >> static krb5_error_code get_tgt(krb5_context kcontext, const char *program_name,
> > >> >>                                const char *principal_name, const char *realm_name,
> > >> >>                                krb5_principal *kprincipal, krb5_creds *my_creds)
> > >> >> {
> > >> >>     krb5_error_code code;
> > >> >>     krb5_get_init_creds_opt options;
> > >> >>     char *name = build_name(principal_name, realm_name);
> > >> >>
> > >> >>     if (name == NULL) {
> > >> >>         fprintf(stderr, "%s: out of memory\n", program_name);
> > >> >>         exit(1);
> > >> >>     }
> > >> >>     code = krb5_parse_name(kcontext, name, kprincipal);
> > >> >>     if (code) {
> > >> >>         com_err(program_name, code, "when parsing name %s", name);
> > >> >>         free(name);
> > >> >>         exit(1);
> > >> >>     }
> > >> >>     free(name);
> > >> >>
> > >> >>     if (strchr(principal_name, '@')) {
> > >> >>         /* email address as principal name: ask the KDC to resolve the UPN */
> > >> >> #ifdef HEIMDAL
> > >> >>         (*kprincipal)->name.name_type = KRB5_NT_ENTERPRISE_PRINCIPAL;
> > >> >> #else
> > >> >>         (*kprincipal)->type = KRB5_NT_ENTERPRISE_PRINCIPAL;
> > >> >> #endif
> > >> >>     }
> > >> >>
> > >> >>     krb5_get_init_creds_opt_init(&options);
> > >> >>     memset(my_creds, 0, sizeof(*my_creds));
> > >> >>     return krb5_get_init_creds_password(kcontext, my_creds, *kprincipal,
> > >> >>                                         0, krb5_prompter_posix, 0, 0, 0,
> > >> >>                                         &options);
> > >> >> }
> > >> >>
> > >> >> int main(int argc, char *argv[])
> > >> >> {
> > >> >>     const char *program_name = argv[0];
> > >> >>     const char *principal_name;
> > >> >>     krb5_context kcontext;
> > >> >>     krb5_principal kprincipal = NULL;
> > >> >>     krb5_ccache kccache;
> > >> >>     krb5_error_code code;
> > >> >>     krb5_creds my_creds;
> > >> >>     int i;
> > >> >>
> > >> >>     if (argc <= 1) {
> > >> >>         fprintf(stderr, "usage: %s principal [realm ...]\n", program_name);
> > >> >>         exit(1);
> > >> >>     }
> > >> >>     principal_name = argv[1];
> > >> >>
> > >> >>     code = krb5_init_context(&kcontext);
> > >> >>     if (code) {
> > >> >>         com_err(program_name, code, "while initializing Kerberos 5 library");
> > >> >>         exit(2);
> > >> >>     }
> > >> >>     if ((code = krb5_cc_default(kcontext, &kccache))) {
> > >> >>         com_err(program_name, code, "while getting default ccache");
> > >> >>         exit(3);
> > >> >>     }
> > >> >>
> > >> >>     if (argc <= 2) {
> > >> >>         /* No realm given on the command line: use the predefined realm */
> > >> >>         code = get_tgt(kcontext, program_name, principal_name, REALM,
> > >> >>                        &kprincipal, &my_creds);
> > >> >>     } else {
> > >> >>         /*
> > >> >>          * Realms given on the command line: try each until one knows the
> > >> >>          * principal. The bound is argc - 2 exclusive; the earlier "<="
> > >> >>          * read one past the end of argv when every realm failed.
> > >> >>          */
> > >> >>         for (i = 0; i < argc - 2; i++) {
> > >> >>             code = get_tgt(kcontext, program_name, principal_name, argv[2 + i],
> > >> >>                            &kprincipal, &my_creds);
> > >> >>             if (code != KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN &&
> > >> >>                 code != KRB5_REALM_UNKNOWN)
> > >> >>                 break;      /* success, or an error other than "try next realm" */
> > >> >>             krb5_free_principal(kcontext, kprincipal);
> > >> >>             kprincipal = NULL;
> > >> >>         }
> > >> >>     }
> > >> >>
> > >> >>     if (code) {
> > >> >>         if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
> > >> >>             fprintf(stderr, "%s: Password incorrect while getting initial "
> > >> >>                     "credentials\n", program_name);
> > >> >>         else
> > >> >>             com_err(program_name, code, "while getting initial credentials");
> > >> >>         krb5_free_cred_contents(kcontext, &my_creds);
> > >> >>         exit(4);
> > >> >>     }
> > >> >>
> > >> >>     /* Store the TGT in the default credential cache */
> > >> >>     code = krb5_cc_initialize(kcontext, kccache, kprincipal);
> > >> >>     if (code) {
> > >> >>         com_err(program_name, code, "when initializing cache");
> > >> >>         krb5_free_cred_contents(kcontext, &my_creds);
> > >> >>         exit(4);
> > >> >>     }
> > >> >>     code = krb5_cc_store_cred(kcontext, kccache, &my_creds);
> > >> >>     if (code) {
> > >> >>         com_err(program_name, code, "while storing credentials");
> > >> >>         krb5_free_cred_contents(kcontext, &my_creds);
> > >> >>         exit(4);
> > >> >>     }
> > >> >>
> > >> >>     /* Successful */
> > >> >>     krb5_free_cred_contents(kcontext, &my_creds);
> > >> >>     krb5_free_principal(kcontext, kprincipal);
> > >> >>     krb5_cc_close(kcontext, kccache);
> > >> >>     krb5_free_context(kcontext);
> > >> >>     return 0;
> > >> >> }
> > >> >>
> > >> >>
> > >> >>
> > >> >> "Terry" <td3201 at gmail.com> wrote in message
> > >> >> news:mailman.33.1205339252.3372.kerberos at mit.edu...
> > >> >>
> > >> >> > I am not sure if this matters but the end result is to use
> > >> >> > mod_auth_kerb to authenticate users. You are saying I need to
> > >> >> > recompile it to use type 10 (enterprise name type)? I might be able
> > >> >> > to figure that out. :)
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >>
> > >> >> > On Tue, Mar 11, 2008 at 7:32 PM, Markus Moeller
> > >> >> > <huaraz at moeller.plus.com>
> > >> >> > wrote:
> > >> >>
> > >> >>
> > >> >> >> You need a modified kinit which sets the principal type to 10
> > >> >> >> (enterprise name type). Windows will then use the UPN instead of the
> > >> >> >> samaccountname to authenticate. (See attached sample mkinit.c)
> > >> >> >>
> > >> >> >> Markus.
> > >> >> >>
> > >> >> >> BTW If your client supports client canonicalisation you can
> > >> >> >> authenticate as jdoe at domain.com but get a ticket for samaccountname.
> > >> >> >>
> > >> >> >> "Terry" <td3201 at gmail.com> wrote in message
> > >> >> >> news:8ee061010803111146g3d5b36b2rd5e22be1d3961073 at mail.gmail.com...
> > >> >> >>
> > >> >> >>
> > >> >> >> > Hello,
> > >> >> >> >
> > >> >> >> > I am very new to this. I have a FQDN in AD set to domain.foo. The
> > >> >> >> > UPN of a user is jdoe at domain.com. (note the difference between foo
> > >> >> >> > and com).
> > >> >> >> >
> > >> >> >> > How can I authenticate with jdoe at domain.com? I am able to auth
> > >> >> >> > correctly with the sAMAccountName.
> > >> >> >> >
> > >> >> >> > Thanks!
> > >> >> >> > ________________________________________________
> > >> >> >> > Kerberos mailing list Kerberos at mit.edu
> > >> >> >> > https://mailman.mit.edu/mailman/listinfo/kerberos
> > >> >> >> >
> > >> >> >>
> > >> >> >>
> > >> >> >>
> > >> >>
> > >> >>
> > >> >
> > >>
> > >>
> > >>
> > >
> >
> >
> >
>
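The realm-determination problem Markus describes (an email-style UPN contains an '@', and the Kerberos realm is introduced by another '@') is the part of the patch that has to be right on the server side. The following is an added example, not code from the thread and not mod_auth_kerb's own: it classifies the name a client sent against a configured realm allow-list the way the patch does (a suffix that is not an allowed realm is taken as the domain half of an enterprise name, and a second '@', if present, carries the realm), goes one step further by filling in a default realm and checking that against the allow-list too, and renders the result in the escaped form krb5_parse_name() expects. The function names, the allow-list contents and the sample names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Classification of the name the client sent (names are assumptions for this example) */
enum upn_kind {
    UPN_PLAIN,          /* "user" or "user@REALM": ordinary principal */
    UPN_ENTERPRISE,     /* "user@domain" (+ optional "@REALM"): enterprise principal */
    UPN_REALM_DENIED    /* the realm it resolves to is not in the allow-list */
};

/* 1 when realm is in the configured allow-list; a NULL list allows any realm,
 * as mod_auth_kerb does when KrbAuthRealms is unset (then the fallback never fires). */
static int realm_allowed(const char *realm, const char *const *auth_realms, size_t n)
{
    size_t i;
    if (auth_realms == NULL)
        return 1;
    for (i = 0; i < n; i++)
        if (strcmp(realm, auth_realms[i]) == 0)
            return 1;
    return 0;
}

/* Split sent_name into user and realm. The text after the first '@' is a realm
 * if it is allowed; otherwise it is the domain part of an enterprise name and a
 * second '@' carries the realm. A missing realm becomes default_realm, which is
 * checked against the allow-list as well. Buffers are always NUL-terminated. */
enum upn_kind split_upn(const char *sent_name, const char *const *auth_realms, size_t n,
                        const char *default_realm, char *user, size_t user_sz,
                        char *realm, size_t realm_sz)
{
    const char *at1 = strchr(sent_name, '@');
    const char *at2;

    if (at1 == NULL) {
        snprintf(user, user_sz, "%s", sent_name);
        snprintf(realm, realm_sz, "%s", default_realm);
        return realm_allowed(realm, auth_realms, n) ? UPN_PLAIN : UPN_REALM_DENIED;
    }
    if (realm_allowed(at1 + 1, auth_realms, n)) {
        snprintf(user, user_sz, "%.*s", (int)(at1 - sent_name), sent_name);
        snprintf(realm, realm_sz, "%s", at1 + 1);
        return UPN_PLAIN;
    }
    /* Unknown suffix: keep "user@domain" together as one enterprise-name component */
    at2 = strchr(at1 + 1, '@');
    if (at2 == NULL) {
        snprintf(user, user_sz, "%s", sent_name);
        snprintf(realm, realm_sz, "%s", default_realm);
    } else {
        snprintf(user, user_sz, "%.*s", (int)(at2 - sent_name), sent_name);
        snprintf(realm, realm_sz, "%s", at2 + 1);
    }
    return realm_allowed(realm, auth_realms, n) ? UPN_ENTERPRISE : UPN_REALM_DENIED;
}

/* Render user@realm in krb5_parse_name() syntax: '@' and '\' inside the user
 * component get a backslash so the final '@' is the only realm separator.
 * Returns the length written, or -1 if out is too small. */
int format_principal(const char *user, const char *realm, char *out, size_t out_sz)
{
    size_t o = 0;
    const char *p;

    for (p = user; *p; p++) {
        if (*p == '@' || *p == '\\') {
            if (o + 1 >= out_sz) return -1;
            out[o++] = '\\';
        }
        if (o + 1 >= out_sz) return -1;
        out[o++] = *p;
    }
    if (o + 1 >= out_sz) return -1;
    out[o++] = '@';
    for (p = realm; *p; p++) {
        if (o + 1 >= out_sz) return -1;
        out[o++] = *p;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* constructed sample: one allowed realm, the UPN suffix differs from it */
    static const char *const realms[] = { "FOOBAR.HMS" };
    const char *samples[] = { "jdoe", "jdoe@FOOBAR.HMS", "jdoe@foobar.com",
                              "jdoe@foobar.com@FOOBAR.HMS", "jdoe@foobar.com@OTHER.EXAMPLE" };
    char user[64], realm[64], name[128];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum upn_kind k = split_upn(samples[i], realms, 1, "FOOBAR.HMS",
                                    user, sizeof user, realm, sizeof realm);
        if (k == UPN_REALM_DENIED)
            printf("%-32s -> denied (realm %s not allowed)\n", samples[i], realm);
        else if (format_principal(user, realm, name, sizeof name) >= 0)
            printf("%-32s -> %s (%s)\n", samples[i], name,
                   k == UPN_ENTERPRISE ? "enterprise" : "plain");
    }
    return 0;
}
```

The realm check runs in both branches, so a name that ends in an unlisted realm is refused whether it arrived as `user@REALM` or as `user@domain@REALM`, which is the point the patch's fallback left open.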