[modauthkerb]: KRB5CCNAME only set for subprocesses

Michael B Allen ioplex at gmail.com
Wed Sep 17 22:20:39 EDT 2008


On Wed, Sep 17, 2008 at 8:25 AM, Andreas Roth <aroth at arsoft-online.com> wrote:
> Hello,
>
> I'm using mod_auth_kerb version 5.3 (from Ubuntu Intrepid) and apache2 on an
> Ubuntu Hardy machine. I set up the Kerberos authentication using mod_auth_kerb
> and it works well, but I have one problem: when I use a CGI script (e.g. a shell
> script) the environment variable KRB5CCNAME is set, but when I use a PHP
> script (just calling phpinfo()) the environment variable is not set.
> Is this the correct behaviour? I would like to use the Kerberos cache within
> my PHP scripts; how can I do this?

Andreas,

I don't have a definitive answer for you but here are a few thoughts:

Try adding KRB5CCNAME to the safe_mode_allowed_env_vars INI property.
However, instinct tells me this is probably not the problem.

Note that the $_ENV global and the getenv() function can return different
results - try running a simple script that uses getenv() instead to see
if KRB5CCNAME is set. I have a feeling this is going to be the issue,
which is to say there is no issue, since any Kerberos-aware client will
use getenv().

Also, I think you have to set a mod_auth_kerb option to indicate that
you want KRB5CCNAME set (although apparently you have already done
this if it works under a CGI script).

Finally, if your KDC is AD you might want to check out our Plexcel
product (see signature). Plexcel for PHP does SPNEGO or explicit
Kerberos logons, delegation, script-level group based access control,
setting / changing passwords, account management w/ name
canonicalization, "Sites and Services" support, DNS caching,
redundancy / fail-over, support for multiple SPNs in your keytab for
virtual hosting, plugins for popular PHP applications and more. Many
of these details are impossible or very difficult to implement with
the standard OSS stack. Anyway, if you try Plexcel or have any
questions about it, please contact IOPLEX Software support directly
and I'll help you in whatever way I can.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
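
Added example, not part of the original thread and not code from mod_auth_kerb or Plexcel: a PHP diagnostic for the $_ENV versus getenv() question above. It reports where KRB5CCNAME is visible to the script and checks that a FILE: credential cache is owned by the web server user and closed to group and other. The function names krb5ccname_sources() and check_ccache() are hypothetical.

```php
<?php
// Added example: where is KRB5CCNAME visible, and is the cache file locked down?
// Temporary diagnostic only; remove it from the server after debugging.

/** Collect KRB5CCNAME from every place a PHP script might look. */
function krb5ccname_sources(): array
{
    return [
        '$_ENV'           => $_ENV['KRB5CCNAME'] ?? null,   // needs "E" in variables_order
        '$_SERVER'        => $_SERVER['KRB5CCNAME'] ?? null,
        'getenv()'        => getenv('KRB5CCNAME') ?: null,
        // apache_getenv() only exists when PHP runs as an Apache module.
        'apache_getenv()' => function_exists('apache_getenv')
            ? (apache_getenv('KRB5CCNAME') ?: null) : null,
    ];
}

/** Return a list of problems with a FILE: credential cache (empty list = OK). */
function check_ccache(string $ccname): array
{
    if (strpos($ccname, ':') !== false && strncmp($ccname, 'FILE:', 5) !== 0) {
        return ['cache type is not FILE:, cannot inspect it on disk'];
    }
    $path = preg_replace('/^FILE:/', '', $ccname);
    if (is_link($path)) {
        return ['cache path is a symlink'];
    }
    if (!is_file($path)) {
        return ['cache file does not exist (no delegated ticket saved?)'];
    }
    $problems = [];
    if ((fileperms($path) & 0077) !== 0) {
        $problems[] = 'cache is accessible by group or other (expected mode 0600)';
    }
    if (function_exists('posix_geteuid') && fileowner($path) !== posix_geteuid()) {
        $problems[] = 'cache is not owned by the user PHP runs as';
    }
    return $problems;
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
$ccname = null;
foreach (krb5ccname_sources() as $where => $value) {
    printf("%-16s %s\n", $where, $value ?? '(not set)');
    $ccname = $ccname ?? $value;          // remember the first source that had it
}
foreach ($ccname === null ? [] : check_ccache($ccname) as $problem) {
    echo "WARNING: $problem\n";
}
```

Request the script through a location protected by mod_auth_kerb; from the command line every source prints "(not set)" unless KRB5CCNAME is exported in the shell.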



More information about the Kerberos mailing list