question about apache mod_auth_kerb

Guillaume Rousse Guillaume.Rousse at inria.fr
Wed May 27 09:50:18 EDT 2009


Hello list.

We use mod_auth_kerb 5.4 to protect nagios access. This application 
automatically refreshes the screen every 30s.

By looking at the logs, we just discovered that each refresh leads to multiple 
connections to the KDC, for forwarding tickets:
2009-05-27T15:34:18 TGS-REQ stefanes@SACLAY.INRIA.FR from IPv4:195.83.212.212 for krbtgt/SACLAY.INRIA.FR@SACLAY.INRIA.FR [forwarded]
2009-05-27T15:34:18 Request to forward non-forwardable ticket
2009-05-27T15:34:18 Failed building TGS-REP to IPv4:195.83.212.212
2009-05-27T15:34:18 sending 107 bytes to IPv4:195.83.212.212
2009-05-27T15:34:18 TGS-REQ stefanes@SACLAY.INRIA.FR from IPv4:195.83.212.212 for krbtgt/SACLAY.INRIA.FR@SACLAY.INRIA.FR [forwarded]
2009-05-27T15:34:18 Request to forward non-forwardable ticket
2009-05-27T15:34:18 Failed building TGS-REP to IPv4:195.83.212.212
2009-05-27T15:34:18 sending 107 bytes to IPv4:195.83.212.212

Using a forwardable TGT, this changes to:
2009-05-27T15:34:42 TGS-REQ rousse@SACLAY.INRIA.FR from IPv4:195.83.212.49 for krbtgt/SACLAY.INRIA.FR@SACLAY.INRIA.FR [proxiable, forwarded, forwardable]
2009-05-27T15:34:42 TGS-REQ authtime: 2009-05-27T15:17:09 starttime: 2009-05-27T15:34:42 endtime: 2009-05-27T21:57:20 renew till: unset
2009-05-27T15:34:42 sending 673 bytes to IPv4:195.83.212.49
2009-05-27T15:34:42 TGS-REQ rousse@SACLAY.INRIA.FR from IPv4:195.83.212.49 for krbtgt/SACLAY.INRIA.FR@SACLAY.INRIA.FR [proxiable, forwarded, forwardable]
2009-05-27T15:34:42 TGS-REQ authtime: 2009-05-27T15:17:09 starttime: 2009-05-27T15:34:42 endtime: 2009-05-27T21:57:20 renew till: unset
2009-05-27T15:34:42 sending 673 bytes to IPv4:195.83.212.49

The multiple attempts seem to result from the multiple resources 
fetched each time (HTML page, CSS stylesheets, icons...). However, why 
does the client (Firefox here) apparently attempt to forward its ticket, 
or to renew it, each time it attempts to reconnect?

Here is the apache configuration:
<Location />
     AuthType Kerberos
     AuthName "Kerberos authentication required"
     KrbAuthRealm SACLAY.INRIA.FR
     Krb5Keytab /etc/krb5.keytab
     KrbMethodK5Passwd on
     KrbMethodNegotiate on
     KrbLocalUserMapping on
     Require valid-user
</Location>
-- 
Guillaume Rousse
Service des Moyens Informatiques
INRIA Saclay - Île-de-France
Parc Orsay Université, 4 rue J. Monod
91893 Orsay Cedex France
Tel: 01 69 35 69 62
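An added example, not part of the original post and not code from mod_auth_kerb or Heimdal: a small Python script that groups KDC log lines like the ones quoted above by client address and reports, per address, how many TGS-REQs arrived within the same second, how many of them asked the KDC for a forwarded TGT, and how many the KDC refused because the client's TGT was not forwardable. This is the pattern the post describes (one forwarded-TGT request per fetched resource), and the per-second count makes the burst visible in a way that reading raw lines does not. The sample log is the excerpt from the post with the archive's " at " restored to "@", plus one constructed entry for a third client that asks for an ordinary service ticket; the regular expression is an assumption fitted to those lines, not a general Heimdal log parser.

```python
"""Summarise TGS-REQ traffic per client address from Heimdal KDC log lines.

Added example, not code from the original post, mod_auth_kerb or Heimdal.
The line layout is taken from the lines quoted in the post; the regular
expression below is an assumption fitted to exactly those lines.
"""
import re
from collections import defaultdict

# Excerpt from the post (archive had rewritten "@" as " at "; restored), plus
# one constructed request from a third client asking for a plain service
# ticket for an assumed HTTP/nagios.example.org principal. The "[renewable]"
# flag set on that constructed line is illustrative only.
SAMPLE_LOG = """
2009-05-27T15:34:18 TGS-REQ stefanes@SACLAY.INRIA.FR from IPv4:195.83.212.212 for krbtgt/SACLAY.INRIA.FR@SACLAY.INRIA.FR [forwarded]
2009-05-27T15:34:18 Request to forward non-forwardable ticket
2009-05-27T15:34:18 Failed building TGS-REP to IPv4:195.83.212.212
2009-05-27T15:34:18 sending 107 bytes to IPv4:195.83.212.212
2009-05-27T15:34:18 TGS-REQ stefanes@SACLAY.INRIA.FR from IPv4:195.83.212.212 for krbtgt/SACLAY.INRIA.FR@SACLAY.INRIA.FR [forwarded]
2009-05-27T15:34:18 Request to forward non-forwardable ticket
2009-05-27T15:34:18 Failed building TGS-REP to IPv4:195.83.212.212
2009-05-27T15:34:18 sending 107 bytes to IPv4:195.83.212.212
2009-05-27T15:34:42 TGS-REQ rousse@SACLAY.INRIA.FR from IPv4:195.83.212.49 for krbtgt/SACLAY.INRIA.FR@SACLAY.INRIA.FR [proxiable, forwarded, forwardable]
2009-05-27T15:34:42 TGS-REQ authtime: 2009-05-27T15:17:09 starttime: 2009-05-27T15:34:42 endtime: 2009-05-27T21:57:20 renew till: unset
2009-05-27T15:34:42 sending 673 bytes to IPv4:195.83.212.49
2009-05-27T15:34:42 TGS-REQ rousse@SACLAY.INRIA.FR from IPv4:195.83.212.49 for krbtgt/SACLAY.INRIA.FR@SACLAY.INRIA.FR [proxiable, forwarded, forwardable]
2009-05-27T15:34:42 TGS-REQ authtime: 2009-05-27T15:17:09 starttime: 2009-05-27T15:34:42 endtime: 2009-05-27T21:57:20 renew till: unset
2009-05-27T15:34:42 sending 673 bytes to IPv4:195.83.212.49
2009-05-27T15:35:01 TGS-REQ alice@SACLAY.INRIA.FR from IPv4:192.0.2.10 for HTTP/nagios.example.org@SACLAY.INRIA.FR [renewable]
2009-05-27T15:35:01 sending 640 bytes to IPv4:192.0.2.10
"""

# Matches only the request line itself; the "TGS-REQ authtime: ..." detail
# line has no "from" and is deliberately skipped.
TGS_REQ_RE = re.compile(
    r"^(?P<ts>\S+) TGS-REQ (?P<client>\S+) from (?P<addr>\S+) "
    r"for (?P<service>\S+) \[(?P<flags>[^\]]*)\]$"
)
NON_FORWARDABLE = "Request to forward non-forwardable ticket"


def parse_tgs_requests(log_text):
    """Return one dict per TGS-REQ, with the KDC's verdict attached.

    The KDC logs the request on one line and the outcome on the lines that
    follow it, so each outcome line is attributed to the most recent request.
    """
    requests = []
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = TGS_REQ_RE.match(line)
        if m:
            current = m.groupdict()
            current["flags"] = [f.strip() for f in current["flags"].split(",") if f.strip()]
            current["refused"] = False
            requests.append(current)
        elif current is not None and NON_FORWARDABLE in line:
            current["refused"] = True
    return requests


def summarize_by_client(requests):
    """Per client address: request count, forwarded-TGT count, refusals, peak per second."""
    summary = {}
    for req in requests:
        entry = summary.setdefault(req["addr"], {
            "principals": set(), "requests": 0, "forwarded": 0,
            "refused": 0, "per_second": defaultdict(int),
        })
        entry["principals"].add(req["client"])
        entry["requests"] += 1
        entry["per_second"][req["ts"]] += 1
        # A forwarded TGT request is a TGS-REQ for krbtgt/... carrying the
        # "forwarded" flag; that is what the post's client keeps sending.
        if "forwarded" in req["flags"] and req["service"].startswith("krbtgt/"):
            entry["forwarded"] += 1
        if req["refused"]:
            entry["refused"] += 1
    for entry in summary.values():
        entry["max_per_second"] = max(entry["per_second"].values())
        entry["principals"] = sorted(entry["principals"])
        del entry["per_second"]
    return summary


def bursty_forwarders(summary, threshold=2):
    """Addresses that sent at least `threshold` forwarded-TGT requests in one second."""
    return sorted(addr for addr, e in summary.items()
                  if e["forwarded"] and e["max_per_second"] >= threshold)


if __name__ == "__main__":
    summary = summarize_by_client(parse_tgs_requests(SAMPLE_LOG))
    for addr, e in sorted(summary.items()):
        print(f"{addr}: {e['requests']} TGS-REQ, {e['forwarded']} forwarded-TGT, "
              f"{e['refused']} refused, peak {e['max_per_second']}/s, "
              f"principals={','.join(e['principals'])}")
    print("bursting forwarders:", bursty_forwarders(summary))
```

Run against a real kdc.log, `bursty_forwarders` is the list an operator would want to look at: a browser re-delegating a TGT on every embedded resource shows up as several forwarded-TGT requests from one address in the same second, whether the KDC grants them (the forwardable case) or refuses them (the non-forwardable case). Both are worth noticing, since each granted one hands the web server a fresh copy of the user's TGT.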