question about apache mod_auth_kerb
Douglas E. Engert
deengert at anl.gov
Wed May 27 10:44:07 EDT 2009
Guillaume Rousse wrote:
> Hello list.
>
> We use mod_auth_kerb 5.4 to protect nagios access. This application
> automatically refreshes the screen every 30s.
>
> By looking at the logs, we just discovered each refresh leads to multiple
> connections to the KDC, for forwarding tickets:
> 2009-05-27T15:34:18 TGS-REQ stefanes at SACLAY.INRIA.FR from
> IPv4:195.83.212.212 for krbtgt/SACLAY.INRIA.FR at SACLAY.INRIA.FR [forwarded]
> 2009-05-27T15:34:18 Request to forward non-forwardable ticket
> 2009-05-27T15:34:18 Failed building TGS-REP to IPv4:195.83.212.212
> 2009-05-27T15:34:18 sending 107 bytes to IPv4:195.83.212.212
> 2009-05-27T15:34:18 TGS-REQ stefanes at SACLAY.INRIA.FR from
> IPv4:195.83.212.212 for krbtgt/SACLAY.INRIA.FR at SACLAY.INRIA.FR [forwarded]
> 2009-05-27T15:34:18 Request to forward non-forwardable ticket
> 2009-05-27T15:34:18 Failed building TGS-REP to IPv4:195.83.212.212
> 2009-05-27T15:34:18 sending 107 bytes to IPv4:195.83.212.212
>
> Using a forwardable TGT, this changes to:
> 2009-05-27T15:34:42 TGS-REQ rousse at SACLAY.INRIA.FR from
> IPv4:195.83.212.49 for krbtgt/SACLAY.INRIA.FR at SACLAY.INRIA.FR
> [proxiable, forwarded, forwardable]
> 2009-05-27T15:34:42 TGS-REQ authtime: 2009-05-27T15:17:09 starttime:
> 2009-05-27T15:34:42 endtime: 2009-05-27T21:57:20 renew till: unset
> 2009-05-27T15:34:42 sending 673 bytes to IPv4:195.83.212.49
> 2009-05-27T15:34:42 TGS-REQ rousse at SACLAY.INRIA.FR from
> IPv4:195.83.212.49 for krbtgt/SACLAY.INRIA.FR at SACLAY.INRIA.FR
> [proxiable, forwarded, forwardable]
> 2009-05-27T15:34:42 TGS-REQ authtime: 2009-05-27T15:17:09 starttime:
> 2009-05-27T15:34:42 endtime: 2009-05-27T21:57:20 renew till: unset
> 2009-05-27T15:34:42 sending 673 bytes to IPv4:195.83.212.49
>
> The multiple attempts seem to result from the multiple resources
> fetched each time (html page, CSS stylesheets, icons...). However, why
> does the client (firefox here) apparently attempt to forward its ticket,
> or to renew it each time it attempts to reconnect?
You may have told Firefox to do this. Enter about:config and look for the
network.negotiate-auth.delegation-uris user-set string https://inria.fr.
This would say to try and delegate to any website in inria.fr.
>
> Here is apache configuration:
> <Location />
> AuthType Kerberos
> AuthName "Kerberos autentication required"
> KrbAuthRealm SACLAY.INRIA.FR
> Krb5Keytab /etc/krb5.keytab
> KrbMethodK5Passwd on
> KrbMethodNegotiate on
> KrbLocalUserMapping on
> Require valid-user
> </Location>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
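A small log-analysis script, added here as an example and not part of the thread, that turns KDC lines like the ones quoted above into a per-client report: it counts forwarded krbtgt TGS-REQs and failed TGS-REPs, and flags clients that issue several forwarded requests within the same second, which is the per-sub-resource delegation pattern the question describes. The sample log is constructed from the quoted lines (with "@" restored and the archive's line wrapping undone); the Heimdal-style line format is assumed.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the KDC lines quoted in the thread
# (the archive rewrote "@" as " at " and wrapped long lines; here each
# record is one line and "@" is restored).
SAMPLE_LOG = """\
2009-05-27T15:34:18 TGS-REQ stefanes@SACLAY.INRIA.FR from IPv4:195.83.212.212 for krbtgt/SACLAY.INRIA.FR@SACLAY.INRIA.FR [forwarded]
2009-05-27T15:34:18 Request to forward non-forwardable ticket
2009-05-27T15:34:18 Failed building TGS-REP to IPv4:195.83.212.212
2009-05-27T15:34:18 sending 107 bytes to IPv4:195.83.212.212
2009-05-27T15:34:18 TGS-REQ stefanes@SACLAY.INRIA.FR from IPv4:195.83.212.212 for krbtgt/SACLAY.INRIA.FR@SACLAY.INRIA.FR [forwarded]
2009-05-27T15:34:18 Request to forward non-forwardable ticket
2009-05-27T15:34:18 Failed building TGS-REP to IPv4:195.83.212.212
2009-05-27T15:34:18 sending 107 bytes to IPv4:195.83.212.212
2009-05-27T15:34:42 TGS-REQ rousse@SACLAY.INRIA.FR from IPv4:195.83.212.49 for krbtgt/SACLAY.INRIA.FR@SACLAY.INRIA.FR [proxiable, forwarded, forwardable]
2009-05-27T15:34:42 sending 673 bytes to IPv4:195.83.212.49
2009-05-27T15:34:42 TGS-REQ rousse@SACLAY.INRIA.FR from IPv4:195.83.212.49 for krbtgt/SACLAY.INRIA.FR@SACLAY.INRIA.FR [proxiable, forwarded, forwardable]
2009-05-27T15:34:42 sending 673 bytes to IPv4:195.83.212.49
"""

# Assumed Heimdal-style record shapes; the flag list in brackets is optional.
TGS_REQ = re.compile(
    r"^(?P<ts>\S+) TGS-REQ (?P<client>\S+) from IPv4:(?P<ip>\S+) "
    r"for (?P<service>\S+)(?: \[(?P<flags>[^\]]*)\])?$"
)
TGS_FAIL = re.compile(r"^(?P<ts>\S+) Failed building TGS-REP to IPv4:(?P<ip>\S+)$")


def summarize(log_text, burst_threshold=2):
    """Per client IP: forwarded krbtgt requests, failed replies, and whether
    the client sent >= burst_threshold forwarded requests in one second."""
    stats = defaultdict(lambda: {"principal": None, "forwarded": 0,
                                 "failed": 0, "per_second": defaultdict(int)})
    for line in log_text.splitlines():
        m = TGS_REQ.match(line)
        if m:
            flags = {f.strip() for f in (m["flags"] or "").split(",") if f.strip()}
            if "forwarded" in flags and m["service"].startswith("krbtgt/"):
                s = stats[m["ip"]]
                s["principal"] = m["client"]
                s["forwarded"] += 1
                s["per_second"][m["ts"]] += 1   # same-second bursts = sub-resource fetches
            continue
        m = TGS_FAIL.match(line)
        if m:
            stats[m["ip"]]["failed"] += 1     # e.g. forwarding a non-forwardable TGT
    return {ip: {"principal": s["principal"], "forwarded": s["forwarded"],
                 "failed": s["failed"],
                 "burst": max(s["per_second"].values(), default=0) >= burst_threshold}
            for ip, s in stats.items()}
```

A client that shows up with `burst` set and a non-zero `failed` count is the case from the question: a browser configured to delegate to the site while holding a non-forwardable TGT, retrying on every sub-resource.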