Problem disabling replay cache

Jakub Czuchnowski jakub.czuchnowski at gmail.com
Thu Oct 17 06:42:41 EDT 2019


Hi,

I'm setting up a service (web application) that is using Kerberos to
authenticate users. I want to disable the replay cache for it but for some
reason I can't.

The web app is served from the Nginx server built with
'spnego-http-auth-nginx-module' (
https://github.com/stnoonan/spnego-http-auth-nginx-module ) for handling
Kerberos authentication. To be precise, I'm building a docker image with
these:

   - Debian 10.1
   - Nginx 1.17.4
   - libkrb5-dev 1.17-3

Because of libkrb5-dev, I assume I'm using MIT Kerberos. According to the
documentation it should suffice to set the environment
variable KRB5RCACHETYPE=none, but it doesn't work. printenv shows that it
is set, but the replay cache file is still created as /var/tmp/http_33.
The first request is fine, but the logs show that subsequent requests with
the same ticket are causing gss_accept_sec_context() to fail with "Request
is a replay".
Now, I'm not sure if the problem is in MIT Kerberos, the Nginx module, or
my lack of understanding, so I'm looking for any clues and clarifications.

Thanks,
Jakub Czuchnowski
Scalac

