Mikkel Kruse Johnsen wrote:
> Hi Markus
>
> Yes that is what I want. I need the KRB5CCNAME (the credential) so I can
> login to my OpenLDAP SASL based server and PostgreSQL with kerberos.

So what you need is the Kerberos credentials.

I have an older version of mod_auth_kerb. I assume your version has the
routine store_gss_creds(), which should be doing this for you, creating
the name in create_krb5_ccache() and calling

    apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);

Is KrbSaveCredentials being set in the conf file? This controls the
saving of credentials:

    if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
        store_gss_creds(...)

Are the above routines being called?
Is the client actually delegating a credential?
Is the KRB5CCNAME being set in the environment of the subprocess?

> /Mikkel
>
> On Mon, 2007-07-23 at 19:33 +0100, Markus Moeller wrote:
>>
>> Storing credentials in a krb5 cache pointing to KRB5CCNAME has nothing
>> to do with delegation. You only need delegation if you want that
>> Apache logs into a backend application with the user's ID. Is that what
>> you want ? If so you need to be very careful as it gives your apache
>> server a lot of power if you don't use constraint delegation. You
>> need to protect it like a domain controller !!!
>>
>> Markus
>>
>>
>> "Mikkel Kruse Johnsen" <[EMAIL PROTECTED]>
>> wrote in message news:[EMAIL PROTECTED]
>>
>> Hi All
>>
>> That did the trick, recompiling krb5-1.5 (on RHEL5 64bit) with
>> that patch.
>>
>> Now I only have the problem that mod_auth_kerb doesn't write my
>> credentials to KRB5CCNAME (in PHP).
>>
>> My "kerbtray" under windows says it is Forwardable but no "Ok to
>> delegate", So I guess that is the problem.
>>
>> Under linux they are forwardable.
>>
>> ------
>> [EMAIL PROTECTED] ~]$ klist -f
>> Ticket cache: FILE:/tmp/krb5cc_500
>> Default principal: [EMAIL PROTECTED]
>>
>> Valid starting     Expires            Service principal
>> 07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/[EMAIL PROTECTED]
>>         renew until 07/19/07 09:16:49, Flags: FRIA
>> 07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/[EMAIL PROTECTED]
>>         renew until 07/19/07 09:16:49, Flags: FRAO
>> 07/18/07 09:17:04  07/18/07 19:16:55  HTTP/[EMAIL PROTECTED]
>>         renew until 07/18/07 09:17:04, Flags: FRAT
>> 07/18/07 09:35:35  07/18/07 19:16:55  host/[EMAIL PROTECTED]
>>         renew until 07/18/07 09:35:35, Flags: FRAT
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt500
>> klist: You have no tickets cached
>> --------
>>
>>
>> I found how to set ok-as-delegate for heimdal how is this done for
>> MIT kerberos ?
>>
>> And how is it done under MS AD ?
>>
>> /Mikkel
>>
>>
>> On Tue, 2007-07-17 at 21:25 +0200, Achim Grolms wrote:
>>> On Tuesday 17 July 2007 09:41, Mikkel Kruse Johnsen wrote:
>>>
>>> > gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
>>> > may provide more information (Cannot allocate memory)
>>>
>>> What OS and what Kerberoslibs do you use?
>>> Background of this question:
>>>
>>> I've seen this error message "Cannot allocate memory"
>>> (and its solution) in
>>>
>>> <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>
>>>
>>> Achim
>>
>> Mikkel Kruse Johnsen
>> Linet
>> Ørholmgade 6 st tv
>> 2200 København N
>>
>> Tlf: +45 2128 7793
>> email: [EMAIL PROTECTED]
>> www: http://www.linet.dk
>>
>> _______________________________________________
>> modauthkerb-help mailing list
>> [EMAIL PROTECTED]
>> https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
>
> *Mikkel Kruse Johnsen*
> Adm.Dir.
>
> *Linet <http://www.linet.dk>*
> Ørholmgade 6 st tv
> <http://maps.google.com/maps?q=%D8rholmgade+6+st+tv%2CCopenhagen+N+2200%2CDenmark&hl=en>
> Copenhagen N 2200 Denmark
> *Work:* +45 21287793
> *Mobile:* +45 21287793
> *Email:* [EMAIL PROTECTED]
> *IM:* [EMAIL PROTECTED] (MSN)
> *Professional Profile <http://www.linkedin.com/pub/3/333/803>*
> *Healthcare <http://www.xmedicus.dk>*
>
> Network Consultant

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
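
Added example (not part of the original thread and not mod_auth_kerb code): a small parser for `klist -f` output that decodes the flag letters and reports whether the TGT is forwardable and whether the HTTP/ service ticket carries ok-as-delegate, the two properties discussed above. The sample input is constructed; its principals (user@EXAMPLE.COM, HTTP/web.example.com) are placeholders, and the function names are hypothetical.

```python
import re

# Flag letters as printed by MIT `klist -f`.
FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hardware-authenticated", "A": "preauthenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}

# Constructed sample in the layout of the klist output quoted in the thread;
# the principals are placeholders, not values from the thread.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 07/19/07 09:16:49, Flags: FRIA
07/18/07 09:17:04  07/18/07 19:16:55  HTTP/web.example.com@EXAMPLE.COM
        renew until 07/18/07 09:17:04, Flags: FRAT
"""

STAMP = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(r"^%s\s+%s\s+(\S+)$" % (STAMP, STAMP))
FLAGS_RE = re.compile(r"Flags:\s*([A-Za-z]+)")

def parse_klist(text):
    """Return [{'service': str, 'flags': set of flag names}] per ticket."""
    tickets = []
    for raw in text.splitlines():
        line = raw.strip()
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"service": m.group(1), "flags": set()})
            continue
        f = FLAGS_RE.search(line)
        if f and tickets:  # a flags line belongs to the ticket above it
            tickets[-1]["flags"] = {FLAG_NAMES.get(c, "unknown:" + c)
                                    for c in f.group(1)}
    return tickets

def delegation_report(text, service_prefix="HTTP/"):
    """Summarise the flags that matter when credentials are not delegated."""
    tickets = parse_klist(text)
    tgts = [t for t in tickets if t["service"].startswith("krbtgt/")]
    svc = [t for t in tickets if t["service"].startswith(service_prefix)]
    return {
        "forwardable_tgt": any("forwardable" in t["flags"] for t in tgts),
        "service_ticket": svc[0]["service"] if svc else None,
        "ok_as_delegate": any("ok-as-delegate" in t["flags"] for t in svc),
    }

if __name__ == "__main__":
    print(delegation_report(SAMPLE))
```

To check a live cache, pass the captured output of `klist -f` to delegation_report() in place of SAMPLE.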