Looks like it should have worked. A wireshark trace of the packets would show a lot, as long as the session is not encrypted.
It could be a size issue. AD can produce very large tickets if you are in many groups. It could be an enc-type issue, which the server does not understand. It could be the client is not delegating. Wireshark could answer these.

Mikkel Kruse Johnsen wrote:
>
> On Mon, 2007-07-23 at 16:27 -0500, Douglas E. Engert wrote:
>>
>> Mikkel Kruse Johnsen wrote:
>> > Hi Markus
>> >
>> > Yes that is what I want. I need the KRB5CCNAME (the credential) so I can login to my OpenLDAP SASL based server and PostgreSQL with Kerberos.
>>
>> So what you need is the Kerberos credentials. I have an older version of mod_auth_kerb. I assume your version has the routine store_gss_creds(), which should be doing this for you and creating the name in create_krb5_ccache(), and calling
>> apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
>
> Yes it does contain that function, I'm using mod_auth_kerb 5.3
>
>> Is KrbSaveCredentials being set in the conf file?
>
> Yes it is set. And I have set the:
>
> network.negotiate-auth.delegation-uris = cbs.dk,hhk.dk
> network.negotiate-auth.trusted-uris = cbs.dk,hhk.dk
>
> (Have tried all kinds of combinations. This must be the right one.)
>
>> This controls the saving of credentials:
>> if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
>>     store_gss_creds(...)
>>
>> Are the above routines being called?
>
> It seems that "delegated_cred = GSS_C_NO_CREDENTIAL" because the store_gss_creds is never called.
> Compiled the mod_auth_kerb with the attached and it is now called but I get in the log:
>
> [Wed Jul 25 11:53:27 2007] [debug] src/mod_auth_kerb.c(1358): [client 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG available, referer: http://od.cbs.dk/phpinfo.php
> [Wed Jul 25 11:53:27 2007] [error] [client 130.226.36.170] Cannot store delegated credential (gss_krb5_copy_ccache: Invalid credential was supplied (No error)), referer: http://od.cbs.dk/phpinfo.php
>
>> Is the client actually delegating a credential?
>
> So it seems that the credential is never delegated.
>
>> Is the KRB5CCNAME being set in the environment of the subprocess?
>
> Don't know how to check this. The KRB5CCNAME is in the env. with the attached patch but the credentials are never saved to that file.
>
> /Mikkel
>
>> > /Mikkel
>> >
>> > On Mon, 2007-07-23 at 19:33 +0100, Markus Moeller wrote:
>> >> Storing credentials in a krb5 cache pointing to KRB5CCNAME has nothing to do with delegation. You only need delegation if you want Apache to log into a backend application with the user's ID. Is that what you want? If so, you need to be very careful as it gives your Apache server a lot of power if you don't use constrained delegation. You need to protect it like a domain controller!!!
>> >>
>> >> Markus
>> >>
>> >> "Mikkel Kruse Johnsen" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
>> >>
>> >> Hi All
>> >>
>> >> That did the trick, recompiling krb5-1.5 (on RHEL5 64bit) with that patch.
>> >>
>> >> Now I only have the problem that mod_auth_kerb doesn't write my credentials to KRB5CCNAME (in PHP).
>> >>
>> >> My "kerbtray" under Windows says it is Forwardable but no "Ok to delegate", so I guess that is the problem.
>> >>
>> >> Under Linux they are forwardable.
>> >> ------
>> >> [EMAIL PROTECTED] ~]$ klist -f
>> >> Ticket cache: FILE:/tmp/krb5cc_500
>> >> Default principal: [EMAIL PROTECTED]
>> >>
>> >> Valid starting     Expires            Service principal
>> >> 07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/[EMAIL PROTECTED]
>> >>         renew until 07/19/07 09:16:49, Flags: FRIA
>> >> 07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/[EMAIL PROTECTED]
>> >>         renew until 07/19/07 09:16:49, Flags: FRAO
>> >> 07/18/07 09:17:04  07/18/07 19:16:55  HTTP/[EMAIL PROTECTED]
>> >>         renew until 07/18/07 09:17:04, Flags: FRAT
>> >> 07/18/07 09:35:35  07/18/07 19:16:55  host/[EMAIL PROTECTED]
>> >>         renew until 07/18/07 09:35:35, Flags: FRAT
>> >>
>> >> Kerberos 4 ticket cache: /tmp/tkt500
>> >> klist: You have no tickets cached
>> >> --------
>> >>
>> >> I found how to set ok-as-delegate for Heimdal; how is this done for MIT Kerberos?
>> >>
>> >> And how is it done under MS AD?
>> >>
>> >> /Mikkel
>> >>
>> >> On Tue, 2007-07-17 at 21:25 +0200, Achim Grolms wrote:
>> >>> On Tuesday 17 July 2007 09:41, Mikkel Kruse Johnsen wrote:
>> >>>
>> >>> > gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (Cannot allocate memory)
>> >>>
>> >>> What OS and what Kerberos libs do you use?
>> >>> Background of this question:
>> >>>
>> >>> I've seen this error message "Cannot allocate memory" (and its solution) in
>> >>> <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>
>> >>>
>> >>> Achim
>> >>
>> >> Mikkel Kruse Johnsen
>> >> Linet
>> >> Ørholmgade 6 st tv
>> >> 2200 København N
>> >>
>> >> Tlf: +45 2128 7793
>> >> email: [EMAIL PROTECTED]
>> >> www: http://www.linet.dk
>> >>
>> >> _______________________________________________
>> >> modauthkerb-help mailing list
>> >> [EMAIL PROTECTED]
>> >> https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
> diff -r -u mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c > mod_auth_kerb-5.3/src/mod_auth_kerb.c > --- mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c 2007-07-25 > 11:38:20.000000000 +0200 > +++ mod_auth_kerb-5.3/src/mod_auth_kerb.c 2007-07-25 11:42:40.000000000 > +0200 > @@ -1215,6 +1215,8 @@ > spnego_oid.length = 6; > spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02"; > > + OM_uint32 acc_ret_flags; > + > if (conf->krb_5_keytab) { > char *ktname; > /* we don't use the ap_* calls here, since the string passed to putenv() > @@ -1277,7 +1279,7 @@ > &client_name, > NULL, > &output_token, > - NULL, > + &acc_ret_flags, > NULL, > &delegated_cred); > log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 
> @@ -1351,8 +1353,18 @@ > } > #endif > > - if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL) > - store_gss_creds(r, conf, (char *)output_token.value, delegated_cred); > + if (conf->krb_save_credentials) { > + if ( acc_ret_flags & GSS_C_DELEG_FLAG ) { > + log_rerror( APLOG_MARK, APLOG_DEBUG, 0, r, > + "krb_save_credentials activated, GSS_C_DELEG_FLAG available", > "" ); > + > + store_gss_creds(r, conf, (char *)output_token.value, delegated_cred); > + } > + else { > + log_rerror( APLOG_MARK, APLOG_ERR, 0, r, > + "krb_save_credentials activated, no GSS_C_DELEG_FLAG", "" ); > + } > + } > > gss_release_buffer(&minor_status, &output_token); > -- Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
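Review bot: `acc_ret_flags` in the first hunk (@@ -1215) is declared mid-block and never initialised, so if `gss_accept_sec_context()` fails before it fills in `ret_flags`, the later `acc_ret_flags & GSS_C_DELEG_FLAG` test reads an indeterminate value. Move the declaration up with the function's other locals (the surrounding code is C89 style, where a declaration after statements is not allowed) and initialise it: `OM_uint32 acc_ret_flags = 0;`.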
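Review bot: the third hunk (@@ -1351) drops the `delegated_cred != GSS_C_NO_CREDENTIAL` guard in favour of testing `GSS_C_DELEG_FLAG` alone, so `store_gss_creds()` is now reached with `delegated_cred == GSS_C_NO_CREDENTIAL`, which is exactly the "Cannot store delegated credential (gss_krb5_copy_ccache: Invalid credential was supplied)" error quoted earlier in the thread. Keep both conditions: `if ((acc_ret_flags & GSS_C_DELEG_FLAG) && delegated_cred != GSS_C_NO_CREDENTIAL)`. The else branch also logs at APLOG_ERR on every authenticated request whose client simply did not delegate, which is normal operation with KrbSaveCredentials on; APLOG_DEBUG, matching the success message, is the right level, and the trailing `""` argument to `log_rerror()` is not consumed by either format string and can go.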
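The klist -f output quoted above is the place to look when asking whether the client will delegate at all: the HTTP/ service ticket carries FRAT (forwardable, but no O for ok-as-delegate). As an added example, not code from the thread or from mod_auth_kerb, the script below parses klist -f output and reports, per service ticket, which of the F and O flags are missing; the sample output is constructed with placeholder principals modelled on the quoted one.

```python
import re

# Constructed sample modelled on the klist -f output quoted in the thread;
# the principals and realms are placeholders, not the poster's real names.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 07/19/07 09:16:49, Flags: FRIA
07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/AD.EXAMPLE.ORG@EXAMPLE.ORG
        renew until 07/19/07 09:16:49, Flags: FRAO
07/18/07 09:17:04  07/18/07 19:16:55  HTTP/od.example.org@AD.EXAMPLE.ORG
        renew until 07/18/07 09:17:04, Flags: FRAT
"""

# Two ticket-flag letters printed by MIT klist -f that matter for delegation:
# F = forwardable (the client may forward a TGT), O = ok-as-delegate (the KDC
# marks the service as trusted for delegation).
DELEGATION_FLAGS = {"F": "forwardable", "O": "ok-as-delegate"}

TIMESTAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({TIMESTAMP})\s+({TIMESTAMP})\s+(\S+)$")
FLAGS_RE = re.compile(r"Flags:\s*([A-Za-z]+)")


def parse_klist(text):
    """Return one dict per ticket: service principal, lifetime and flag letters."""
    tickets, current = [], None
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:  # start of a new ticket entry
            current = {"valid": m.group(1), "expires": m.group(2),
                       "service": m.group(3), "flags": ""}
            tickets.append(current)
        elif current is not None and (m := FLAGS_RE.search(line)):
            current["flags"] = m.group(1)  # flags follow on the next line
    return tickets


def delegation_report(text):
    """Map each service (non-krbtgt) ticket to the delegation flags it lacks.
    The thread's HTTP/ ticket shows FRAT: forwardable, but no 'O'."""
    report = {}
    for t in parse_klist(text):
        if not t["service"].startswith("krbtgt/"):
            report[t["service"]] = [name for letter, name in DELEGATION_FLAGS.items()
                                    if letter not in t["flags"]]
    return report
```

Run `delegation_report(open("klist.txt").read())` against a saved `klist -f` capture to get the same per-service list for a real cache.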