On Mon, 2007-07-23 at 16:27 -0500, Douglas E. Engert wrote:

> 
> Mikkel Kruse Johnsen wrote:
> > Hi Markus
> > 
> > Yes that is what I want. I need the KRB5CCNAME (the credential) so I can 
> > login to my OpenLDAP SASL based server and PostgreSQL with kerberos.
> 
> So what you need is the Kerberos credentials. I have an older version
> of mod_auth_kerb. I assume your version has the routine store_gss_creds(),
> which should be doing this for you, creating the name in
> create_krb5_ccache() and calling
> apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);


Yes, it does contain that function; I'm using mod_auth_kerb 5.3.


> 
> Is KrbSaveCredentials being set in the conf file?


Yes, it is set. And I have set the:

network.negotiate-auth.delegation-uris = cbs.dk,hhk.dk
network.negotiate-auth.trusted-uris = cbs.dk,hhk.dk

(Have tried all kinds of combinations. This must be the right one.)


> This controls the saving of credentials:
>   if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
>     store_gss_creds(...)
> 
> Are the above routines being called?


It seems that "delegated_cred = GSS_C_NO_CREDENTIAL", because
store_gss_creds is never called.
I compiled mod_auth_kerb with the attached patch, and it is now called, but I
get in the log:

[Wed Jul 25 11:53:27 2007] [debug] src/mod_auth_kerb.c(1358): [client
130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
available, referer: http://od.cbs.dk/phpinfo.php
[Wed Jul 25 11:53:27 2007] [error] [client 130.226.36.170] Cannot store
delegated credential (gss_krb5_copy_ccache: Invalid credential was
supplied (No error)), referer: http://od.cbs.dk/phpinfo.php


> 
> Is the client actually delegating a credential?


So it seems that the credential is never delegated.


> 
> Is the KRB5CCNAME being set in the environment of the subprocess?


I don't know how to check this. The KRB5CCNAME is in the env. with the
attached patch, but the credentials are never saved to that file.


/Mikkel



> 
> > /Mikkel
> > 
> > On Mon, 2007-07-23 at 19:33 +0100, Markus Moeller wrote:
> >>  
> >> Storing credentials in a krb5 cache pointed to by KRB5CCNAME has nothing 
> >> to do with delegation.  You only need delegation if you want Apache to 
> >> log into a backend application with the user's ID. Is that what 
> >> you want? If so, you need to be very careful, as it gives your Apache 
> >> server a lot of power if you don't use constrained delegation.  You 
> >> need to protect it like a domain controller! 
> >>   
> >> Markus 
> >>   
> >>
> >>     "Mikkel Kruse Johnsen" <[EMAIL PROTECTED]>
> >>     wrote in message news:[EMAIL PROTECTED] 
> >>
> >>     Hi All
> >>
> >>     That did the trick: recompiling krb5-1.5 (on RHEL5 64bit) with
> >>     that patch.
> >>
> >>     Now I only have the problem that mod_auth_kerb doesn't write my
> >>     credentials to KRB5CCNAME (in PHP).
> >>
> >>     My "kerbtray" under Windows says it is Forwardable but no "Ok to
> >>     delegate", so I guess that is the problem.
> >>
> >>     Under Linux they are forwardable.
> >>
> >>     ------
> >>     [EMAIL PROTECTED] ~]$ klist -f
> >>     Ticket cache: FILE:/tmp/krb5cc_500
> >>     Default principal: [EMAIL PROTECTED]
> >>
> >>     Valid starting     Expires            Service principal
> >>     07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/[EMAIL PROTECTED]
> >>             renew until 07/19/07 09:16:49, Flags: FRIA
> >>     07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/[EMAIL PROTECTED]
> >>             renew until 07/19/07 09:16:49, Flags: FRAO
> >>     07/18/07 09:17:04  07/18/07 19:16:55  HTTP/[EMAIL PROTECTED]
> >>             renew until 07/18/07 09:17:04, Flags: FRAT
> >>     07/18/07 09:35:35  07/18/07 19:16:55  host/[EMAIL PROTECTED]
> >>             renew until 07/18/07 09:35:35, Flags: FRAT
> >>
> >>
> >>     Kerberos 4 ticket cache: /tmp/tkt500
> >>     klist: You have no tickets cached
> >>     --------
> >>
> >>
> >>     I found how to set ok-as-delegate for Heimdal; how is this done for
> >>     MIT Kerberos?
> >>
> >>     And how is it done under MS AD?
> >>
> >>     /Mikkel
> >>
> >>
> >>     On Tue, 2007-07-17 at 21:25 +0200, Achim Grolms wrote:
> >>>     On Tuesday 17 July 2007 09:41, Mikkel Kruse Johnsen wrote:
> >>>
> >>>     > gss_accept_sec_context() failed: Unspecified GSS failure.  Minor
> >>>     > code may provide more information (Cannot allocate memory)
> >>>
> >>>     What OS and what Kerberoslibs do you use?
> >>>     Background of this question:
> >>>
> >>>     I've seen this error message "Cannot allocate memory"
> >>>     (and its solution) in
> >>>
> >>>     <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>
> >>>
> >>>     Achim
> >>     _______________________________________________
> >>     modauthkerb-help mailing list
> >>     [EMAIL PROTECTED]
> >>     https://lists.sourceforge.net/lists/listinfo/modauthkerb-help

Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: [EMAIL PROTECTED]
www: http://www.linet.dk
diff -r -u mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c mod_auth_kerb-5.3/src/mod_auth_kerb.c
--- mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c	2007-07-25 11:38:20.000000000 +0200
+++ mod_auth_kerb-5.3/src/mod_auth_kerb.c	2007-07-25 11:42:40.000000000 +0200
@@ -1215,6 +1215,8 @@
   spnego_oid.length = 6;
   spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
 
+  OM_uint32 acc_ret_flags;
+
   if (conf->krb_5_keytab) {
      char *ktname;
      /* we don't use the ap_* calls here, since the string passed to putenv()
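Review bot: `OM_uint32 acc_ret_flags;` is declared after executable statements (the two `spnego_oid` assignments just above it) and is never initialised. Mixed declarations and code are a C99 feature the rest of this function does not rely on, and if `gss_accept_sec_context()` returns an error before filling in `ret_flags`, the later `acc_ret_flags & GSS_C_DELEG_FLAG` test reads an indeterminate value. Move the declaration up with the other locals of the function and initialise it: `OM_uint32 acc_ret_flags = 0;`.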
@@ -1277,7 +1279,7 @@
 				  &client_name,
 				  NULL,
 				  &output_token,
-				  NULL,
+				  &acc_ret_flags,
 				  NULL,
 				  &delegated_cred);
   log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
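Review bot: passing `&acc_ret_flags` in place of the `NULL` `ret_flags` argument is the right way to find out whether the mechanism reports delegation, but the GSS-API only defines that value when `gss_accept_sec_context()` succeeds, so the flags should be consulted only on the success path (or the variable zeroed before the call). Since this thread is about diagnosing exactly this, consider adding `acc_ret_flags` (in hex) to the `log_rerror(APLOG_MARK, APLOG_DEBUG, ...)` that immediately follows the call, so the log shows whether the bit was ever set rather than only whether the later branch was taken.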
@@ -1351,8 +1353,18 @@
   }
 #endif
 
-  if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
-     store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
+  if (conf->krb_save_credentials) {
+    if ( acc_ret_flags & GSS_C_DELEG_FLAG ) {      
+      log_rerror( APLOG_MARK, APLOG_DEBUG, 0, r,
+      	"krb_save_credentials activated, GSS_C_DELEG_FLAG available", "" );
+ 
+      store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
+    }
+    else {
+      log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
+        "krb_save_credentials activated, no GSS_C_DELEG_FLAG", "" );
+    }
+  }	 
 
   gss_release_buffer(&minor_status, &output_token);
 
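Review bot: the rewritten condition drops the `delegated_cred != GSS_C_NO_CREDENTIAL` guard the original line had, so `store_gss_creds()` is now called with whatever `delegated_cred` holds whenever the flag bit is set; that is consistent with the `gss_krb5_copy_ccache: Invalid credential was supplied` error quoted earlier in this mail. Keep both tests: `if (conf->krb_save_credentials && (acc_ret_flags & GSS_C_DELEG_FLAG) && delegated_cred != GSS_C_NO_CREDENTIAL)`. A client that does not delegate is the normal (and safer) case, so the "no GSS_C_DELEG_FLAG" message belongs at APLOG_DEBUG rather than APLOG_ERR; otherwise every non-delegating request fills the error log. The spurious `""` argument after the format string in both `log_rerror` calls and the trailing whitespace on the `if (` and closing `}` lines should also go.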
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
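Two of the questions in this thread ("is KRB5CCNAME set in the environment of the subprocess?" and "is the client actually delegating a credential?") can be checked without touching mod_auth_kerb. The script below is an added example, not code from the thread or from mod_auth_kerb: it validates the KRB5CCNAME a CGI/PHP child received and whether the FILE: cache it names was ever written to, and it parses `klist -f` output to report whether the TGT is forwardable (flag F) and whether the HTTP/ service ticket carries ok-as-delegate (flag O), the "Forwardable but no Ok to delegate" condition described above. The flag letters are those printed by MIT klist's own legend; the sample klist output is constructed, with EXAMPLE.COM standing in for the realm redacted in the quoted output, and `make_temp_cache` only stands in for a real ccache file.

```python
"""Checks for the "no delegated credential in KRB5CCNAME" problem.

Added example, not code from the thread or from mod_auth_kerb.  Assumes a
FILE: ccache (the type shown in the klist output quoted in the thread); the
sample klist text is constructed, with EXAMPLE.COM for the redacted realm."""
import os
import re
import tempfile

# Flag letters as printed by MIT `klist -f` (from klist's own legend).
FLAG_NAMES = {
    "F": "Forwardable", "f": "forwarded", "P": "Proxiable", "p": "proxy",
    "R": "Renewable", "I": "Initial", "A": "preAuthenticated",
    "T": "Transit policy checked", "O": "Okay as delegate",
}

# e.g. "07/18/07 09:17:04  07/18/07 19:16:55  HTTP/od.example.com@EXAMPLE.COM"
_TICKET_RE = re.compile(
    r"^\s*(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$")
# e.g. "        renew until 07/18/07 09:17:04, Flags: FRAT"
_FLAGS_RE = re.compile(r"Flags:\s*([A-Za-z]+)")


def parse_klist(text):
    """Map each service principal in `klist -f` output to its set of flag letters."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = _TICKET_RE.match(line)
        if m:
            current = m.group(3)
            tickets[current] = set()
            continue
        m = _FLAGS_RE.search(line)
        if m and current is not None:
            tickets[current] |= set(m.group(1))
    return tickets


def describe_flags(flags):
    """Expand flag letters to klist's legend names (unknown letters kept as-is)."""
    return [FLAG_NAMES.get(c, c) for c in sorted(flags)]


def delegation_readiness(tickets, realm, service_prefix="HTTP/"):
    """Can this cache yield a delegated credential to a service_prefix service?

    The TGT must be forwardable (F), and a Windows/SSPI client additionally
    needs ok-as-delegate (O) on the service ticket before it will forward."""
    tgt = tickets.get("krbtgt/%s@%s" % (realm, realm), set())
    services = {p: f for p, f in tickets.items() if p.startswith(service_prefix)}
    return {
        "tgt_forwardable": "F" in tgt,
        "service_ok_as_delegate": {p: "O" in f for p, f in services.items()},
    }


def check_krb5ccname(env):
    """Validate the KRB5CCNAME a CGI/PHP child actually received; returns (ok, reason).

    An existing but empty file means the name was exported to the subprocess
    but nothing was ever stored into it, the state described in the thread."""
    name = env.get("KRB5CCNAME")
    if not name:
        return False, "KRB5CCNAME is not set in the subprocess environment"
    if not name.startswith("FILE:"):
        return False, "not a FILE: cache, cannot check on disk: %s" % name
    path = name[len("FILE:"):]
    if not os.path.isfile(path):
        return False, "cache file %s does not exist" % path
    if os.path.getsize(path) == 0:
        return False, "cache file %s exists but is empty: nothing was stored" % path
    return True, "cache file %s is present and non-empty" % path


def make_temp_cache(contents):
    """Create a throwaway file standing in for a ccache (demo helper only)."""
    fd, path = tempfile.mkstemp(prefix="krb5cc_demo_")
    with os.fdopen(fd, "wb") as fh:
        fh.write(contents)
    return path


# Constructed sample, modelled on the klist output quoted in the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 07/19/07 09:16:49, Flags: FRIA
07/18/07 09:17:04  07/18/07 19:16:55  HTTP/od.example.com@EXAMPLE.COM
        renew until 07/18/07 09:17:04, Flags: FRAT
07/18/07 09:35:35  07/18/07 19:16:55  host/ldap.example.com@EXAMPLE.COM
        renew until 07/18/07 09:35:35, Flags: FRATO
"""

if __name__ == "__main__":
    tickets = parse_klist(SAMPLE_KLIST)
    for princ, flags in tickets.items():
        print(princ, describe_flags(flags))
    report = delegation_readiness(tickets, "EXAMPLE.COM")
    print("TGT forwardable:", report["tgt_forwardable"])
    for princ, ok in report["service_ok_as_delegate"].items():
        print("%s ok-as-delegate: %s" % (princ, ok))
    # What the PHP child sees when the name is exported but nothing is stored.
    print(check_krb5ccname({}))
    print(check_krb5ccname({"KRB5CCNAME": "FILE:" + make_temp_cache(b"")}))
```

In PHP the first check is `getenv('KRB5CCNAME')` followed by a file-size test on the path after `FILE:`; on the client, run `klist -f` as the browsing user and look for `O` on the HTTP/ ticket. In the sample the HTTP/ ticket shows `FRAT` and no `O`, which is the state the thread reports.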
