Mikkel Kruse Johnsen wrote:
> Hi Douglas
>
> I have already done all these steps. It still looks like the client is not delegating, and I am out of ideas.
>
> I'm currently on linux only to eliminate trust relations and the windows
> factor :)
>
> I'm on Fedora 7 getting a ticket from MIT kerberos and accessing a web
> site using the same MIT kerberos.
>
> I regularly try on windows. It doesn't work either (have done the steps on
> windows as well).
>
> /Mikkel
>
> On Thu, 2007-07-26 at 10:22 -0500, Douglas E. Engert wrote:
>> Attached is the Wireshark print output of the GET request showing
>> the SPNEGO and GSSAPI
>>
>> In original trace, the client does request a ticket to delegate
>> but it looks like it is not delegating it.
>>
>> It looks like it is:
>> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.5) Gecko/20070718 Fedora/2.0.0.5-1.fc7 Firefox/2.0.0.5\r\n
>>
>>
>> I Googled for:
>> FireFox SPNEGO delegation
>> and found among other articles:
>>
>> http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_SPNEGO_config_web.html
>>
>>
>> Complete the following steps to ensure that your Firefox browser is enabled
>> to perform SPNEGO authentication.
>> At the desktop, log in to the windows active directory domain.
>> Activate Firefox.
>> At the address field, type about:config.
>> In the Filter, type network.n
>> Double click on network.negotiate-auth.trusted-uris. This preference lists
>> the sites that are permitted to engage in SPNEGO Authentication with the
>> browser. Enter a comma-delimited list of trusted domains or URLs.
>> Note: You must set the value for network.negotiate-auth.trusted-uris.
>> If the deployed SPNEGO solution is using the advanced Kerberos feature of
>> Credential Delegation double click on
>> network.negotiate-auth.delegation-uris. This preference lists the sites for
>> which the browser may delegate user authorization to the server. Enter a
>> comma-delimited list of trusted domains
>> or URLs.
>> Click OK.
>> The configuration appears as updated.
>> Restart your Firefox browser to activate this configuration.
>>
>>
>> Mikkel Kruse Johnsen wrote:
>> > Hi Douglas
>> >
>> > I'm not sure what to look for, but here is the dump. If you are able to
>> > see anything. Done with wireshark.
>> >
>> > /Mikkel
>> >
>> > On Wed, 2007-07-25 at 09:36 -0500, Douglas E. Engert wrote:
>> >> Looks like it should have worked.
>> >>
>> >> A wireshark trace of the packets would show a lot, as long as
>> >> the session is not encrypted.
>> >>
>> >> It could be a size issue. AD can produce very large tickets if you
>> >> are in many groups.
>> >>
>> >> It could be an enc-type issue, which the server does not understand
>> >>
>> >> It could be the client is not delegating.
>> >>
>> >> Wireshark could answer these.
>> >>
>> >>
>> >>
>> >> Mikkel Kruse Johnsen wrote:
>> >> >
>> >> >
>> >> > On Mon, 2007-07-23 at 16:27 -0500, Douglas E. Engert wrote:
>> >> >>
>> >> >> Mikkel Kruse Johnsen wrote:
>> >> >> > Hi Markus
>> >> >> >
>> >> >> > Yes that is what I want. I need the KRB5CCNAME (the credential) so I can
>> >> >> > login to my OpenLDAP SASL based server and PostgreSQL with kerberos.
>> >> >>
>> >> >> So what you need is the Kerberos credentials. I have an older version
>> >> >> of mod_auth_kerb I assume your version has the routine store_gss_creds()
>> >> >> which should be doing this for you and creating the name in the
>> >> >> create_krb5_ccache(). and calling
>> >> >> apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
>> >> >
>> >> > Yes it does contain that function, I'm using mod_auth_kerb 5.3
>> >> >
>> >> >>
>> >> >> Is KrbSaveCredentials being set in the conf file?
>> >> >
>> >> > Yes it is set. And I have set the:
>> >> >
>> >> > network.negotiate-auth.delegation-uris = cbs.dk,hhk.dk
>> >> > network.negotiate-auth.trusted-uris = cbs.dk,hhk.dk
>> >> >
>> >> > (Have tried all kinds of combinations. This must be the right one.)
>> >> >
>> >> >> This controls the saving of credentials:
>> >> >> if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
>> >> >>     store_gss_creds(...)
>> >> >>
>> >> >> Are the above routines being called.
>> >> >
>> >> > It seems that "delegated_cred = GSS_C_NO_CREDENTIAL" because the
>> >> > store_gss_creds is never called.
>> >> > Compiled the mod_auth_kerb with the attached and it is now called but I
>> >> > get in the log:
>> >> >
>> >> > [Wed Jul 25 11:53:27 2007] [debug] src/mod_auth_kerb.c(1358): [client 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG available, referer: http://od.cbs.dk/phpinfo.php
>> >> > [Wed Jul 25 11:53:27 2007] [error] [client 130.226.36.170] Cannot store delegated credential (gss_krb5_copy_ccache: Invalid credential was supplied (No error)), referer: http://od.cbs.dk/phpinfo.php
>> >> >
>> >> >>
>> >> >> Is the client actually delegating a credential.
>> >> >
>> >> > So it seems that the credential is never delegated.
>> >> >
>> >> >>
>> >> >> Is the KRB5CCNAME being set in the environment of the subprocess.
>> >> >
>> >> > Don't know how to check this. The KRB5CCNAME is in the env. with the
>> >> > attached patch but the credentials are never saved to that file.
>> >> >
>> >> >
>> >> > /Mikkel
>> >> >
>> >> >
>> >> >>
>> >> >> >
>> >> >> > /Mikkel
>> >> >> >
>> >> >> > On Mon, 2007-07-23 at 19:33 +0100, Markus Moeller wrote:
>> >> >> >>
>> >> >> >> Storing credentials in a krb5 cache pointing to KRB5CCNAME has nothing
>> >> >> >> to do with delegation. You only need delegation if you want that
>> >> >> >> Apache logs into a backend application with the user's ID. Is that what
>> >> >> >> you want? If so you need to be very careful as it gives your apache
>> >> >> >> server a lot of power if you don't use constraint delegation. You
>> >> >> >> need to protect it like a domain controller !!!
>> >> >> >>
>> >> >> >> Markus
>> >> >> >>
>> >> >> >>
>> >> >> >> "Mikkel Kruse Johnsen" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
>> >> >> >>
>> >> >> >> Hi All
>> >> >> >>
>> >> >> >> That did the trick, recompiling krb5-1.5 (on RHEL5 64bit) with
>> >> >> >> that patch.
>> >> >> >>
>> >> >> >> Now I only have the problem that mod_auth_kerb doesn't write my
>> >> >> >> credentials to KRB5CCNAME (in PHP).
>> >> >> >>
>> >> >> >> My "kerbtray" under windows says it is Forwardable but no "Ok to
>> >> >> >> delegate", So I guess that is the problem.
>> >> >> >>
>> >> >> >> Under linux they are forwardable.
>> >> >> >>
>> >> >> >> ------
>> >> >> >> [EMAIL PROTECTED] ~]$ klist -f
>> >> >> >> Ticket cache: FILE:/tmp/krb5cc_500
>> >> >> >> Default principal: [EMAIL PROTECTED]
>> >> >> >>
>> >> >> >> Valid starting     Expires            Service principal
>> >> >> >> 07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/[EMAIL PROTECTED]
>> >> >> >>         renew until 07/19/07 09:16:49, Flags: FRIA
>> >> >> >> 07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/[EMAIL PROTECTED]
>> >> >> >>         renew until 07/19/07 09:16:49, Flags: FRAO
>> >> >> >> 07/18/07 09:17:04  07/18/07 19:16:55  HTTP/[EMAIL PROTECTED]
>> >> >> >>         renew until 07/18/07 09:17:04, Flags: FRAT
>> >> >> >> 07/18/07 09:35:35  07/18/07 19:16:55  host/[EMAIL PROTECTED]
>> >> >> >>         renew until 07/18/07 09:35:35, Flags: FRAT
>> >> >> >>
>> >> >> >>
>> >> >> >> Kerberos 4 ticket cache: /tmp/tkt500
>> >> >> >> klist: You have no tickets cached
>> >> >> >> --------
>> >> >> >>
>> >> >> >>
>> >> >> >> I found how to set ok-as-delegate for heimdal how is this done for
>> >> >> >> MIT kerberos ?
>> >> >> >>
>> >> >> >> And how is it done under MS AD ?
>> >> >> >>
>> >> >> >> /Mikkel
>> >> >> >>
>> >> >> >>
>> >> >> >> On Tue, 2007-07-17 at 21:25 +0200, Achim Grolms wrote:
>> >> >> >>> On Tuesday 17 July 2007 09:41, Mikkel Kruse Johnsen wrote:
>> >> >> >>>
>> >> >> >>> > gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
>> >> >> >>> > may provide more information (Cannot allocate memory)
>> >> >> >>>
>> >> >> >>> What OS and what Kerberoslibs do you use?
>> >> >> >>> Background of this question:
>> >> >> >>>
>> >> >> >>> I've seen this error message "Cannot allocate memory"
>> >> >> >>> (and its solution) in
>> >> >> >>>
>> >> >> >>> <http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>
>> >> >> >>>
>> >> >> >>> Achim
>> >> >> >> Mikkel Kruse Johnsen
>> >> >> >> Linet
>> >> >> >> Ørholmgade 6 st tv
>> >> >> >> 2200 København N
>> >> >> >>
>> >> >> >> Tlf: +45 2128 7793
>> >> >> >> email: [EMAIL PROTECTED]
>> >> >> >> www: http://www.linet.dk
>> >> >> >>
>> >> >> >> _______________________________________________
>> >> >> >> modauthkerb-help mailing list
>> >> >> >> [EMAIL PROTECTED]
>> >> >> >> https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
>> >> >> >
>> >> >> > *Mikkel Kruse Johnsen*
>> >> >> > Adm.Dir.
>> >> >> >
>> >> >> > *Linet <http://www.linet.dk>*
>> >> >> > Ørholmgade 6 st tv <http://maps.google.com/maps?q=%D8rholmgade+6+st+tv%2CCopenhagen+N+2200%2CDenmark&hl=en>
>> >> >> > Copenhagen N 2200 Denmark
>> >> >> > *Work:* +45 21287793
>> >> >> > *Mobile:* +45 21287793
>> >> >> > *Email:* [EMAIL PROTECTED]
>> >> >> > *IM:* [EMAIL PROTECTED] (MSN)
>> >> >> > *Professional Profile <http://www.linkedin.com/pub/3/333/803>*
>> >> >> > *Healthcare <http://www.xmedicus.dk>*
>> >> >> >
>> >> >> > Network Consultant
>> >> >> > Download your FREE copy of Splunk now >> http://get.splunk.com/ >> >> >> > >> >> >> > >> >> >> > ------------------------------------------------------------------------ >> >> >> > >> >> >> > _______________________________________________ >> >> >> > modauthkerb-help mailing list >> >> >> > [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> <mailto:[EMAIL >> >> >> > PROTECTED]> <mailto:[EMAIL PROTECTED]> >> >> >> > https://lists.sourceforge.net/lists/listinfo/modauthkerb-help >> >> >> >> >> > Mikkel Kruse Johnsen >> >> > Linet >> >> > Ørholmgade 6 st tv >> >> > 2200 København N >> >> > >> >> > Tlf: +45 2128 7793 >> >> > email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> <mailto:[EMAIL >> >> > PROTECTED]> >> >> > www: http://www.linet.dk >> >> > >> >> > >> >> > ------------------------------------------------------------------------ >> >> > >> >> > diff -r -u mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c >> >> > mod_auth_kerb-5.3/src/mod_auth_kerb.c >> >> > --- mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c 2007-07-25 >> >> > 11:38:20.000000000 +0200 >> >> > +++ mod_auth_kerb-5.3/src/mod_auth_kerb.c 2007-07-25 >> >> > 11:42:40.000000000 +0200 >> >> > @@ -1215,6 +1215,8 @@ >> >> > spnego_oid.length = 6; >> >> > spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02"; >> >> > >> >> > + OM_uint32 acc_ret_flags; >> >> > + >> >> > if (conf->krb_5_keytab) { >> >> > char *ktname; >> >> > /* we don't use the ap_* calls here, since the string passed to >> >> > putenv() >> >> > @@ -1277,7 +1279,7 @@ >> >> > &client_name, >> >> > NULL, >> >> > &output_token, >> >> > - NULL, >> >> > + &acc_ret_flags, >> >> > NULL, >> >> > &delegated_cred); >> >> > log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 
>> >> > @@ -1351,8 +1353,18 @@ >> >> > } >> >> > #endif >> >> > >> >> > - if (conf->krb_save_credentials && delegated_cred != >> >> > GSS_C_NO_CREDENTIAL) >> >> > - store_gss_creds(r, conf, (char *)output_token.value, >> >> > delegated_cred); >> >> > + if (conf->krb_save_credentials) { >> >> > + if ( acc_ret_flags & GSS_C_DELEG_FLAG ) { >> >> > + log_rerror( APLOG_MARK, APLOG_DEBUG, 0, r, >> >> > + "krb_save_credentials activated, GSS_C_DELEG_FLAG available", >> >> > "" ); >> >> > + >> >> > + store_gss_creds(r, conf, (char *)output_token.value, >> >> > delegated_cred); >> >> > + } >> >> > + else { >> >> > + log_rerror( APLOG_MARK, APLOG_ERR, 0, r, >> >> > + "krb_save_credentials activated, no GSS_C_DELEG_FLAG", "" ); >> >> > + } >> >> > + } >> >> > >> >> > gss_release_buffer(&minor_status, &output_token); >> >> > >> >> >> > Mikkel Kruse Johnsen >> > Linet >> > Ørholmgade 6 st tv >> > 2200 København N >> > >> > Tlf: +45 2128 7793 >> > email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> >> > www: http://www.linet.dk >> > >> > >> > ------------------------------------------------------------------------ >> > >> > ------------------------------------------------------------------------- >> > This SF.net email is sponsored by: Splunk Inc. >> > Still grepping through log files to find problems? Stop. >> > Now Search log events and configuration files using AJAX and a browser. >> > Download your FREE copy of Splunk now >> http://get.splunk.com/ >> > >> > >> > ------------------------------------------------------------------------ >> > >> > _______________________________________________ >> > modauthkerb-help mailing list >> > [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> >> > https://lists.sourceforge.net/lists/listinfo/modauthkerb-help >> >> plain text document attachment (wireshark.txt) >> >> No. 
Time            Source                Destination           Protocol Info
>>      16 09:14:12.060179 130.226.36.170        130.226.36.191        HTTP     GET /test.php HTTP/1.1
>>
>> Frame 16 (1514 bytes on wire, 1514 bytes captured)
>>     Arrival Time: Jul 26, 2007 09:14:12.060179000
>>     [Time delta from previous captured frame: 0.000053000 seconds]
>>     [Time delta from previous displayed frame: 0.000053000 seconds]
>>     [Time since reference or first frame: 0.058896000 seconds]
>>     Frame Number: 16
>>     Frame Length: 1514 bytes
>>     Capture Length: 1514 bytes
>>     [Frame is marked: False]
>>     [Protocols in frame: eth:ip:tcp:http:gss-api:spnego:spnego-krb5]
>>     [Coloring Rule Name: Checksum Errors]
>>     [Coloring Rule String: cdp.checksum_bad==1 || edp.checksum_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1]
>> Ethernet II, Src: HewlettP_f1:fb:4a (00:11:85:f1:fb:4a), Dst: Ibm_a4:a7:30 (00:14:5e:a4:a7:30)
>> Internet Protocol, Src: 130.226.36.170 (130.226.36.170), Dst: 130.226.36.191 (130.226.36.191)
>> Transmission Control Protocol, Src Port: 59168 (59168), Dst Port: http (80), Seq: 1, Ack: 1, Len: 1448
>> Hypertext Transfer Protocol
>>     GET /test.php HTTP/1.1\r\n
>>         Request Method: GET
>>         Request URI: /test.php
>>         Request Version: HTTP/1.1
>>     Host: od.cbs.dk\r\n
>>     User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.5) Gecko/20070718 Fedora/2.0.0.5-1.fc7 Firefox/2.0.0.5\r\n
>>     Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
>>     Accept-Language: da,en-us;q=0.7,en;q=0.3\r\n
>>     Accept-Encoding: gzip,deflate\r\n
>>     Accept-Charset: UTF-8,*\r\n
>>     Keep-Alive: 300\r\n
>>     Connection: keep-alive\r\n
>>     Cookie: [EMAIL PROTECTED]@u/2b0b0b001ab63a9ddf5d0bc900aaf3322b15aed5; __utma=86912970.1938967652.1154513502.1185282347.1185453096.204; __utmz=86912970.1183459330.194.26.utmccn=(referral)|utmcsr=muhuhu.cbs.dk|utmcct=/om
>>     Cache-Control: max-age=0, max-age=0\r\n
>>     Authorization: Negotiate YIID7gYGKwYBBQUCoIID4jCCA96gHzAdBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgKhBAMCAQKiggOzBIIDr2CCA6sGCSqGSIb3EgECAgEAboIDmjCCA5agAwIBBaEDAgEOogcDBQAAAAAAo4HjYYHgMIHdoAMCAQWhCBsGQ0JTLkRLoh4wHKADAgEDoRUwExsESFRUUBsLc3VnaS
>>         GSS-API Generic Security Service Application Program Interface
>>             OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
>>             SPNEGO
>>                 negTokenInit
>>                     mechTypes: 3 items
>>                         Item: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
>>                         Item: 1.3.5.1.5.2 (SNMPv2-SMI::org.5.1.5.2)
>>                         Item: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
>>                     Padding: 1
>>                     reqFlags: 02 (integFlag)
>>                         0... .... = delegFlag: False
>>                         .0.. .... = mutualFlag: False
>>                         ..0. .... = replayFlag: False
>>                         ...0 .... = sequenceFlag: False
>>                         .... 0... = anonFlag: False
>>                         .... .0.. = confFlag: False
>>                         .... ..1. = integFlag: True
>>                     mechToken: 608203AB06092A864886F71201020201006E82039A308203...
>>                     krb5_blob: 608203AB06092A864886F71201020201006E82039A308203...
>>                         KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
>>                         krb5_tok_id: KRB5_AP_REQ (0x0001)
>>                         Kerberos AP-REQ
>>                             Pvno: 5
>>                             MSG Type: AP-REQ (14)
>>                             Padding: 0
>>                             APOptions: 00000000
>>                                 .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
>>                                 ..0. .... .... .... .... .... .... .... = Mutual required: Mutual authentication is NOT required
>>                             Ticket
>>                                 Tkt-vno: 5
>>                                 Realm: CBS.DK
>>                                 Server Name (Service and Host): HTTP/sugi.cbs.dk
>>                                     Name-type: Service and Host (3)
>>                                     Name: HTTP
>>                                     Name: sugi.cbs.dk
>>                                 enc-part des-cbc-crc
>>                                     Encryption type: des-cbc-crc (1)
>>                                     Kvno: 3
>>                                     enc-part: CB835CF2DBFE16D024DB4F67A572BAC61C07B4389DF94CD6...
>>                             Authenticator des-cbc-crc
>>                                 Encryption type: des-cbc-crc (1)
>>                                 Authenticator data: CD64AF3F5353CFA94E0E7A52FF7269C404D1ED422AC9AD84...

--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
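Review bot: In the first hunk of the quoted mod_auth_kerb.c patch (@@ -1215,6 +1215,8 @@), "OM_uint32 acc_ret_flags;" is declared after the two spnego_oid assignments and has no initializer. Declare it with the function's other locals and set it to 0, so that the later "acc_ret_flags & GSS_C_DELEG_FLAG" test is well defined whatever gss_accept_sec_context() wrote into it.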
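Review bot: The new condition in the last hunk (@@ -1351,8 +1353,18 @@) drops the "delegated_cred != GSS_C_NO_CREDENTIAL" test that the removed lines had, so store_gss_creds() can now be called without a credential; the log quoted in this thread ("GSS_C_DELEG_FLAG available" followed by "Cannot store delegated credential ... Invalid credential was supplied") is consistent with that. Keep both tests, for example (acc_ret_flags & GSS_C_DELEG_FLAG) && delegated_cred != GSS_C_NO_CREDENTIAL. Two smaller points in the same hunk: both log_rerror() calls pass a trailing "" argument that the format string never consumes, and the else branch logs at APLOG_ERR for every request that arrives without delegation, where APLOG_DEBUG would fit better.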
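The trace in this thread turns on the SPNEGO reqFlags bits and the ticket's encryption type. The following is an added example, not part of the thread or of mod_auth_kerb, that decodes those cleartext fields from an Authorization: Negotiate value. All function names are assumptions of this example, and the sample token is constructed inline by build_sample() with made-up names (EXAMPLE.TEST, web.example.test).

```python
import base64

# ContextFlags bit names (RFC 4178), most significant bit first.
REQ_FLAGS = ["delegFlag", "mutualFlag", "replayFlag", "sequenceFlag",
             "anonFlag", "confFlag", "integFlag"]
SPNEGO_OID, KRB5_OID = "1.3.6.1.5.5.2", "1.2.840.113554.1.2.2"

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):          # e.g. token cut off at a TCP segment boundary
        raise ValueError("truncated DER element, tag 0x%02x" % tag)
    return tag, buf[pos:pos + length], pos + length

def elements(buf):
    """List the (tag, value) pairs of the elements directly inside buf."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, value))
    return out

def inner(buf):
    return read_tlv(buf)[1]              # unwrap one layer: value of the first element

def decode_oid(body):
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_krb5_token(mech_token):
    """Cleartext ticket fields of a Kerberos AP-REQ mechToken, or None."""
    tag, body, _ = read_tlv(mech_token)
    _, oid, pos = read_tlv(body)
    if tag != 0x60 or decode_oid(oid) != KRB5_OID or body[pos:pos + 2] != b"\x01\x00":
        return None                      # not a KRB5_AP_REQ token
    ap_req = dict(elements(inner(inner(body[pos + 2:]))))  # [APPLICATION 14] > SEQUENCE
    ticket = dict(elements(inner(inner(ap_req[0xA3]))))    # [APPLICATION 1] > SEQUENCE
    names = dict(elements(inner(ticket[0xA2])))[0xA1]      # PrincipalName.name-string
    enc = dict(elements(inner(ticket[0xA3])))              # EncryptedData of the ticket
    # Kerberos-level delegation (RFC 4121 checksum flags) is in the encrypted authenticator.
    return {"realm": inner(ticket[0xA1]).decode("ascii"),
            "sname": "/".join(v.decode("ascii") for _, v in elements(inner(names))),
            "etype": int.from_bytes(inner(enc[0xA0]), "big")}

def parse_negotiate(header_value):
    """Dissect the value of an 'Authorization: Negotiate <base64>' header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    tag, body, _ = read_tlv(base64.b64decode(b64))
    _, oid, pos = read_tlv(body)
    if tag != 0x60 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not an initial SPNEGO token")
    fields = dict(elements(inner(inner(body[pos:]))))      # [0] negTokenInit > SEQUENCE
    info = {"mech_types": [], "req_flags": None, "ticket": None}
    if 0xA0 in fields:
        info["mech_types"] = [decode_oid(v) for _, v in elements(inner(fields[0xA0]))]
    if 0xA1 in fields:                   # BIT STRING: unused-bit count, then flag byte
        bits = inner(fields[0xA1])
        flags = bits[1] if len(bits) > 1 else 0
        info["req_flags"] = [n for i, n in enumerate(REQ_FLAGS) if flags & (0x80 >> i)]
    if 0xA2 in fields:
        info["ticket"] = parse_krb5_token(inner(fields[0xA2]))
    return info

def tlv(tag, *parts):
    """DER-encode one element; used only to build the constructed sample."""
    body = b"".join(parts)
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = [n] if n < 0x80 else [0x80 | size, *n.to_bytes(size, "big")]
    return bytes([tag, *head]) + body

def build_sample(flag_byte):
    """Constructed header value shaped like the traced request (not captured data)."""
    krb5, mskrb5 = bytes.fromhex("06092a864886f712010202"), bytes.fromhex("06092a864882f712010202")
    gstr = lambda s: tlv(0x1B, s.encode("ascii"))
    num = lambda v: tlv(0x02, bytes([v]))
    enc = tlv(0x30, tlv(0xA0, num(1)), tlv(0xA2, tlv(0x04, bytes(16))))  # etype 1, dummy cipher
    sname = tlv(0x30, tlv(0xA0, num(3)), tlv(0xA1, tlv(0x30, gstr("HTTP"), gstr("web.example.test"))))
    ticket = tlv(0x61, tlv(0x30, tlv(0xA0, num(5)), tlv(0xA1, gstr("EXAMPLE.TEST")),
                           tlv(0xA2, sname), tlv(0xA3, enc)))
    ap_req = tlv(0x6E, tlv(0x30, tlv(0xA0, num(5)), tlv(0xA1, num(14)),
                           tlv(0xA2, tlv(0x03, bytes(5))), tlv(0xA3, ticket), tlv(0xA4, enc)))
    init = tlv(0x30, tlv(0xA0, tlv(0x30, krb5, mskrb5)),
               tlv(0xA1, tlv(0x03, bytes([1, flag_byte]))),
               tlv(0xA2, tlv(0x04, tlv(0x60, krb5, b"\x01\x00", ap_req))))
    token = tlv(0x60, bytes.fromhex("06062b0601050502"), tlv(0xA0, init))
    return "Negotiate " + base64.b64encode(token).decode("ascii")
```
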