Hi Kronus, you definitely have to use mod_auth_kerb's internal SPNEGO implementation (rather than MIT krb5's) to get it to work. I spent a lot of time realizing that.
The "ok_as_delegate" principal attribute cannot be set through kadmin in MIT krb5 1.6.1, but adding it is a very simple patch: a new KDB attribute bit, the kadmin/kadm5 flag-table entries, and two lines in the KDC that turn the attribute into the OK-AS-DELEGATE ticket flag. See the attachment below. Med Venlig Hilsen / Kind Regards Mikkel Kruse Johnsen Adm.Dir. Linet Ørholmgade 6 st tv Copenhagen N 2200 Denmark Work: +45 21287793 Mobile: +45 21287793 Email: mik...@linet.dk IM: mik...@linet.dk (MSN) Professional Profile Healthcare Network Consultant man, 18 05 2009 kl. 13:13 -0400, skrev Greg Hudson: > kadmin support for ok_as_delegate has been added on the trunk but is not > currently scheduled to go into 1.7, as the cutoff for new features was a > while ago. That could probably change if we find conclusive evidence > that ok_as_delegate support is more important than we thought. > > However, I think your problem may not be related to the ok_as_delegate > flag. http://krbdev.mit.edu/rt/Ticket/Display.html?id=5807 matches your > symptoms and is a totally different bug, which will be fixed in 1.7. > (The relevant version in this case is the Kerberos code running on your > Apache HTTPD server.) > > http://mailman.mit.edu/pipermail/kerberos/2007-August/012104.html > suggests that you might be able to work around the problem by using > mod_auth_kerb's SPNEGO code instead of MIT krb5's. I don't know if > that's still possible two years later. > > > ________________________________________________ > Kerberos mailing list Kerberos@mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos
diff -uNr krb5-1.6.1.orig/doc/admin.texinfo krb5-1.6.1/doc/admin.texinfo
--- krb5-1.6.1.orig/doc/admin.texinfo 2006-12-21 23:07:31.000000000 +0100
+++ krb5-1.6.1/doc/admin.texinfo 2009-04-14 09:06:36.000000000 +0200
@@ -1896,6 +1896,13 @@
 sets the KRB5_KDB_REQUIRES_HW_AUTH flag on the principal in the database.
+...@itemx @{-|+...@}ok_as_delegate
+The ``+ok_as_delegate'' sets the OK-AS-DELEGATE flag on tickets issued for use
+with this principal as the service, which clients may use as a hint that
+credentials can and should be delegated when authenticating to the service.
+Sets the KRB5_KDB_OK_AS_DELEGATE flag. ``-ok_as_delegate'' clears
+this flag.
+
 @item @{-|+...@}allow_svr
 The ``-allow_svr'' flag prohibits the issuance of service tickets for this principal. ``+allow_svr'' clears this flag. In effect,
diff -uNr krb5-1.6.1.orig/src/include/kdb.h krb5-1.6.1/src/include/kdb.h
--- krb5-1.6.1.orig/src/include/kdb.h 2006-12-13 00:37:53.000000000 +0100
+++ krb5-1.6.1/src/include/kdb.h 2009-04-14 09:06:36.000000000 +0200
@@ -79,6 +79,7 @@
 #define KRB5_KDB_PWCHANGE_SERVICE 0x00002000
 #define KRB5_KDB_SUPPORT_DESMD5 0x00004000
 #define KRB5_KDB_NEW_PRINC 0x00008000
+#define KRB5_KDB_OK_AS_DELEGATE 0x00010000

 /* Creation flags */
 #define KRB5_KDB_CREATE_BTREE 0x00000001
diff -uNr krb5-1.6.1.orig/src/kadmin/cli/kadmin.c krb5-1.6.1/src/kadmin/cli/kadmin.c
--- krb5-1.6.1.orig/src/kadmin/cli/kadmin.c 2006-12-19 22:10:19.000000000 +0100
+++ krb5-1.6.1/src/kadmin/cli/kadmin.c 2009-04-14 09:07:43.000000000 +0200
@@ -65,7 +65,8 @@
 {"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0},
 {"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1},
 {"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 },
-{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }
+{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 },
+{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 }
 };

 static char *prflags[] = {
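Review bot: The new attribute bit `0x00010000` in the kdb.h hunk is a persisted value (it ends up in the principal database, in `kdb5_util dump` output and on the kadm5 wire), and nothing in the patch ties it to the value the upstream trunk chose for the same flag, which the quoted reply says already exists there. If the two differ — I believe upstream settled on `0x00100000`, with the intervening bits left unused — a database or dump produced with this patch will be misread after an upgrade, and OK-AS-DELEGATE would land on whatever attribute trunk assigns to bit 16. I would check trunk's kdb.h and use the same value, and record the coupling next to the define: `#define KRB5_KDB_OK_AS_DELEGATE 0x00010000 /* persisted in KDB/dumps and kadm5 protocol; must match upstream */`.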
@@ -85,6 +86,7 @@
 "PWCHANGE_SERVICE", /* 0x00002000 */
 "SUPPORT_DESMD5", /* 0x00004000 */
 "NEW_PRINC", /* 0x00008000 */
+ "OK_AS_DELEGATE", /* 0x00010000 */
 };

 char *getenv();
@@ -1101,6 +1103,7 @@
 "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
 "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
 "\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
 "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
 "\t\t\tLook at each database documentation for supported arguments\n");
 }
@@ -1117,6 +1120,7 @@
 "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
 "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
 "\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
 "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
 "\t\t\tLook at each database documentation for supported arguments\n" );
diff -uNr krb5-1.6.1.orig/src/kadmin/cli/kadmin.M krb5-1.6.1/src/kadmin/cli/kadmin.M
--- krb5-1.6.1.orig/src/kadmin/cli/kadmin.M 2006-12-21 23:07:20.000000000 +0100
+++ krb5-1.6.1/src/kadmin/cli/kadmin.M 2009-04-14 09:06:36.000000000 +0200
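Review bot: The `prflags` entry added in the first hunk is correct only because of its position: the per-entry hex comments indicate this array is indexed by bit number, so `"OK_AS_DELEGATE"` at index 16 matches `KRB5_KDB_OK_AS_DELEGATE` being `0x00010000`, yet nothing on the line says the two must move together. If the attribute value is later changed (for instance to line up with upstream) without padding this array, the attribute listing would silently print the wrong name, or nothing, for the flag. A comment on the new line makes the coupling visible: `"OK_AS_DELEGATE", /* 0x00010000 -- index must equal the bit position of KRB5_KDB_OK_AS_DELEGATE */`. The two usage-string hunks are fine as written; the new literal is attached to the preceding string by adjacency, with no comma, exactly like the existing `"\nwhere,..."` line. The array and the usage functions begin and end outside these hunks.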
@@ -327,6 +327,16 @@
 .B -requires_hwauth
 clears this flag.
 .TP
+{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP
+.B +ok_as_delegate
+sets the OK-AS-DELEGATE flag on tickets issued for use with this principal
+as the service, which clients may use as a hint that credentials can and
+should be delegated when authenticating to the service. (Sets the
+.SM KRB5_KDB_OK_AS_DELEGATE
+flag.)
+.B -ok_as_delegate
+clears this flag.
+.TP
 {\fB\-\fP|\fB+\fP}\fBallow_svr\fP
 .B -allow_svr
 prohibits the issuance of service tickets for this principal. (Sets the
diff -uNr krb5-1.6.1.orig/src/kdc/do_as_req.c krb5-1.6.1/src/kdc/do_as_req.c
--- krb5-1.6.1.orig/src/kdc/do_as_req.c 2006-11-14 23:47:21.000000000 +0100
+++ krb5-1.6.1/src/kdc/do_as_req.c 2009-04-14 09:06:36.000000000 +0200
@@ -257,6 +257,10 @@
 enc_tkt_reply.caddrs = request->addresses;
 enc_tkt_reply.authorization_data = 0;

+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) {
+ setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
+ }
+
 /*
 * Check the preauthentication if it is there.
 */
diff -uNr krb5-1.6.1.orig/src/kdc/do_tgs_req.c krb5-1.6.1/src/kdc/do_tgs_req.c
--- krb5-1.6.1.orig/src/kdc/do_tgs_req.c 2007-04-04 23:08:05.000000000 +0200
+++ krb5-1.6.1/src/kdc/do_tgs_req.c 2009-04-14 09:06:36.000000000 +0200
@@ -534,6 +534,10 @@
 goto cleanup;
 }

+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) {
+ setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
+ }
+
 ticket_reply.enc_part2 = &enc_tkt_reply;

 /*
diff -uNr krb5-1.6.1.orig/src/lib/kadm5/str_conv.c krb5-1.6.1/src/lib/kadm5/str_conv.c
--- krb5-1.6.1.orig/src/lib/kadm5/str_conv.c 2001-06-26 21:59:45.000000000 +0200
+++ krb5-1.6.1/src/lib/kadm5/str_conv.c 2009-04-14 09:06:36.000000000 +0200
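Review bot: In both KDC hunks `TKT_FLG_OK_AS_DELEGATE` is set purely from the service principal's attribute and nothing visible in the patch ever reads it back, so on the KDC side the flag enforces nothing; its whole effect is on clients, and GSS/SSPI stacks that honour it treat it as permission to forward the user's TGT to that service without further prompting. That makes `+ok_as_delegate` a trust grant rather than the "hint" the man page calls it: a compromised service carrying the flag is handed full credentials by every client that honours it, which is worth saying at the `setflag` site, e.g. `/* Advisory to clients only: marks this service as trusted to receive forwarded credentials; the KDC does not enforce it. */`. The two insertions sit inside request-processing functions whose start and end lie outside the hunks, so I cannot confirm from here that `server` is the final resolved service entry at the TGS insertion point; it should be placed after any rewriting of the requested server principal so a renewed or cross-realm ticket is marked for the right service.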
@@ -73,6 +73,7 @@
 static const char flags_tickets_in[] = "allow-tickets";
 static const char flags_preauth_in[] = "preauth";
 static const char flags_hwauth_in[] = "hwauth";
+static const char flags_ok_as_delegate_in[] = "ok-as-delegate";
 static const char flags_pwchange_in[] = "pwchange";
 static const char flags_service_in[] = "service";
 static const char flags_pwsvc_in[] = "pwservice";
@@ -86,6 +87,7 @@
 static const char flags_tickets_out[] = "All Tickets Disallowed";
 static const char flags_preauth_out[] = "Preauthorization required";
 static const char flags_hwauth_out[] = "HW Authorization required";
+static const char flags_ok_as_delegate_out[] = "OK as Delegate";
 static const char flags_pwchange_out[] = "Password Change required";
 static const char flags_service_out[] = "Service Disabled";
 static const char flags_pwsvc_out[] = "Password Changing Service";
@@ -109,6 +111,7 @@
 { KRB5_KDB_DISALLOW_ALL_TIX, 0, flags_tickets_in, flags_tickets_out },
 { KRB5_KDB_REQUIRES_PRE_AUTH, 1, flags_preauth_in, flags_preauth_out },
 { KRB5_KDB_REQUIRES_HW_AUTH, 1, flags_hwauth_in, flags_hwauth_out },
+{ KRB5_KDB_OK_AS_DELEGATE, 1, flags_ok_as_delegate_in, flags_ok_as_delegate_out },
 { KRB5_KDB_REQUIRES_PWCHANGE, 1, flags_pwchange_in, flags_pwchange_out},
 { KRB5_KDB_DISALLOW_SVR, 0, flags_service_in, flags_service_out },
 { KRB5_KDB_PWCHANGE_SERVICE, 1, flags_pwsvc_in, flags_pwsvc_out },