Re: ok_as_delegation status

2009-05-18 Thread Mikkel Kruse Johnsen
Hi Kronus

You definitely have to use mod_auth_kerb's internal SPNEGO to get it to
work. I spent a lot of time realizing that.

The "ok_as_delegate" flag is not in kerberos, but it is a very simple
patch. See attachment.

Med Venlig Hilsen / Kind Regards

Mikkel Kruse Johnsen
Adm.Dir., Linet
Ørholmgade 6 st tv, Copenhagen N 2200, Denmark
Work: +45 21287793, Mobile: +45 21287793
Email: mik...@linet.dk, IM: mik...@linet.dk (MSN)

Mon, 18 05 2009 at 13:13 -0400, Greg Hudson wrote:

> kadmin support for ok_as_delegate has been added on the trunk but is not
> currently scheduled to go into 1.7, as the cutoff for new features was a
> while ago.  That could probably change if we find conclusive evidence
> that ok_as_delegate support is more important than we thought.
> 
> However, I think your problem may not be related to the ok_as_delegate
> flag.  http://krbdev.mit.edu/rt/Ticket/Display.html?id=5807 matches your
> symptoms and is a totally different bug, which will be fixed in 1.7.
> (The relevant version in this case is the Kerberos code running on your
> Apache HTTPD server.)
> 
> http://mailman.mit.edu/pipermail/kerberos/2007-August/012104.html
> suggests that you might be able to work around the problem by using
> mod_auth_kerb's SPNEGO code instead of MIT krb5's.  I don't know if
> that's still possible two years later.
> 
> 
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
diff -uNr krb5-1.6.1.orig/doc/admin.texinfo krb5-1.6.1/doc/admin.texinfo
--- krb5-1.6.1.orig/doc/admin.texinfo	2006-12-21 23:07:31.0 +0100
+++ krb5-1.6.1/doc/admin.texinfo	2009-04-14 09:06:36.0 +0200
@@ -1896,6 +1896,13 @@
 sets the KRB5_KDB_REQUIRES_HW_AUTH flag on the principal in the
 database.
 
+...@itemx @{-|+...@}ok_as_delegate
+The ``+ok_as_delegate'' sets the OK-AS-DELEGATE flag on tickets issued for use
+with this principal as the service, which clients may use as a hint that
+credentials can and should be delegated when authenticating to the service.
+Sets the KRB5_KDB_OK_AS_DELEGATE flag. ``-ok_as_delegate'' clears
+this flag.
+
 @item @{-|+...@}allow_svr
 The ``-allow_svr'' flag prohibits the issuance of service tickets for
 this principal.  ``+allow_svr'' clears this flag.  In effect,
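Review bot: the new entry is introduced with `@itemx`, but in Texinfo `@itemx` only adds a second label to the preceding `@item`'s description; this entry carries its own paragraph, so it should be `@item @{-|+@}ok_as_delegate`, the same form as the `@item @{-|+@}allow_svr` entry that follows (the `...@` in both lines is the archive's address obfuscation of a bare `@`, not part of the patch). The sentence `The ``+ok_as_delegate'' sets the OK-AS-DELEGATE flag` is also missing the word "flag"; `The ``+ok_as_delegate'' flag sets ...` matches the neighbouring entries.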
diff -uNr krb5-1.6.1.orig/src/include/kdb.h krb5-1.6.1/src/include/kdb.h
--- krb5-1.6.1.orig/src/include/kdb.h	2006-12-13 00:37:53.0 +0100
+++ krb5-1.6.1/src/include/kdb.h	2009-04-14 09:06:36.0 +0200
@@ -79,6 +79,7 @@
 #define KRB5_KDB_PWCHANGE_SERVICE	0x2000
 #define KRB5_KDB_SUPPORT_DESMD5 0x4000
 #define	KRB5_KDB_NEW_PRINC		0x8000
+#define	KRB5_KDB_OK_AS_DELEGATE		0x0001
 
 /* Creation flags */
 #define KRB5_KDB_CREATE_BTREE		0x0001
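Review bot: the value is wrong: `KRB5_KDB_OK_AS_DELEGATE` is defined as `0x0001`, the lowest bit, while the attribute flags around it are distinct single bits running up through `0x8000`. The low bits are taken by the attributes defined above this hunk (in MIT's kdb.h `0x0001` is `KRB5_KDB_DISALLOW_POSTDATED`), so `+ok_as_delegate` would silently set or clear that attribute instead of a new one. Give the flag an unused bit above `0x8000`; the trunk implementation that Greg Hudson mentions uses `0x00100000`.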
diff -uNr krb5-1.6.1.orig/src/kadmin/cli/kadmin.c krb5-1.6.1/src/kadmin/cli/kadmin.c
--- krb5-1.6.1.orig/src/kadmin/cli/kadmin.c	2006-12-19 22:10:19.0 +0100
+++ krb5-1.6.1/src/kadmin/cli/kadmin.c	2009-04-14 09:07:43.0 +0200
@@ -65,7 +65,8 @@
 {"needchange", 10,	KRB5_KDB_REQUIRES_PWCHANGE,	0},
 {"allow_svr", 9,	KRB5_KDB_DISALLOW_SVR, 1},
 {"password_changing_service",	25,	KRB5_KDB_PWCHANGE_SERVICE,	0 },
-{"support_desmd5",	14,	KRB5_KDB_SUPPORT_DESMD5,	0 }
+{"support_desmd5",	14,	KRB5_KDB_SUPPORT_DESMD5,	0 },
+{"ok_as_delegate",	14,	KRB5_KDB_OK_AS_DELEGATE,	0 }
 };
 
 static char *prflags[] = {
@@ -85,6 +86,7 @@
 "PWCHANGE_SERVICE",		/* 0x2000 */
 "SUPPORT_DESMD5",		/* 0x4000 */
 "NEW_PRINC",		/* 0x8000 */
+"OK_AS_DELEGATE",		/* 0x0001 */
 };
 
 char *getenv();
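Review bot: the comment `/* 0x0001 */` contradicts where the string lands: `prflags[]` is indexed by bit position (the existing comments run `0x2000`, `0x4000`, `0x8000` for indices 13, 14 and 15), so a string appended after `"NEW_PRINC"` sits at index 16 and is printed for bit `0x10000`, never for `0x0001`. With the macro defined as `0x0001` in the kdb.h hunk, `get_principal` would print the wrong name for this attribute; define the macro as the bit that matches this index (or whichever unused bit is chosen) and make the comment agree.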
@@ -1101,6 +1103,7 @@
 	"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
 	"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
 	"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+	"\t\tok_as_delegate\n"
 	"\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
 	"\t\t\tLook at each database documentation for supported arguments\n");
 }
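Review bot: no functional issue: the earlier attribute strings end in commas (separate arguments) while the `"\t\trequires_hwauth ..."` line does not, and the new `"\t\tok_as_delegate\n"` line follows that concatenation form, so it attaches to the existing argument and no change to the format string is needed. As a style point, a one-word line spends a `\t\t` indent on a single attribute; appending `ok_as_delegate` to the `requires_hwauth ...` line keeps the attribute list compact. The identical change in the modify_principal usage hunk below has the same remark.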
@@ -1117,6 +1120,7 @@
 	"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
 	"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
 	"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+	"\t\tok_as_delegate\n"
 	"\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
 	"\t\t\tLook at each database documentation for supported arguments\n"
 	);
diff -uNr krb5-1.6.1.orig/src/kadmin/cli/kadmin.M krb5-1.6.1/src/kadmin/cli/kadmin.M
--- krb5-1.6.1.orig/src/kadmin/cli/kadmin.M	2006-12-21 23:07:20.0 +0100
+++ krb5-1.6.1/src/kadmin/cli/kadmin.M	2009-04-14 09:06:36.0 +0200
@@ -327,6 +327,16 @@
 .B -requires_hwauth
 clears this flag.
 .TP
+{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP
+.B +ok_as_delegate
+sets the OK-AS-DELEGATE flag on tickets is
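Review bot: this hunk is incomplete: the header promises ten added lines but the attachment breaks off after `sets the OK-AS-DELEGATE flag on tickets is`, so the man-page text cannot be reviewed as posted. What is visible follows the kadmin.M conventions (`.TP`, then the `{\fB\-\fP|\fB+\fP}` label) and the sentence appears to mirror the admin.texinfo entry; please resend the full patch so the man page and the Texinfo text can be checked against each other.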

Re: NIS => Kerberos/LDAP Migration

2009-05-18 Thread Russ Allbery
Hubert Chomette  writes:

> I am trying to use the pam_krb5_migrate pam module on debian lenny using the
> pam-krb5-migrate-heimdal package.

> I've seen past messages on this subject:
> http://www.mail-archive.com/kerberos@mit.edu/msg12701.html
> Does this module work with MIT kerberos?
> I tried, but didn't succeed.

This module won't work with the MIT Kerberos in lenny since it didn't
provide a public API for the kadmin libraries.  This is fixed in squeeze
(the current testing), but that's probably not horribly helpful for your
current purpose.  :/

-- 
Russ Allbery (r...@stanford.edu) 

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Racoon ipsec configuration with GSSAPI/kerberos

2009-05-18 Thread T. M. Pederson
In article ,
Anandan  writes:
> 
> Hi,
> I have been trying to configure ipsec between two machines with kerberos. I
> have one Windows 2003 server which has active directory configured. These
> two linux machines are connected to that Windows machine.
> I am not able to get any proper documentation on how to use kerberos with
> racoon.
> Any help would be appreciated.

Racoon works with Kerberos through GSSAPI, and only for Phase 1. I've
been working with some Racoon/Heimdal installations on *BSD and the
occasional Linux box, where the configuration (racoon.conf) has generally
had the phase 1 section as:

# No address lookup by name in this implementation, so this file needs
# a remote inherit section for EACH OTHER ADDRESS a host has.

remote  {
    exchange_mode main;

    lifetime time 24 hour;

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method gssapi_krb;
        # For compatibility, use the GSS-API ID "host/fqdn",
        # where fqdn is the output of the hostname(1)
        # command. You probably want this to match your system's
        # host principal.  ktutil(8)'s "list" command will list
        # the principals in your system's keytab.  If you need
        # to, you can change the GSS-API ID here.
        # Older implementations used "ike/fqdn"
        gss_id "host/fqdn";

        dh_group 1;
    }

    # Used by client hosts (initiators). Should be off for servers.
    generate_policy on;
}



Note that you could use the usual "anonymous" instead of an
address if you're going with the same phase 1 between all machines.

Also, depending on implementation, encryption_algorithm may be 3des
or aes (I've been working with both).

The rest of the Racoon configuration (phase 2, etc.) is independent
of Kerberos and is covered by the standard documentation.

Just had a jump from Heimdal 0.x to 1.1 and it looks like racoon
needs to adjust for an API change to work with the new Heimdal. Still
tracking down what's going on with that combo. Otherwise, Racoon
w/Heimdal 0.6 and 0.7 has been working just fine. I have no experience
with Racoon interacting with MIT or MS Kerberos implementations.
-- 
T. M. Pederson 
GPG key fingerprint = FFAF D056 F12B E03F 7084  1288 EF8B E1FE 1693 21EB
+Accept: text/plain; charset=ISO-8859-*,UTF-*

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
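The post's advice is that the `gss_id` in the phase 1 proposal must name a principal that actually exists in the host's keytab, that the method is `gssapi_krb`, and that `generate_policy` is only for initiators. The following is an added example, not code from the post or from racoon: a small parser for racoon.conf's `key value;` / `name { ... }` syntax, a parser for `klist -k` output, and a check that applies those three rules to every `remote` block. The hostname vpn1.example.com, the realm EXAMPLE.COM, the config fragment and the keytab listing are all constructed for the example.

```python
import re

# Constructed racoon.conf phase 1 fragment (assumed hostnames; not the configuration
# from the post above), following the shape of that post's remote/proposal block.
SAMPLE_CONF = """\
# anonymous: same phase 1 for every peer
remote anonymous {
    exchange_mode main;
    lifetime time 24 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method gssapi_krb;
        # must name a principal that exists in /etc/krb5.keytab
        gss_id "host/vpn1.example.com";
        dh_group 1;
    }
    generate_policy on;
}
"""

# Constructed `klist -k` output for the same (assumed) host.
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/vpn1.example.com@EXAMPLE.COM
   3 host/vpn1.example.com@EXAMPLE.COM
"""


def _tokenize(text):
    """Drop '#' comments, then split into quoted strings, braces, semicolons and words."""
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)


def _parse_block(tokens, pos):
    """Parse `key values ;` statements and `key args { ... }` blocks until '}' or EOF.
    Returns (dict, position after the closing brace)."""
    block, words = {}, []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == ";":
            values = [w.strip('"') for w in words[1:]]
            block[words[0]] = values[0] if len(values) == 1 else values
            words = []
        elif tok == "{":
            sub, pos = _parse_block(tokens, pos)
            block[" ".join(words)] = sub        # e.g. "remote anonymous", "proposal"
            words = []
        elif tok == "}":
            break
        else:
            words.append(tok)
    return block, pos


def parse_racoon_conf(text):
    return _parse_block(_tokenize(text), 0)[0]


def keytab_principals(klist_k_output):
    """Principal names from `klist -k` output (the lines that start with a KVNO)."""
    matches = (re.match(r"\s*\d+\s+(\S+@\S+)$", line) for line in klist_k_output.splitlines())
    return {m.group(1) for m in matches if m}


def check_phase1(conf, principals, responder):
    """Findings for every `remote` block: GSS-API auth in use, gss_id backed by a keytab
    entry, and generate_policy off on a responder (server), as the post recommends."""
    names = {p.split("@", 1)[0] for p in principals}
    findings = []
    for key, remote in conf.items():
        if not key.startswith("remote"):
            continue
        proposal = remote.get("proposal", {})
        if proposal.get("authentication_method") != "gssapi_krb":
            findings.append(f"{key}: authentication_method is not gssapi_krb")
        gss_id = proposal.get("gss_id")
        if gss_id not in names:
            findings.append(f"{key}: gss_id {gss_id!r} has no matching keytab principal")
        if responder and remote.get("generate_policy") == "on":
            findings.append(f"{key}: generate_policy should be off on a responder")
    return findings


if __name__ == "__main__":
    conf = parse_racoon_conf(SAMPLE_CONF)
    for finding in check_phase1(conf, keytab_principals(SAMPLE_KEYTAB), responder=True):
        print(finding)
```

Run on a real box by feeding it the actual racoon.conf and the output of `klist -k`; with the sample above and `responder=True` the only finding is the `generate_policy on` line, which is exactly the setting the post says to turn off on servers. The parser keeps multi-word values (such as `lifetime time 24 hour`) as lists and ignores the realm when comparing `gss_id` with keytab entries, since racoon's `gss_id` carries no realm.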


Re: ok_as_delegation status

2009-05-18 Thread Greg Hudson
kadmin support for ok_as_delegate has been added on the trunk but is not
currently scheduled to go into 1.7, as the cutoff for new features was a
while ago.  That could probably change if we find conclusive evidence
that ok_as_delegate support is more important than we thought.

However, I think your problem may not be related to the ok_as_delegate
flag.  http://krbdev.mit.edu/rt/Ticket/Display.html?id=5807 matches your
symptoms and is a totally different bug, which will be fixed in 1.7.
(The relevant version in this case is the Kerberos code running on your
Apache HTTPD server.)

http://mailman.mit.edu/pipermail/kerberos/2007-August/012104.html
suggests that you might be able to work around the problem by using
mod_auth_kerb's SPNEGO code instead of MIT krb5's.  I don't know if
that's still possible two years later.



Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


NIS => Kerberos/LDAP Migration

2009-05-18 Thread Hubert Chomette
Hi
I am trying to use the pam_krb5_migrate pam module on debian lenny using the
pam-krb5-migrate-heimdal package.
I've seen past messages on this subject:
http://www.mail-archive.com/kerberos@mit.edu/msg12701.html
Does this module work with MIT kerberos?
I tried, but didn't succeed.

Thanks for your help

regards,





Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


ok_as_delegation status

2009-05-18 Thread Kronus David
Hi all,
I'm trying to use the following setup (everything on Linux):
   server: Apache2 + mod_auth_kerb + MIT KDC
   client: Firefox with properly configured MIT Kerberos support for the local
server
The user has a kerberos ticket in its cache and is able to access the protected webpage
using firefox without entering their password; the ticket for HTTP/ is
being successfully obtained. However, in .htaccess of that webpage I have set
KrbSaveCredentials, and this setting only works when I enter the password
for authentication directly, not when using the ticket from the cache to authenticate. In
the apache log I can see the following when not entering the password:

[Mon May 18 11:41:25 2009] [error] [client 192.168.13.133] Cannot store 
delegated credential (gss_krb5_copy_ccache: Invalid credential was supplied (No 
error)), referer: http:///php/test.php


I've found on several pages that this is related to the ok_as_delegate flag set 
for HTTP/ principal. So my first question is, whether this is true, 
whether this is needed in my situation. And if yes then my second question is 
how can I set this flag in kadmin (or any other way)? I've seen some activity 
going on on this feature recently in MIT Kerberos svn, so maybe it will be 
available in the next release of MIT Kerberos? I'm using version 1.6.3.

Thanks for any help.
David

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
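Whether the KDC has marked the HTTP/ service ticket OK-AS-DELEGATE (which is what the `+ok_as_delegate` attribute discussed in this thread makes it do) can be checked from the client side: MIT's `klist -f` prints a `Flags:` line per ticket, and the letter `O` stands for ok-as-delegate, `F` for forwardable. The following is an added diagnostic, not code from the thread or from MIT krb5: it parses constructed `klist -f` output and reports, for each HTTP/ ticket, whether that flag is present and whether the TGT is forwardable at all. The principal names and the sample output are constructed; it does not diagnose the separate bug Greg Hudson points at.

```python
import re

# Constructed `klist -f` output (assumed principal names; not the log from the post).
# Each ticket line is followed by a "Flags:" line; the 'O' letter means OK-AS-DELEGATE.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: david@EXAMPLE.COM

Valid starting       Expires              Service principal
05/18/2009 11:30:02  05/18/2009 21:30:02  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tFlags: FRIA
05/18/2009 11:41:25  05/18/2009 21:30:02  HTTP/www.example.com@EXAMPLE.COM
\tFlags: FRA
"""

# Letters printed by `klist -f` (MIT krb5) and what they stand for.
FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hw-authenticated", "A": "preauthenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate",
}

_TICKET_LINE = re.compile(r"\d\d/\d\d/\d{4} \S+\s+\d\d/\d\d/\d{4} \S+\s+(\S+)$")
_FLAGS_LINE = re.compile(r"\s*Flags:\s*(\S+)")


def parse_klist(text):
    """Map each service principal in `klist -f` output to its set of flag letters."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = _TICKET_LINE.match(line)
        if m:
            current = m.group(1)
            tickets[current] = set()
            continue
        m = _FLAGS_LINE.match(line)
        if m and current is not None:
            tickets[current] = set(m.group(1))
    return tickets


def delegation_report(tickets, service_prefix="HTTP/"):
    """For each ticket of the given service class, report whether the KDC flagged it
    OK-AS-DELEGATE and whether the TGT is forwardable (forwarding the TGT is what
    mod_auth_kerb's KrbSaveCredentials ultimately stores)."""
    tgt_forwardable = any("F" in flags for svc, flags in tickets.items()
                          if svc.startswith("krbtgt/"))
    report = {}
    for svc, flags in tickets.items():
        if svc.startswith(service_prefix):
            report[svc] = {
                "ok_as_delegate": "O" in flags,
                "tgt_forwardable": tgt_forwardable,
                "flags": sorted(FLAG_NAMES[c] for c in flags if c in FLAG_NAMES),
            }
    return report


if __name__ == "__main__":
    for svc, info in delegation_report(parse_klist(SAMPLE_KLIST)).items():
        print(svc, info)
```

On a real client, pipe `klist -f` into `parse_klist` after visiting the protected page: a ticket with `FRA` but no `O` means the KDC has not been told to mark the HTTP/ principal ok-as-delegate, whereas a TGT without `F` means no delegation can happen regardless of that attribute.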