Re: ok_as_delegation status

2009-05-19 Thread Mikkel Kruse Johnsen
Hi Kronus

You definitely have to use mod_auth_kerb's internal SPNEGO to get it to
work. I spent a lot of time realizing that.

The ok_as_delegate flag is not in Kerberos, but it is a very simple
patch. See attachment.

Kind Regards

Mikkel Kruse Johnsen
Managing Director

Linet
Ørholmgade 6 st tv
Copenhagen N 2200
Denmark

Work: +45 21287793
Mobile: +45 21287793
Email: mik...@linet.dk
IM: mik...@linet.dk (MSN)
Healthcare Network Consultant

On Mon, 18 05 2009 at 13:13 -0400, Greg Hudson wrote:

 kadmin support for ok_as_delegate has been added on the trunk but is not
 currently scheduled to go into 1.7, as the cutoff for new features was a
 while ago.  That could probably change if we find conclusive evidence
 that ok_as_delegate support is more important than we thought.
 
 However, I think your problem may not be related to the ok_as_delegate
 flag.  http://krbdev.mit.edu/rt/Ticket/Display.html?id=5807 matches your
 symptoms and is a totally different bug, which will be fixed in 1.7.
 (The relevant version in this case is the Kerberos code running on your
 Apache HTTPD server.)
 
 http://mailman.mit.edu/pipermail/kerberos/2007-August/012104.html
 suggests that you might be able to work around the problem by using
 mod_auth_kerb's SPNEGO code instead of MIT krb5's.  I don't know if
 that's still possible two years later.
 
 
 
 Kerberos mailing list   Kerberos@mit.edu
 https://mailman.mit.edu/mailman/listinfo/kerberos
diff -uNr krb5-1.6.1.orig/doc/admin.texinfo krb5-1.6.1/doc/admin.texinfo
--- krb5-1.6.1.orig/doc/admin.texinfo	2006-12-21 23:07:31.0 +0100
+++ krb5-1.6.1/doc/admin.texinfo	2009-04-14 09:06:36.0 +0200
@@ -1896,6 +1896,13 @@
 sets the KRB5_KDB_REQUIRES_HW_AUTH flag on the principal in the
 database.
 
+...@itemx @{-|+...@}ok_as_delegate
+The ``+ok_as_delegate'' sets the OK-AS-DELEGATE flag on tickets issued for use
+with this principal as the service, which clients may use as a hint that
+credentials can and should be delegated when authenticating to the service.
+Sets the KRB5_KDB_OK_AS_DELEGATE flag. ``-ok_as_delegate'' clears
+this flag.
+
 @item @{-|+...@}allow_svr
 The ``-allow_svr'' flag prohibits the issuance of service tickets for
 this principal.  ``+allow_svr'' clears this flag.  In effect,
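Review bot: the new entry should be @item, not @itemx; @itemx attaches an additional label to the preceding @item (here the requires_hwauth entry), so as written ok_as_delegate renders as an alias of that entry rather than as its own, and the neighbouring entries, such as the allow_svr entry just below, use @item. The phrase "credentials can and should be delegated" also overstates the flag: the first half of the same sentence correctly calls it a hint that clients may use, so keep the wording to that, since the client's own delegation policy still decides whether to forward anything.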
diff -uNr krb5-1.6.1.orig/src/include/kdb.h krb5-1.6.1/src/include/kdb.h
--- krb5-1.6.1.orig/src/include/kdb.h	2006-12-13 00:37:53.0 +0100
+++ krb5-1.6.1/src/include/kdb.h	2009-04-14 09:06:36.0 +0200
@@ -79,6 +79,7 @@
 #define KRB5_KDB_PWCHANGE_SERVICE	0x2000
 #define KRB5_KDB_SUPPORT_DESMD5 0x4000
 #define	KRB5_KDB_NEW_PRINC		0x8000
+#define	KRB5_KDB_OK_AS_DELEGATE		0x0001
 
 /* Creation flags */
 #define KRB5_KDB_CREATE_BTREE		0x0001
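Review bot: 0x0001 reuses bit 0 of the attributes mask instead of taking the next free bit. The defines visible above it ascend one bit at a time (0x2000, 0x4000, 0x8000), and the prflags[] table in the kadmin.c hunk is indexed by bit number, so the consistent value is 0x10000; bit 0 sits at the start of that same series and is almost certainly already assigned, in which case +ok_as_delegate would silently set a second, unrelated attribute on the principal. Change the value to 0x10000 and keep the prflags[] comment in step. Separately, the files in this diff (docs, kdb.h, kadmin) only let the attribute be stored; the KDC's service-ticket path must also read KRB5_KDB_OK_AS_DELEGATE from the server principal entry and set the OK-AS-DELEGATE ticket flag, and nothing under src/kdc appears here, so confirm that part is in the full attachment.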
diff -uNr krb5-1.6.1.orig/src/kadmin/cli/kadmin.c krb5-1.6.1/src/kadmin/cli/kadmin.c
--- krb5-1.6.1.orig/src/kadmin/cli/kadmin.c	2006-12-19 22:10:19.0 +0100
+++ krb5-1.6.1/src/kadmin/cli/kadmin.c	2009-04-14 09:07:43.0 +0200
@@ -65,7 +65,8 @@
 {needchange, 10,	KRB5_KDB_REQUIRES_PWCHANGE,	0},
 {allow_svr, 9,	KRB5_KDB_DISALLOW_SVR, 1},
 {password_changing_service,	25,	KRB5_KDB_PWCHANGE_SERVICE,	0 },
-{support_desmd5,	14,	KRB5_KDB_SUPPORT_DESMD5,	0 }
+{support_desmd5,	14,	KRB5_KDB_SUPPORT_DESMD5,	0 },
+{ok_as_delegate,	14,	KRB5_KDB_OK_AS_DELEGATE,	0 }
 };
 
 static char *prflags[] = {
@@ -85,6 +86,7 @@
 PWCHANGE_SERVICE,		/* 0x2000 */
 SUPPORT_DESMD5,		/* 0x4000 */
 NEW_PRINC,		/* 0x8000 */
+OK_AS_DELEGATE,		/* 0x0001 */
 };
 
 char *getenv();
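Review bot: the comment /* 0x0001 */ does not match where the entry lands. prflags[] is indexed by bit number (the visible comments run 0x2000, 0x4000, 0x8000 at indices 13 to 15), so the appended entry is index 16 and stands for 0x10000. With kdb.h defining the flag as 0x0001, get_principal would print the bit-0 name for a principal that has ok_as_delegate set and never this entry. Make the comment 0x10000 and give KRB5_KDB_OK_AS_DELEGATE the same value.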
@@ -1101,6 +1103,7 @@
 	\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n,
 	\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n,
 	\t\trequires_hwauth needchange allow_svr password_changing_service\n
+	\t\tok_as_delegate\n
 	\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n
 	\t\t\tLook at each database documentation for supported arguments\n);
 }
@@ -1117,6 +1120,7 @@
 	\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n,
 	\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n,
 	\t\trequires_hwauth needchange allow_svr password_changing_service\n
+	\t\tok_as_delegate\n
 	\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n
 	\t\t\tLook at each database documentation for supported arguments\n
 	);
diff -uNr krb5-1.6.1.orig/src/kadmin/cli/kadmin.M krb5-1.6.1/src/kadmin/cli/kadmin.M
--- krb5-1.6.1.orig/src/kadmin/cli/kadmin.M	2006-12-21 23:07:20.0 +0100
+++ krb5-1.6.1/src/kadmin/cli/kadmin.M	2009-04-14 09:06:36.0 +0200
@@ -327,6 +327,16 @@
 .B -requires_hwauth
 clears this flag.
 .TP
+{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP
+.B +ok_as_delegate
+sets the OK-AS-DELEGATE flag on tickets issued for use with this principal
+as the service, which clients 

Re: ok_as_delegation status

2009-05-19 Thread Greg Hudson
A correction: ok_as_delegate kadmin support will be in MIT krb5 1.7,
contrary to what I wrote previously.

On Tue, 2009-05-19 at 08:55 +0200, Mikkel Kruse Johnsen wrote:




ok_as_delegation status

2009-05-18 Thread Kronus David
Hi all,
I'm trying to use the following setup (everything on Linux):
   server: Apache2 + mod_auth_kerb + MIT KDC
   client: Firefox with properly configured MIT Kerberos support for the local server
User has a Kerberos ticket in its cache and is able to access the protected webpage
using Firefox without entering their password; the ticket for HTTP/server is
being successfully obtained. However, in .htaccess of that webpage I have set
KrbSaveCredentials and this setting is only working when I enter the password
for authentication directly, not when using the ticket from cache to authenticate. In
the Apache log I can see the following when not entering the password:

[Mon May 18 11:41:25 2009] [error] [client 192.168.13.133] Cannot store delegated credential (gss_krb5_copy_ccache: Invalid credential was supplied (No error)), referer: http://server/php/test.php


I've found on several pages that this is related to the ok_as_delegate flag set 
for HTTP/server principal. So my first question is, whether this is true, 
whether this is needed in my situation. And if yes then my second question is 
how can I set this flag in kadmin (or any other way)? I've seen some activity 
going on on this feature recently in MIT Kerberos svn, so maybe it will be 
available in the next release of MIT Kerberos? I'm using version 1.6.3.

Thanks for any help.
David

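As an added check for the situation in the question above (example code, not from the thread or from MIT krb5): parse the client's `klist -f` output and report whether the HTTP/server ticket is forwardable and carries the OK-AS-DELEGATE flag, which MIT klist prints as the letter O and which the KDC sets from the server principal's ok_as_delegate attribute. The realm, cache path, timestamps and second HTTP service in the sample are constructed placeholders.

```python
import re

# Constructed sample of `klist -f` output (not from the original post): realm,
# cache path, timestamps and the second HTTP service are placeholders.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: david@EXAMPLE.COM

Valid starting     Expires            Service principal
05/18/09 11:40:01  05/18/09 21:40:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 05/19/09 11:40:01, Flags: FRIA
05/18/09 11:41:20  05/18/09 21:40:01  HTTP/server@EXAMPLE.COM
\tFlags: FAT
05/18/09 11:42:05  05/18/09 21:40:01  HTTP/other.example.com@EXAMPLE.COM
\tFlags: FATO
"""

# A ticket line is two timestamps followed by the service principal; with -f,
# klist prints the flag letters on the following line (after "renew until").
TICKET_RE = re.compile(r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+"
                       r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)\s*$")
FLAGS_RE = re.compile(r"Flags:\s*([A-Za-z]+)")

def parse_klist_flags(text):
    """Map each service principal in `klist -f` output to its flag letters."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = m.group(1)
            tickets[current] = ""  # a ticket with no Flags line has no flags
            continue
        m = FLAGS_RE.search(line)
        if m and current is not None:
            tickets[current] = m.group(1)
    return tickets

def delegation_ready(tickets, service):
    """Return (ready, missing). MIT klist letters: F = forwardable (needed to
    forward a TGT at all), O = OK-AS-DELEGATE, which the KDC sets only when the
    service principal carries the ok_as_delegate attribute discussed above."""
    if service not in tickets:
        return False, ["no ticket for " + service]
    missing = [f for f in "FO" if f not in tickets[service]]
    return not missing, missing

if __name__ == "__main__":
    t = parse_klist_flags(SAMPLE_KLIST)
    print({svc: delegation_ready(t, svc) for svc in t})
```

For the HTTP/server ticket in the sample the check reports that only O is missing, which is the server-side attribute the question asks about; a missing F instead points at the client's forwardable setting rather than the KDC.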


Re: ok_as_delegation status

2009-05-18 Thread Greg Hudson
kadmin support for ok_as_delegate has been added on the trunk but is not
currently scheduled to go into 1.7, as the cutoff for new features was a
while ago.  That could probably change if we find conclusive evidence
that ok_as_delegate support is more important than we thought.

However, I think your problem may not be related to the ok_as_delegate
flag.  http://krbdev.mit.edu/rt/Ticket/Display.html?id=5807 matches your
symptoms and is a totally different bug, which will be fixed in 1.7.
(The relevant version in this case is the Kerberos code running on your
Apache HTTPD server.)

http://mailman.mit.edu/pipermail/kerberos/2007-August/012104.html
suggests that you might be able to work around the problem by using
mod_auth_kerb's SPNEGO code instead of MIT krb5's.  I don't know if
that's still possible two years later.


