Hi Kronus

You definitely have to use mod_auth_kerb's internal SPNEGO to get it to
work. I spent a lot of time realizing that.

The ok_as_delegate flag is not in Kerberos, but it is a very simple
patch. See attachment.
Med Venlig Hilsen / Kind Regards
Mikkel Kruse Johnsen
Adm.Dir.
Linet
Ørholmgade 6 st tv
Copenhagen N 2200
Denmark
Work: +45 21287793
Mobile: +45 21287793
Email: mik...@linet.dk
IM: mik...@linet.dk (MSN)
Professional Profile: Healthcare Network Consultant
On Mon, 18 05 2009 at 13:13 -0400, Greg Hudson wrote:
kadmin support for ok_as_delegate has been added on the trunk but is not
currently scheduled to go into 1.7, as the cutoff for new features was a
while ago. That could probably change if we find conclusive evidence
that ok_as_delegate support is more important than we thought.
However, I think your problem may not be related to the ok_as_delegate
flag. http://krbdev.mit.edu/rt/Ticket/Display.html?id=5807 matches your
symptoms and is a totally different bug, which will be fixed in 1.7.
(The relevant version in this case is the Kerberos code running on your
Apache HTTPD server.)
http://mailman.mit.edu/pipermail/kerberos/2007-August/012104.html
suggests that you might be able to work around the problem by using
mod_auth_kerb's SPNEGO code instead of MIT krb5's. I don't know if
that's still possible two years later.
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
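The attached patch extends two tables in kadmin.c: the lookup table that turns a "+name" or "-name" word into a KRB5_KDB_* attribute bit, and the prflags[] table that prints those bits back by position. As an added example (not code from krb5 or from the attached patch), here is a small C model of both tables plus a check that no two rows of the lookup table share a bit. The KDB_* constants, the function names and the three-row tables are assumptions for illustration; OK_AS_DELEGATE is placed on 0x10000, the next bit after 0x8000, rather than on the 0x0001 the patch uses.

```c
/* Added example, not code from krb5 or from the attached patch: a model of
 * the "+flag"/"-flag" lookup table and the bit-positional name table that
 * kadmin.c keeps, with a uniqueness check over the lookup table's bits.
 * All constants and names here are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Attribute bits (assumed subset).  OK_AS_DELEGATE sits on the next free
 * bit after 0x8000; the attached patch uses 0x0001 instead. */
#define KDB_DISALLOW_POSTDATED 0x00000001u
#define KDB_SUPPORT_DESMD5     0x00004000u
#define KDB_NEW_PRINC          0x00008000u
#define KDB_OK_AS_DELEGATE     0x00010000u

/* One row of the kadmin-style lookup table: word, word length, bit, and
 * whether "+word" clears the bit (allow_* words map onto DISALLOW_* bits). */
struct flag_entry {
    const char *name;
    size_t len;
    uint32_t bit;
    int invert;
};

static const struct flag_entry flag_table[] = {
    {"allow_postdated", 15, KDB_DISALLOW_POSTDATED, 1},
    {"support_desmd5",  14, KDB_SUPPORT_DESMD5,     0},
    {"ok_as_delegate",  14, KDB_OK_AS_DELEGATE,     0},
};
#define NFLAGS (sizeof flag_table / sizeof flag_table[0])

/* Positional name table: index i names attribute bit (1u << i), so the
 * entry for a new bit must sit at that bit's index, not just at the end. */
static const char *prflags[32] = {
    [0]  = "DISALLOW_POSTDATED",
    [14] = "SUPPORT_DESMD5",
    [15] = "NEW_PRINC",
    [16] = "OK_AS_DELEGATE",
};

/* Apply one "+name" or "-name" word to *attrs.  Returns 0 on success and
 * -1 if the word has no sign prefix or names no known attribute. */
int apply_flag_word(const char *word, uint32_t *attrs)
{
    int set;
    size_t i;

    if (word[0] == '+')
        set = 1;
    else if (word[0] == '-')
        set = 0;
    else
        return -1;

    for (i = 0; i < NFLAGS; i++) {
        const struct flag_entry *e = &flag_table[i];
        if (strlen(word + 1) != e->len || strncmp(word + 1, e->name, e->len) != 0)
            continue;
        /* Inverted rows: "+allow_x" clears DISALLOW_x, "-allow_x" sets it. */
        if (set != e->invert)
            *attrs |= e->bit;
        else
            *attrs &= ~e->bit;
        return 0;
    }
    return -1;
}

/* Render the set bits of attrs by name, space separated, into buf.
 * Returns the number of names written. */
int format_attrs(uint32_t attrs, char *buf, size_t buflen)
{
    int n = 0, i;
    size_t used = 0;

    buf[0] = '\0';
    for (i = 0; i < 32; i++) {
        if (!(attrs & (1u << i)))
            continue;
        const char *name = prflags[i] ? prflags[i] : "?";
        int w = snprintf(buf + used, buflen - used, "%s%s", n ? " " : "", name);
        if (w < 0 || (size_t)w >= buflen - used)
            break;
        used += (size_t)w;
        n++;
    }
    return n;
}

/* Return the index of the first row whose bit an earlier row already uses,
 * or -1 if every row in the table has a distinct bit. */
int first_bit_collision(const struct flag_entry *t, size_t n)
{
    size_t i, j;
    for (i = 1; i < n; i++)
        for (j = 0; j < i; j++)
            if (t[i].bit == t[j].bit)
                return (int)i;
    return -1;
}

int main(void)
{
    uint32_t attrs = 0;
    char buf[128];

    apply_flag_word("-allow_postdated", &attrs);
    apply_flag_word("+ok_as_delegate", &attrs);
    format_attrs(attrs, buf, sizeof buf);
    printf("attributes 0x%08x: %s\n", attrs, buf);

    /* Same table with OK_AS_DELEGATE on 0x0001, as in the attached patch:
     * it now shares a bit with DISALLOW_POSTDATED (constructed table). */
    const struct flag_entry patched[] = {
        {"allow_postdated", 15, KDB_DISALLOW_POSTDATED, 1},
        {"ok_as_delegate",  14, 0x00000001u,            0},
    };
    printf("collision at row %d\n",
           first_bit_collision(patched, sizeof patched / sizeof patched[0]));
    return 0;
}
```

Run as written it prints the two attributes set by "-allow_postdated +ok_as_delegate" by name, then reports a collision at row 1 for the table that puts OK_AS_DELEGATE on 0x0001, which is why the bit value and the position of the prflags[] entry have to agree with each other and with the existing attributes.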
diff -uNr krb5-1.6.1.orig/doc/admin.texinfo krb5-1.6.1/doc/admin.texinfo
--- krb5-1.6.1.orig/doc/admin.texinfo 2006-12-21 23:07:31.0 +0100
+++ krb5-1.6.1/doc/admin.texinfo 2009-04-14 09:06:36.0 +0200
@@ -1896,6 +1896,13 @@
sets the KRB5_KDB_REQUIRES_HW_AUTH flag on the principal in the
database.
+...@itemx @{-|+...@}ok_as_delegate
+The ``+ok_as_delegate'' sets the OK-AS-DELEGATE flag on tickets issued for use
+with this principal as the service, which clients may use as a hint that
+credentials can and should be delegated when authenticating to the service.
+Sets the KRB5_KDB_OK_AS_DELEGATE flag. ``-ok_as_delegate'' clears
+this flag.
+
@item @{-|+...@}allow_svr
The ``-allow_svr'' flag prohibits the issuance of service tickets for
this principal. ``+allow_svr'' clears this flag. In effect,
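Review bot: the new entry opens with @itemx while the neighbouring entries, including the allow_svr one right below it, use @item; in Texinfo @itemx only continues the immediately preceding @item with no text between them, so this should be @item. The first sentence also reads "The ``+ok_as_delegate'' sets ..." and wants "flag" after the closing quotes. (The "...@" sequences in the archive rendering are address munging of the @ commands, not part of the patch.)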
diff -uNr krb5-1.6.1.orig/src/include/kdb.h krb5-1.6.1/src/include/kdb.h
--- krb5-1.6.1.orig/src/include/kdb.h 2006-12-13 00:37:53.0 +0100
+++ krb5-1.6.1/src/include/kdb.h 2009-04-14 09:06:36.0 +0200
@@ -79,6 +79,7 @@
#define KRB5_KDB_PWCHANGE_SERVICE 0x2000
#define KRB5_KDB_SUPPORT_DESMD5 0x4000
#define KRB5_KDB_NEW_PRINC 0x8000
+#define KRB5_KDB_OK_AS_DELEGATE 0x0001
/* Creation flags */
#define KRB5_KDB_CREATE_BTREE 0x0001
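Review bot: KRB5_KDB_OK_AS_DELEGATE is given the value 0x0001, but the attribute flags in this block are a bitmask of successive powers of two ending at 0x8000, and bit 0x0001 is already KRB5_KDB_DISALLOW_POSTDATED at the top of that same series; the new flag would be set and cleared together with an existing attribute. The next free bit is 0x00010000, so suggest `#define KRB5_KDB_OK_AS_DELEGATE 0x00010000`. The 0x0001 visible just below belongs to KRB5_KDB_CREATE_BTREE in the separate creation-flags group and does not share the attribute namespace.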
diff -uNr krb5-1.6.1.orig/src/kadmin/cli/kadmin.c krb5-1.6.1/src/kadmin/cli/kadmin.c
--- krb5-1.6.1.orig/src/kadmin/cli/kadmin.c 2006-12-19 22:10:19.0 +0100
+++ krb5-1.6.1/src/kadmin/cli/kadmin.c 2009-04-14 09:07:43.0 +0200
@@ -65,7 +65,8 @@
{needchange, 10, KRB5_KDB_REQUIRES_PWCHANGE, 0},
{allow_svr, 9, KRB5_KDB_DISALLOW_SVR, 1},
{password_changing_service, 25, KRB5_KDB_PWCHANGE_SERVICE, 0 },
-{support_desmd5, 14, KRB5_KDB_SUPPORT_DESMD5, 0 }
+{support_desmd5, 14, KRB5_KDB_SUPPORT_DESMD5, 0 },
+{ok_as_delegate, 14, KRB5_KDB_OK_AS_DELEGATE, 0 }
};
static char *prflags[] = {
@@ -85,6 +86,7 @@
PWCHANGE_SERVICE, /* 0x2000 */
SUPPORT_DESMD5, /* 0x4000 */
NEW_PRINC, /* 0x8000 */
+OK_AS_DELEGATE, /* 0x0001 */
};
char *getenv();
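Review bot: prflags[] is indexed by bit position (entry i names bit 1<<i, which is why the comments run 0x2000, 0x4000, 0x8000), so an OK_AS_DELEGATE entry appended here describes 0x10000, while its comment says 0x0001 and the kdb.h hunk defines the flag as 0x0001; get_principal would print the name for the wrong bit. Make the #define 0x00010000 and the comment `/* 0x10000 */` so the two tables agree.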
@@ -1101,6 +1103,7 @@
\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n,
\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n,
\t\trequires_hwauth needchange allow_svr password_changing_service\n
+ \t\tok_as_delegate\n
\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n
\t\t\tLook at each database documentation for supported arguments\n);
}
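Review bot: the added usage literal has a stray leading space before the `\t\t` that the adjacent lines do not have; align it. Appending it without a comma, after the line that already ends in `\n` with no comma, correctly joins it to the same concatenated argument.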
@@ -1117,6 +1120,7 @@
\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n,
\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n,
\t\trequires_hwauth needchange allow_svr password_changing_service\n
+ \t\tok_as_delegate\n
\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n
\t\t\tLook at each database documentation for supported arguments\n
);
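Review bot: same nit as in the add_principal usage text: the added `\t\tok_as_delegate\n` literal carries an extra leading space that the neighbouring literals lack. Since both usage strings now list the flag, keep them identical so they don't drift apart.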
diff -uNr krb5-1.6.1.orig/src/kadmin/cli/kadmin.M krb5-1.6.1/src/kadmin/cli/kadmin.M
--- krb5-1.6.1.orig/src/kadmin/cli/kadmin.M 2006-12-21 23:07:20.0 +0100
+++ krb5-1.6.1/src/kadmin/cli/kadmin.M 2009-04-14 09:06:36.0 +0200
@@ -327,6 +327,16 @@
.B -requires_hwauth
clears this flag.
.TP
+{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP
+.B +ok_as_delegate
+sets the OK-AS-DELEGATE flag on tickets issued for use with this principal
+as the service, which clients