[27901] in Kerberos
Re: Kerberos for authentication, php for authorization
daemon@ATHENA.MIT.EDU (Simon Wilkinson)
Fri Jun 8 04:00:23 2007
In-Reply-To: <ace41e70706070724w624ee341u8b80e631b993d21c@mail.gmail.com>
Message-Id: <E1A052C6-4FA1-45F3-B901-54FACE7409BB@sxw.org.uk>
From: Simon Wilkinson <simon@sxw.org.uk>
Date: Fri, 8 Jun 2007 09:00:09 +0100
To: "\" \" <slushpupie@gmail.com>" <slushpupie@gmail.com>
Cc: kerberos@mit.edu
On 7 Jun 2007, at 15:24, " " <slushpupie@gmail.com>
<slushpupie@gmail.com> wrote:
> mod_auth_kerb works great in the right conditions. You must be using
> IE or a newer Firefox. Linux works great (not sure about other Unix
> systems). On Windows the two browsers can only acquire credentials
> from the LSA which means the workstation needs to be joined to a
> domain, I believe.
It works with both recent Opera and Safari too, for some definition
of works.

Where you hit problems is where the name of your webserver is not the
hostname of your machine. Different browsers handle this situation in
different ways. Some (Firefox) use the DNS to canonicalise the name -
so meaning that you (should) always see GSSAPI requests for
HTTP/<hostname> principals. Others (Safari) use the name as entered by
the user with no canonicalisation.

Ultimately, this means you may need to have a keytab containing
multiple different principals for your service, and have
mod_auth_kerb accept any one of these principals. Unfortunately, the
code isn't there to do that in current mod_auth_kerb's. Russ posted a
patch by iterating through every key in the keytab - that should be
available from the mod_auth_kerb mailing list. I also have a simpler
patch that uses the new behaviour of gss_accept_sec_context when the
server credentials are set to GSS_C_NO_CREDENTIAL, that I must
contribute upstream.

Cheers,
Simon.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
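
The keytab requirement described in the message above can be checked before users hit failed negotiations. The following is an added example, not part of the original message or of mod_auth_kerb: it compares the principals in `klist -k` output against the HTTP/ principal for every name the site is reached under. The keytab path, hostnames, realm and sample listing are constructed, and lowercasing the names is an assumption about how they reach the server.

```python
import re

# Constructed sample of `klist -k` output for the web server's keytab.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/apache2/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/web01.example.org@EXAMPLE.ORG
   3 HTTP/web01.example.org@EXAMPLE.ORG
   2 host/web01.example.org@EXAMPLE.ORG
"""


def keytab_principals(klist_output):
    """Return the set of principals listed by `klist -k` (also with -e)."""
    found = set()
    for line in klist_output.splitlines():
        # Entry lines start with a KVNO, then the principal name.
        m = re.match(r"\s*\d+\s+(\S+@\S+)", line)
        if m:
            found.add(m.group(1))
    return found


def expected_principals(site_names, canonical_host, realm):
    """Principals a browser may request: the name as the user typed it
    (no canonicalisation) and the DNS-canonical hostname."""
    names = {n.lower().rstrip(".") for n in site_names}
    names.add(canonical_host.lower().rstrip("."))
    return {f"HTTP/{n}@{realm}" for n in names}


def missing_principals(klist_output, site_names, canonical_host, realm):
    """Sorted list of HTTP/ principals that have no key in the keytab."""
    have = keytab_principals(klist_output)
    want = expected_principals(site_names, canonical_host, realm)
    return sorted(want - have)


if __name__ == "__main__":
    gaps = missing_principals(SAMPLE_KLIST, ["www.example.org", "intranet"],
                              "web01.example.org", "EXAMPLE.ORG")
    for principal in gaps:
        print("missing from keytab:", principal)
```

A complete keytab only covers the first half of the requirement; the server still has to accept any of those principals, which is what the two patches mentioned in the message address.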