[28090] in Kerberos
Re: [modauthkerb] Negotiate on Windows with cross-realm trust AD
daemon@ATHENA.MIT.EDU (Mikkel Kruse Johnsen)
Mon Jul 23 14:25:36 2007
From: Mikkel Kruse Johnsen <mikkel@linet.dk>
To: "Douglas E. Engert" <deengert@anl.gov>
In-Reply-To: <469E5895.9080704@anl.gov>
Content-Type: multipart/mixed; boundary="=-7TiYJQ/N4WHujDde72xK"
Date: Mon, 23 Jul 2007 11:24:12 +0200
Message-Id: <1185182652.3028.5.camel@tux.lib.cbs.dk>
Mime-Version: 1.0
Cc: modauthkerb-help <modauthkerb-help@lists.sourceforge.net>,
kerberos <kerberos@mit.edu>
Reply-To: mikkel@linet.dk
Errors-To: kerberos-bounces@mit.edu
--=-7TiYJQ/N4WHujDde72xK
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Hi Douglas
Setting: "ksetup /SetRealmFlag CBS.DK Delegate" did not work. Still no
KRB5CCNAME in apache.
I have recompiled krb5-1.5 (RHEL5) with a patch to make it possible to
set the ok-as-delegate flag. I then set the flag on
"HTTP/sugi.cbs.dk@CBS.DK" and windows kerbtray shows "Ok as delegate"
checked. but there is still no KRB5CCNAME saved.
1) Just to be save, does mod_auth_kerb save KRB5CCNAME env. when running
php as a module under apache ?
2) Where should I set the ok-as-delegate, is it on my own principle or
the HTTP/sugi.cbs.dk ?
Any other info is approciated.
/Mikkel
On Wed, 2007-07-18 at 13:14 -0500, Douglas E. Engert wrote:
>
> Stephen Frost wrote:
> > * Mikkel Kruse Johnsen (mikkel@linet.dk) wrote:
> >> Now I only have the problem that mod_auth_kerb don't write my
> >> credentials to KRB5CCNAME (in PHP).
> >>
> >> My "kerbtray" under windows says it is Forwardable but no "Ok to
> >> delegate", So I guess that is the problem.
>
>
> Have a look at the "ksetup /SetRealmFlag <realm> Delegate" command
> as it will tell a Windows client to assume the KDC has set
> the OK_AS_DELAGATE bit. This can be used where the KDC does support
> setting of the bit. But this only works on a Windows client.
>
>
> >>
> >> Under linux they are forwardable.
> > [...]
> >> I found how to set ok-as-delegate for heimdal how is this done for MIT
> >> kerberos ?
> >
> > The short answer is, you don't. For reasons unknown to me, the MIT
> > Kerberos upstream folks have seen fit to implement something in their
> > client libraries that's not done in their server. This means that even
> > a completely MIT solution breaks. We've heard of some patches going
> > around to implement the ok-as-delegate flag in the MIT KDC but havn't
> > been able to actually get a hold of them yet.
> >
> > If we're unable to we might end up writing some ourselves as this is
> > rather important to us. If we find or write patches to fix this glaring
> > problem in the MIT KDC we'll be sure to post them.
> >
> > Thanks,
> >
> > Stephen
> >
> >
> > ------------------------------------------------------------------------
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N
Tlf: +45 2128 7793
email: mikkel@linet.dk
www: http://www.linet.dk
--=-7TiYJQ/N4WHujDde72xK
Content-Disposition: attachment; filename=krb5-1.5-mech.patch
Content-Type: text/x-patch; name=krb5-1.5-mech.patch; charset=UTF-8
Content-Transfer-Encoding: 7bit
diff -r -u krb5-1.5.orig/src/lib/gssapi/krb5/indicate_mechs.c krb5-1.5/src/lib/gssapi/krb5/indicate_mechs.c
--- krb5-1.5.orig/src/lib/gssapi/krb5/indicate_mechs.c 2006-06-15 00:27:54.000000000 +0200
+++ krb5-1.5/src/lib/gssapi/krb5/indicate_mechs.c 2007-07-18 08:59:13.000000000 +0200
@@ -34,7 +34,7 @@
{
*minor_status = 0;
- if (! gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set)) {
+ if (gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set)) {
*mech_set = GSS_C_NO_OID_SET;
*minor_status = ENOMEM;
return(GSS_S_FAILURE);
--=-7TiYJQ/N4WHujDde72xK
Content-Disposition: attachment; filename=krb5-1.5-ok-as-delegate.patch
Content-Type: text/x-patch; name=krb5-1.5-ok-as-delegate.patch; charset=UTF-8
Content-Transfer-Encoding: 7bit
diff -r -u krb5-1.5.orig/doc/admin.texinfo krb5-1.5/doc/admin.texinfo
--- krb5-1.5.orig/doc/admin.texinfo 2007-07-23 10:10:42.000000000 +0200
+++ krb5-1.5/doc/admin.texinfo 2007-07-23 10:33:43.000000000 +0200
@@ -1747,6 +1747,13 @@
sets the KRB5_KDB_REQUIRES_HW_AUTH flag on the principal in the
database.
+@itemx @{-|+@}ok_as_delegate
+The ``+ok_as_delegate'' sets the OK-AS-DELEGATE flag on tickets issued for use
+with this principal as the service, which clients may use as a hint that
+credentials can and should be delegated when authenticating to the service.
+Sets the KRB5_KDB_OK_AS_DELEGATE flag. ``-ok_as_delegate'' clears
+this flag.
+
@item @{-|+@}allow_svr
The ``-allow_svr'' flag prohibits the issuance of service tickets for
this principal. ``+allow_svr'' clears this flag. In effect,
diff -r -u krb5-1.5.orig/src/include/kdb.h krb5-1.5/src/include/kdb.h
--- krb5-1.5.orig/src/include/kdb.h 2007-07-23 10:10:41.000000000 +0200
+++ krb5-1.5/src/include/kdb.h 2007-07-23 10:34:18.000000000 +0200
@@ -79,6 +79,7 @@
#define KRB5_KDB_PWCHANGE_SERVICE 0x00002000
#define KRB5_KDB_SUPPORT_DESMD5 0x00004000
#define KRB5_KDB_NEW_PRINC 0x00008000
+#define KRB5_KDB_OK_AS_DELEGATE 0x00010000
/* Creation flags */
#define KRB5_KDB_CREATE_BTREE 0x00000001
diff -r -u krb5-1.5.orig/src/kadmin/cli/kadmin.c krb5-1.5/src/kadmin/cli/kadmin.c
--- krb5-1.5.orig/src/kadmin/cli/kadmin.c 2007-07-23 10:10:41.000000000 +0200
+++ krb5-1.5/src/kadmin/cli/kadmin.c 2007-07-23 10:38:46.000000000 +0200
@@ -61,7 +61,8 @@
{"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0},
{"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1},
{"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 },
-{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }
+{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 },
+{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 }
};
static char *prflags[] = {
@@ -81,6 +82,7 @@
"PWCHANGE_SERVICE", /* 0x00002000 */
"SUPPORT_DESMD5", /* 0x00004000 */
"NEW_PRINC", /* 0x00008000 */
+ "OK_AS_DELEGATE", /* 0x00010000 */
};
char *getenv();
@@ -1099,6 +1101,7 @@
"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
"\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
"\t\t\tLook at each database documentation for supported arguments\n");
}
@@ -1115,6 +1118,7 @@
"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
"\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
"\t\t\tLook at each database documentation for supported arguments\n"
);
diff -r -u krb5-1.5.orig/src/kadmin/cli/kadmin.M krb5-1.5/src/kadmin/cli/kadmin.M
--- krb5-1.5.orig/src/kadmin/cli/kadmin.M 2007-07-23 10:10:41.000000000 +0200
+++ krb5-1.5/src/kadmin/cli/kadmin.M 2007-07-23 10:40:03.000000000 +0200
@@ -282,6 +282,16 @@
.B -requires_hwauth
clears this flag.
.TP
+{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP
+.B +ok_as_delegate
+sets the OK-AS-DELEGATE flag on tickets issued for use with this principal
+as the service, which clients may use as a hint that credentials can and
+should be delegated when authenticating to the service. (Sets the
+.SM KRB5_KDB_OK_AS_DELEGATE
+flag.)
+.B -ok_as_delegate
+clears this flag.
+.TP
{\fB\-\fP|\fB+\fP}\fBallow_svr\fP
.B -allow_svr
prohibits the issuance of service tickets for this principal. (Sets the
diff -r -u krb5-1.5.orig/src/kdc/do_as_req.c krb5-1.5/src/kdc/do_as_req.c
--- krb5-1.5.orig/src/kdc/do_as_req.c 2007-07-23 10:10:42.000000000 +0200
+++ krb5-1.5/src/kdc/do_as_req.c 2007-07-23 10:35:57.000000000 +0200
@@ -257,6 +257,10 @@
enc_tkt_reply.caddrs = request->addresses;
enc_tkt_reply.authorization_data = 0;
+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) {
+ setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
+ }
+
/*
* Check the preauthentication if it is there.
*/
diff -r -u krb5-1.5.orig/src/kdc/do_tgs_req.c krb5-1.5/src/kdc/do_tgs_req.c
--- krb5-1.5.orig/src/kdc/do_tgs_req.c 2007-07-23 10:10:42.000000000 +0200
+++ krb5-1.5/src/kdc/do_tgs_req.c 2007-07-23 10:35:08.000000000 +0200
@@ -532,6 +532,10 @@
goto cleanup;
}
+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) {
+ setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
+ }
+
ticket_reply.enc_part2 = &enc_tkt_reply;
/*
diff -r -u krb5-1.5.orig/src/lib/kadm5/str_conv.c krb5-1.5/src/lib/kadm5/str_conv.c
--- krb5-1.5.orig/src/lib/kadm5/str_conv.c 2007-07-23 10:10:42.000000000 +0200
+++ krb5-1.5/src/lib/kadm5/str_conv.c 2007-07-23 10:54:10.000000000 +0200
@@ -73,6 +73,7 @@
static const char flags_tickets_in[] = "allow-tickets";
static const char flags_preauth_in[] = "preauth";
static const char flags_hwauth_in[] = "hwauth";
+static const char flags_ok_as_delegate_in[] = "ok-as-delegate";
static const char flags_pwchange_in[] = "pwchange";
static const char flags_service_in[] = "service";
static const char flags_pwsvc_in[] = "pwservice";
@@ -86,6 +87,7 @@
static const char flags_tickets_out[] = "All Tickets Disallowed";
static const char flags_preauth_out[] = "Preauthorization required";
static const char flags_hwauth_out[] = "HW Authorization required";
+static const char flags_ok_as_delegate_out[] = "OK as Delegate";
static const char flags_pwchange_out[] = "Password Change required";
static const char flags_service_out[] = "Service Disabled";
static const char flags_pwsvc_out[] = "Password Changing Service";
@@ -109,6 +111,7 @@
{ KRB5_KDB_DISALLOW_ALL_TIX, 0, flags_tickets_in, flags_tickets_out },
{ KRB5_KDB_REQUIRES_PRE_AUTH, 1, flags_preauth_in, flags_preauth_out },
{ KRB5_KDB_REQUIRES_HW_AUTH, 1, flags_hwauth_in, flags_hwauth_out },
+{ KRB5_KDB_OK_AS_DELEGATE, 1, flags_ok_as_delegate_in, flags_ok_as_delegate_out },
{ KRB5_KDB_REQUIRES_PWCHANGE, 1, flags_pwchange_in, flags_pwchange_out},
{ KRB5_KDB_DISALLOW_SVR, 0, flags_service_in, flags_service_out },
{ KRB5_KDB_PWCHANGE_SERVICE, 1, flags_pwsvc_in, flags_pwsvc_out },
--=-7TiYJQ/N4WHujDde72xK
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
--=-7TiYJQ/N4WHujDde72xK--