[28109] in Kerberos
Re: [modauthkerb] Negotiate on Windows with cross-realm trust
daemon@ATHENA.MIT.EDU (Mikkel Kruse Johnsen)
Thu Jul 26 10:10:29 2007
From: Mikkel Kruse Johnsen <mikkel@linet.dk>
To: Achim Grolms <kerberosml@grolmsnet.de>
In-Reply-To: <200707252056.26671.kerberosml@grolmsnet.de>
Content-Type: multipart/mixed; boundary="=-K+VKWju/EtqASLmNVEfO"
Date: Thu, 26 Jul 2007 16:09:11 +0200
Message-Id: <1185458951.3002.9.camel@tux.lib.cbs.dk>
Mime-Version: 1.0
Cc: modauthkerb-help@lists.sourceforge.net, kerberos@mit.edu
Reply-To: mikkel@linet.dk
Errors-To: kerberos-bounces@mit.edu
--=-K+VKWju/EtqASLmNVEfO
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Hi Achim
With the patch applied:
[Thu Jul 26 16:05:21 2007] [debug] src/mod_auth_kerb.c(1451): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Thu Jul 26 16:05:21 2007] [debug] src/mod_auth_kerb.c(1451): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Thu Jul 26 16:05:21 2007] [debug] src/mod_auth_kerb.c(1148): [client
130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk@CBS.DK
[Thu Jul 26 16:05:21 2007] [debug] src/mod_auth_kerb.c(1269): [client
130.226.36.170] Verifying client data using KRB5 GSS-API
[Thu Jul 26 16:05:21 2007] [debug] src/mod_auth_kerb.c(1285): [client
130.226.36.170] Verification returned code 0
[Thu Jul 26 16:05:21 2007] [debug] src/mod_auth_kerb.c(1303): [client
130.226.36.170] GSS-API token of length 22 bytes will be sent back
[Thu Jul 26 16:05:21 2007] [debug] src/mod_auth_kerb.c(1351): [client
130.226.36.170] set cached name mkj.lib@CBS.DK for connection
[Thu Jul 26 16:05:21 2007] [debug] src/mod_auth_kerb.c(1359): [client
130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
available
[Thu Jul 26 16:05:21 2007] [error] [client 130.226.36.170] Cannot store
delegated credential (gss_krb5_copy_ccache: Invalid credential was
supplied (No error))
/Mikkel
On Wed, 2007-07-25 at 20:56 +0200, Achim Grolms wrote:
> On Wednesday 25 July 2007 11:55, Mikkel Kruse Johnsen wrote:
>
> > Compiled the mod_auth_kerb with the attched
>
> The modification does a check if GSS_C_DELEG_FLAG
> is present.
>
> From my point of view (a paranoid point of view)
> an additional check has to follow:
> before the code does the call to store_gss_creds()
> The code should check if
>
> delegated_cred != GSS_C_NO_CREDENTIAL
>
> and report this state to logfile and only in case of
> delegated_cred != GSS_C_NO_CREDENTIAL
> do the call of store_gss_creds()
>
> Can you give that a try?
>
> Achim
> Received-SPF: pass (0: SPF record at ispgateway.de designates 80.67.18.14 as permitted sender)
>
> !DSPAM:46a79cdd293831136180008!
>
Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N
Tlf: +45 2128 7793
email: mikkel@linet.dk
www: http://www.linet.dk
--=-K+VKWju/EtqASLmNVEfO
Content-Disposition: attachment; filename=mod_auth_kerb-5.3-deleg.patch
Content-Type: text/x-patch; name=mod_auth_kerb-5.3-deleg.patch; charset=UTF-8
Content-Transfer-Encoding: 7bit
diff -r -u mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c mod_auth_kerb-5.3/src/mod_auth_kerb.c
--- mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c 2007-07-25 11:38:20.000000000 +0200
+++ mod_auth_kerb-5.3/src/mod_auth_kerb.c 2007-07-26 09:02:26.000000000 +0200
@@ -1215,6 +1215,8 @@
spnego_oid.length = 6;
spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
+ OM_uint32 acc_ret_flags;
+
if (conf->krb_5_keytab) {
char *ktname;
/* we don't use the ap_* calls here, since the string passed to putenv()
@@ -1277,7 +1279,7 @@
&client_name,
NULL,
&output_token,
- NULL,
+ &acc_ret_flags,
NULL,
&delegated_cred);
log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
@@ -1351,8 +1353,24 @@
}
#endif
- if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
- store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
+ if (conf->krb_save_credentials) {
+ if (delegated_cred != GSS_C_NO_CREDENTIAL) {
+ if ( acc_ret_flags & GSS_C_DELEG_FLAG ) {
+ log_rerror( APLOG_MARK, APLOG_DEBUG, 0, r,
+ "krb_save_credentials activated, GSS_C_DELEG_FLAG available", "" );
+
+ store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
+ }
+ else {
+ log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
+ "krb_save_credentials activated, no GSS_C_DELEG_FLAG", "" );
+ }
+ }
+ else {
+ log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
+ "krb_save_credentials activated, no GSS_C_NO_CREDENTIAL", "" );
+ }
+ }
gss_release_buffer(&minor_status, &output_token);
--=-K+VKWju/EtqASLmNVEfO
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
--=-K+VKWju/EtqASLmNVEfO--