[28126] in Kerberos

home help back first fref pref prev next nref lref last post

Re: [modauthkerb] Negotiate on Windows with cross-realm trust

daemon@ATHENA.MIT.EDU (Mikkel Kruse Johnsen)
Fri Jul 27 03:14:20 2007

From: Mikkel Kruse Johnsen <mikkel@linet.dk>
To: achim@grolmsnet.de
In-Reply-To: <200707262238.12048.achim@grolmsnet.de>
Content-Type: multipart/mixed; boundary="=-qgsf9xh7CLZBl/duJqY7"
Date: Fri, 27 Jul 2007 09:14:06 +0200
Message-Id: <1185520446.2958.3.camel@tux.lib.cbs.dk>
Mime-Version: 1.0
Cc: "Henry B. Hotz" <hotz@jpl.nasa.gov>, kerberos@mit.edu,
   modauthkerb-help@lists.sourceforge.net,
   "Douglas E. Engert" <deengert@anl.gov>
Reply-To: mikkel@linet.dk
Errors-To: kerberos-bounces@mit.edu


--=-qgsf9xh7CLZBl/duJqY7
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Hi

Settings check:

network.negotiate-auth.allow-proxies = true
network.negotiate-auth.delegation-uris = cbs.dk,hhk.dk
network.negotiate-auth.gsslib =
network.negotiate-auth.trusted-uris = cbs.dk,hhk.dk
network.negotiate-auth.using-native-gsslib = true

After the patch (attached) I get this. So it seems that status is
GSS_S_COMPLETE:

[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148): [client
130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk@CBS.DK
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269): [client
130.226.36.170] Verifying client data using KRB5 GSS-API
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285): [client
130.226.36.170] Verification returned code 0
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303): [client
130.226.36.170] GSS-API token of length 22 bytes will be sent back
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351): [client
130.226.36.170] set cached name mkj.lib@CBS.DK for connection
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360): [client
130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
available
[Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot store
delegated credential (gss_krb5_copy_ccache: Invalid credential was
supplied (No error))
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148): [client
130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk@CBS.DK, referer:
http://od.cbs.dk/phpinfo.php
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269): [client
130.226.36.170] Verifying client data using KRB5 GSS-API, referer:
http://od.cbs.dk/phpinfo.php
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285): [client
130.226.36.170] Verification returned code 0, referer:
http://od.cbs.dk/phpinfo.php
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303): [client
130.226.36.170] GSS-API token of length 22 bytes will be sent back,
referer: http://od.cbs.dk/phpinfo.php
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351): [client
130.226.36.170] set cached name mkj.lib@CBS.DK for connection, referer:
http://od.cbs.dk/phpinfo.php
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360): [client
130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
available, referer: http://od.cbs.dk/phpinfo.php
[Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot store
delegated credential (gss_krb5_copy_ccache: Invalid credential was
supplied (No error)), referer: http://od.cbs.dk/phpinfo.php
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148): [client
130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk@CBS.DK, referer:
http://od.cbs.dk/phpinfo.php
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269): [client
130.226.36.170] Verifying client data using KRB5 GSS-API, referer:
http://od.cbs.dk/phpinfo.php
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285): [client
130.226.36.170] Verification returned code 0, referer:
http://od.cbs.dk/phpinfo.php
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303): [client
130.226.36.170] GSS-API token of length 22 bytes will be sent back,
referer: http://od.cbs.dk/phpinfo.php
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351): [client
130.226.36.170] set cached name mkj.lib@CBS.DK for connection, referer:
http://od.cbs.dk/phpinfo.php
[Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360): [client
130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
available, referer: http://od.cbs.dk/phpinfo.php
[Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot store
delegated credential (gss_krb5_copy_ccache: Invalid credential was
supplied (No error)), referer: http://od.cbs.dk/phpinfo.php

/Mikkel


On Thu, 2007-07-26 at 22:38 +0200, Achim Grolms wrote:

> On Thursday 26 July 2007 21:54, Douglas E. Engert wrote:
> > Achim Grolms wrote:
> > > On Thursday 26 July 2007 20:40, Henry B. Hotz wrote:
> > >>> If I understand RFC2744 correct GSS_C_DELEG_FLAG
> > >>> would not be set in that case?
> > >>>
> > >>> Achim
> > >>
> > >> Agreed.  That flag shouldn't be set AFAIK, though the value isn't
> > >> valid until negotiation is complete.
> > >
> > > That means before trying to store delegated credentials
> > > and before checking GSS_C_DELEG_FLAG
> > > mod_auth_kerb needs to check if gss_accept_sec_context ()
> > > returns   major_status = GSS_S_COMPLETE
> 
> From my point of view this means that mod_auth_kerb
> needs a change in code.
> I needs to be of that style:
> 
> the major_status of 
> gss_accept_sec_context()
> 
> needs to be checked before checking GSS_C_DELEG_FLAG.
> 
> This can be done this way:
> 
> if ( major_status_accept = GSS_S_COMPLETE ) {
>     if (conf->krb_save_credentials) {
>         if (delegated_cred != GSS_C_NO_CREDENTIAL) {
>              .
>              .
>              .
>         }
>      }
> }
> 
> 
> major_status_accept is the major_status returned by
> accept_sec_token
> 
> Mikkel, can you give this a try?
> Achim
> Received-SPF: pass (0: SPF record at ispgateway.de designates 80.67.18.15 as permitted sender)
> 
> !DSPAM:46a9068820551136180008!
> 

Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: mikkel@linet.dk
www: http://www.linet.dk

--=-qgsf9xh7CLZBl/duJqY7
Content-Disposition: attachment; filename=mod_auth_kerb-5.3-deleg.patch
Content-Type: text/x-patch; name=mod_auth_kerb-5.3-deleg.patch; charset=UTF-8
Content-Transfer-Encoding: 7bit

diff -r -u mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c mod_auth_kerb-5.3/src/mod_auth_kerb.c
--- mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c	2007-07-25 11:38:20.000000000 +0200
+++ mod_auth_kerb-5.3/src/mod_auth_kerb.c	2007-07-27 09:09:21.000000000 +0200
@@ -1215,6 +1215,8 @@
   spnego_oid.length = 6;
   spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
 
+  OM_uint32 acc_ret_flags;
+
   if (conf->krb_5_keytab) {
      char *ktname;
      /* we don't use the ap_* calls here, since the string passed to putenv()
@@ -1277,7 +1279,7 @@
 				  &client_name,
 				  NULL,
 				  &output_token,
-				  NULL,
+				  &acc_ret_flags,
 				  NULL,
 				  &delegated_cred);
   log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
@@ -1351,8 +1353,30 @@
   }
 #endif
 
-  if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
-     store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
+  if (major_status == GSS_S_COMPLETE ) {
+    if (conf->krb_save_credentials) {
+      if (delegated_cred != GSS_C_NO_CREDENTIAL) {
+        if ( acc_ret_flags & GSS_C_DELEG_FLAG ) {      
+          log_rerror( APLOG_MARK, APLOG_DEBUG, 0, r,
+       	    "krb_save_credentials activated, GSS_C_DELEG_FLAG available", "" );
+ 
+          store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
+        } 
+        else {
+          log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
+            "krb_save_credentials activated, no GSS_C_DELEG_FLAG", "" );
+        }
+      } 
+      else {
+        log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
+          "krb_save_credentials activated, no GSS_C_NO_CREDENTIAL", "" );
+      }
+    }
+  }
+  else {
+    log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
+      "krb_save_credentials not activated, no GSS_S_COMPLETE", "" );
+  }	 
 
   gss_release_buffer(&minor_status, &output_token);
 

--=-qgsf9xh7CLZBl/duJqY7
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

--=-qgsf9xh7CLZBl/duJqY7--


home help back first fref pref prev next nref lref last post