[28130] in Kerberos
Re: [modauthkerb] Negotiate on Windows with cross-realm trust ADand
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Fri Jul 27 12:11:53 2007
Message-ID: <46AA191D.6020902@anl.gov>
Date: Fri, 27 Jul 2007 11:11:09 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: mikkel@linet.dk
In-Reply-To: <1185520446.2958.3.camel@tux.lib.cbs.dk>
Cc: achim@grolmsnet.de, "Henry B. Hotz" <hotz@jpl.nasa.gov>,
modauthkerb-help@lists.sourceforge.net, kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
I stil think you have a client problem, of the client not delegating.Can you use IE, or FireFox on some other platform to connecto yourserver?
Mikkel Kruse Johnsen wrote:> Hi> > Settings check:> > network.negotiate-auth.allow-proxies = true> network.negotiate-auth.delegation-uris = cbs.dk,hhk.dk> network.negotiate-auth.gsslib => network.negotiate-auth.trusted-uris = cbs.dk,hhk.dk> network.negotiate-auth.using-native-gsslib = true> > After the patch (attached) I get this. So it seems that status is> GSS_S_COMPLETE:> > [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and> auth_type Kerberos> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and> auth_type Kerberos> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148): [client> 130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk@CBS.DK> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269): [client> 130.226.36.170] Verifying client data using KRB5 GSS-API> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285): [client> 130.226.36.170] Verification returned code 0> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303): [client> 130.226.36.170] GSS-API token of length 22 bytes will be sent back> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351): [client> 130.226.36.170] set cached name mkj.lib@CBS.DK for connection> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360): [client> 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG> available> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot store> delegated credential (gss_krb5_copy_ccache: Invalid credential was> supplied (No error))> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148): [client> 130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk@CBS.DK, referer:> http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269): [client> 130.226.36.170] Verifying client data using KRB5 GSS-API, referer:> http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285): [client> 130.226.36.170] Verification returned code 0, referer:> http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303): [client> 130.226.36.170] GSS-API token of length 22 bytes will be sent back,> referer: http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351): [client> 130.226.36.170] set cached name mkj.lib@CBS.DK for connection, referer:> http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360): [client> 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG> available, referer: http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot store> delegated credential (gss_krb5_copy_ccache: Invalid credential was> supplied (No error)), referer: http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148): [client> 130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk@CBS.DK, referer:> http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269): [client> 130.226.36.170] Verifying client data using KRB5 GSS-API, referer:> http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285): [client> 130.226.36.170] Verification returned code 0, referer:> http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303): [client> 130.226.36.170] GSS-API token of length 22 bytes will be sent back,> referer: http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351): [client> 130.226.36.170] set cached name mkj.lib@CBS.DK for connection, referer:> http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360): [client> 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG> available, referer: http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot store> delegated credential (gss_krb5_copy_ccache: Invalid credential was> supplied (No error)), referer: http://od.cbs.dk/phpinfo.php> > /Mikkel> > > On Thu, 2007-07-26 at 22:38 +0200, Achim Grolms wrote:> >> On Thursday 26 July 2007 21:54, Douglas E. Engert wrote:>>> Achim Grolms wrote:>>>> On Thursday 26 July 2007 20:40, Henry B. Hotz wrote:>>>>>> If I understand RFC2744 correct GSS_C_DELEG_FLAG>>>>>> would not be set in that case?>>>>>>>>>>>> Achim>>>>> Agreed. That flag shouldn't be set AFAIK, though the value isn't>>>>> valid until negotiation is complete.>>>> That means before trying to store delegated credentials>>>> and before checking GSS_C_DELEG_FLAG>>>> mod_auth_kerb needs to check if gss_accept_sec_context ()>>>> returns major_status = GSS_S_COMPLETE>> From my point of view this means that mod_auth_kerb>> needs a change in code.>> I needs to be of that style:>>>> the major_status of >> gss_accept_sec_context()>>>> needs to be checked before checking GSS_C_DELEG_FLAG.>>>> This can be done this way:>>>> if ( major_status_accept = GSS_S_COMPLETE ) {>> if (conf->krb_save_credentials) {>> if (delegated_cred != GSS_C_NO_CREDENTIAL) {>> .>> .>> .>> }>> }>> }>>>>>> major_status_accept is the major_status returned by>> accept_sec_token>>>> Mikkel, can you give this a try?>> Achim>> Received-SPF: pass (0: SPF record at ispgateway.de designates 80.67.18.15 as permitted sender)>>>> !DSPAM:46a9068820551136180008!>>> > Mikkel Kruse Johnsen> Linet> Ørholmgade 6 st tv> 2200 København N> > Tlf: +45 2128 7793> email: mikkel@linet.dk> www: http://www.linet.dk> > > ------------------------------------------------------------------------> > diff -r -u mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c mod_auth_kerb-5.3/src/mod_auth_kerb.c> --- mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c 2007-07-25 11:38:20.000000000 +0200> +++ mod_auth_kerb-5.3/src/mod_auth_kerb.c 2007-07-27 09:09:21.000000000 +0200> @@ -1215,6 +1215,8 @@> spnego_oid.length = 6;> spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";> > + OM_uint32 acc_ret_flags;> +> if (conf->krb_5_keytab) {> char *ktname;> /* we don't use the ap_* calls here, since the string passed to putenv()> @@ -1277,7 +1279,7 @@> &client_name,> NULL,> &output_token,> - NULL,> + &acc_ret_flags,> NULL,> &delegated_cred);> log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,> @@ -1351,8 +1353,30 @@> }> #endif> > - if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)> - store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);> + if (major_status == GSS_S_COMPLETE ) {> + if (conf->krb_save_credentials) {> + if (delegated_cred != GSS_C_NO_CREDENTIAL) {> + if ( acc_ret_flags & GSS_C_DELEG_FLAG ) { > + log_rerror( APLOG_MARK, APLOG_DEBUG, 0, r,> + "krb_save_credentials activated, GSS_C_DELEG_FLAG available", "" );> + > + store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);> + } > + else {> + log_rerror( APLOG_MARK, APLOG_ERR, 0, r,> + "krb_save_credentials activated, no GSS_C_DELEG_FLAG", "" );> + }> + } > + else {> + log_rerror( APLOG_MARK, APLOG_ERR, 0, r,> + "krb_save_credentials activated, no GSS_C_NO_CREDENTIAL", "" );> + }> + }> + }> + else {> + log_rerror( APLOG_MARK, APLOG_ERR, 0, r,> + "krb_save_credentials not activated, no GSS_S_COMPLETE", "" );> + } > > gss_release_buffer(&minor_status, &output_token);> > > > ------------------------------------------------------------------------> > ________________________________________________> Kerberos mailing list Kerberos@mit.edu> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert@anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444________________________________________________Kerberos mailing list Kerberos@mit.eduhttps://mailman.mit.edu/mailman/listinfo/kerberos