[28130] in Kerberos

home help back first fref pref prev next nref lref last post

Re: [modauthkerb] Negotiate on Windows with cross-realm trust ADand

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Fri Jul 27 12:11:53 2007

Message-ID: <46AA191D.6020902@anl.gov>
Date: Fri, 27 Jul 2007 11:11:09 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: mikkel@linet.dk
In-Reply-To: <1185520446.2958.3.camel@tux.lib.cbs.dk>
Cc: achim@grolmsnet.de, "Henry B. Hotz" <hotz@jpl.nasa.gov>,
   modauthkerb-help@lists.sourceforge.net, kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

I stil think you have a client problem, of the client not delegating.Can you use IE, or FireFox on some other platform to connecto yourserver?


Mikkel Kruse Johnsen wrote:> Hi> > Settings check:> > network.negotiate-auth.allow-proxies = true> network.negotiate-auth.delegation-uris = cbs.dk,hhk.dk> network.negotiate-auth.gsslib => network.negotiate-auth.trusted-uris = cbs.dk,hhk.dk> network.negotiate-auth.using-native-gsslib = true> > After the patch (attached) I get this. So it seems that status is> GSS_S_COMPLETE:> > [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and> auth_type Kerberos> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and> auth_type Kerberos> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148): [client> 130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk@CBS.DK> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269): [client> 130.226.36.170] Verifying client data using KRB5 GSS-API> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285): [client> 130.226.36.170] Verification returned code 0> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303): [client> 130.226.36.170] GSS-API token of length 22 bytes will be sent back> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351): [client> 130.226.36.170] set cached name mkj.lib@CBS.DK for connection> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360): [client> 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG> available> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot store> delegated credential (gss_krb5_copy_ccache: Invalid credential was> supplied (No error))> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148): [client> 130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk@CBS.DK, referer:> http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269): [client> 130.226.36.170] Verifying client data using KRB5 GSS-API, referer:> http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285): [client> 130.226.36.170] Verification returned code 0, referer:> http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303): [client> 130.226.36.170] GSS-API token of length 22 bytes will be sent back,> referer: http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351): [client> 130.226.36.170] set cached name mkj.lib@CBS.DK for connection, referer:> http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360): [client> 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG> available, referer: http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot store> delegated credential (gss_krb5_copy_ccache: Invalid credential was> supplied (No error)), referer: http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148): [client> 130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk@CBS.DK, referer:> http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269): [client> 130.226.36.170] Verifying client data using KRB5 GSS-API, referer:> http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285): [client> 130.226.36.170] Verification returned code 0, referer:> http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303): [client> 130.226.36.170] GSS-API token of length 22 bytes will be sent back,> referer: http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351): [client> 130.226.36.170] set cached name mkj.lib@CBS.DK for connection, referer:> http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360): [client> 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG> available, referer: http://od.cbs.dk/phpinfo.php> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot store> delegated credential (gss_krb5_copy_ccache: Invalid credential was> supplied (No error)), referer: http://od.cbs.dk/phpinfo.php> > /Mikkel> > > On Thu, 2007-07-26 at 22:38 +0200, Achim Grolms wrote:> >> On Thursday 26 July 2007 21:54, Douglas E. Engert wrote:>>> Achim Grolms wrote:>>>> On Thursday 26 July 2007 20:40, Henry B. Hotz wrote:>>>>>> If I understand RFC2744 correct GSS_C_DELEG_FLAG>>>>>> would not be set in that case?>>>>>>>>>>>> Achim>>>>> Agreed.  That flag shouldn't be set AFAIK, though the value isn't>>>>> valid until negotiation is complete.>>>> That means before trying to store delegated credentials>>>> and before checking GSS_C_DELEG_FLAG>>>> mod_auth_kerb needs to check if gss_accept_sec_context ()>>>> returns   major_status = GSS_S_COMPLETE>> From my point of view this means that mod_auth_kerb>> needs a change in code.>> I needs to be of that style:>>>> the major_status of >> gss_accept_sec_context()>>>> needs to be checked before checking GSS_C_DELEG_FLAG.>>>> This can be done this way:>>>> if ( major_status_accept = GSS_S_COMPLETE ) {>>     if (conf->krb_save_credentials) {>>         if (delegated_cred != GSS_C_NO_CREDENTIAL) {>>              .>>              .>>              .>>         }>>      }>> }>>>>>> major_status_accept is the major_status returned by>> accept_sec_token>>>> Mikkel, can you give this a try?>> Achim>> Received-SPF: pass (0: SPF record at ispgateway.de designates 80.67.18.15 as permitted sender)>>>> !DSPAM:46a9068820551136180008!>>> > Mikkel Kruse Johnsen> Linet> Ørholmgade 6 st tv> 2200 København N> > Tlf: +45 2128 7793> email: mikkel@linet.dk> www: http://www.linet.dk> > > ------------------------------------------------------------------------> > diff -r -u mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c mod_auth_kerb-5.3/src/mod_auth_kerb.c> --- mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c	2007-07-25 11:38:20.000000000 +0200> +++ mod_auth_kerb-5.3/src/mod_auth_kerb.c	2007-07-27 09:09:21.000000000 +0200> @@ -1215,6 +1215,8 @@>    spnego_oid.length = 6;>    spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";>  > +  OM_uint32 acc_ret_flags;> +>    if (conf->krb_5_keytab) {>       char *ktname;>       /* we don't use the ap_* calls here, since the string passed to putenv()> @@ -1277,7 +1279,7 @@>  				  &client_name,>  				  NULL,>  				  &output_token,> -				  NULL,> +				  &acc_ret_flags,>  				  NULL,>  				  &delegated_cred);>    log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,> @@ -1351,8 +1353,30 @@>    }>  #endif>  > -  if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)> -     store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);> +  if (major_status == GSS_S_COMPLETE ) {> +    if (conf->krb_save_credentials) {> +      if (delegated_cred != GSS_C_NO_CREDENTIAL) {> +        if ( acc_ret_flags & GSS_C_DELEG_FLAG ) {      > +          log_rerror( APLOG_MARK, APLOG_DEBUG, 0, r,> +       	    "krb_save_credentials activated, GSS_C_DELEG_FLAG available", "" );> + > +          store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);> +        } > +        else {> +          log_rerror( APLOG_MARK, APLOG_ERR, 0, r,> +            "krb_save_credentials activated, no GSS_C_DELEG_FLAG", "" );> +        }> +      } > +      else {> +        log_rerror( APLOG_MARK, APLOG_ERR, 0, r,> +          "krb_save_credentials activated, no GSS_C_NO_CREDENTIAL", "" );> +      }> +    }> +  }> +  else {> +    log_rerror( APLOG_MARK, APLOG_ERR, 0, r,> +      "krb_save_credentials not activated, no GSS_S_COMPLETE", "" );> +  }	 >  >    gss_release_buffer(&minor_status, &output_token);>  > > > ------------------------------------------------------------------------> > ________________________________________________> Kerberos mailing list           Kerberos@mit.edu> https://mailman.mit.edu/mailman/listinfo/kerberos
-- 
  Douglas E. Engert  <DEEngert@anl.gov>  Argonne National Laboratory  9700 South Cass Avenue  Argonne, Illinois  60439  (630) 252-5444________________________________________________Kerberos mailing list           Kerberos@mit.eduhttps://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post