[28145] in Kerberos

home help back first fref pref prev next nref lref last post

Re: [modauthkerb] Negotiate on Windows with cross-realm trust

daemon@ATHENA.MIT.EDU (Mikkel Kruse Johnsen)
Mon Jul 30 04:54:01 2007

From: Mikkel Kruse Johnsen <mikkel@linet.dk>
To: achim@grolmsnet.de
In-Reply-To: <200707272020.01184.achim@grolmsnet.de>
Content-Type: multipart/mixed; boundary="=-s/R5DrMvCpK1/MtXrSOu"
Date: Mon, 30 Jul 2007 10:53:20 +0200
Message-Id: <1185785600.3058.8.camel@tux.lib.cbs.dk>
Mime-Version: 1.0
Cc: "Henry B. Hotz" <hotz@jpl.nasa.gov>,
   "Douglas E. Engert" <deengert@anl.gov>,
   modauthkerb-help@lists.sourceforge.net, kerberos@mit.edu
Reply-To: mikkel@linet.dk
Errors-To: kerberos-bounces@mit.edu


--=-s/R5DrMvCpK1/MtXrSOu
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Hi Achim

I see your point here is the ne patch. I still get this error:

[Mon Jul 30 10:51:26 2007] [debug] src/mod_auth_kerb.c(1458): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Mon Jul 30 10:51:26 2007] [debug] src/mod_auth_kerb.c(1458): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Mon Jul 30 10:51:26 2007] [debug] src/mod_auth_kerb.c(1148): [client
130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk@CBS.DK
[Mon Jul 30 10:51:26 2007] [debug] src/mod_auth_kerb.c(1269): [client
130.226.36.170] Verifying client data using KRB5 GSS-API
[Mon Jul 30 10:51:26 2007] [debug] src/mod_auth_kerb.c(1286): [client
130.226.36.170] Verification returned code 0
[Mon Jul 30 10:51:26 2007] [debug] src/mod_auth_kerb.c(1304): [client
130.226.36.170] GSS-API token of length 22 bytes will be sent back
[Mon Jul 30 10:51:26 2007] [debug] src/mod_auth_kerb.c(1352): [client
130.226.36.170] set cached name mkj.lib@CBS.DK for connection
[Mon Jul 30 10:51:26 2007] [debug] src/mod_auth_kerb.c(1361): [client
130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
available
[Mon Jul 30 10:51:26 2007] [error] [client 130.226.36.170] Cannot store
delegated credential (gss_krb5_copy_ccache: Invalid credential was
supplied (No error))

/Mikkel


On Fri, 2007-07-27 at 20:19 +0200, Achim Grolms wrote:

> On Friday 27 July 2007 09:14, Mikkel Kruse Johnsen wrote:
> 
> > After the patch (attached) I get this.
> 
> I think your patch does my idea wrong.
> 
> Your patch checks
> 
> major_status == GSS_S_COMPLETE
> 
> but in your patch  major_status is the return-value of gss_display_name(),
> not of accept_sec_token.
> 
> You need to store the return-value of accept_sec_token
> in a 2nd variable, "major_status_accept" for example
> and check 
> 
> major_status_accept == GSS_S_COMPLETE
> (or move the delegation-store-code direct below the
> accept_sec_token() so major_status really holds the value
> of accept_sec_token.
> 
> Maybe the client tries to to mutual authentication and the
> TGT is only delegated *after* the mutual-auth-roundrip has finished?
> 
> Achim
> Received-SPF: pass (0: SPF record at ispgateway.de designates 80.67.18.16 as permitted sender)
> 
> !DSPAM:46aa375b54622628239487!
> 

Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: mikkel@linet.dk
www: http://www.linet.dk

--=-s/R5DrMvCpK1/MtXrSOu
Content-Disposition: attachment; filename=mod_auth_kerb-5.3-deleg.patch
Content-Type: text/x-patch; name=mod_auth_kerb-5.3-deleg.patch; charset=UTF-8
Content-Transfer-Encoding: 7bit

diff -r -u mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c mod_auth_kerb-5.3/src/mod_auth_kerb.c
--- mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c	2007-07-25 11:38:20.000000000 +0200
+++ mod_auth_kerb-5.3/src/mod_auth_kerb.c	2007-07-30 10:50:28.000000000 +0200
@@ -1198,7 +1198,7 @@
 authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
 		      const char *auth_line, char **negotiate_ret_value)
 {
-  OM_uint32 major_status, minor_status, minor_status2;
+  OM_uint32 major_status, minor_status, minor_status2, major_status_accept;
   gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
   gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
   const char *auth_param = NULL;
@@ -1215,6 +1215,8 @@
   spnego_oid.length = 6;
   spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
 
+  OM_uint32 acc_ret_flags;
+
   if (conf->krb_5_keytab) {
      char *ktname;
      /* we don't use the ap_* calls here, since the string passed to putenv()
@@ -1269,19 +1271,20 @@
 	       ? "KRB5 GSS-API"
 	       : "SPNEGO GSS-API");
 
-  major_status = accept_sec_token(&minor_status,
-				  &context,
-				  server_creds,
-				  &input_token,
-				  GSS_C_NO_CHANNEL_BINDINGS,
-				  &client_name,
-				  NULL,
-				  &output_token,
-				  NULL,
-				  NULL,
-				  &delegated_cred);
+  major_status_accept = accept_sec_token(&minor_status,
+					 &context,
+					 server_creds,
+				 	 &input_token,
+				  	 GSS_C_NO_CHANNEL_BINDINGS,
+				 	 &client_name,
+				 	 NULL,
+				 	 &output_token,
+				 	 &acc_ret_flags,
+				 	 NULL,
+				  	 &delegated_cred);
+
   log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-	     "Verification returned code %d", major_status);
+	     "Verification returned code %d", major_status_accept);
   if (output_token.length) {
      char *token = NULL;
      size_t len;
@@ -1305,13 +1308,13 @@
      set_kerb_auth_headers(r, conf, 0, 0, *negotiate_ret_value);
   }
 
-  if (GSS_ERROR(major_status)) {
+  if (GSS_ERROR(major_status_accept)) {
      if (input_token.length > 7 && memcmp(input_token.value, "NTLMSSP", 7) == 0)
 	log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
 	          "Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.");
 
      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-	        "%s", get_gss_error(r->pool, major_status, minor_status,
+	        "%s", get_gss_error(r->pool, major_status_accept, minor_status,
 		                    "gss_accept_sec_context() failed"));
      /* Don't offer the Negotiate method again if call to GSS layer failed */
      *negotiate_ret_value = NULL;
@@ -1323,7 +1326,7 @@
   /* This is a _Kerberos_ module so multiple authentication rounds aren't
    * supported. If we wanted a generic GSS authentication we would have to do
    * some magic with exporting context etc. */
-  if (major_status & GSS_S_CONTINUE_NEEDED) {
+  if (major_status_accept & GSS_S_CONTINUE_NEEDED) {
      ret = HTTP_UNAUTHORIZED;
      goto end;
   }
@@ -1351,8 +1354,30 @@
   }
 #endif
 
-  if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
-     store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
+  if (major_status_accept == GSS_S_COMPLETE ) {
+    if (conf->krb_save_credentials) {
+      if (delegated_cred != GSS_C_NO_CREDENTIAL) {
+        if ( acc_ret_flags & GSS_C_DELEG_FLAG ) {      
+          log_rerror( APLOG_MARK, APLOG_DEBUG, 0, r,
+       	    "krb_save_credentials activated, GSS_C_DELEG_FLAG available", "" );
+ 
+          store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
+        } 
+        else {
+          log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
+            "krb_save_credentials activated, no GSS_C_DELEG_FLAG", "" );
+        }
+      } 
+      else {
+        log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
+          "krb_save_credentials activated, no GSS_C_NO_CREDENTIAL", "" );
+      }
+    }
+  }
+  else {
+    log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
+      "krb_save_credentials not activated, no GSS_S_COMPLETE", "" );
+  }	 
 
   gss_release_buffer(&minor_status, &output_token);
 

--=-s/R5DrMvCpK1/MtXrSOu
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

--=-s/R5DrMvCpK1/MtXrSOu--


home help back first fref pref prev next nref lref last post