[28147] in Kerberos
Re: [modauthkerb] Negotiate on Windows with cross-realm trust
daemon@ATHENA.MIT.EDU (Mikkel Kruse Johnsen)
Mon Jul 30 09:23:13 2007
From: Mikkel Kruse Johnsen <mikkel@linet.dk>
To: achim@grolmsnet.de
In-Reply-To: <200707262238.12048.achim@grolmsnet.de>
Content-Type: multipart/mixed; boundary="=-mQgHP2lkMtavH/kVxKSm"
Date: Mon, 30 Jul 2007 15:22:43 +0200
Message-Id: <1185801763.3058.11.camel@tux.lib.cbs.dk>
Mime-Version: 1.0
Cc: "Henry B. Hotz" <hotz@jpl.nasa.gov>, kerberos@mit.edu,
modauthkerb-help@lists.sourceforge.net,
"Douglas E. Engert" <deengert@anl.gov>
Reply-To: mikkel@linet.dk
Errors-To: kerberos-bounces@mit.edu
--=-mQgHP2lkMtavH/kVxKSm
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Hi
Just found something. It seems that the ticket is expired, look at this
patch (thanks Achim for pointing this out)
[Mon Jul 30 15:19:55 2007] [debug] src/mod_auth_kerb.c(1488): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Mon Jul 30 15:19:55 2007] [debug] src/mod_auth_kerb.c(1488): [client
130.226.36.170] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Mon Jul 30 15:19:55 2007] [debug] src/mod_auth_kerb.c(1178): [client
130.226.36.170] Acquiring creds for HTTP/sugi.cbs.dk@CBS.DK
[Mon Jul 30 15:19:55 2007] [debug] src/mod_auth_kerb.c(1299): [client
130.226.36.170] Verifying client data using KRB5 GSS-API
[Mon Jul 30 15:19:55 2007] [debug] src/mod_auth_kerb.c(1316): [client
130.226.36.170] Verification returned code 0
[Mon Jul 30 15:19:55 2007] [debug] src/mod_auth_kerb.c(1334): [client
130.226.36.170] GSS-API token of length 22 bytes will be sent back
[Mon Jul 30 15:19:55 2007] [debug] src/mod_auth_kerb.c(1382): [client
130.226.36.170] set cached name mkj.lib@CBS.DK for connection
[Mon Jul 30 15:19:55 2007] [debug] src/mod_auth_kerb.c(1391): [client
130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
available
[Mon Jul 30 15:19:55 2007] [error] [client 130.226.36.170] Lifetime of
delegated credential is expired
[Mon Jul 30 15:19:55 2007] [error] [client 130.226.36.170] Cannot store
delegated credential (gss_krb5_copy_ccache: Invalid credential was
supplied (No error))
/Mikkel
---
[mkj@tux ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@CBS.DK
Valid starting Expires Service principal
07/30/07 15:19:49 07/31/07 15:19:49 krbtgt/CBS.DK@CBS.DK
07/30/07 15:19:55 07/31/07 15:19:49 HTTP/sugi.cbs.dk@CBS.DK
Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
----
On Thu, 2007-07-26 at 22:38 +0200, Achim Grolms wrote:
> On Thursday 26 July 2007 21:54, Douglas E. Engert wrote:
> > Achim Grolms wrote:
> > > On Thursday 26 July 2007 20:40, Henry B. Hotz wrote:
> > >>> If I understand RFC2744 correct GSS_C_DELEG_FLAG
> > >>> would not be set in that case?
> > >>>
> > >>> Achim
> > >>
> > >> Agreed. That flag shouldn't be set AFAIK, though the value isn't
> > >> valid until negotiation is complete.
> > >
> > > That means before trying to store delegated credentials
> > > and before checking GSS_C_DELEG_FLAG
> > > mod_auth_kerb needs to check if gss_accept_sec_context ()
> > > returns major_status = GSS_S_COMPLETE
>
> From my point of view this means that mod_auth_kerb
> needs a change in code.
> I needs to be of that style:
>
> the major_status of
> gss_accept_sec_context()
>
> needs to be checked before checking GSS_C_DELEG_FLAG.
>
> This can be done this way:
>
> if ( major_status_accept = GSS_S_COMPLETE ) {
> if (conf->krb_save_credentials) {
> if (delegated_cred != GSS_C_NO_CREDENTIAL) {
> .
> .
> .
> }
> }
> }
>
>
> major_status_accept is the major_status returned by
> accept_sec_token
>
> Mikkel, can you give this a try?
> Achim
> Received-SPF: pass (0: SPF record at ispgateway.de designates 80.67.18.15 as permitted sender)
>
> !DSPAM:46a9068820551136180008!
>
Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N
Tlf: +45 2128 7793
email: mikkel@linet.dk
www: http://www.linet.dk
--=-mQgHP2lkMtavH/kVxKSm
Content-Disposition: attachment; filename=mod_auth_kerb-5.3-deleg.patch
Content-Type: text/x-patch; name=mod_auth_kerb-5.3-deleg.patch; charset=UTF-8
Content-Transfer-Encoding: 7bit
diff -r -u mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c mod_auth_kerb-5.3/src/mod_auth_kerb.c
--- mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c 2007-07-25 11:38:20.000000000 +0200
+++ mod_auth_kerb-5.3/src/mod_auth_kerb.c 2007-07-30 15:19:16.000000000 +0200
@@ -1060,6 +1060,11 @@
krb5_context context;
int ret = HTTP_INTERNAL_SERVER_ERROR;
+ gss_name_t name;
+ OM_uint32 lifetime;
+ gss_cred_usage_t cred_usage;
+ gss_OID_set mechanisms;
+
problem = krb5_init_context(&context);
if (problem) {
log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Cannot initialize krb5 context");
@@ -1080,6 +1085,31 @@
goto end;
}
+ // Start Credential Check
+ maj_stat = gss_inquire_cred (&min_stat, delegated_cred, &name, &lifetime, &cred_usage, &mechanisms);
+ if (maj_stat != GSS_S_COMPLETE) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Inquire delegated credential (%s)",
+ get_gss_error(r->pool, maj_stat, min_stat, "gss_inquire_cred"));
+ goto end;
+ }
+
+ if (lifetime == GSS_C_INDEFINITE) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Lifetime of delegated credential never expires");
+ } else {
+ if (lifetime == 0) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Lifetime of delegated credential is expired");
+ } else {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Lifetime of delegated credential is %d", lifetime);
+ }
+ }
+
+ gss_release_oid_set(&min_stat, &mechanisms);
+ // End Credential Check
+
maj_stat = gss_krb5_copy_ccache(&min_stat, delegated_cred, ccache);
if (GSS_ERROR(maj_stat)) {
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
@@ -1198,7 +1228,7 @@
authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
const char *auth_line, char **negotiate_ret_value)
{
- OM_uint32 major_status, minor_status, minor_status2;
+ OM_uint32 major_status, minor_status, minor_status2, major_status_accept;
gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
const char *auth_param = NULL;
@@ -1215,6 +1245,8 @@
spnego_oid.length = 6;
spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
+ OM_uint32 acc_ret_flags;
+
if (conf->krb_5_keytab) {
char *ktname;
/* we don't use the ap_* calls here, since the string passed to putenv()
@@ -1269,19 +1301,20 @@
? "KRB5 GSS-API"
: "SPNEGO GSS-API");
- major_status = accept_sec_token(&minor_status,
- &context,
- server_creds,
- &input_token,
- GSS_C_NO_CHANNEL_BINDINGS,
- &client_name,
- NULL,
- &output_token,
- NULL,
- NULL,
- &delegated_cred);
+ major_status_accept = accept_sec_token(&minor_status,
+ &context,
+ server_creds,
+ &input_token,
+ GSS_C_NO_CHANNEL_BINDINGS,
+ &client_name,
+ NULL,
+ &output_token,
+ &acc_ret_flags,
+ NULL,
+ &delegated_cred);
+
log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "Verification returned code %d", major_status);
+ "Verification returned code %d", major_status_accept);
if (output_token.length) {
char *token = NULL;
size_t len;
@@ -1305,13 +1338,13 @@
set_kerb_auth_headers(r, conf, 0, 0, *negotiate_ret_value);
}
- if (GSS_ERROR(major_status)) {
+ if (GSS_ERROR(major_status_accept)) {
if (input_token.length > 7 && memcmp(input_token.value, "NTLMSSP", 7) == 0)
log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.");
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "%s", get_gss_error(r->pool, major_status, minor_status,
+ "%s", get_gss_error(r->pool, major_status_accept, minor_status,
"gss_accept_sec_context() failed"));
/* Don't offer the Negotiate method again if call to GSS layer failed */
*negotiate_ret_value = NULL;
@@ -1323,7 +1356,7 @@
/* This is a _Kerberos_ module so multiple authentication rounds aren't
* supported. If we wanted a generic GSS authentication we would have to do
* some magic with exporting context etc. */
- if (major_status & GSS_S_CONTINUE_NEEDED) {
+ if (major_status_accept & GSS_S_CONTINUE_NEEDED) {
ret = HTTP_UNAUTHORIZED;
goto end;
}
@@ -1351,8 +1384,30 @@
}
#endif
- if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
- store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
+ if (major_status_accept == GSS_S_COMPLETE ) {
+ if (conf->krb_save_credentials) {
+ if (delegated_cred != GSS_C_NO_CREDENTIAL) {
+ if ( acc_ret_flags & GSS_C_DELEG_FLAG ) {
+ log_rerror( APLOG_MARK, APLOG_DEBUG, 0, r,
+ "krb_save_credentials activated, GSS_C_DELEG_FLAG available", "" );
+
+ store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
+ }
+ else {
+ log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
+ "krb_save_credentials activated, no GSS_C_DELEG_FLAG", "" );
+ }
+ }
+ else {
+ log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
+ "krb_save_credentials activated, no GSS_C_NO_CREDENTIAL", "" );
+ }
+ }
+ }
+ else {
+ log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
+ "krb_save_credentials not activated, no GSS_S_COMPLETE", "" );
+ }
gss_release_buffer(&minor_status, &output_token);
--=-mQgHP2lkMtavH/kVxKSm
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
--=-mQgHP2lkMtavH/kVxKSm--