[31137] in Kerberos
Re: ok_as_delegation status
daemon@ATHENA.MIT.EDU (Mikkel Kruse Johnsen)
Tue May 19 02:56:32 2009
From: Mikkel Kruse Johnsen <mikkel@linet.dk>
To: Greg Hudson <ghudson@MIT.EDU>
In-Reply-To: <1242666802.4146.32.camel@ray>
Date: Tue, 19 May 2009 08:55:35 +0200
Message-Id: <1242716135.2652.5.camel@localhost.localdomain>
Cc: kerberos@MIT.EDU
Reply-To: mikkel@linet.dk
Errors-To: kerberos-bounces@MIT.EDU
Hi Kronus
You definitely have to use mod_auth_kerb's internal SPNEGO to get it to
work. I spent a lot of time realizing that.
The "ok_as_delegate" flag is not in Kerberos, but it is a very simple
patch. See attachment.
Med Venlig Hilsen / Kind Regards
Mikkel Kruse Johnsen
Adm.Dir., Linet
Ørholmgade 6 st tv, Copenhagen N 2200, Denmark
Work: +45 21287793 | Mobile: +45 21287793
Email: mikkel@linet.dk | IM: mikkel@linet.dk (MSN)
Professional Profile: Healthcare Network Consultant
On Mon, 18 May 2009 at 13:13 -0400, Greg Hudson wrote:
> kadmin support for ok_as_delegate has been added on the trunk but is not
> currently scheduled to go into 1.7, as the cutoff for new features was a
> while ago. That could probably change if we find conclusive evidence
> that ok_as_delegate support is more important than we thought.
>
> However, I think your problem may not be related to the ok_as_delegate
> flag. http://krbdev.mit.edu/rt/Ticket/Display.html?id=5807 matches your
> symptoms and is a totally different bug, which will be fixed in 1.7.
> (The relevant version in this case is the Kerberos code running on your
> Apache HTTPD server.)
>
> http://mailman.mit.edu/pipermail/kerberos/2007-August/012104.html
> suggests that you might be able to work around the problem by using
> mod_auth_kerb's SPNEGO code instead of MIT krb5's. I don't know if
> that's still possible two years later.
>
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
Attachment: krb5-1.6-ok-as-delegate.patch (text/x-patch)
diff -uNr krb5-1.6.1.orig/doc/admin.texinfo krb5-1.6.1/doc/admin.texinfo
--- krb5-1.6.1.orig/doc/admin.texinfo 2006-12-21 23:07:31.000000000 +0100
+++ krb5-1.6.1/doc/admin.texinfo 2009-04-14 09:06:36.000000000 +0200
@@ -1896,6 +1896,13 @@
sets the KRB5_KDB_REQUIRES_HW_AUTH flag on the principal in the
database.
+@itemx @{-|+@}ok_as_delegate
+The ``+ok_as_delegate'' sets the OK-AS-DELEGATE flag on tickets issued for use
+with this principal as the service, which clients may use as a hint that
+credentials can and should be delegated when authenticating to the service.
+Sets the KRB5_KDB_OK_AS_DELEGATE flag. ``-ok_as_delegate'' clears
+this flag.
+
@item @{-|+@}allow_svr
The ``-allow_svr'' flag prohibits the issuance of service tickets for
this principal. ``+allow_svr'' clears this flag. In effect,
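Review bot: the new entry `+@itemx @{-|+@}ok_as_delegate` should be `@item`, not `@itemx`; in Texinfo `@itemx` attaches a second label to the preceding `@item`, so as written ok_as_delegate renders as a continuation of the requires_hwauth entry rather than as its own table row. Use `@item @{-|+@}ok_as_delegate`, matching the `@item @{-|+@}allow_svr` line that follows. The text itself ("a hint that credentials can and should be delegated") correctly presents the flag as advisory to the client, but since the KDC hunks below also set it in the AS path, the doc should say that putting +ok_as_delegate on a krbtgt principal marks the TGTs issued for it, not just ordinary service tickets.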
diff -uNr krb5-1.6.1.orig/src/include/kdb.h krb5-1.6.1/src/include/kdb.h
--- krb5-1.6.1.orig/src/include/kdb.h 2006-12-13 00:37:53.000000000 +0100
+++ krb5-1.6.1/src/include/kdb.h 2009-04-14 09:06:36.000000000 +0200
@@ -79,6 +79,7 @@
#define KRB5_KDB_PWCHANGE_SERVICE 0x00002000
#define KRB5_KDB_SUPPORT_DESMD5 0x00004000
#define KRB5_KDB_NEW_PRINC 0x00008000
+#define KRB5_KDB_OK_AS_DELEGATE 0x00010000
/* Creation flags */
#define KRB5_KDB_CREATE_BTREE 0x00000001
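Review bot: the value `0x00010000` picked for KRB5_KDB_OK_AS_DELEGATE is a principal attribute bit, so it is written into the KDB and into kdb5_util dumps the moment a site uses it. Greg's reply above says the trunk already has its own kadmin support for this flag; this definition needs to match the trunk's value, otherwise principals flagged on a patched 1.6 KDC will carry a bit that means something different (or nothing) after an upgrade to 1.7, and the prflags[] entry added in kadmin.c, which is indexed by bit position, would have to move with it.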
diff -uNr krb5-1.6.1.orig/src/kadmin/cli/kadmin.c krb5-1.6.1/src/kadmin/cli/kadmin.c
--- krb5-1.6.1.orig/src/kadmin/cli/kadmin.c 2006-12-19 22:10:19.000000000 +0100
+++ krb5-1.6.1/src/kadmin/cli/kadmin.c 2009-04-14 09:07:43.000000000 +0200
@@ -65,7 +65,8 @@
{"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0},
{"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1},
{"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 },
-{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }
+{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 },
+{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 }
};
static char *prflags[] = {
@@ -85,6 +86,7 @@
"PWCHANGE_SERVICE", /* 0x00002000 */
"SUPPORT_DESMD5", /* 0x00004000 */
"NEW_PRINC", /* 0x00008000 */
+ "OK_AS_DELEGATE", /* 0x00010000 */
};
char *getenv();
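Review bot: prflags[] is indexed by bit position, so the new `"OK_AS_DELEGATE", /* 0x00010000 */` entry prints correctly only because kdb.h defines the attribute as exactly 0x00010000, the bit right after NEW_PRINC. If the constant is changed to agree with the trunk's assignment, padding entries for the skipped bits are needed here, or `getprinc` will label the attribute with the wrong name (or index past the end of the array).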
@@ -1101,6 +1103,7 @@
"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
"\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
"\t\t\tLook at each database documentation for supported arguments\n");
}
@@ -1117,6 +1120,7 @@
"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
"\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
"\t\t\tLook at each database documentation for supported arguments\n"
);
diff -uNr krb5-1.6.1.orig/src/kadmin/cli/kadmin.M krb5-1.6.1/src/kadmin/cli/kadmin.M
--- krb5-1.6.1.orig/src/kadmin/cli/kadmin.M 2006-12-21 23:07:20.000000000 +0100
+++ krb5-1.6.1/src/kadmin/cli/kadmin.M 2009-04-14 09:06:36.000000000 +0200
@@ -327,6 +327,16 @@
.B -requires_hwauth
clears this flag.
.TP
+{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP
+.B +ok_as_delegate
+sets the OK-AS-DELEGATE flag on tickets issued for use with this principal
+as the service, which clients may use as a hint that credentials can and
+should be delegated when authenticating to the service. (Sets the
+.SM KRB5_KDB_OK_AS_DELEGATE
+flag.)
+.B -ok_as_delegate
+clears this flag.
+.TP
{\fB\-\fP|\fB+\fP}\fBallow_svr\fP
.B -allow_svr
prohibits the issuance of service tickets for this principal. (Sets the
diff -uNr krb5-1.6.1.orig/src/kdc/do_as_req.c krb5-1.6.1/src/kdc/do_as_req.c
--- krb5-1.6.1.orig/src/kdc/do_as_req.c 2006-11-14 23:47:21.000000000 +0100
+++ krb5-1.6.1/src/kdc/do_as_req.c 2009-04-14 09:06:36.000000000 +0200
@@ -257,6 +257,10 @@
enc_tkt_reply.caddrs = request->addresses;
enc_tkt_reply.authorization_data = 0;
+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) {
+ setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
+ }
+
/*
* Check the preauthentication if it is there.
*/
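Review bot: in the AS path the server the client names is normally the realm's krbtgt, so this hunk is what allows a TGT to carry OK-AS-DELEGATE at all, and it does so for every TGT issued for a krbtgt entry that has the attribute; neither documentation hunk mentions that consequence, and it deserves a sentence because a flagged TGT is the input to the TGS path below. The check also sits before the preauthentication check while the TGS hunk sits just before `ticket_reply.enc_part2 = &enc_tkt_reply;`; harmless, since a preauth failure discards the reply, but placing both at the equivalent point makes the two paths easier to audit together.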
diff -uNr krb5-1.6.1.orig/src/kdc/do_tgs_req.c krb5-1.6.1/src/kdc/do_tgs_req.c
--- krb5-1.6.1.orig/src/kdc/do_tgs_req.c 2007-04-04 23:08:05.000000000 +0200
+++ krb5-1.6.1/src/kdc/do_tgs_req.c 2009-04-14 09:06:36.000000000 +0200
@@ -534,6 +534,10 @@
goto cleanup;
}
+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) {
+ setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
+ }
+
ticket_reply.enc_part2 = &enc_tkt_reply;
/*
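Review bot: the hunk only ever sets TKT_FLG_OK_AS_DELEGATE and never clears it. On this path enc_tkt_reply is initialised earlier in the function from the encrypted part of the ticket the client presents, so its flags are inherited rather than built from scratch: a TGT that carries OK-AS-DELEGATE (which the AS hunk makes possible for a flagged krbtgt entry) would pass the flag on to every service ticket obtained with it, whether or not that service has the attribute, and a service whose attribute is later removed with -ok_as_delegate keeps reissuing flagged tickets on renewal. Mirror the attribute in both directions: `if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE); else clearflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);`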
diff -uNr krb5-1.6.1.orig/src/lib/kadm5/str_conv.c krb5-1.6.1/src/lib/kadm5/str_conv.c
--- krb5-1.6.1.orig/src/lib/kadm5/str_conv.c 2001-06-26 21:59:45.000000000 +0200
+++ krb5-1.6.1/src/lib/kadm5/str_conv.c 2009-04-14 09:06:36.000000000 +0200
@@ -73,6 +73,7 @@
static const char flags_tickets_in[] = "allow-tickets";
static const char flags_preauth_in[] = "preauth";
static const char flags_hwauth_in[] = "hwauth";
+static const char flags_ok_as_delegate_in[] = "ok-as-delegate";
static const char flags_pwchange_in[] = "pwchange";
static const char flags_service_in[] = "service";
static const char flags_pwsvc_in[] = "pwservice";
@@ -86,6 +87,7 @@
static const char flags_tickets_out[] = "All Tickets Disallowed";
static const char flags_preauth_out[] = "Preauthorization required";
static const char flags_hwauth_out[] = "HW Authorization required";
+static const char flags_ok_as_delegate_out[] = "OK as Delegate";
static const char flags_pwchange_out[] = "Password Change required";
static const char flags_service_out[] = "Service Disabled";
static const char flags_pwsvc_out[] = "Password Changing Service";
@@ -109,6 +111,7 @@
{ KRB5_KDB_DISALLOW_ALL_TIX, 0, flags_tickets_in, flags_tickets_out },
{ KRB5_KDB_REQUIRES_PRE_AUTH, 1, flags_preauth_in, flags_preauth_out },
{ KRB5_KDB_REQUIRES_HW_AUTH, 1, flags_hwauth_in, flags_hwauth_out },
+{ KRB5_KDB_OK_AS_DELEGATE, 1, flags_ok_as_delegate_in, flags_ok_as_delegate_out },
{ KRB5_KDB_REQUIRES_PWCHANGE, 1, flags_pwchange_in, flags_pwchange_out},
{ KRB5_KDB_DISALLOW_SVR, 0, flags_service_in, flags_service_out },
{ KRB5_KDB_PWCHANGE_SERVICE, 1, flags_pwsvc_in, flags_pwsvc_out },
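Review bot: the new row's second column (1) gives "ok-as-delegate" the same positive sense as preauth and hwauth, which is right for a flag that `+` should set. Note the spelling difference, though: this kadm5 table parses and prints the hyphenated `ok-as-delegate`, while the kadmin.c flag table added above matches the underscored `ok_as_delegate`. That follows the existing pattern (`allow-tickets` here vs `allow_tix` in kadmin), but neither documentation hunk lists the hyphenated form, so an administrator reading `getprinc` output will not know which string to feed back to kadmin.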
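The practical question in this thread is whether the service ticket the Apache host receives actually carries OK-AS-DELEGATE once the KDC is patched. The following is an added example, not code from MIT krb5 or from the attached patch: it decodes the TicketFlags BIT STRING as it is DER-encoded in the encrypted part of an AS-REP or TGS-REP (or in a cached ticket) into the 32-bit word MIT krb5 keeps in krb5_enc_tkt_part.flags, names the bits by their RFC 4120 section 5.3 numbers, and reports whether ok-as-delegate is set. The bit-to-letter table uses the letters `klist -f` prints; the three sample encodings are constructed, not captured traffic, and the short and long ones exercise the RFC 4120 5.2.8 rule that receivers accept bit strings of any length.

```python
"""Decode Kerberos ticket flags and check for OK-AS-DELEGATE.

Added example for this thread, not code from MIT krb5 or from the attached
patch.  The sample DER encodings at the bottom are constructed.
"""

# RFC 4120 5.3 TicketFlags bit numbers.  Bit 0 is the most significant bit of
# the BIT STRING, so MIT's TKT_FLG_* constant for bit n is 0x80000000 >> n.
# The second element is the letter klist -f prints for that bit.
RFC4120_TICKET_FLAGS = {
    1: ("forwardable", "F"),
    2: ("forwarded", "f"),
    3: ("proxiable", "P"),
    4: ("proxy", "p"),
    5: ("may-postdate", "D"),
    6: ("postdated", "d"),
    7: ("invalid", "i"),
    8: ("renewable", "R"),
    9: ("initial", "I"),
    10: ("pre-authent", "A"),
    11: ("hw-authent", "H"),
    12: ("transited-policy-checked", "T"),
    13: ("ok-as-delegate", "O"),
}


def tkt_flg(bit):
    """MIT krb5 bitmask for an RFC 4120 flag bit number."""
    return 0x80000000 >> bit


TKT_FLG_OK_AS_DELEGATE = tkt_flg(13)   # 0x00040000, the value in krb5.h


def kerberos_flags_from_der(der):
    """Convert a DER BIT STRING (tag 0x03) to the 32-bit KerberosFlags word.

    RFC 4120 5.2.8: senders MUST emit at least 32 bits; receivers SHOULD accept
    any length, treating missing trailing bits as zero and ignoring extra ones.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80:
        raise ValueError("long-form length is never needed for KerberosFlags")
    body = der[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated BIT STRING")
    unused = body[0]
    if unused > 7:
        raise ValueError("invalid unused-bits octet")
    bits = body[1:]
    nbits = len(bits) * 8 - unused
    if nbits <= 0:
        return 0
    value = int.from_bytes(bits, "big") >> unused   # drop the padding bits
    if nbits < 32:
        value <<= 32 - nbits        # missing bits read as zero
    else:
        value >>= nbits - 32        # bits beyond 32 are ignored
    return value & 0xFFFFFFFF


def flag_names(flags):
    """Set of RFC 4120 flag names present in a 32-bit flags word."""
    return {name for bit, (name, _) in RFC4120_TICKET_FLAGS.items()
            if flags & tkt_flg(bit)}


def flag_letters(flags):
    """klist -f style letters for the set bits, listed in RFC bit order."""
    return "".join(letter for bit, (_, letter) in sorted(RFC4120_TICKET_FLAGS.items())
                   if flags & tkt_flg(bit))


def has_ok_as_delegate(flags):
    """True when the ticket carries OK-AS-DELEGATE (RFC 4120 bit 13)."""
    return bool(flags & TKT_FLG_OK_AS_DELEGATE)


# Constructed samples, not captured traffic.
# Service ticket flags: forwardable, renewable, pre-authent, ok-as-delegate.
SAMPLE_WITH_DELEGATE = bytes.fromhex("03 05 00 40 A4 00 00")
# A 10-bit encoding (forwardable, renewable): accepted per RFC 4120 5.2.8.
SAMPLE_SHORT = bytes.fromhex("03 03 06 40 80")
# A 40-bit encoding whose trailing bits must be ignored.
SAMPLE_LONG = bytes.fromhex("03 06 00 40 A4 00 00 80")

if __name__ == "__main__":
    for label, der in (("service ticket", SAMPLE_WITH_DELEGATE),
                       ("short encoding", SAMPLE_SHORT),
                       ("long encoding", SAMPLE_LONG)):
        flags = kerberos_flags_from_der(der)
        print("%-15s 0x%08x %-5s %s ok-as-delegate=%s" % (
            label, flags, flag_letters(flags), sorted(flag_names(flags)),
            has_ok_as_delegate(flags)))
```

To use it against a real deployment, feed `kerberos_flags_from_der` the `flags` element from the decrypted EncTicketPart or EncKDCRepPart of a captured reply; if the patched KDC is doing its job for the HTTP/ service principal, the result has the 0x00040000 bit set and `klist -f` on the client shows the same ticket with an `O` among its flags.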