[31189] in Kerberos


Re: question about apache mod_auth_kerb

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Wed May 27 10:45:29 2009

Message-ID: <4A1D51B7.5070407@anl.gov>
Date: Wed, 27 May 2009 09:44:07 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Guillaume Rousse <Guillaume.Rousse@inria.fr>
In-Reply-To: <4A1D451A.70509@inria.fr>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



Guillaume Rousse wrote:
> Hello list.
> 
> We use mod_auth_kerb 5.4 to protect nagios access. This application 
> automatically refreshes the screen every 30s.
> 
> By looking at the logs, we just discovered each refresh leads to multiple 
> connections to the KDC, for forwarding tickets:
> 2009-05-27T15:34:18 TGS-REQ stefanes@SACLAY.INRIA.FR from 
> IPv4:195.83.212.212 for krbtgt/SACLAY.INRIA.FR@SACLAY.INRIA.FR [forwarded]
> 2009-05-27T15:34:18 Request to forward non-forwardable ticket
> 2009-05-27T15:34:18 Failed building TGS-REP to IPv4:195.83.212.212
> 2009-05-27T15:34:18 sending 107 bytes to IPv4:195.83.212.212
> 2009-05-27T15:34:18 TGS-REQ stefanes@SACLAY.INRIA.FR from 
> IPv4:195.83.212.212 for krbtgt/SACLAY.INRIA.FR@SACLAY.INRIA.FR [forwarded]
> 2009-05-27T15:34:18 Request to forward non-forwardable ticket
> 2009-05-27T15:34:18 Failed building TGS-REP to IPv4:195.83.212.212
> 2009-05-27T15:34:18 sending 107 bytes to IPv4:195.83.212.212
> 
> Using a forwardable TGT, this changes to:
> 2009-05-27T15:34:42 TGS-REQ rousse@SACLAY.INRIA.FR from 
> IPv4:195.83.212.49 for krbtgt/SACLAY.INRIA.FR@SACLAY.INRIA.FR 
> [proxiable, forwarded, forwardable]
> 2009-05-27T15:34:42 TGS-REQ authtime: 2009-05-27T15:17:09 starttime: 
> 2009-05-27T15:34:42 endtime: 2009-05-27T21:57:20 renew till: unset
> 2009-05-27T15:34:42 sending 673 bytes to IPv4:195.83.212.49
> 2009-05-27T15:34:42 TGS-REQ rousse@SACLAY.INRIA.FR from 
> IPv4:195.83.212.49 for krbtgt/SACLAY.INRIA.FR@SACLAY.INRIA.FR 
> [proxiable, forwarded, forwardable]
> 2009-05-27T15:34:42 TGS-REQ authtime: 2009-05-27T15:17:09 starttime: 
> 2009-05-27T15:34:42 endtime: 2009-05-27T21:57:20 renew till: unset
> 2009-05-27T15:34:42 sending 673 bytes to IPv4:195.83.212.49
> 
> The multiple attempts seem to result from the multiple resources 
> fetched each time (html page, CSS stylesheets, icons...). However, why 
> does the client (firefox here) apparently attempt to forward its ticket, 
> or to renew it, each time it attempts to reconnect?

You may have told Firefox to do this.  Enter about:config and look for the

network.negotiate-auth.delegation-uris     user set   string  https://inria.fr

This would say to try and delegate to any website in inria.fr

> 
> Here is apache configuration:
> <Location />
>      AuthType Kerberos
>      AuthName "Kerberos autentication required"
>      KrbAuthRealm SACLAY.INRIA.FR
>      Krb5Keytab /etc/krb5.keytab
>      KrbMethodK5Passwd on
>      KrbMethodNegotiate on
>      KrbLocalUserMapping on
>      Require valid-user
> </Location>

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
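An added example, not part of the thread or of mod_auth_kerb: a small Python parser over constructed KDC log lines in the Heimdal format quoted above. It groups forwarded-TGT requests per (client principal, source IP) and counts those the KDC refused as non-forwardable, so an administrator can spot the per-resource burst that a browser delegation setting produces. Principals and addresses are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the Heimdal KDC log format quoted in the thread
# (hypothetical principals and documentation-range IPs, not real data).
SAMPLE_KDC_LOG = [
    "2009-05-27T15:34:18 TGS-REQ alice@EXAMPLE.ORG from IPv4:192.0.2.10 for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG [forwarded]",
    "2009-05-27T15:34:18 Request to forward non-forwardable ticket",
    "2009-05-27T15:34:18 Failed building TGS-REP to IPv4:192.0.2.10",
    "2009-05-27T15:34:18 TGS-REQ alice@EXAMPLE.ORG from IPv4:192.0.2.10 for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG [forwarded]",
    "2009-05-27T15:34:18 Request to forward non-forwardable ticket",
    "2009-05-27T15:34:18 Failed building TGS-REP to IPv4:192.0.2.10",
    "2009-05-27T15:34:42 TGS-REQ bob@EXAMPLE.ORG from IPv4:192.0.2.20 for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG [proxiable, forwarded, forwardable]",
    "2009-05-27T15:34:42 TGS-REQ authtime: 2009-05-27T15:17:09 starttime: 2009-05-27T15:34:42 endtime: 2009-05-27T21:57:20 renew till: unset",
    "2009-05-27T15:34:42 sending 673 bytes to IPv4:192.0.2.20",
    "2009-05-27T15:34:42 TGS-REQ bob@EXAMPLE.ORG from IPv4:192.0.2.20 for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG [proxiable, forwarded, forwardable]",
    "2009-05-27T15:34:42 sending 673 bytes to IPv4:192.0.2.20",
    "2009-05-27T15:35:00 TGS-REQ carol@EXAMPLE.ORG from IPv4:192.0.2.30 for HTTP/www.example.org@EXAMPLE.ORG []",
    "2009-05-27T15:35:00 sending 620 bytes to IPv4:192.0.2.30",
]

# A TGS-REQ summary line: timestamp, client principal, source address, target service, ticket flags.
TGS_RE = re.compile(r"^(?P<ts>\S+) TGS-REQ (?P<client>\S+) from IPv4:(?P<ip>\S+) "
                    r"for (?P<service>\S+) \[(?P<flags>[^\]]*)\]$")
REFUSED = "Request to forward non-forwardable ticket"

def summarize_forwarding(lines):
    """Group forwarded-TGT requests by (client principal, source IP) and count how
    many of them the KDC refused because the client's TGT was not forwardable."""
    stats = defaultdict(lambda: {"forwarded": 0, "refused": 0, "first": None, "last": None})
    current = None  # key of the most recent forwarded TGS-REQ; the refusal line follows it
    for line in lines:
        m = TGS_RE.match(line)
        if m:
            flags = {f.strip() for f in m["flags"].split(",")}
            current = (m["client"], m["ip"]) if "forwarded" in flags else None
            if current:
                s = stats[current]
                s["forwarded"] += 1
                s["first"] = s["first"] or m["ts"]
                s["last"] = m["ts"]
        elif current and REFUSED in line:
            stats[current]["refused"] += 1
    return dict(stats)

def noisy_delegators(stats, threshold=2):
    """Clients sending repeated forwarded-TGT requests: the per-resource burst a
    browser delegation setting such as negotiate-auth.delegation-uris produces."""
    return sorted(k for k, v in stats.items() if v["forwarded"] >= threshold)
```

Run it over a real kdc.log to see which clients are delegating on every page load and whether their TGTs are forwardable at all; a high "refused" count is the non-forwardable case from the first log excerpt.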
