mod_auth_kerb realm stripping
daemon@ATHENA.MIT.EDU (Chris Cowley)
Tue Oct 13 14:07:02 2009
From: Chris Cowley <chriscowleysound@googlemail.com>
Date: Tue, 13 Oct 2009 09:28:15 -0700 (PDT)
Message-ID: <ae52b579-4261-4fcf-adb4-e2113cbf2b2f@k17g2000yqb.googlegroups.com>
To: kerberos@mit.edu
Hello all,
I am trying to tweak my mod_auth_kerb setup. Currently it works
nicely: I am able to authenticate to web pages on our intranet and
everything is dandy.
The problem I am having is the contents of Apache's REMOTE_USER
variable. Currently it has my REALM on the end, which I do not want. I
have upgraded to mod_auth_kerb 5.4, which introduced a
"KrbLocalUserMapping" option. As you can see in the log below, it is
rewriting my principal, but then I am not found in AD. The value I am
being rewritten to matches my sAMAccountName, so it should be found.
[Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1578): [client 172.19.77.8] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1213): [client 172.19.77.8] Acquiring creds for HTTP/svn.snellwilcox.local
[Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1335): [client 172.19.77.8] Verifying client data using KRB5 GSS-API
[Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1351): [client 172.19.77.8] Client didn't delegate us their credential
[Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1370): [client 172.19.77.8] GSS-API token of length 161 bytes will be sent back
[Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1484): [client 172.19.77.8] kerb_authenticate_a_name_to_local_name ChrisCowley@SNELLWILCOX.LOCAL -> ChrisCowley
[Tue Oct 13 17:13:26 2009] [debug] mod_authnz_ldap.c(561): [client 172.19.77.8] ldap authorize: Creating LDAP req structure
[Tue Oct 13 17:13:26 2009] [debug] mod_authnz_ldap.c(573): [client 172.19.77.8] auth_ldap authorise: User DN not found, User not found
http.conf:
AuthType Kerberos
AuthName "Subversion - use your SNELLWILCOX domain login (as used to log in to Windows)"
Krb5Keytab /etc/kerberos/svn.keytab
KrbVerifyKDC On
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms SNELLWILCOX.LOCAL
KrbLocalUserMapping on
AuthLDAPBindDN <binddn>
AuthLDAPBindPassword <password>
AuthLDAPURL ldap://<windoze_dn>/OU=SnellWilcox,DC=snellwilcox,DC=local?userPrincipalName,sAMAccountName,mail,displayname,cn?sub?(objectClass=*)
require ldap-attribute msSFU30PosixMemberOf="CN=SG_Linux_CVS_IT,OU=Linux Authentication Groups,OU=Security Groups,OU=SnellWilcox,DC=snellwilcox,DC=local"
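A short Python walk-through of the two steps the log above shows, added here as an illustration; it is not from the original post and not code from mod_auth_kerb or mod_authnz_ldap. It pairs a simplified stand-in for KrbLocalUserMapping (drop the realm when it is one of the KrbAuthRealms) with a parser for the AuthLDAPURL from the config, building the search filter the way the mod_authnz_ldap documentation describes it: only the first attribute of the URL's attribute list is searched, combined with the URL's filter. The host name, the single directory entry and the tiny filter evaluator are constructed sample data, so the point of the run is only to make visible which attribute the mapped name is compared against.

```python
"""Trace principal -> local name -> LDAP search filter for a mod_auth_kerb +
mod_authnz_ldap setup.  Added illustration with constructed data; the realm
stripping is a simplified stand-in for krb5_aname_to_localname, and the
directory lookup is a toy evaluator, not a real LDAP client."""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample config/data modelled on the post (host name is a placeholder).
AUTH_LDAP_URL = (
    "ldap://dc.example.invalid/OU=SnellWilcox,DC=snellwilcox,DC=local"
    "?userPrincipalName,sAMAccountName,mail,displayname,cn?sub?(objectClass=*)"
)
AUTH_REALMS = {"SNELLWILCOX.LOCAL"}
DIRECTORY = [  # one constructed AD-style entry
    {
        "dn": "CN=Chris Cowley,OU=SnellWilcox,DC=snellwilcox,DC=local",
        "userPrincipalName": "ChrisCowley@snellwilcox.local",
        "sAMAccountName": "ChrisCowley",
        "objectClass": "user",
    }
]

# Matches one equality/presence term such as (sAMAccountName=ChrisCowley) or (objectClass=*).
TERM = re.compile(r"\(([A-Za-z0-9]+)=([^()]*)\)")


def local_user(principal, auth_realms):
    """Simplified KrbLocalUserMapping: strip '@REALM' only for a realm that is
    in KrbAuthRealms; anything else is returned unchanged (assumption)."""
    name, sep, realm = principal.rpartition("@")
    if sep and realm.upper() in {r.upper() for r in auth_realms}:
        return name
    return principal


def parse_auth_ldap_url(url):
    """Split ldap://host/basedn?attrs?scope?filter into its parts."""
    parts = urlsplit(url)
    fields = parts.query.split("?")  # attrs ? scope ? filter
    attrs = [a for a in fields[0].split(",") if a] if fields[0] else ["uid"]
    scope = fields[1] if len(fields) > 1 and fields[1] else "sub"
    filt = fields[2] if len(fields) > 2 and fields[2] else "(objectClass=*)"
    return {
        "host": parts.hostname,
        "base_dn": unquote(parts.path.lstrip("/")),
        "attrs": attrs,
        "scope": scope,
        "filter": filt,
    }


def search_filter(url_info, username):
    """mod_authnz_ldap combines the URL filter with the FIRST attribute only."""
    attr = url_info["attrs"][0]
    return f"(&{url_info['filter']}({attr}={username}))"


def matches(entry, filt):
    """Toy evaluator: supports (&(a=b)(c=d)...) and '*' presence tests, with
    case-insensitive comparison as AD does for these attributes."""
    if filt.startswith("(&"):
        return all(matches(entry, f"({a}={v})") for a, v in TERM.findall(filt[2:-1]))
    m = TERM.fullmatch(filt)
    if m is None:
        raise ValueError(f"unsupported filter: {filt}")
    attr, value = m.group(1), m.group(2)
    actual = next((v for k, v in entry.items() if k.lower() == attr.lower()), None)
    if actual is None:
        return False
    return True if value == "*" else actual.lower() == value.lower()


def find_user(url, username, directory=DIRECTORY):
    """Return the DNs the search would return for the mapped user name."""
    info = parse_auth_ldap_url(url)
    return [e["dn"] for e in directory if matches(e, search_filter(info, username))]


def trace(url, principal, auth_realms=AUTH_REALMS):
    """Full trace: realm mapping, the filter sent, and the matched DNs."""
    user = local_user(principal, auth_realms)
    info = parse_auth_ldap_url(url)
    return {"user": user, "filter": search_filter(info, user), "dns": find_user(url, user)}


if __name__ == "__main__":
    as_posted = trace(AUTH_LDAP_URL, "ChrisCowley@SNELLWILCOX.LOCAL")
    print("attribute list as posted ->", as_posted)
    swapped = AUTH_LDAP_URL.replace("?userPrincipalName,sAMAccountName", "?sAMAccountName,userPrincipalName")
    print("sAMAccountName first     ->", trace(swapped, "ChrisCowley@SNELLWILCOX.LOCAL"))
```

Running the block prints the filter built for each attribute order so the two lookups can be compared side by side; the second URL is the same config with the first two attributes swapped, nothing else changed.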
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos