[Freeipa-devel] kerberos ticket forwarding with mod_auth_kerb
Rob Crittenden
rcritten at redhat.com
Fri Jul 13 20:19:51 UTC 2007
Well I'm having no luck at all getting ticket forwarding working. I've
got basic kerberos SSO working fine.
I get a forwardable ticket with:
kinit -f rcrit@GREYOAK.COM
klist
Ticket cache: FILE:/tmp/krb5cc_10996
Default principal: rcrit@GREYOAK.COM

Valid starting     Expires            Service principal
07/13/07 15:58:36  07/14/07 15:56:44  krbtgt/GREYOAK.COM@GREYOAK.COM
        Flags: FIA
07/13/07 15:58:37  07/14/07 15:56:44  HTTP/ipa.greyoak.com@GREYOAK.COM
        Flags: FAT
krb5.conf has forwardable=yes on the client and on the KDC server.
I have mod_auth_kerb configured to save them:
<LocationMatch "/cgi-bin/*">
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbServiceName HTTP
    KrbAuthRealms GREYOAK.COM
    Krb5KeyTab /etc/httpd/conf/ipa.keytab
    KrbSaveCredentials on
    Require valid-user
    ErrorDocument 401 /errors/unauthorized.html
</LocationMatch>
In my browser (Firefox 2.0.0.4) I have
network.negotiate-auth.delegation-uris and
network.negotiate-auth.trusted-uris set and the Firefox log seems to
indicate that it is doing the right thing:
-1208289600[937eeb8]: using REQ_DELEGATE
-1208289600[937eeb8]: service = ipa.greyoak.com
-1208289600[937eeb8]: using negotiate-gss
-1208289600[937eeb8]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1208289600[937eeb8]: entering nsAuthGSSAPI::Init()
-1208289600[937eeb8]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
-1208289600[937eeb8]: entering nsAuthGSSAPI::GetNextToken()
-1208289600[937eeb8]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
-1208289600[937eeb8]: Sending a token of length 1150
Assuming that REQ_DELEGATE means what I think it does.
Apache is logging:
[Fri Jul 13 16:15:21 2007] [debug] src/mod_auth_kerb.c(1405): [client 192.168.0.1] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Jul 13 16:15:22 2007] [debug] src/mod_auth_kerb.c(1405): [client 192.168.0.1] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Jul 13 16:15:22 2007] [debug] src/mod_auth_kerb.c(1148): [client 192.168.0.1] Acquiring creds for HTTP@ipa.greyoak.com
[Fri Jul 13 16:15:22 2007] [debug] src/mod_auth_kerb.c(1240): [client 192.168.0.1] Verifying client data using KRB5 GSS-API
[Fri Jul 13 16:15:22 2007] [debug] src/mod_auth_kerb.c(1256): [client 192.168.0.1] Verification returned code 0
[Fri Jul 13 16:15:22 2007] [debug] src/mod_auth_kerb.c(1274): [client 192.168.0.1] GSS-API token of length 22 bytes will be sent back
[Fri Jul 13 16:15:22 2007] [debug] src/mod_auth_kerb.c(1321): [client 192.168.0.1] set cached name rcrit@GREYOAK.COM for connection
The call to gss_accept_sec_context() is setting the delegated
credentials to GSS_C_NO_CREDENTIAL.
So I'm pretty much stumped.
This is on Fedora 7 with Apache 2.2.4 and mod_auth_kerb 5.3-3
rob
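As an added check (not part of Rob's mail or of mod_auth_kerb), a small parser for `klist -f` output that decodes the flag letters and verifies the precondition delegation actually depends on: the TGT for the client's realm, not the HTTP service ticket, must be forwardable. The sample listing is constructed from the cache shown above; function names are my own.

```python
"""Parse `klist -f` output and check the client-side precondition for GSSAPI delegation."""
import re

# Flag letters as documented in klist(1) for MIT Kerberos.
KLIST_FLAGS = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hardware authenticated", "A": "preauthenticated",
    "T": "transit policy checked", "O": "ok as delegate", "a": "anonymous",
}

# Constructed sample: the cache listing from the mail above.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_10996
Default principal: rcrit@GREYOAK.COM

Valid starting     Expires            Service principal
07/13/07 15:58:36  07/14/07 15:56:44  krbtgt/GREYOAK.COM@GREYOAK.COM
\tFlags: FIA
07/13/07 15:58:37  07/14/07 15:56:44  HTTP/ipa.greyoak.com@GREYOAK.COM
\tFlags: FAT
"""

TICKET_RE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(\S+@\S+)\s*$")  # start, expiry, service
FLAGS_RE = re.compile(r"^\s*Flags:\s*(\S+)")

def parse_klist(text):
    """Return (default_principal, [(service_principal, set_of_flag_letters), ...])."""
    principal, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif (m := TICKET_RE.match(line)):
            tickets.append((m.group(1), set()))
        elif (m := FLAGS_RE.match(line)) and tickets:
            tickets[-1][1].update(m.group(1))  # flags belong to the preceding ticket
    return principal, tickets

def delegation_check(text):
    """Return (ok, reason): delegation forwards the TGT, so only its F flag matters."""
    principal, tickets = parse_klist(text)
    if principal is None:
        return False, "no default principal in cache"
    realm = principal.rsplit("@", 1)[1]
    tgt = next((f for p, f in tickets if p == f"krbtgt/{realm}@{realm}"), None)
    if tgt is None:
        return False, f"no TGT for {realm} in cache"
    if "F" not in tgt:
        return False, "TGT is not forwardable: kinit -f (or forwardable = yes in krb5.conf)"
    return True, "TGT forwardable: " + ", ".join(sorted(KLIST_FLAGS[c] for c in tgt))
```

If this check passes and the server still sees GSS_C_NO_CREDENTIAL, the failure is on the browser or server side (delegation-uris, or the KDC refusing a forwarded TGT), not in the client cache.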