[Freeipa-devel] kerberos ticket forwarding with mod_auth_kerb

Rob Crittenden rcritten at redhat.com
Fri Jul 13 20:19:51 UTC 2007


Well I'm having no luck at all getting ticket forwarding working. I've 
got basic kerberos SSO working fine.

I get a forwardable ticket with:

kinit -f rcrit@GREYOAK.COM
klist
Ticket cache: FILE:/tmp/krb5cc_10996
Default principal: rcrit@GREYOAK.COM

Valid starting     Expires            Service principal
07/13/07 15:58:36  07/14/07 15:56:44  krbtgt/GREYOAK.COM@GREYOAK.COM
         Flags: FIA
07/13/07 15:58:37  07/14/07 15:56:44  HTTP/ipa.greyoak.com@GREYOAK.COM
         Flags: FAT

Ticket cache: FILE:/tmp/krb5cc_10996

krb5.conf has forwardable=yes on the client and the kdc server.

I have mod_auth_kerb configured to save them:

<LocationMatch "/cgi-bin/*">
   AuthType Kerberos
   AuthName "Kerberos Login"
   KrbMethodNegotiate on
   KrbMethodK5Passwd off
   KrbServiceName HTTP
   KrbAuthRealms GREYOAK.COM
   Krb5KeyTab /etc/httpd/conf/ipa.keytab
   KrbSaveCredentials on
   Require valid-user
   ErrorDocument 401 /errors/unauthorized.html
</LocationMatch>

In my browser (Firefox 2.0.0.4) I have 
network.negotiate-auth.delegation-uris and 
network.negotiate-auth.trusted-uris set and the Firefox log seems to 
indicate that it is doing the right thing:

-1208289600[937eeb8]:   using REQ_DELEGATE
-1208289600[937eeb8]:   service = ipa.greyoak.com
-1208289600[937eeb8]:   using negotiate-gss
-1208289600[937eeb8]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1208289600[937eeb8]: entering nsAuthGSSAPI::Init()
-1208289600[937eeb8]: nsHttpNegotiateAuth::GenerateCredentials() 
[challenge=Negotiate]
-1208289600[937eeb8]: entering nsAuthGSSAPI::GetNextToken()
-1208289600[937eeb8]:   leaving nsAuthGSSAPI::GetNextToken [rv=0]
-1208289600[937eeb8]:   Sending a token of length 1150

Assuming that REQ_DELEGATE means what I think it does.

Apache is logging:

[Fri Jul 13 16:15:21 2007] [debug] src/mod_auth_kerb.c(1405): [client 
192.168.0.1] kerb_authenticate_user entered with user (NULL) and 
auth_type Kerberos
[Fri Jul 13 16:15:22 2007] [debug] src/mod_auth_kerb.c(1405): [client 
192.168.0.1] kerb_authenticate_user entered with user (NULL) and 
auth_type Kerberos
[Fri Jul 13 16:15:22 2007] [debug] src/mod_auth_kerb.c(1148): [client 
192.168.0.1] Acquiring creds for HTTP@ipa.greyoak.com
[Fri Jul 13 16:15:22 2007] [debug] src/mod_auth_kerb.c(1240): [client 
192.168.0.1] Verifying client data using KRB5 GSS-API
[Fri Jul 13 16:15:22 2007] [debug] src/mod_auth_kerb.c(1256): [client 
192.168.0.1] Verification returned code 0
[Fri Jul 13 16:15:22 2007] [debug] src/mod_auth_kerb.c(1274): [client 
192.168.0.1] GSS-API token of length 22 bytes will be sent back
[Fri Jul 13 16:15:22 2007] [debug] src/mod_auth_kerb.c(1321): [client 
192.168.0.1] set cached name rcrit@GREYOAK.COM for connection

The call to gss_accept_sec_context() is setting the delegated 
credentials to GSS_C_NO_CREDENTIAL.

So I'm pretty much stumped.

This is on Fedora 7 with Apache 2.2.4 and mod_auth_kerb 5.3-3.

rob
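Added example, not part of Rob's post or of mod_auth_kerb itself: a small Python diagnostic for the two places delegation is usually lost. It parses klist output (the sample is the post's, with "@" restored) to confirm the TGT carries the F flag, and classifies the environment a CGI script under that LocationMatch receives, assuming mod_auth_kerb's behaviour of exporting the saved delegated cache path as KRB5CCNAME when KrbSaveCredentials is on.

```python
import os
import re

# Constructed sample: the klist output from the post, with the archive's
# " at " mangling turned back into "@".
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_10996
Default principal: rcrit@GREYOAK.COM

Valid starting     Expires            Service principal
07/13/07 15:58:36  07/14/07 15:56:44  krbtgt/GREYOAK.COM@GREYOAK.COM
        Flags: FIA
07/13/07 15:58:37  07/14/07 15:56:44  HTTP/ipa.greyoak.com@GREYOAK.COM
        Flags: FAT
"""

# A ticket row is two timestamps followed by the service principal.
TICKET_RE = re.compile(r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)$")
FLAGS_RE = re.compile(r"^\s*Flags:\s*([A-Za-z]*)")

def parse_klist(text):
    """Map each service principal in klist output to its flag letters."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = m.group(1)
            tickets[current] = ""
            continue
        m = FLAGS_RE.match(line)
        if m and current:
            tickets[current] = m.group(1)
    return tickets

def tgt_forwardable(tickets, realm):
    """True if the realm's TGT carries F: without it nothing can be delegated."""
    return "F" in tickets.get("krbtgt/%s@%s" % (realm, realm), "")

def delegation_status(environ, exists=os.path.exists):
    """Classify the CGI environment mod_auth_kerb provides. With
    KrbSaveCredentials on it exports the delegated cache as KRB5CCNAME;
    no KRB5CCNAME means no delegated credential reached the server."""
    if not environ.get("REMOTE_USER"):
        return "not-authenticated"
    cc = environ.get("KRB5CCNAME")
    if not cc:
        return "no-delegated-credentials"
    path = cc.split(":", 1)[1] if cc.startswith("FILE:") else cc
    return "delegated" if exists(path) else "ccache-missing"
```

Run `tgt_forwardable(parse_klist(klist_text), realm)` on the client and drop `delegation_status(os.environ)` into a script under /cgi-bin/ on the server to see which side is dropping the forwarded TGT.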