[Freeipa-devel] kerberos ticket forwarding with mod_auth_kerb
Andrew Bartlett
abartlet at samba.org
Fri Jul 13 23:01:23 UTC 2007
On Fri, 2007-07-13 at 17:26 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Fri, 2007-07-13 at 16:19 -0400, Rob Crittenden wrote:
> >> I have mod_auth_kerb configured to save them:
> >>
> >> <LocationMatch "/cgi-bin/*">
> >> AuthType Kerberos
> >> AuthName "Kerberos Login"
> >> KrbMethodNegotiate on
> >> KrbMethodK5Passwd off
> >> KrbServiceName HTTP
> >> KrbAuthRealms GREYOAK.COM
> >> Krb5KeyTab /etc/httpd/conf/ipa.keytab
> >> KrbSaveCredentials on
> >> Require valid-user
> >> ErrorDocument 401 /errors/unauthorized.html
> >> </LocationMatch>
> >
> > Shouldn't it be Krb5SaveCredentials (note the missing 5 in your conf) ?
> > Have you tried also to set Krb5Forwardable on ?
> >
> > Simo.
> >
>
> I found a patch
> http://permalink.gmane.org/gmane.comp.apache.mod-auth-kerb.general/980
> that seems to work with curl:
>
> % curl -u : --negotiate http://ipa.greyoak.com/cgi-bin/klist
> REMOTE_USER is rcrit@GREYOAK.COM
> Ticket cache: FILE:/tmp/krb5cc_apache_pOtmOk
> Default principal: rcrit@GREYOAK.COM
>
> Valid starting Expires Service principal
> 07/13/07 17:21:48 07/14/07 15:56:44 krbtgt/GREYOAK.COM@GREYOAK.COM
>
> In Firefox with this patch the cache file is set but klist doesn't
> report any tickets.
One of the big challenges with forwarded Kerberos tickets is that they
are almost entirely up to the client - if the client app doesn't really
want to give them away, then there is nothing the KDC or target server
can do about it...
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
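As an added example (not code from this thread, FreeIPA or mod_auth_kerb), the following checks the credential cache mod_auth_kerb hands to a CGI, which is what Rob's klist CGI was printing above: it parses `klist -f` output and reports whether a TGT for the realm is present, unexpired, and carries the forwarded/forwardable flags. The sample output is constructed to match the format in the thread; the `Flags:` line assumes `klist -f` was used.

```python
import re
from datetime import datetime

# Added example, not mod_auth_kerb or FreeIPA code. Constructed sample of
# ``klist -f`` on the cache mod_auth_kerb created for the CGI; the indented
# ``Flags:`` line only appears with ``-f`` (F=forwardable, f=forwarded).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_apache_pOtmOk
Default principal: rcrit@GREYOAK.COM

Valid starting     Expires            Service principal
07/13/07 17:21:48  07/14/07 15:56:44  krbtgt/GREYOAK.COM@GREYOAK.COM
\tFlags: FfA
"""

FMT = "%m/%d/%y %H:%M:%S"
TICKET_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
                       r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")
FLAGS_RE = re.compile(r"^\s*Flags:\s*(\S+)")

def parse_klist(text):
    """Return (cache, principal, tickets); each ticket is a dict."""
    cache = principal = None
    tickets = []
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif TICKET_RE.match(line):
            m = TICKET_RE.match(line)
            tickets.append({"expires": datetime.strptime(m.group(2), FMT),
                            "service": m.group(3), "flags": ""})
        elif FLAGS_RE.match(line) and tickets:
            # Flags line belongs to the ticket printed just before it.
            tickets[-1]["flags"] = FLAGS_RE.match(line).group(1)
    return cache, principal, tickets

def usable_tgt(text, realm, now):
    """(ok, reason): does the cache hold an unexpired TGT for realm that was
    forwarded to us ('f') and can be forwarded on ('F')? ``now`` is in FMT."""
    _, _, tickets = parse_klist(text)
    for t in tickets:
        if t["service"] != "krbtgt/%s@%s" % (realm, realm):
            continue
        if t["expires"] <= datetime.strptime(now, FMT):
            return False, "TGT expired"
        if "f" not in t["flags"] or "F" not in t["flags"]:
            return False, "TGT not forwarded/forwardable"
        return True, "ok"
    return False, "no TGT in cache"   # the Firefox case in the thread
```

An empty cache (the Firefox symptom Rob describes) comes back as "no TGT in cache", which distinguishes a client that never delegated from one whose forwarded TGT has merely expired.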