[Freeipa-devel] Kerberos ticket forwarding
Rob Crittenden
rcritten at redhat.com
Thu Oct 4 17:37:13 UTC 2007
Rob Crittenden wrote:
> Rob Crittenden wrote:
>> I started from scratch on the Kerberos ticket forwarding problem and
>> mod_auth_kerb again. I have a 2-line patch that fixes it now and
>> doesn't require the massive changes I currently used.
>>
>> In my rush I included the F7 patch in the RHEL-5 bug :-( I also made a
>> patch for that.
>>
>> The patch for both can be found at:
>> https://bugzilla.redhat.com/show_bug.cgi?id=301061
>>
>> Note that I had RHEL-5 enforcing on my RHEL-5 box and had lots of
>> problems with the tickets.
>>
>> The CGI I wrote to test this called klist to show that the ticket was
>> forwarded properly. I got this denial:
>>
>> Oct 1 16:38:18 thor setroubleshoot: SELinux is preventing the
>> /usr/kerberos/bin/klist from using potentially mislabeled files
>> (/tmp/krb5cc_apache_TxNr3M). For complete SELinux messages. run
>> sealert -l 40a72116-ed45-420d-914a-ce9d56486d94
>>
>> rob
>>
>
> Attached is the new SRPM if anyone wants to give it a go.

Ok, it looks like I spoke too soon. This new module works fine with the
command-line tools and curl but does not work with Firefox. With Firefox
I get an error in Apache:

Cannot store delegated credential (gss_krb5_copy_ccache: Invalid
credential was supplied (No error))

It works fine using the mod_auth_kerb SPNEGO code.

So to use the GUI, stick with the 5.3-4ipa version for now.

rob