[Freeipa-devel] freeipa and samba

Thomas Sailer sailer at sailer.dynip.lugs.ch
Fri Feb 15 13:13:25 UTC 2008


Hi Rob,

thanks for your suggestions.

I used the following test script: test.sh
#!/bin/sh
######################################################################
#
# Example CGI script that uses Kerberos credentials cached by
# mod_auth_kerb compiled with caching option.
#
# Submitted by: Von Welch <vwelch at ncsa.uiuc.edu>
#
# mod_auth_kerb - Daniel Henninger <daniel at ncsu.edu>
#
######################################################################

# Output HTML header
echo Content-type: text/plain
echo

# $REMOTE_USER should be set by httpd
if [ -z "$REMOTE_USER" ]; then
	echo '$REMOTE_USER not set.'
	exit 1
fi

echo "REMOTE_USER is $REMOTE_USER"

if [ -z "$KRB5CCNAME" ]; then
	echo 'Kerberos credential cache name $KRB5CCNAME does not exist.'
	exit 1
fi

# Do Kerberos stuff
echo "Environment"
env|sort
echo "/tmp contents"
/bin/ls -lZ /tmp/krb*
echo "run klist"
#/usr/bin/strace /usr/kerberos/bin/klist 2>&1
/usr/kerberos/bin/klist
echo "end run klist"

#X=`echo ${KRB5CCNAME} | sed -e s,FILE:,,`;
#/bin/cp -f ${X} /tmp/krb5cccache
#echo "cp -f ${X} /tmp/krb5cccache"

exit 0
--

The curl output is:
REMOTE_USER is admin at XXX.COM
Environment

AUTH_TYPE=Negotiate
DOCUMENT_ROOT=/var/www/html
GATEWAY_INTERFACE=CGI/1.1
HTTPS=on
HTTP_ACCEPT=*/*
HTTP_HOST=xxx.xxx.com
HTTP_USER_AGENT=curl/7.17.1 (i686-redhat-linux-gnu) libcurl/7.17.1 NSS/3.11.7.1 zlib/1.2.3 libidn/0.6.14
KRB5CCNAME=FILE:/tmp/krb5cc_apache_aHfCAu
PATH=/sbin:/usr/sbin:/bin:/usr/bin
PWD=/var/www/cgi-bin
QUERY_STRING=
REMOTE_ADDR=192.168.1.2
REMOTE_PORT=36386
REMOTE_USER=admin at XXX.COM
REQUEST_METHOD=GET
REQUEST_URI=/cgi-bin/test.sh
SCRIPT_FILENAME=/var/www/cgi-bin/test.sh
SCRIPT_NAME=/cgi-bin/test.sh
SERVER_ADDR=192.168.1.2
SERVER_ADMIN=root at localhost
SERVER_NAME=xxx.xxx.com
SERVER_PORT=443
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=<address>Apache/2.2.6 (Fedora) Server at xxx.xxx.com Port 443</address>
SERVER_SOFTWARE=Apache/2.2.6 (Fedora)
SHLVL=1
SSL_CIPHER=RC4
SSL_CIPHER_ALGKEYSIZE=128
SSL_CIPHER_EXPORT=false
SSL_CIPHER_NAME=SSL_RSA_WITH_RC4_128_MD5
SSL_CIPHER_USEKEYSIZE=128
SSL_CLIENT_VERIFY=NONE
SSL_PROTOCOL=TLSv1
SSL_SERVER_A_KEY=RSA_RSA
SSL_SERVER_A_SIG=MD5-RSA
SSL_SERVER_I_DN=CN=IPA Test Certificate Authority
SSL_SERVER_I_DN_CN=IPA Test Certificate Authority
SSL_SERVER_M_SERIAL=2000
SSL_SERVER_M_VERSION=3
SSL_SERVER_S_DN=CN=xxx.xxx.com,OU=Apache Web Server
SSL_SERVER_S_DN_CN=xxx.xxx.com
SSL_SERVER_S_DN_OU=Apache Web Server
SSL_SERVER_V_END=Feb 05 11:30:49 2018 GMT
SSL_SERVER_V_START=Feb 05 11:30:49 2008 GMT
SSL_SESSION_ID=FChmOVV5RlvItfI6JtGOac+kd5sMM1h3B41NqVT4YYU=
SSL_VERSION_INTERFACE=mod_nss/2.2.6
SSL_VERSION_LIBRARY=NSS/3.11.7.1
_=/bin/env
/tmp contents
-rw-r--r--  t.sailer Domain Users system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-1.6.3-4.fc9.src.rpm
-rw-r--r--  root     root         system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-devel-1.6.2-11.fc8.i386.rpm
-rw-r--r--  root     root         system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-libs-1.6.2-11.fc8.i386.rpm
-rw-r--r--  root     root         system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-server-1.6.2-11.fc8.i386.rpm
-rw-r--r--  root     root         system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-server-ldap-1.6.2-11.fc8.i386.rpm
-rw-r--r--  root     root         system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-workstation-1.6.2-11.fc8.i386.rpm
-rw-------  root     root         system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_0
-rw-------  t.sailer Domain Users system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_10000
-rw-------  apache   apache       system_u:object_r:httpd_tmp_t:s0 /tmp/krb5cc_apache_aHfCAu
run klist
Ticket cache: FILE:/tmp/krb5cc_apache_aHfCAu
Default principal: admin at XXX.COM

Valid starting     Expires            Service principal
02/15/08 14:02:59  02/17/08 13:53:25  krbtgt/XXX.COM at XXX.COM


Kerberos 4 ticket cache: /tmp/tkt48
end run klist
--


The firefox output is:
REMOTE_USER is admin at XXX.COM
Environment

AUTH_TYPE=Negotiate
DOCUMENT_ROOT=/var/www/html
GATEWAY_INTERFACE=CGI/1.1
HTTPS=on
HTTP_ACCEPT=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_ACCEPT_ENCODING=gzip,deflate
HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5
HTTP_CACHE_CONTROL=max-age=0, max-age=0
HTTP_CONNECTION=keep-alive
HTTP_COOKIE=session_id=2be4da016d07250e719ab15cae48512e680d52a9; tg-visit=7cd94c486e5746e239fb41f7fef1c7344c4f3e45
HTTP_HOST=xxx.xxx.com
HTTP_KEEP_ALIVE=300
HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10
KRB5CCNAME=FILE:/tmp/krb5cc_apache_oT62R7
PATH=/sbin:/usr/sbin:/bin:/usr/bin
PWD=/var/www/cgi-bin
QUERY_STRING=
REMOTE_ADDR=192.168.1.2
REMOTE_PORT=36383
REMOTE_USER=admin at XXX.COM
REQUEST_METHOD=GET
REQUEST_URI=/cgi-bin/test.sh
SCRIPT_FILENAME=/var/www/cgi-bin/test.sh
SCRIPT_NAME=/cgi-bin/test.sh
SERVER_ADDR=192.168.1.2
SERVER_ADMIN=root at localhost
SERVER_NAME=xxx.xxx.com
SERVER_PORT=443
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=<address>Apache/2.2.6 (Fedora) Server at xxx.xxx.com Port 443</address>
SERVER_SOFTWARE=Apache/2.2.6 (Fedora)
SHLVL=1
SSL_CIPHER=AES-256
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_NAME=TLS_RSA_WITH_AES_256_CBC_SHA
SSL_CIPHER_USEKEYSIZE=256
SSL_CLIENT_VERIFY=NONE
SSL_PROTOCOL=TLSv1
SSL_SERVER_A_KEY=RSA_RSA
SSL_SERVER_A_SIG=SHA1-RSA
SSL_SERVER_I_DN=CN=IPA Test Certificate Authority
SSL_SERVER_I_DN_CN=IPA Test Certificate Authority
SSL_SERVER_M_SERIAL=2000
SSL_SERVER_M_VERSION=3
SSL_SERVER_S_DN=CN=xxx.xxx.com,OU=Apache Web Server
SSL_SERVER_S_DN_CN=xxx.xxx.com
SSL_SERVER_S_DN_OU=Apache Web Server
SSL_SERVER_V_END=Feb 05 11:30:49 2018 GMT
SSL_SERVER_V_START=Feb 05 11:30:49 2008 GMT
SSL_SESSION_ID=FCWK1o2LsZQBaata5jy0yFlAs8dltfXdurOS7OC5G7A=
SSL_VERSION_INTERFACE=mod_nss/2.2.6
SSL_VERSION_LIBRARY=NSS/3.11.7.1
_=/bin/env
/tmp contents
-rw-r--r--  t.sailer Domain Users system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-1.6.3-4.fc9.src.rpm
-rw-r--r--  root     root         system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-devel-1.6.2-11.fc8.i386.rpm
-rw-r--r--  root     root         system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-libs-1.6.2-11.fc8.i386.rpm
-rw-r--r--  root     root         system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-server-1.6.2-11.fc8.i386.rpm
-rw-r--r--  root     root         system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-server-ldap-1.6.2-11.fc8.i386.rpm
-rw-r--r--  root     root         system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-workstation-1.6.2-11.fc8.i386.rpm
-rw-------  root     root         system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_0
-rw-------  t.sailer Domain Users system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_10000
run klist


Kerberos 4 ticket cache: /tmp/tkt48
end run klist
--

Diff between curl and firefox:
@@ -5,15 +5,22 @@
 DOCUMENT_ROOT=/var/www/html
 GATEWAY_INTERFACE=CGI/1.1
 HTTPS=on
-HTTP_ACCEPT=*/*
+HTTP_ACCEPT=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7
+HTTP_ACCEPT_ENCODING=gzip,deflate
+HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5
+HTTP_CACHE_CONTROL=max-age=0, max-age=0
+HTTP_CONNECTION=keep-alive
+HTTP_COOKIE=session_id=2be4da016d07250e719ab15cae48512e680d52a9; tg-visit=7cd94c486e5746e239fb41f7fef1c7344c4f3e45
 HTTP_HOST=xxx.xxx.com
-HTTP_USER_AGENT=curl/7.17.1 (i686-redhat-linux-gnu) libcurl/7.17.1 NSS/3.11.7.1 zlib/1.2.3 libidn/0.6.14
-KRB5CCNAME=FILE:/tmp/krb5cc_apache_aHfCAu
+HTTP_KEEP_ALIVE=300
+HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10
+KRB5CCNAME=FILE:/tmp/krb5cc_apache_oT62R7
 PATH=/sbin:/usr/sbin:/bin:/usr/bin
 PWD=/var/www/cgi-bin
 QUERY_STRING=
 REMOTE_ADDR=192.168.1.2
-REMOTE_PORT=36386
+REMOTE_PORT=36383
 REMOTE_USER=admin at XXX.COM
 REQUEST_METHOD=GET
 REQUEST_URI=/cgi-bin/test.sh
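
Review bot: the HTTP_COOKIE line added in this hunk carries live session_id and tg-visit values, and they went into the list archive unredacted while the host name and realm were masked as xxx; a pasted `env|sort` dump should have HTTP_COOKIE (and the SSL_SESSION_ID lines further down) scrubbed before it is shared. Apart from the browser-specific request headers, the only Kerberos-relevant difference in this hunk is the KRB5CCNAME file name, which is expected since each request was handed a differently named temporary cache.
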
@@ -27,15 +34,15 @@
 SERVER_SIGNATURE=<address>Apache/2.2.6 (Fedora) Server at xxx.xxx.com Port 443</address>
 SERVER_SOFTWARE=Apache/2.2.6 (Fedora)
 SHLVL=1
-SSL_CIPHER=RC4
-SSL_CIPHER_ALGKEYSIZE=128
+SSL_CIPHER=AES-256
+SSL_CIPHER_ALGKEYSIZE=256
 SSL_CIPHER_EXPORT=false
-SSL_CIPHER_NAME=SSL_RSA_WITH_RC4_128_MD5
-SSL_CIPHER_USEKEYSIZE=128
+SSL_CIPHER_NAME=TLS_RSA_WITH_AES_256_CBC_SHA
+SSL_CIPHER_USEKEYSIZE=256
 SSL_CLIENT_VERIFY=NONE
 SSL_PROTOCOL=TLSv1
 SSL_SERVER_A_KEY=RSA_RSA
-SSL_SERVER_A_SIG=MD5-RSA
+SSL_SERVER_A_SIG=SHA1-RSA
 SSL_SERVER_I_DN=CN=IPA Test Certificate Authority
 SSL_SERVER_I_DN_CN=IPA Test Certificate Authority
 SSL_SERVER_M_SERIAL=2000
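
Review bot: the cipher lines are a client-side negotiation difference (curl got SSL_RSA_WITH_RC4_128_MD5, Firefox got TLS_RSA_WITH_AES_256_CBC_SHA) and have no bearing on the missing cache, but they do show the server still accepting an RC4/MD5 suite; tightening the suite list in the mod_nss configuration (NSSCipherSuite) is a separate fix worth making.
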
@@ -45,7 +52,7 @@
 SSL_SERVER_S_DN_OU=Apache Web Server
 SSL_SERVER_V_END=Feb 05 11:30:49 2018 GMT
 SSL_SERVER_V_START=Feb 05 11:30:49 2008 GMT
-SSL_SESSION_ID=FChmOVV5RlvItfI6JtGOac+kd5sMM1h3B41NqVT4YYU=
+SSL_SESSION_ID=FCWK1o2LsZQBaata5jy0yFlAs8dltfXdurOS7OC5G7A=
 SSL_VERSION_INTERFACE=mod_nss/2.2.6
 SSL_VERSION_LIBRARY=NSS/3.11.7.1
 _=/bin/env
@@ -58,13 +65,7 @@
 -rw-r--r--  root     root         system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-workstation-1.6.2-11.fc8.i386.rpm
 -rw-------  root     root         system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_0
 -rw-------  t.sailer Domain Users system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_10000
--rw-------  apache   apache       system_u:object_r:httpd_tmp_t:s0 /tmp/krb5cc_apache_aHfCAu
 run klist
-Ticket cache: FILE:/tmp/krb5cc_apache_aHfCAu
-Default principal: admin at XXX.COM
-
-Valid starting     Expires            Service principal
-02/15/08 14:02:59  02/17/08 13:53:25  krbtgt/XXX.COM at XXX.COM

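
Review bot: this is the hunk that matters: in the Firefox run the apache-owned /tmp/krb5cc_apache_* file named by KRB5CCNAME is absent from the /tmp listing, and the klist ticket block vanishes with it. Because the script runs klist without `2>&1`, klist's stderr (for a missing FILE: cache, typically a "No credentials cache found" message naming the path) never reaches the page, so the output cannot distinguish "cache never created" from "cache removed before the CGI ran"; rerunning with stderr merged, as the commented-out strace line already does, would settle that. Also visible here: the curl-case cache is labelled httpd_tmp_t while the other krb5cc files are unconfined_tmp_t, harmless in permissive mode but worth remembering if enforcing is turned back on.
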

No significant difference IMO, except that the krb5 credentials cache
file just isn't there when the script is called from firefox!

Even strace'ing klist does not show any significant difference, except
that in the firefox case klist cannot open the krb5 cc file listed in
the environment.

Tom





On Wed, 2008-02-13 at 14:04 -0800, Rob Crittenden wrote:
> Thomas Sailer wrote:
> > On Wed, 2008-02-13 at 12:06 -0800, Rob Crittenden wrote:
> >> Can you look to see if there are any SELinux denials?
> > 
> > I had selinux in permissive mode, so I don't think selinux is the
> > culprit here...
> 
> Does the CGI test program work? (test.py)
> 
> It is very strange that the cache is there but seems unusable.
> 
> On a bright note it looks like Firefox is correctly delegating the 
> credentials, so that's something anyhow.
> 
> Can you try this really simple test. Create a CGI (/var/www/cgi-bin on 
> Fedora) with this:
> 
> #!/bin/sh
> 
> echo "Content-Type: text/plain"
> echo ""
> 
> /usr/kerberos/bin/klist
> 
> It should list your ticket and if not, maybe it will give us a better 
> error message to work with.
> 
> rob
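
The failure mode in this thread (KRB5CCNAME set but the cache file absent, and klist's error lost because only stdout reaches the page) is what a diagnostic CGI should surface. The following is an added example, not the test.sh from this thread or anything from mod_auth_kerb or FreeIPA: a POSIX sh variant that validates a FILE: cache before running klist and merges klist's stderr into the response. The function names `ccache_path` and `check_ccache` are my own, and the klist path is assumed to be /usr/kerberos/bin/klist as in the original script.

```shell
#!/bin/sh
# Added example (not the thread's test.sh): check a delegated FILE: ccache
# before calling klist, and keep klist's stderr in the CGI response.

# ccache_path: strip the "FILE:" prefix from a KRB5CCNAME value.
ccache_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# check_ccache: return 0 if $1 names a usable cache file, 1 otherwise,
# printing one line with the reason. Only FILE: caches are handled here
# (assumption: mod_auth_kerb hands the CGI a FILE: cache, as in the thread).
check_ccache() {
    cc=$1
    if [ -z "$cc" ]; then
        echo "KRB5CCNAME is not set"; return 1
    fi
    path=$(ccache_path "$cc")
    if [ ! -e "$path" ]; then
        echo "cache $path does not exist (named in env, but never created or already removed)"; return 1
    fi
    if [ ! -r "$path" ]; then
        echo "cache $path exists but is not readable by uid $(id -u)"; return 1
    fi
    if [ ! -s "$path" ]; then
        echo "cache $path exists but is empty"; return 1
    fi
    echo "cache $path is present and readable"
    return 0
}

# CGI entry point; skipped when the file is sourced for testing.
if [ -n "$REQUEST_METHOD" ]; then
    echo "Content-type: text/plain"
    echo
    echo "REMOTE_USER is ${REMOTE_USER:-<unset>} (AUTH_TYPE=${AUTH_TYPE:-<unset>})"
    if check_ccache "$KRB5CCNAME"; then
        ls -lZ "$(ccache_path "$KRB5CCNAME")"
    fi
    # 2>&1 so "No credentials cache found"-style errors reach the page
    /usr/kerberos/bin/klist 2>&1
    exit 0
fi
```

Unlike the original, this never prints the full environment, so request cookies do not end up in the response body.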



