[Freeipa-devel] freeipa and samba
Rob Crittenden
rcritten at redhat.com
Fri Feb 15 16:44:41 UTC 2008
Did you restart httpd after loading the new krb5 rpms? I've seen one
other case where Apache was still using the old krb5 libraries after
installing the ones that do spnego in a way that Firefox likes.
I may add this CGI to our bag of tricks too, or at least a pointer to it.
thanks
rob
Thomas Sailer wrote:
> Hi Rob,
>
> thanks for your suggestions.
>
> I used the following test script: test.sh
> #!/bin/sh
> ######################################################################
> #
> # Example CGI script that uses Kerberos credentials cached by
> # mod_auth_kerb compiled with caching option.
> #
> # Submitted by: Von Welch <vwelch at ncsa.uiuc.edu>
> #
> # mod_auth_kerb - Daniel Henninger <daniel at ncsu.edu>
> #
> ######################################################################
>
> # Output HTML header
> echo Content-type: text/plain
> echo
>
> # $REMOTE_USER should be set by httpd
> if [ -z "$REMOTE_USER" ]; then
>     echo '$REMOTE_USER not set.'
>     exit 1
> fi
>
> echo "REMOTE_USER is $REMOTE_USER"
>
> if [ -z "$KRB5CCNAME" ]; then
>     echo 'Kerberos credential cache name $KRB5CCNAME does not exist.'
>     exit 1
> fi
>
> # Do Kerberos stuff
> echo "Environment"
> env|sort
> echo "/tmp contents"
> /bin/ls -lZ /tmp/krb*
> echo "run klist"
> #/usr/bin/strace /usr/kerberos/bin/klist 2>&1
> /usr/kerberos/bin/klist
> echo "end run klist"
>
> #X=`echo ${KRB5CCNAME} | sed -e s,FILE:,,`;
> #/bin/cp -f ${X} /tmp/krb5cccache
> #echo "cp -f ${X} /tmp/krb5cccache"
>
> exit 0
> --
>
> The curl output is:
> REMOTE_USER is admin at XXX.COM
> Environment
>
> AUTH_TYPE=Negotiate
> DOCUMENT_ROOT=/var/www/html
> GATEWAY_INTERFACE=CGI/1.1
> HTTPS=on
> HTTP_ACCEPT=*/*
> HTTP_HOST=xxx.xxx.com
> HTTP_USER_AGENT=curl/7.17.1 (i686-redhat-linux-gnu) libcurl/7.17.1 NSS/3.11.7.1 zlib/1.2.3 libidn/0.6.14
> KRB5CCNAME=FILE:/tmp/krb5cc_apache_aHfCAu
> PATH=/sbin:/usr/sbin:/bin:/usr/bin
> PWD=/var/www/cgi-bin
> QUERY_STRING=
> REMOTE_ADDR=192.168.1.2
> REMOTE_PORT=36386
> REMOTE_USER=admin at XXX.COM
> REQUEST_METHOD=GET
> REQUEST_URI=/cgi-bin/test.sh
> SCRIPT_FILENAME=/var/www/cgi-bin/test.sh
> SCRIPT_NAME=/cgi-bin/test.sh
> SERVER_ADDR=192.168.1.2
> SERVER_ADMIN=root at localhost
> SERVER_NAME=xxx.xxx.com
> SERVER_PORT=443
> SERVER_PROTOCOL=HTTP/1.1
> SERVER_SIGNATURE=<address>Apache/2.2.6 (Fedora) Server at xxx.xxx.com Port 443</address>
> SERVER_SOFTWARE=Apache/2.2.6 (Fedora)
> SHLVL=1
> SSL_CIPHER=RC4
> SSL_CIPHER_ALGKEYSIZE=128
> SSL_CIPHER_EXPORT=false
> SSL_CIPHER_NAME=SSL_RSA_WITH_RC4_128_MD5
> SSL_CIPHER_USEKEYSIZE=128
> SSL_CLIENT_VERIFY=NONE
> SSL_PROTOCOL=TLSv1
> SSL_SERVER_A_KEY=RSA_RSA
> SSL_SERVER_A_SIG=MD5-RSA
> SSL_SERVER_I_DN=CN=IPA Test Certificate Authority
> SSL_SERVER_I_DN_CN=IPA Test Certificate Authority
> SSL_SERVER_M_SERIAL=2000
> SSL_SERVER_M_VERSION=3
> SSL_SERVER_S_DN=CN=xxx.xxx.com,OU=Apache Web Server
> SSL_SERVER_S_DN_CN=xxx.xxx.com
> SSL_SERVER_S_DN_OU=Apache Web Server
> SSL_SERVER_V_END=Feb 05 11:30:49 2018 GMT
> SSL_SERVER_V_START=Feb 05 11:30:49 2008 GMT
> SSL_SESSION_ID=FChmOVV5RlvItfI6JtGOac+kd5sMM1h3B41NqVT4YYU=
> SSL_VERSION_INTERFACE=mod_nss/2.2.6
> SSL_VERSION_LIBRARY=NSS/3.11.7.1
> _=/bin/env
> /tmp contents
> -rw-r--r-- t.sailer Domain Users system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-1.6.3-4.fc9.src.rpm
> -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-devel-1.6.2-11.fc8.i386.rpm
> -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-libs-1.6.2-11.fc8.i386.rpm
> -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-server-1.6.2-11.fc8.i386.rpm
> -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-server-ldap-1.6.2-11.fc8.i386.rpm
> -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-workstation-1.6.2-11.fc8.i386.rpm
> -rw------- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_0
> -rw------- t.sailer Domain Users system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_10000
> -rw------- apache apache system_u:object_r:httpd_tmp_t:s0 /tmp/krb5cc_apache_aHfCAu
> run klist
> Ticket cache: FILE:/tmp/krb5cc_apache_aHfCAu
> Default principal: admin at XXX.COM
>
> Valid starting Expires Service principal
> 02/15/08 14:02:59 02/17/08 13:53:25 krbtgt/XXX.COM at XXX.COM
>
>
> Kerberos 4 ticket cache: /tmp/tkt48
> end run klist
> --
>
>
> The firefox output is:
> REMOTE_USER is admin at XXX.COM
> Environment
>
> AUTH_TYPE=Negotiate
> DOCUMENT_ROOT=/var/www/html
> GATEWAY_INTERFACE=CGI/1.1
> HTTPS=on
> HTTP_ACCEPT=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7
> HTTP_ACCEPT_ENCODING=gzip,deflate
> HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5
> HTTP_CACHE_CONTROL=max-age=0, max-age=0
> HTTP_CONNECTION=keep-alive
> HTTP_COOKIE=session_id=2be4da016d07250e719ab15cae48512e680d52a9; tg-visit=7cd94c486e5746e239fb41f7fef1c7344c4f3e45
> HTTP_HOST=xxx.xxx.com
> HTTP_KEEP_ALIVE=300
> HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10
> KRB5CCNAME=FILE:/tmp/krb5cc_apache_oT62R7
> PATH=/sbin:/usr/sbin:/bin:/usr/bin
> PWD=/var/www/cgi-bin
> QUERY_STRING=
> REMOTE_ADDR=192.168.1.2
> REMOTE_PORT=36383
> REMOTE_USER=admin at XXX.COM
> REQUEST_METHOD=GET
> REQUEST_URI=/cgi-bin/test.sh
> SCRIPT_FILENAME=/var/www/cgi-bin/test.sh
> SCRIPT_NAME=/cgi-bin/test.sh
> SERVER_ADDR=192.168.1.2
> SERVER_ADMIN=root at localhost
> SERVER_NAME=xxx.xxx.com
> SERVER_PORT=443
> SERVER_PROTOCOL=HTTP/1.1
> SERVER_SIGNATURE=<address>Apache/2.2.6 (Fedora) Server at xxx.xxx.com Port 443</address>
> SERVER_SOFTWARE=Apache/2.2.6 (Fedora)
> SHLVL=1
> SSL_CIPHER=AES-256
> SSL_CIPHER_ALGKEYSIZE=256
> SSL_CIPHER_EXPORT=false
> SSL_CIPHER_NAME=TLS_RSA_WITH_AES_256_CBC_SHA
> SSL_CIPHER_USEKEYSIZE=256
> SSL_CLIENT_VERIFY=NONE
> SSL_PROTOCOL=TLSv1
> SSL_SERVER_A_KEY=RSA_RSA
> SSL_SERVER_A_SIG=SHA1-RSA
> SSL_SERVER_I_DN=CN=IPA Test Certificate Authority
> SSL_SERVER_I_DN_CN=IPA Test Certificate Authority
> SSL_SERVER_M_SERIAL=2000
> SSL_SERVER_M_VERSION=3
> SSL_SERVER_S_DN=CN=xxx.xxx.com,OU=Apache Web Server
> SSL_SERVER_S_DN_CN=xxx.xxx.com
> SSL_SERVER_S_DN_OU=Apache Web Server
> SSL_SERVER_V_END=Feb 05 11:30:49 2018 GMT
> SSL_SERVER_V_START=Feb 05 11:30:49 2008 GMT
> SSL_SESSION_ID=FCWK1o2LsZQBaata5jy0yFlAs8dltfXdurOS7OC5G7A=
> SSL_VERSION_INTERFACE=mod_nss/2.2.6
> SSL_VERSION_LIBRARY=NSS/3.11.7.1
> _=/bin/env
> /tmp contents
> -rw-r--r-- t.sailer Domain Users system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-1.6.3-4.fc9.src.rpm
> -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-devel-1.6.2-11.fc8.i386.rpm
> -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-libs-1.6.2-11.fc8.i386.rpm
> -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-server-1.6.2-11.fc8.i386.rpm
> -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-server-ldap-1.6.2-11.fc8.i386.rpm
> -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-workstation-1.6.2-11.fc8.i386.rpm
> -rw------- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_0
> -rw------- t.sailer Domain Users system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_10000
> run klist
>
>
> Kerberos 4 ticket cache: /tmp/tkt48
> end run klist
> --
>
> Diff between curl and firefox:
> @@ -5,15 +5,22 @@
> DOCUMENT_ROOT=/var/www/html
> GATEWAY_INTERFACE=CGI/1.1
> HTTPS=on
> -HTTP_ACCEPT=*/*
> +HTTP_ACCEPT=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> +HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7
> +HTTP_ACCEPT_ENCODING=gzip,deflate
> +HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5
> +HTTP_CACHE_CONTROL=max-age=0, max-age=0
> +HTTP_CONNECTION=keep-alive
> +HTTP_COOKIE=session_id=2be4da016d07250e719ab15cae48512e680d52a9; tg-visit=7cd94c486e5746e239fb41f7fef1c7344c4f3e45
> HTTP_HOST=xxx.xxx.com
> -HTTP_USER_AGENT=curl/7.17.1 (i686-redhat-linux-gnu) libcurl/7.17.1 NSS/3.11.7.1 zlib/1.2.3 libidn/0.6.14
> -KRB5CCNAME=FILE:/tmp/krb5cc_apache_aHfCAu
> +HTTP_KEEP_ALIVE=300
> +HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10
> +KRB5CCNAME=FILE:/tmp/krb5cc_apache_oT62R7
> PATH=/sbin:/usr/sbin:/bin:/usr/bin
> PWD=/var/www/cgi-bin
> QUERY_STRING=
> REMOTE_ADDR=192.168.1.2
> -REMOTE_PORT=36386
> +REMOTE_PORT=36383
> REMOTE_USER=admin at XXX.COM
> REQUEST_METHOD=GET
> REQUEST_URI=/cgi-bin/test.sh
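Review bot: the HTTP_COOKIE line in this hunk carries the live session_id and tg-visit cookie values of the Firefox session into output that is being posted to a public list; those session identifiers should be treated as exposed and invalidated, and the env dump filtered (at least HTTP_COOKIE and SSL_SESSION_ID) before it is shared again. The differing KRB5CCNAME values (krb5cc_apache_aHfCAu vs krb5cc_apache_oT62R7) are expected, since the cache name is a per-request temporary file, so that line is not itself a clue.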
> @@ -27,15 +34,15 @@
> SERVER_SIGNATURE=<address>Apache/2.2.6 (Fedora) Server at xxx.xxx.com Port 443</address>
> SERVER_SOFTWARE=Apache/2.2.6 (Fedora)
> SHLVL=1
> -SSL_CIPHER=RC4
> -SSL_CIPHER_ALGKEYSIZE=128
> +SSL_CIPHER=AES-256
> +SSL_CIPHER_ALGKEYSIZE=256
> SSL_CIPHER_EXPORT=false
> -SSL_CIPHER_NAME=SSL_RSA_WITH_RC4_128_MD5
> -SSL_CIPHER_USEKEYSIZE=128
> +SSL_CIPHER_NAME=TLS_RSA_WITH_AES_256_CBC_SHA
> +SSL_CIPHER_USEKEYSIZE=256
> SSL_CLIENT_VERIFY=NONE
> SSL_PROTOCOL=TLSv1
> SSL_SERVER_A_KEY=RSA_RSA
> -SSL_SERVER_A_SIG=MD5-RSA
> +SSL_SERVER_A_SIG=SHA1-RSA
> SSL_SERVER_I_DN=CN=IPA Test Certificate Authority
> SSL_SERVER_I_DN_CN=IPA Test Certificate Authority
> SSL_SERVER_M_SERIAL=2000
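Review bot: the cipher lines in this hunk are unrelated to the missing credential cache, but they show that the curl request negotiated SSL_RSA_WITH_RC4_128_MD5 while Firefox negotiated TLS_RSA_WITH_AES_256_CBC_SHA, i.e. the mod_nss configuration still accepts an RC4/MD5 suite whenever a client offers it; worth tightening the server cipher list separately from this bug.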
> @@ -45,7 +52,7 @@
> SSL_SERVER_S_DN_OU=Apache Web Server
> SSL_SERVER_V_END=Feb 05 11:30:49 2018 GMT
> SSL_SERVER_V_START=Feb 05 11:30:49 2008 GMT
> -SSL_SESSION_ID=FChmOVV5RlvItfI6JtGOac+kd5sMM1h3B41NqVT4YYU=
> +SSL_SESSION_ID=FCWK1o2LsZQBaata5jy0yFlAs8dltfXdurOS7OC5G7A=
> SSL_VERSION_INTERFACE=mod_nss/2.2.6
> SSL_VERSION_LIBRARY=NSS/3.11.7.1
> _=/bin/env
> @@ -58,13 +65,7 @@
> -rw-r--r-- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5-workstation-1.6.2-11.fc8.i386.rpm
> -rw------- root root system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_0
> -rw------- t.sailer Domain Users system_u:object_r:unconfined_tmp_t:s0 /tmp/krb5cc_10000
> --rw------- apache apache system_u:object_r:httpd_tmp_t:s0 /tmp/krb5cc_apache_aHfCAu
> run klist
> -Ticket cache: FILE:/tmp/krb5cc_apache_aHfCAu
> -Default principal: admin at XXX.COM
> -
> -Valid starting Expires Service principal
> -02/15/08 14:02:59 02/17/08 13:53:25 krbtgt/XXX.COM at XXX.COM
>
>
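Review bot: this hunk is the only substantive difference: in the curl case the listing shows `-rw------- apache apache ... /tmp/krb5cc_apache_aHfCAu` and klist prints the admin TGT, while in the Firefox case both the file and the ticket listing are absent even though KRB5CCNAME=FILE:/tmp/krb5cc_apache_oT62R7 is still exported to the CGI. So mod_auth_kerb either never wrote that cache or it was removed before the CGI ran; stracing klist cannot distinguish these, so the next diagnostic step is to strace the httpd child (open/unlink on /tmp/krb5cc_apache_*) during a Firefox request, which also tells you whether the old krb5 libraries are still loaded as Rob suspects.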
> No significant difference IMO, except that the krb5 credentials cache
> file just isn't there when the script is called from firefox!
>
> Even strace'ing klist does not show any significant difference, except
> that in the firefox case klist cannot open the krb5 cc file listed in
> the environment.
>
> Tom
>
>
>
>
>
> On Wed, 2008-02-13 at 14:04 -0800, Rob Crittenden wrote:
>> Thomas Sailer wrote:
>>> On Wed, 2008-02-13 at 12:06 -0800, Rob Crittenden wrote:
>>>> Can you look to see if there are any SELinux denials?
>>> I had selinux in permissive mode, so I don't think selinux is the
>>> culprit here...
>> Does the CGI test program work? (test.py)
>>
>> It is very strange that the cache is there but seems unusable.
>>
>> On a bright note it looks like Firefox is correctly delegating the
>> credentials, so that's something anyhow.
>>
>> Can you try this really simple test. Create a CGI (/var/www/cgi-bin on
>> Fedora) with this:
>>
>> #!/bin/sh
>>
>> echo "Content-Type: text/plain"
>> echo ""
>>
>> /usr/kerberos/bin/klist
>>
>> It should list your ticket and if not, maybe it will give us a better
>> error message to work with.
>>
>> rob
>
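An added example, not part of the thread's messages or of mod_auth_kerb's distributed scripts: a CGI helper in the spirit of test.sh that checks the credential cache named in KRB5CCNAME before calling klist, so that "cache file missing" (the Firefox case above), "unreadable" and "too permissive" are reported as distinct conditions. It assumes the FILE: cache type seen in the env dumps and the /usr/kerberos/bin/klist path from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): checks the Kerberos credential cache
# that mod_auth_kerb hands a CGI via KRB5CCNAME before calling klist.
# Assumes the FILE: cache type shown in the thread's env dumps.

# check_ccache CCNAME: print a diagnosis; return 0 only if the cache is usable
check_ccache() {
    ccname=$1
    case "$ccname" in
        "")     echo "KRB5CCNAME not set: no credentials were delegated"; return 1 ;;
        FILE:*) ccfile=${ccname#FILE:} ;;
        *)      echo "unsupported cache type: $ccname"; return 2 ;;
    esac
    if [ ! -e "$ccfile" ]; then
        # the Firefox case in the thread: name exported, file absent
        echo "cache file $ccfile named in KRB5CCNAME does not exist"
        return 3
    fi
    if [ ! -r "$ccfile" ]; then
        echo "cache file $ccfile exists but is not readable by $(id -un)"
        return 4
    fi
    # group/other permission bits (columns 5-10 of ls -l); a cache readable
    # by other local users hands them the delegated TGT
    perm=$(ls -l "$ccfile" | cut -c5-10)
    if [ "$perm" != "------" ]; then
        echo "cache file $ccfile is group/world accessible ($perm)"
        return 5
    fi
    echo "cache file $ccfile looks usable"
    return 0
}

# CGI entry point, modelled on the thread's test.sh
cgi_main() {
    echo "Content-type: text/plain"
    echo
    echo "REMOTE_USER is ${REMOTE_USER:-<unset>}"
    if check_ccache "$KRB5CCNAME"; then
        /usr/kerberos/bin/klist
    fi
}

# only run as a CGI; sourcing the file just defines the functions
if [ -n "$GATEWAY_INTERFACE" ]; then
    cgi_main
fi
```

Dropped into /var/www/cgi-bin, the script returns a non-zero status and a one-line reason instead of klist's generic error when the cache is absent.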