Re: [modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.
Mikkel Kruse Johnsen wrote:
Hi Markus

Yes, that is what I want. I need the KRB5CCNAME (the credential) so I can log in to my OpenLDAP SASL-based server and PostgreSQL with Kerberos.

So what you need is the Kerberos credentials. I have an older version
of mod_auth_kerb; I assume your version has the routine store_gss_creds(),
which should be doing this for you, creating the name in
create_krb5_ccache() and calling
apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);

Is KrbSaveCredentials being set in the conf file?
This controls the saving of credentials:
if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
store_gss_creds(...)

Are the above routines being called?

Is the client actually delegating a credential?

Is the KRB5CCNAME being set in the environment of the subprocess?




/Mikkel

On Mon, 2007-07-23 at 19:33 +0100, Markus Moeller wrote:
 Storing credentials in a krb5 cache pointing to KRB5CCNAME has nothing to do with delegation. You only need delegation if you want Apache to log into a backend application with the user's ID. Is that what you want? If so, you need to be very careful, as it gives your Apache server a lot of power if you don't use constrained delegation. You need to protect it like a domain controller !!! Markus

"Mikkel Kruse Johnsen" <mikkel@xxxxxxxx <mailto:mikkel@xxxxxxxx>>
wrote in message news:1184745677.3078.5.camel@xxxxxxxxxxxxxxxxx

Hi All

That did the trick, recompiling krb5-1.5 (on RHEL5 64bit) with
that patch.

Now I only have the problem that mod_auth_kerb doesn't write my
credentials to KRB5CCNAME (in PHP).

My "kerbtray" under Windows says it is Forwardable but no "Ok to
delegate", so I guess that is the problem.

Under Linux they are forwardable.

------
[mkj@tux ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@xxxxxx

Valid starting     Expires            Service principal
07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK@xxxxxx
        renew until 07/19/07 09:16:49, Flags: FRIA
07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK@xxxxxx
        renew until 07/19/07 09:16:49, Flags: FRAO
07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk@xxxxxx
        renew until 07/18/07 09:17:04, Flags: FRAT
07/18/07 09:35:35  07/18/07 19:16:55  host/sugi.cbs.dk@xxxxxx
        renew until 07/18/07 09:35:35, Flags: FRAT


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
--------


I found how to set ok-as-delegate for Heimdal; how is this done for
MIT Kerberos?

And how is it done under MS AD?

/Mikkel


On Tue, 2007-07-17 at 21:25 +0200, Achim Grolms wrote:
On Tuesday 17 July 2007 09:41, Mikkel Kruse Johnsen wrote:

> gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
> may provide more information (Cannot allocate memory)

What OS and what Kerberos libs do you use?
Background of this question:

I've seen this error message "Cannot allocate memory"
(and its solution) in

<http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help>

Achim
Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: mikkel@xxxxxxxx
www: http://www.linet.dk


_______________________________________________
modauthkerb-help mailing list
modauthkerb-help@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/modauthkerb-help

--

Douglas E. Engert <DEEngert@xxxxxxx>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
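An added diagnostic, not code from this thread or from mod_auth_kerb, covering the last item of the checklist above (is KRB5CCNAME set in the subprocess environment?) and the kerbtray observation that the HTTP ticket is forwardable but not "Ok to delegate": it runs `klist -f` against whatever cache KRB5CCNAME names and reports, per service ticket, the F (forwardable) and O (ok-as-delegate) flag letters that MIT klist prints. The sample output embedded for offline use is the one quoted in the thread, realms elided as on the list; run the script itself from the PHP/CGI child to see what its cache holds.

```python
import re
import subprocess
# Constructed sample: the `klist -f` output quoted in the thread (realms elided
# as they were on the list), so the parser can be exercised offline.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@xxxxxx
Valid starting     Expires            Service principal
07/18/07 09:16:49  07/18/07 19:16:55  krbtgt/HHK.DK@xxxxxx
        renew until 07/19/07 09:16:49, Flags: FRIA
07/18/07 09:17:06  07/18/07 19:16:55  krbtgt/CBS.DK@xxxxxx
        renew until 07/19/07 09:16:49, Flags: FRAO
07/18/07 09:17:04  07/18/07 19:16:55  HTTP/sugi.cbs.dk@xxxxxx
        renew until 07/18/07 09:17:04, Flags: FRAT
"""

# A ticket line is two timestamps then the service principal; the "renew until
# ..., Flags: XXXX" line after it carries MIT klist's letters (F forwardable, O ok-as-delegate).
TICKET_RE = re.compile(r"^\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d\s+"
                       r"\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d\s+(\S+)")
FLAGS_RE = re.compile(r"Flags:\s*([A-Za-z]+)")

def parse_klist(text):
    """Map each service principal in `klist -f` output to its set of flag letters."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = m.group(1)
            tickets[current] = set()
        elif current is not None and FLAGS_RE.search(line):
            tickets[current].update(FLAGS_RE.search(line).group(1))
    return tickets

def check_service(tickets, service):
    """The two flags a delegating client looks at on the ticket for `service`."""
    flags = tickets.get(service, set())
    return {"present": service in tickets,
            "forwardable": "F" in flags,
            "ok_as_delegate": "O" in flags}

def report_current_cache():
    """Run klist -f on the cache KRB5CCNAME names (klist honours it itself)."""
    out = subprocess.run(["klist", "-f"], capture_output=True, text=True).stdout
    tickets = parse_klist(out)
    return {princ: check_service(tickets, princ) for princ in tickets}

if __name__ == "__main__":
    for princ, verdict in report_current_cache().items():
        print(princ, verdict)
```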


