Martin Yves | 15 Apr 2013 11:34

Configuration behind Microsoft TMG

Hello,

I have set up Apache2 / mod_auth_kerb against an Active Directory 2008 R2
and everything works well when direct access is used.

Now I try to pass through TMG in "Kerberos / NTLM" mode,
but on the first request after successful authentication in TMG, Apache2
receives an NTLMSSP-encoded challenge/credential in the "Authorization: Negotiate"
header and mod_auth_kerb 5.4 fails with error 500 and this message:

[Mon Apr 15 11:03:34 2013] [error] [client 192.168.3.15]
gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may
provide more information (, Key table entry not found), referer:
http://tmg.domain.com/CookieAuth.dll?GetLogon?curl=Z2FscriptZ2Ftest.cgi&reason=0&formdir=3

Is there any option to tune in mod_auth_kerb or TMG?

In my opinion, mod_auth_kerb should answer 401 Negotiate... in the hope
that TMG will query again with a Kerberos TGS in a SPNEGO envelope.
Or is there any option in TMG to simply disable NTLM and only accept
Kerberos?

Thank you in advance for your help

-- 
Yves Martin

Kurt Maet | 27 Mar 2013 15:14

Mod_auth_kerb: Warning: received token seems to be NTLM, possible issues?

I'm trying to set up mod_auth_kerb with `Debian/Apache` and a `Windows2008` Active Directory.
This works:

    kinit -k -t /etc/krb5.keytab HTTP/myhost.domain.local
    I see a valid ticket in klist, with Service Principal krbtgt/MYHOST.MYDOMAIN.LOCAL <at> MYDOMAIN.LOCAL

This is in my Apache error log:

    [Sun Mar 24 16:41:11 2013] [debug] src/mod_auth_kerb.c(1628): [client 10.50.109.64] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Sun Mar 24 16:41:11 2013] [debug] mod_deflate.c(615): [client 10.50.109.64] Zlib: Compressed 528 to 355 : URL /private/auth.php
    [Sun Mar 24 16:41:11 2013] [debug] src/mod_auth_kerb.c(1628): [client 10.50.109.64] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Sun Mar 24 16:41:11 2013] [debug] src/mod_auth_kerb.c(1240): [client 10.50.109.64] Acquiring creds for HTTP <at> myhost
    [Sun Mar 24 16:41:11 2013] [debug] src/mod_auth_kerb.c(1385): [client 10.50.109.64] Verifying client data using KRB5 GSS-API
    [Sun Mar 24 16:41:11 2013] [debug] src/mod_auth_kerb.c(1401): [client 10.50.109.64] Client didn't delegate us their credential
    [Sun Mar 24 16:41:11 2013] [debug] src/mod_auth_kerb.c(1429): [client 10.50.109.64] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
    [Sun Mar 24 16:41:11 2013] [debug] src/mod_auth_kerb.c(1101): [client 10.50.109.64] GSS-API major_status:00090000, minor_status:00000000
    [Sun Mar 24 16:41:11 2013] [error] [client 10.50.109.64] gss_accept_sec_context() failed: Invalid token was supplied (, No error)

If I activate fallback to Basic Auth and enter credentials, it works fine. I checked IE settings, registry settings, tried with Firefox or Safari, but they all keep giving the same issue. I feel like I've been over and over dozens of tutorials and configuration changes, but I can't seem to find the needle.

Is this error message just misleading or what am I missing? Any help is strongly appreciated, I just can't seem to find anyone who's able to do this in my environment.

Sincerely


Kurt
_______________________________________________
modauthkerb-help mailing list
modauthkerb-help <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
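Both this post and the TMG post above end up with something other than a Kerberos token inside "Authorization: Negotiate". The script below is an added example, not code from mod_auth_kerb or from either poster: it decodes a Negotiate header value and reports whether it carries bare NTLMSSP, a raw Kerberos GSS token, or a SPNEGO token, and for SPNEGO which mechanisms the client offered. The sample headers are constructed inside the script, and all names in it are mine.

```python
import base64

# DER-encoded OID elements (tag 0x06 + length + value) met in Negotiate tokens.
OID_SPNEGO = bytes.fromhex("06062b0601050502")              # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")          # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")       # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")     # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {OID_SPNEGO: "spnego", OID_KRB5: "krb5",
             OID_MS_KRB5: "ms-krb5", OID_NTLMSSP: "ntlmssp"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def _der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated token")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: 0x8N followed by N length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated token")
    return tag, pos, pos + length


def _spnego_mech_types(buf, pos):
    """List the mechanisms offered in a NegTokenInit: [0] SEQ { [0] SEQ OF OID ... }."""
    for expected in (0xA0, 0x30, 0xA0):
        tag, pos, end = _der_tlv(buf, pos)
        if tag != expected:
            return []                     # a NegTokenResp ([1]) carries no mechTypes
    tag, pos, end = _der_tlv(buf, pos)    # SEQUENCE OF MechType
    if tag != 0x30:
        return []
    mechs = []
    while pos < end:
        tag, _, stop = _der_tlv(buf, pos)
        if tag == 0x06:
            mechs.append(OID_NAMES.get(buf[pos:stop], "unknown"))
        pos = stop
    return mechs


def classify_negotiate_token(header_value):
    """Say what an 'Authorization: Negotiate <base64>' value actually carries.

    mod_auth_kerb only accepts GSS tokens (SPNEGO or raw Kerberos); a client
    that sends bare NTLMSSP, or SPNEGO offering only NTLM, cannot be served.
    """
    value = header_value.strip()
    if value[:10].lower() == "negotiate ":
        value = value[10:]
    raw = base64.b64decode(value, validate=True)
    if raw.startswith(NTLMSSP_SIGNATURE):
        # NTLM message type: 1 negotiate, 2 challenge, 3 authenticate
        return {"kind": "ntlm", "message_type": int.from_bytes(raw[8:12], "little")}
    tag, pos, _ = _der_tlv(raw, 0)
    if tag != 0x60:                       # [APPLICATION 0] InitialContextToken
        raise ValueError("neither NTLMSSP nor a GSS-API InitialContextToken")
    tag, _, oid_end = _der_tlv(raw, pos)
    if tag != 0x06:
        raise ValueError("InitialContextToken without a mechanism OID")
    mech = OID_NAMES.get(raw[pos:oid_end], "unknown")
    offered = _spnego_mech_types(raw, oid_end) if mech == "spnego" else [mech]
    return {"kind": "gss", "mech": mech, "offered": offered,
            "kerberos_possible": any(m in ("krb5", "ms-krb5") for m in offered)}


def _der(tag, body):
    """Encode one DER element; only used to build the constructed samples below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


# Constructed samples (not captured from the posts): a bare NTLM Type 1 message,
# SPNEGO offering Kerberos then NTLM, SPNEGO offering NTLM only, and a raw
# Kerberos token (mechanism OID followed by the AP-REQ TOK_ID 01 00).
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + b"\x00" * 16).decode()


def _spnego(*mech_oids):
    mech_types = _der(0xA0, _der(0x30, b"".join(mech_oids)))
    return "Negotiate " + base64.b64encode(
        _der(0x60, OID_SPNEGO + _der(0xA0, _der(0x30, mech_types)))).decode()


SAMPLE_SPNEGO_KRB = _spnego(OID_KRB5, OID_NTLMSSP)
SAMPLE_SPNEGO_NTLM_ONLY = _spnego(OID_NTLMSSP)
SAMPLE_RAW_KRB5 = "Negotiate " + base64.b64encode(_der(0x60, OID_KRB5 + b"\x01\x00")).decode()

if __name__ == "__main__":
    for name in ("SAMPLE_NTLM", "SAMPLE_SPNEGO_KRB", "SAMPLE_SPNEGO_NTLM_ONLY", "SAMPLE_RAW_KRB5"):
        print(name, classify_negotiate_token(globals()[name]))
```

Run it against a header copied from a proxy trace or a browser's request log; a result of kind "ntlm", or "spnego" with no Kerberos mechanism offered, means the client side (or TMG) never obtained a ticket, which no mod_auth_kerb setting can repair.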
Cassiopeia | 28 Nov 2012 12:23

gss_acquire_cred() failed - unknown error

All right guys, hello everybody.

I've been encountering a problem for weeks, and it drives me crazy :(
So I hope that any of you could give me a hint about what the problem is.

The goal is to access an intranet site through Kerberos MIT SSO.
We have 2 test systems.

KDC is a Windows Server 2008 R2.
Web server is a Red Hat 6.3 with all available patches.
Apache is 2.2.15.


My problem is the following:
I implemented SSO on both machines in the same way and
encountered the following error on both machines:

[Wed Nov 28 11:09:43 2012] [debug] src/mod_auth_kerb.c(1939): [client 1.2.3.4] kerb_authenticate_user entered with user (NULL) and auth_type KerberosV5
[Wed Nov 28 11:09:43 2012] [debug] src/mod_auth_kerb.c(1278): [client 1.2.3.4] Acquiring creds for HTTP/hostname.domain.local
[Wed Nov 28 11:09:43 2012] [debug] src/mod_auth_kerb.c(1138): [client 1.2.3.4] GSS-API major_status:000d0000, minor_status:00000000
[Wed Nov 28 11:09:43 2012] [error] [client 1.2.3.4] gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, Unknown error)


Although I don't know why, the error is gone on one system since I altered the Apache directive "KrbServiceName HTTP" to "KrbServiceName HTTP/hostname.domain.local".
The same implementation of the SSO on the other system doesn't solve this issue :/

I was not able to get any useful information about this error, so I started testing and found another difference from the working system, which may be useful to you guys:

Accessing the resource by entering the password works IF (!) I additionally configure the "KrbVerifyKDC off" directive; see my Apache settings below:

<Directory "/var/www/html/secure">
        AuthType KerberosV5
        AuthName "Intranet"
        KrbAuthRealms DOMAIN.LOCAL
        KrbServiceName HTTP/hostname.domain.local
        Krb5Keytab /etc/krb5.keytab
        KrbMethodNegotiate off
        KrbMethodK5Passwd on
        KrbVerifyKDC off
        require valid-user
</Directory>


If "KrbVerifyKDC off" is missing, the error log shows the following:

[Wed Nov 28 11:13:17 2012] [debug] src/mod_auth_kerb.c(1939): [client 1.2.3.4] kerb_authenticate_user entered with user (NULL) and auth_type KerberosV5
[Wed Nov 28 11:13:17 2012] [debug] src/mod_auth_kerb.c(1031): [client 1.2.3.4] Using HTTP/hostname.domain.local <at> DOMAIN.LOCAL as server principal for password verification
[Wed Nov 28 11:13:17 2012] [debug] src/mod_auth_kerb.c(735): [client 1.2.3.4] Trying to get TGT for user domainuser <at> DOMAIN.LOCAL
[Wed Nov 28 11:13:17 2012] [debug] src/mod_auth_kerb.c(645): [client 1.2.3.4] Trying to verify authenticity of KDC using principal HTTP/hostname.domain.local <at> DOMAIN.LOCAL
[Wed Nov 28 11:13:17 2012] [debug] src/mod_auth_kerb.c(688): [client 1.2.3.4] krb5_rd_req() failed when verifying KDC
[Wed Nov 28 11:13:17 2012] [error] [client 1.2.3.4] failed to verify krb5 credentials: Permission denied


I think Kerberos is working quite properly:

[root <at> hostname conf.d]# env KRB5_TRACE=/dev/stdout kinit -k -t /etc/krb5.keytab HTTP/hostname.domain.local
[3197] 1354097620.502739: Getting initial credentials for HTTP/hostname.domain.local <at> DOMAIN.LOCAL
[3197] 1354097620.503055: Sending request (199 bytes) to DOMAIN.LOCAL
[3197] 1354097620.504304: Sending initial UDP request to dgram 172.24.69.45:88
[3197] 1354097620.505261: Received answer from dgram 172.24.69.45:88
[3197] 1354097620.505679: Response was not from master KDC
[3197] 1354097620.505712: Salt derived from principal: DOMAIN.LOCALHTTPhostname.domain.local
[3197] 1354097620.505717: Getting AS key, salt "DOMAIN.LOCALHTTPhostname.domain.local", params ""
[3197] 1354097620.505802: Retrieving HTTP/hostname.domain.local <at> DOMAIN.LOCAL from WRFILE:/etc/krb5.keytab (vno 0, enctype rc4-hmac) with result: 0/success
[3197] 1354097620.505820: AS key obtained from gak_fct: rc4-hmac/8105
[3197] 1354097620.505858: Decrypted AS reply; session key is: rc4-hmac/1181
[3197] 1354097620.505862: FAST negotiation: unavailable
[3197] 1354097620.505880: Initializing FILE:/tmp/krb5cc_0 with default princ HTTP/hostname1.domain.local <at> DOMAIN.LOCAL
[3197] 1354097620.628902: Removing HTTP/hostname.domain.local <at> DOMAIN.LOCAL -> krbtgt/DOMAIN.LOCAL <at> DOMAIN.LOCAL from FILE:/tmp/krb5cc_0
[3197] 1354097620.628914: Storing HTTP/hostname.domain.local <at> DOMAIN.LOCAL -> krbtgt/DOMAIN.LOCAL <at> DOMAIN.LOCAL in FILE:/tmp/krb5cc_0

[root <at> hostname conf.d]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/hostname.domain.local <at> DOMAIN.LOCAL

Valid starting     Expires            Service principal
11/28/12 11:13:40  11/28/12 21:13:46  krbtgt/DOMAIN.LOCAL <at> DOMAIN.LOCAL
        renew until 11/29/12 11:13:40, Etype (skey, tkt): arcfour-hmac, arcfour-hmac

[root <at> hostname conf.d]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = true
 default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
 default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
 preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC


[realms]
 DOMAIN.LOCAL = {
  kdc = kdcserver.domain.local:88
  admin_server = kdcserver.domain.local:88
  default_domain = DOMAIN.LOCAL
 }

[domain_realm]
 .domain.local = DOMAIN.LOCAL
 domain.local = DOMAIN.LOCAL





Some well known facts I checked:
DNS looks fine; time is in sync; keytab-file looks good; KVNO is ident; permissions on keytabfile are 400 for apache:apache

Does anybody have an idea?

best regards

Saxon, Will | 27 Nov 2012 23:50

500 error w/ mod_auth_kerb and mod_authnz_ldap

Hello,

I'm trying to set up an LDAP group-controlled, Kerberos-authenticated web service, with the KRB5 and LDAP
requests targeting Active Directory. The environment I'm working with is CentOS 6.3, mod_auth_kerb 5.4
and the authnz_ldap module shipping with Apache 2.2.15. 

The configuration I'm working with is pretty standard and similar to what I've seen in the archives on this list:

<Directory /var/www/git>
        Options +ExecCGI
        AddHandler cgi-script .cgi
        DirectoryIndex gitweb.cgi

        AuthType Kerberos
        KrbAuthoritative On
        KrbAuthRealms EXAMPLE.COM
        KrbMethodNegotiate On
        KrbMethodK5Passwd On

        AuthzLDAPAuthoritative On
        AuthLDAPBindDN "CN=LDAP,OU=Service Accounts,DC=example,DC=com"
        AuthLDAPBindPassword SuperDuperSecret
        AuthName "Please Login"
        AuthLDAPURL "ldap://example.com:389/DC=example,DC=com?userPrincipalName?sub?(|(objectClass=user)(objectClass=group))"
        require ldap-group CN=gitAdmins,OU=Groups,DC=example,DC=com
</Directory>

If a user authenticates successfully and is a member of gitAdmins, pages load fine. The problem I'm having
is that when a user is NOT in the gitAdmins group, instead of getting a 401 error or an authentication
prompt, I get a 500 configuration error. I'm mailing here because the error logs show entries like this:

[error] [client 192.168.0.10] gss_display_name() failed: A required input parameter could not be read: An invalid name was supplied (, Unknown error)

I've attached a .txt file with the scrubbed apache error logs from a failed page load. 

I've tried changing the above to have different authoritative settings for krb and ldap without success.
If I have AuthzLDAPAuthoritative set to 'off' and stick a 'require valid-user' in the config, I get the
expected behavior. If I instead stick a 'require user fakeUser' in the config, I get the 500 error again. 

Is this something I'm configuring incorrectly? Is this even a mod_auth_kerb issue? 

Thanks for any assistance.

-Will

--

Will Saxon
Systems Administrator III
13545 Progress Blvd., Alachua, FL 32615
877-932-6301 Main
386-418-7341 Direct
viterahealthcare.com

[debug] src/mod_auth_kerb.c(1939): [client 192.168.0.10] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1939): [client 192.168.0.10] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1939): [client 192.168.0.10] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1278): [client 192.168.0.10] Acquiring creds for HTTP <at> gerrit
[debug] src/mod_auth_kerb.c(1691): [client 192.168.0.10] Verifying client data using KRB5 GSS-API
[debug] src/mod_auth_kerb.c(1707): [client 192.168.0.10] Client didn't delegate us their credential
[debug] src/mod_auth_kerb.c(1726): [client 192.168.0.10] GSS-API token of length 163 bytes will be sent back
[debug] mod_authnz_ldap.c(709): [client 192.168.0.10] ldap authorize: Creating LDAP req structure
[debug] mod_authnz_ldap.c(845): [9612] auth_ldap authorise: require group: testing for member: CN=Test User,CN=Users,DC=example,DC=com (CN=Gitweb-test,OU=Groups,DC=example,DC=com)
[debug] mod_authnz_ldap.c(845): [9612] auth_ldap authorise: require group: testing for uniquemember: CN=Test User,CN=Users,DC=example,DC=com (CN=Gitweb-test,OU=Groups,DC=example,DC=com)
[debug] mod_authnz_ldap.c(839): [9612] auth_ldap authorise: require group: testing for group membership in "CN=gitAdmins,OU=Groups,DC=example,DC=com"
[debug] mod_authnz_ldap.c(845): [9612] auth_ldap authorise: require group: testing for member: CN=Test User,CN=Users,DC=example,DC=com (CN=gitAdmins,OU=Groups,DC=example,DC=com)
[debug] mod_authnz_ldap.c(861): [9612] auth_ldap authorise: require group "CN=gitAdmins,OU=Groups,DC=example,DC=com": authorisation failed [Comparison false (adding to cache)][Compare False]
[debug] mod_authnz_ldap.c(845): [9612] auth_ldap authorise: require group: testing for uniquemember: CN=Test User,CN=Users,DC=example,DC=com (CN=gitAdmins,OU=Groups,DC=example,DC=com)
[debug] mod_authnz_ldap.c(861): [9612] auth_ldap authorise: require group "CN=gitAdmins,OU=Groups,DC=example,DC=com": authorisation failed [Comparison no such attribute (adding to cache)][No such attribute]
[debug] mod_authnz_ldap.c(997): [9612] auth_ldap authorise: authorisation denied
[debug] src/mod_auth_kerb.c(1939): [client 192.168.0.10] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1278): [client 192.168.0.10] Acquiring creds for HTTP <at> gerrit
[debug] src/mod_auth_kerb.c(1691): [client 192.168.0.10] Verifying client data using KRB5 GSS-API
[debug] src/mod_auth_kerb.c(1707): [client 192.168.0.10] Client didn't delegate us their credential
[debug] src/mod_auth_kerb.c(1726): [client 192.168.0.10] GSS-API token of length 163 bytes will be sent back
[debug] mod_authnz_ldap.c(709): [client 192.168.0.10] ldap authorize: Creating LDAP req structure
[debug] mod_authnz_ldap.c(845): [9612] auth_ldap authorise: require group: testing for member: CN=Test User,CN=Users,DC=example,DC=com (CN=Gitweb-test,OU=Groups,DC=example,DC=com)
[debug] mod_authnz_ldap.c(845): [9612] auth_ldap authorise: require group: testing for uniquemember: CN=Test User,CN=Users,DC=example,DC=com (CN=Gitweb-test,OU=Groups,DC=example,DC=com)
[debug] mod_authnz_ldap.c(839): [9612] auth_ldap authorise: require group: testing for group membership in "CN=gitAdmins,OU=Groups,DC=example,DC=com"
[debug] mod_authnz_ldap.c(845): [9612] auth_ldap authorise: require group: testing for member: CN=Test User,CN=Users,DC=example,DC=com (CN=gitAdmins,OU=Groups,DC=example,DC=com)
[debug] mod_authnz_ldap.c(861): [9612] auth_ldap authorise: require group "CN=gitAdmins,OU=Groups,DC=example,DC=com": authorisation failed [Comparison false (cached)][Compare False]
[debug] mod_authnz_ldap.c(845): [9612] auth_ldap authorise: require group: testing for uniquemember: CN=Test User,CN=Users,DC=example,DC=com (CN=gitAdmins,OU=Groups,DC=example,DC=com)
[debug] mod_authnz_ldap.c(861): [9612] auth_ldap authorise: require group "CN=gitAdmins,OU=Groups,DC=example,DC=com": authorisation failed [Comparison no such attribute (cached)][No such attribute]
[debug] mod_authnz_ldap.c(997): [9612] auth_ldap authorise: authorisation denied
[debug] src/mod_auth_kerb.c(1939): [client 192.168.0.10] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1278): [client 192.168.0.10] Acquiring creds for HTTP <at> gerrit
[debug] src/mod_auth_kerb.c(1691): [client 192.168.0.10] Verifying client data using KRB5 GSS-API
[debug] src/mod_auth_kerb.c(1707): [client 192.168.0.10] Client didn't delegate us their credential
[debug] src/mod_auth_kerb.c(1726): [client 192.168.0.10] GSS-API token of length 92 bytes will be sent back
[debug] src/mod_auth_kerb.c(1138): [client 192.168.0.10] GSS-API major_status:01020000, minor_status:00000000
[error] [client 192.168.0.10] gss_display_name() failed: A required input parameter could not be read: An invalid name was supplied (, Unknown error)
[debug] src/mod_auth_kerb.c(1939): [client 192.168.0.10] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1278): [client 192.168.0.10] Acquiring creds for HTTP <at> gerrit
[debug] src/mod_auth_kerb.c(1691): [client 192.168.0.10] Verifying client data using KRB5 GSS-API
[debug] src/mod_auth_kerb.c(1707): [client 192.168.0.10] Client didn't delegate us their credential
[debug] src/mod_auth_kerb.c(1726): [client 192.168.0.10] GSS-API token of length 92 bytes will be sent back
[debug] src/mod_auth_kerb.c(1138): [client 192.168.0.10] GSS-API major_status:01020000, minor_status:00000000
[error] [client 192.168.0.10] gss_display_name() failed: A required input parameter could not be read: An invalid name was supplied (, Unknown error)
David Perry | 22 Oct 2012 12:47

Compiling error - no Kerberos environment found

Hi

I'm trying to build the module to use with Shibboleth single signon, on a SLES 10 SP4 server. Following the
instructions I use the following command:
./configure --with-krb5=/usr/bin --without-krb4 --with-apache=/usr/sbin

And with all the compilers installed I get this error:
configure: error: No Kerberos enviroment found

The Kerberos client has been installed using the package manager - krb5, krb5-32bit, krb5-client, yast2-kerberos-client.

Am I missing anything?

Thanks.

David Perry
eLearning Technologist, eLearning Team (L34 - Library)
Hull College Group
Wilberforce Drive, Queen's Gardens, Hull
HU1 3DG
Extension 2230 / Direct Dial 01482 381930


KAPP Arnaud | 28 Sep 2012 00:22

Prevauth and KRB5CCNAME not set

Hello,

I'm new to using mod_auth_kerb and I need your help to solve my problem. I run it with apache2 on a debian wheezy box.
My problem is that KRB5CCNAME environment variable is not always set.
I'm using mod_auth_kerb with this configuration:

    KrbServiceName Any
    KrbAuthRealms BOAP.NET
    KrbMethodNegotiate off
    KrbMethodK5Passwd on
    KrbSaveCredentials on
    Krb5Keytab /etc/apache2.keytab

and I have Apache rewriting the URL to a shell script:

#!/bin/sh
# Output HTML header
echo Content-type: text/plain
echo

# $REMOTE_USER should be set by httpd
if [ -z "$REMOTE_USER" ]; then
    echo '$REMOTE_USER not set.'
    exit 1
fi

if [ -z "$KRB5CCNAME" ]; then
    echo 'Kerberos credential cache name $KRB5CCNAME does not exist.'
    sleep 10
    exit 1
fi

While REMOTE_USER is always set, the Kerberos credential cache is not. It happens after a previous successful request.
Here is what Apache's log says:
[Fri Sep 28 00:04:47 2012] [debug] src/mod_auth_kerb.c(1641): [client 212.198.207.84] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Sep 28 00:04:47 2012] [debug] src/mod_auth_kerb.c(1579): [client 212.198.207.84] matched previous auth request

I noticed a bug report - https://sourceforge.net/tracker/?func=detail&aid=3540118&group_id=51775&atid=464524 - was opened about this.
Is there something I am missing in the configuration or should this be fixed in code?

The bug reporter asks if the code about prevauth could be removed. Since this bug is 2 months old I am asking here: should I try to patch the mod and remove prevauth or is there something else to do?

Thanks,
Xaqq

Rasanth | 21 Sep 2012 13:28

src/mod_auth_kerb.c(1628):kerb_authenticate_user entered with user (NULL) and auth_type Kerberos

Hi,
I get the following error while trying to login to the apache server.

[Fri Sep 21 16:27:01 2012] [debug] src/mod_auth_kerb.c(1628): [client 10.11.18.90] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Sep 21 16:27:01 2012] [debug] mod_deflate.c(615): [client 10.11.18.90] Zlib: Compressed 478 to 323 : URL /

==> /var/log/apache2/access.log <==
10.11.18.90 - - [21/Sep/2012:16:27:01 +0530] "GET / HTTP/1.1" 401 695 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:15.0) Gecko/20100101 Firefox/15.0.1"

==> /var/log/apache2/error.log <==
[Fri Sep 21 16:27:04 2012] [debug] src/mod_auth_kerb.c(1628): [client 10.11.18.90] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Sep 21 16:27:04 2012] [debug] src/mod_auth_kerb.c(1240): [client 10.11.18.90] Acquiring creds for HTTP <at> example.com
[Fri Sep 21 16:27:04 2012] [debug] src/mod_auth_kerb.c(1101): [client 10.11.18.90] GSS-API major_status:000d0000, minor_status:000186a4
[Fri Sep 21 16:27:04 2012] [error] [client 10.11.18.90] gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, )
[Fri Sep 21 16:27:04 2012] [debug] mod_deflate.c(615): [client 10.11.18.90] Zlib: Compressed 616 to 378 : URL /

==> /var/log/apache2/access.log <==
10.11.18.90 - - [21/Sep/2012:16:27:04 +0530] "GET / HTTP/1.1" 500 635 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:15.0) Gecko/20100101 Firefox/15.0.1"

Below is the list of principals:

kadmin:  listprincs
HTTP/example.com <at> EXAMPLE.COM
K/M <at> EXAMPLE.COM
admin/admin <at> EXAMPLE.COM
admin <at> EXAMPLE.COM
cuda <at> EXAMPLE.COM
host/example.com <at> EXAMPLE.COM
kadmin/admin <at> EXAMPLE.COM
kadmin/changepw <at> EXAMPLE.COM
krbtgt/EXAMPLE.COM <at> EXAMPLE.COM
rkandoth/admin <at> EXAMPLE.COM
rkandoth <at> EXAMPLE.COM
root/admin <at> EXAMPLE.COM
root <at> EXAMPLE.COM

From my desktop I can do kinit successfully.

rkandoth <at> rasanth:~/Downloads$ klist
Ticket cache: FILE:/tmp/krb5cc_1020
Default principal: rkandoth <at> EXAMPLE.COM

Valid starting     Expires            Service principal
09/21/12 16:37:12  09/22/12 16:37:12  krbtgt/EXAMPLE.COM <at> EXAMPLE.COM

Below is the keytab used by Apache:
ktutil:  rkt /etc/apache2/http.keytab 
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3             HTTP/example.com <at> EXAMPLE.COM
   2    3             HTTP/example.com <at> EXAMPLE.COM
   3    3             HTTP/example.com <at> EXAMPLE.COM
   4    3             HTTP/example.com <at> EXAMPLE.COM
   5    3             host/example.com <at> EXAMPLE.COM
   6    3             host/example.com <at> EXAMPLE.COM
   7    3             host/example.com <at> EXAMPLE.COM
   8    3             host/example.com <at> EXAMPLE.COM
ktutil:  

The krb5.conf on my desktop where I run kinit/Firefox is:

[logging]
        default = FILE:/var/log/krb5.log

[libdefaults]
        default_realm = EXAMPLE.COM
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        EXAMPLE.COM = {
                kdc = kdc1.example.com
                admin_server = kdc1.example.com
        }

[domain_realm]
        .kdc1.example.local = EXAMPLE.COM
        kdc1.example.local = EXAMPLE.COM
        .kdc1.server = EXAMPLE.COM
        .example.com = EXAMPLE.COM

The Wireshark capture is below:
No.     Time        Source                Destination           Protocol Info
    138 15.856456   10.11.18.90           10.11.19.125          KRB5     TGS-REQ

Frame 138 (732 bytes on wire, 732 bytes captured)
Ethernet II, Src: CnetTech_97:85:52 (00:08:a1:97:85:52), Dst: D-Link_29:e7:02 (00:22:b0:29:e7:02)
Internet Protocol, Src: 10.11.18.90 (10.11.18.90), Dst: 10.11.19.125 (10.11.19.125)
User Datagram Protocol, Src Port: 46710 (46710), Dst Port: kerberos (88)
Kerberos TGS-REQ
    Pvno: 5
    MSG Type: TGS-REQ (12)
    padata: PA-TGS-REQ
        Type: PA-TGS-REQ (1)
            Value: 6E82021C30820218A003020105A10302010EA20703050000... AP-REQ
    KDC_REQ_BODY

No.     Time        Source                Destination           Protocol Info
    139 15.859127   10.11.19.125          10.11.18.90           KRB5     KRB Error: KRB5KRB_ERR_GENERIC

Frame 139 (207 bytes on wire, 207 bytes captured)
Ethernet II, Src: D-Link_29:e7:02 (00:22:b0:29:e7:02), Dst: CnetTech_97:85:52 (00:08:a1:97:85:52)
Internet Protocol, Src: 10.11.19.125 (10.11.19.125), Dst: 10.11.18.90 (10.11.18.90)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 46710 (46710)
Kerberos KRB-ERROR
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    ctime: 2012-09-21 10:53:08 (UTC)
    stime: 2012-09-21 10:53:08 (UTC)
    susec: 449052
    error_code: KRB5KRB_ERR_GENERIC (60)
    Client Realm: EXAMPLE.COM
    Client Name (Principal): rkandoth
    Realm: EXAMPLE.COM
    Server Name (Service and Host): HTTP/example.com
    e-text: NO PREAUTH

No.     Time        Source                Destination           Protocol Info
    147 16.347658   10.11.18.90           10.11.19.125          KRB5     TGS-REQ

Frame 147 (726 bytes on wire, 726 bytes captured)
Ethernet II, Src: CnetTech_97:85:52 (00:08:a1:97:85:52), Dst: D-Link_29:e7:02 (00:22:b0:29:e7:02)
Internet Protocol, Src: 10.11.18.90 (10.11.18.90), Dst: 10.11.19.125 (10.11.19.125)
User Datagram Protocol, Src Port: 38478 (38478), Dst Port: kerberos (88)
Kerberos TGS-REQ
    Pvno: 5
    MSG Type: TGS-REQ (12)
    padata: PA-TGS-REQ
        Type: PA-TGS-REQ (1)
            Value: 6E82021C30820218A003020105A10302010EA20703050000... AP-REQ
    KDC_REQ_BODY

No.     Time        Source                Destination           Protocol Info
    148 16.350199   10.11.19.125          10.11.18.90           KRB5     KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN

Frame 148 (205 bytes on wire, 205 bytes captured)
Ethernet II, Src: D-Link_29:e7:02 (00:22:b0:29:e7:02), Dst: CnetTech_97:85:52 (00:08:a1:97:85:52)
Internet Protocol, Src: 10.11.19.125 (10.11.19.125), Dst: 10.11.18.90 (10.11.18.90)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 38478 (38478)
Kerberos KRB-ERROR
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    ctime: 2012-09-21 10:53:08 (UTC)
    stime: 2012-09-21 10:53:08 (UTC)
    susec: 940127
    error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
    Client Realm: EXAMPLE.COM
    Client Name (Principal): rkandoth
    Realm: EXAMPLE.COM
    Server Name (Service and Instance): krbtgt/COM
    e-text: UNKNOWN_SERVER

What could be going wrong here? Any help is highly appreciated.

Thanks.

Mauricio Tavares | 17 Sep 2012 16:05

No SPNEGO available during compilation


Jason Foster | 12 Sep 2012 19:47

Segmentation Fault on OS X … trying to figure out log_rerror()

I've recently been seeing a lot of segfaults on OS X Mountain Lion:

> Exception Type:  EXC_CRASH (SIGSEGV)
> Exception Codes: 0x0000000000000000, 0x0000000000000000
> 
> Thread 0:: Dispatch queue: com.apple.main-thread
> 0   libsystem_c.dylib                   0x00007fff91a85690 strlen + 16
> 1   libsystem_c.dylib                   0x00007fff91b0ca8d __vfprintf + 4704
> 2   libsystem_c.dylib                   0x00007fff91b09e3e vsnprintf_l + 254
> 3   mod_auth_kerb.so                    0x0000000110f70602 log_rerror + 386
> 4   mod_auth_kerb.so                    0x0000000110f721d3 verify_krb5_user + 451
> 5   mod_auth_kerb.so                    0x0000000110f71885 authenticate_user_krb5pwd + 1477
> 6   mod_auth_kerb.so                    0x0000000110f70280 kerb_authenticate_user + 928
> 7   httpd                               0x000000010fda6a7d ap_run_check_user_id + 109
> 8   httpd                               0x000000010fda78a3 ap_process_request_internal + 963

I'm new to segfault debugging, but it seems kind of strange that the vsnprintf_l() chain would be
segfaulting.  Any suggestions for how to debug (and ideally eliminate) this error would be appreciated.

Thanks!

Jason
Mauricio Tavares | 27 Aug 2012 23:29

Cannot retrieve KRB5CCNAME if logged in with kerberos ticket

Quick-n-easy question: I have my apache virtual host configured to use
kerberos authentication:

        <Location />
                AuthType KerberosV5
                KrbAuthRealms DOMAIN.COM
                KrbServiceName HTTP
                Krb5Keytab /etc/apache2/krb5.keytab
                KrbMethodNegotiate on
                KrbMethodK5Passwd on
                KrbAuthoritative off
                KrbSaveCredentials on
                Require valid-user
        </Location>

And then I created the following test page:

<html>
<head>
        <title>PHP Test</title>
</head>
<body>
        <h1>PHP Kerberos Test</h1>
<?php
        echo "user = {$_SERVER['PHP_AUTH_USER']}<br/>";
        echo "REMOTE_USER={$_SERVER['REMOTE_USER']}<br/>";
        putenv("KRB5CCNAME={$_SERVER['KRB5CCNAME']}");
        echo "KRB5CCNAME={$_SERVER['KRB5CCNAME']}<br/>";

        exit();
?>
  </body>
</html>

And I have the mod_auth_kerb and php5 modules enabled in Apache. When I try to
connect to the above test page using a Kerberos ticket, I do see the
PHP_AUTH_USER and REMOTE_USER (which are the same). But I get nothing
in KRB5CCNAME. Now, if I destroy my Kerberos ticket and log in using a
Kerberos user/pw, at first I do get the filename associated with
KRB5CCNAME. But if I wait less than 15s to refresh the page, I get
nothing for KRB5CCNAME; if I wait more than 15s, I will get the
filename for KRB5CCNAME.

Does anyone know what I may be doing wrong?

Emmanuel Lesouef | 12 Jun 2012 11:39

No login possible with Windows2008r2

Hello,

I'm using the following Apache configuration and it works well with
Firefox 3 under Windows 2003:

AuthType Kerberos
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms CRBN.INTRA
Krb5KeyTab /etc/apache2/auth.keytab
KrbVerifyKDC On
KrbServiceName HTTP
require valid-user

I used msktutil to create the keytab file.

Now I would like to use newer Firefox and IE in Windows 2008r2.

It doesn't work and throws the following error in the Apache logs (debug
enabled):

[Tue Jun 12 11:32:46 2012] [debug] src/mod_auth_kerb.c(1420): [client 10.1.36.109] GSS-API token of length 9 bytes will be sent back
[Tue Jun 12 11:32:46 2012] [debug] src/mod_auth_kerb.c(1101): [client 10.1.36.109] GSS-API major_status:000d0000, minor_status:000186a3
[Tue Jun 12 11:32:46 2012] [error] [client 10.1.36.109] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, )

If I enable KrbMethodK5Passwd, Firefox displays a login/password box
and lets users in after they enter their credentials. No hope for IE 8.

Is there a workaround for this issue?

Thanks for your help.

-- 
Emmanuel Lesouef

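The "GSS-API major_status:xxxxxxxx" lines in this post and in the earlier ones (Kurt Maet, Cassiopeia, Will Saxon, Rasanth) pack the calling error, routine error and supplementary bits defined in RFC 2744 into one word. As an added example, not code from mod_auth_kerb or from any poster, this script decodes those words by name and pairs each with the "[error]" line that follows it; the input is three excerpts copied from the posts above, and all names in it are mine.

```python
import re

# GSS-API major status layout (RFC 2744, section 3.9.1): bits 31-24 calling
# error, bits 23-16 routine error, bits 15-0 supplementary information.
CALLING_ERRORS = {
    1: "GSS_S_CALL_INACCESSIBLE_READ",
    2: "GSS_S_CALL_INACCESSIBLE_WRITE",
    3: "GSS_S_CALL_BAD_STRUCTURE",
}
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
SUPPLEMENTARY_BITS = {
    0: "GSS_S_CONTINUE_NEEDED", 1: "GSS_S_DUPLICATE_TOKEN",
    2: "GSS_S_OLD_TOKEN", 3: "GSS_S_UNSEQ_TOKEN", 4: "GSS_S_GAP_TOKEN",
}

STATUS_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] GSS-API major_status:(?P<major>[0-9a-fA-F]{8}),"
    r" minor_status:(?P<minor>[0-9a-fA-F]{8})")
ERROR_RE = re.compile(r"\[error\] \[client [^\]]+\] (?P<message>.*)")


def decode_major_status(major):
    """Split a major status word into its named calling/routine/supplementary parts."""
    calling = (major >> 24) & 0xFF
    routine = (major >> 16) & 0xFF
    supplementary = major & 0xFFFF
    return {
        "calling": None if calling == 0 else CALLING_ERRORS.get(calling, "unknown(%d)" % calling),
        "routine": None if routine == 0 else ROUTINE_ERRORS.get(routine, "unknown(%d)" % routine),
        "supplementary": [name for bit, name in SUPPLEMENTARY_BITS.items()
                          if supplementary & (1 << bit)],
    }


def decode_log_line(line):
    """Decode one mod_auth_kerb 'GSS-API major_status' line; None for any other line."""
    m = STATUS_RE.search(line)
    if m is None:
        return None
    info = decode_major_status(int(m.group("major"), 16))
    info["client"] = m.group("client")
    # The minor status is mechanism-specific (MIT krb5 here). With GSS_S_FAILURE
    # ("Unspecified GSS failure") it is the only part that says what went wrong,
    # and only its text on the following [error] line is human-readable.
    info["minor"] = int(m.group("minor"), 16)
    return info


def triage(log_text):
    """Pair every major_status line with the first [error] line that follows it."""
    lines = log_text.splitlines()
    results = []
    for i, line in enumerate(lines):
        info = decode_log_line(line)
        if info is None:
            continue
        info["message"] = ""
        for later in lines[i + 1:]:
            m = ERROR_RE.search(later)
            if m is not None:
                info["message"] = m.group("message")
                break
        results.append(info)
    return results


# Excerpts copied from the posts on this page (Kurt Maet, Will Saxon, Rasanth).
SAMPLE_LOG = """\
[Sun Mar 24 16:41:11 2013] [debug] src/mod_auth_kerb.c(1101): [client 10.50.109.64] GSS-API major_status:00090000, minor_status:00000000
[Sun Mar 24 16:41:11 2013] [error] [client 10.50.109.64] gss_accept_sec_context() failed: Invalid token was supplied (, No error)
[debug] src/mod_auth_kerb.c(1138): [client 192.168.0.10] GSS-API major_status:01020000, minor_status:00000000
[error] [client 192.168.0.10] gss_display_name() failed: A required input parameter could not be read: An invalid name was supplied (, Unknown error)
[Fri Sep 21 16:27:04 2012] [debug] src/mod_auth_kerb.c(1101): [client 10.11.18.90] GSS-API major_status:000d0000, minor_status:000186a4
[Fri Sep 21 16:27:04 2012] [error] [client 10.11.18.90] gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, )
"""

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print("%-14s calling=%s routine=%s minor=0x%x\n    %s" % (
            entry["client"], entry["calling"], entry["routine"],
            entry["minor"], entry["message"]))
```

Reading the three samples this way: 00090000 is GSS_S_DEFECTIVE_TOKEN (the token was not one the Kerberos mechanism understands), 01020000 is GSS_S_CALL_INACCESSIBLE_READ plus GSS_S_BAD_NAME (gss_display_name() was handed an unusable name handle), and 000d0000 is GSS_S_FAILURE, where the minor code's text is the only useful information.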
