Brown, Chad S | 1 Mar 2005 21:49

5.0-rc6 build error

Solaris 9, and krb5-1.3

My configure is `./configure --with-apache=/somewhere --with-krb4=no --with-krb5=/somewhere`

Running `make` yields the following:

------------
ld: fatal: relocations remain against allocatable but non-writable sections
collect2: ld returned 1 exit status
apxs:Error: Command failed with rc=65536 .
make: *** [src/mod_auth_kerb.so] Error 1
------------

I’ve explicitly referenced the path to the krb5 install in the configure line, so I’m not sure why there seems to be a linker issue.

Thanks for any insight,

Chad Brown

Daniel Kouril | 2 Mar 2005 07:41

Re: RE: Modification to allow user to enter realm

On Mon, Feb 28, 2005 at 01:10:49PM -0500, Martin, Charles (IDS DCS) wrote:
> I removed the loop that went through the list in KrbAuthRealms because
> for the majority of users it works better in our environment to request
> that a user indicate a domain (realm).  I know this may seem hard to
> believe, but trust me on this one.

I believe you, however the loop doesn't prevent users from entering (and the
module from processing) the usernames that contain realm.

> I was asked to use the domain\account format.  That's that standard in
> our environment.

then your environment is nonstandard, I'm afraid :-) Is there anyone else on
the list who would like to have such functionality?

Daniel

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
Leonard.Jaffe | 2 Mar 2005 18:30

RE: RE: Modification to allow user to enter realm

Are the patches too extensive to make these mods a compile time choice?

-DWIN_DOMAIN_ACCT_FORMAT

Len.

-----Original Message-----
From: modauthkerb-help-admin <at> lists.sourceforge.net
[mailto:modauthkerb-help-admin <at> lists.sourceforge.net]On Behalf Of Daniel
Kouril
Sent: Wednesday, March 02, 2005 1:41 AM
To: Martin, Charles (IDS DCS)
Cc: Daniel Kouril; modauthkerb-help <at> lists.sourceforge.net
Subject: Re: [modauthkerb] RE: Modification to allow user to enter realm

On Mon, Feb 28, 2005 at 01:10:49PM -0500, Martin, Charles (IDS DCS) wrote:
[ deletia - I hope the attributions are still correct...]

> I was asked to use the domain\account format.  That's that standard in
> our environment.

then your environment is nonstandard, I'm afraid :-) Is there anyone else on
the list who would like to have such functionality?
___________________________________________________________________
The information contained in this message and any attachment may be
proprietary, confidential, and privileged or subject to the work
product doctrine and thus protected from disclosure.  If the reader
of this message is not the intended recipient, or an employee or
agent responsible for delivering this message to the intended
recipient, you are hereby notified that any dissemination,
distribution or copying of this communication is strictly prohibited.
If you have received this communication in error, please notify me
immediately by replying to this message and deleting it and all
copies and backups thereof.  Thank you.

Daniel Kouril | 3 Mar 2005 08:55

Re: RE: Modification to allow user to enter realm

On Wed, Mar 02, 2005 at 12:30:50PM -0500, Leonard.Jaffe <at> VerizonWireless.com wrote:
> Are the patches too extensive to make these mods a compile time choice?

they certainly aren't (provided I would leave the loop over the realm list
unchanged), but any such #define complicates the code and I don't like
introducing it.  However, I'm ready to consider adding support for it if more
people ask for such functionality (i.e. allowing usernames to be accepted
in the NetBIOS format - \\domain\username).

Daniel

Jari Ahonen | 3 Mar 2005 09:49

RE: RE: Modification to allow user to enter realm

> then your environment is nonstandard, I'm afraid :-) Is there anyone else on
> the list who would like to have such functionality?

I think I could use the Windows naming syntax functionality.
However, I already have a solution that works well in our
environment so I don't absolutely need it.

Adding the Windows naming could most simply be done by adding
a function that converts from Windows to Kerberos name format
and then adding a call to that function in the appropriate
place in authenticate_user_krb5pwd().

For those who are wondering how I have done it, I am using
mod_auth_kerb only to process Negotiate, and Basic is handled
with mod_auth_ldap against Active Directory. With this
configuration users only enter their userid (without domain),
and the userids must be unique across all domains in the AD forest.

The above just got a lot easier when I got my changes checked
into Apache 2.0.53. Now there is no need to modify so much of the
Apache code to make this work.

- Jari
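
The conversion function Jari describes above, for the NetBIOS-style names Daniel mentions, as an added example that is not mod_auth_kerb code or either poster's patch. It assumes the Kerberos realm is simply the upper-cased NetBIOS domain name, and the function names windows_to_krb5_name and maps_to are hypothetical.

```c
/* Added example, not mod_auth_kerb code: turn a Windows-style login such as
 * "DOMAIN\user" or "\\DOMAIN\user" into the user@REALM form a Kerberos
 * password check needs; "user" and "user@REALM" pass through unchanged.
 * Assumption: the realm is the upper-cased NetBIOS domain name (a real
 * forest may need a lookup table here instead). */
#include <ctype.h>
#include <string.h>

/* Returns 0 and fills out on success, -1 if name is malformed or too long. */
int windows_to_krb5_name(const char *name, char *out, size_t outlen)
{
    const char *p = name, *sep, *user;
    size_t dlen, ulen, i;

    if (name == NULL || out == NULL || outlen == 0)
        return -1;
    if (p[0] == '\\' && p[1] == '\\')       /* UNC-style "\\DOMAIN\user" */
        p += 2;
    sep = strchr(p, '\\');
    if (sep == NULL) {                      /* no domain part at all */
        /* A "\\" prefix without a separator is malformed; otherwise copy. */
        if (p != name || *p == '\0' || strlen(p) + 1 > outlen)
            return -1;
        memcpy(out, p, strlen(p) + 1);
        return 0;
    }
    user = sep + 1;
    dlen = (size_t)(sep - p);
    ulen = strlen(user);
    /* Reject empty parts, a second '\', or any '@': "DOMAIN\user@X" would
     * name two realms at once, so refuse rather than guess. */
    if (dlen == 0 || ulen == 0 || strchr(user, '\\') || strchr(p, '@'))
        return -1;
    if (ulen + 1 + dlen + 1 > outlen)       /* user + '@' + DOMAIN + NUL */
        return -1;
    memcpy(out, user, ulen);
    out[ulen] = '@';
    for (i = 0; i < dlen; i++)              /* Kerberos realms are upper-case */
        out[ulen + 1 + i] = (char)toupper((unsigned char)p[i]);
    out[ulen + 1 + dlen] = '\0';
    return 0;
}

/* Self-check helper: does name normalise to expected (NULL = must be rejected)? */
int maps_to(const char *name, const char *expected)
{
    char buf[64];
    int rc = windows_to_krb5_name(name, buf, sizeof buf);
    return expected ? rc == 0 && strcmp(buf, expected) == 0 : rc == -1;
}
```

Rejecting rather than guessing on ambiguous input matters here because the result is handed to the password check as a principal name.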

Leonard.Jaffe | 3 Mar 2005 14:23

RE: RE: Modification to allow user to enter realm

There are a few edits below.  I think the attributions are still correct.

> -----Original Message-----
> From: Daniel Kouril [mailto:kouril <at> ics.muni.cz]
> Sent: Thursday, March 03, 2005 2:55 AM
> Cc: modauthkerb-help <at> lists.sourceforge.net
> Subject: Re: [modauthkerb] RE: Modification to allow user to enter realm
>
> On Wed, Mar 02, 2005 at 12:30:50PM -0500,
> Leonard.Jaffe <at> VerizonWireless.com wrote:
> > Are the patches too extensive to make these mods a compile time choice?
> they certainly aren't

> but any such #define complicates the code and I don't like
> introducing it.
Understood.  I agree completely.
I think I'll make a "slippery slope" reference here.
There. That feels right.

Len.
Leonard.Jaffe | 3 Mar 2005 14:30

HPUX update

Some of you may remember that I asked about everybody's experience
with mod_auth_kerb on HPUX.

The list's response was "Good luck, mate. Let us know how it goes." :-)

Well I'm back to report that I finally got the module compiled.  I am now
patiently waiting for an admin to return from vacation so I can get a few
keytabs exported from Active Directory so I can get kerberos configured,
and try it all together.

Once I actually have it all working, I'll perform the forensics on how I
managed to get it built.

I'm sure I'll be asking some configuration questions before too long.

Len.

--
Len Jaffe                   Leonard.Jaffe <at> verizonwireless.com        
Verizon Wireless                                       614-560-8893
Dublin, OH, USA
Jari Ahonen | 3 Mar 2005 15:25

Apache 2.0.53 trouble

Hi,

Has anyone else seen problems getting mod_auth_kerb built with Apache 2.0.53?

For me everything worked with previous 2.0.x versions but somehow the 2.0.53 libtool
fails to link mod_auth_kerb. I can still build with Apache 2.0.50 and 2.0.52 on the same
system so it's likely that something in Apache itself has changed triggering this problem.

This happens on a Solaris 8 system with GCC 3.3.2.

- Jari

Jim W. Weller | 4 Mar 2005 18:18

configure tips, ip as hostname, kinit, kvno, and forwarding

SuSE 9.2
Linux linux01 2.6.8-24.11-smp #1 SMP Fri Jan 14 13:01:26 UTC 2005 i686 i686 i386 GNU/Linux
gcc version 3.3.4 (pre 3.3.5 20040809)
Apache/2.0.50 with LogLevel debug
Heimdal libkrb5.so.17.3.0
mod_auth_kerb 5rc6
kdc is windows 2003
test workstations are w2k and wXP

This module has a lot of promise. Even at its barest functionality it's
a silver bullet. Thank you. I wanted to give feedback. Plus, I have a
number of questions I couldn't answer reading the archives.

1) Autoconf
The configure script was totally confused on my system. SuSE puts the
heimdal libraries and includes in /usr/lib and /usr/include/heimdal
respectively. The --with-krb5 option falls apart on that because it
expects them to be together in a directory. Suggest also adding
--with-krb5-include and --with-krb5-lib. I'll bet Red Hat uses this same
file layout.

The only way I could get the configure script to successfully compile
tests was by articulately setting the gcc environment. I especially had
to pay credence to the KRB5_ enviro variables.

KRB5_CFLAGS="-I/usr/include/heimdal -DHEIMDAL -DHAVE_KRB5_CC_GEN_NEW"
CFLAGS=$KRB5_CFLAGS KRB5_LDFLAGS="-lkrb5 -lgssapi" LDFLAGS=$KRB5_LDFLAGS
APXS=/usr/sbin/apxs2 KRB5_CPPFLAGS=$KRB5_CFLAGS ./configure
--with-krb5=yes --with-krb4=no

Initially, the script failed to detect any kerberos. I first got it
compiled without any flags by messing with the configure script. It
skipped code b/c DEFINES and my apache config was broken. Next, I added
CFLAGS to configure but it didn't link with kerberos or gssapi libs. The
.so was throwing weird errors at run time. Finally, I compiled with
the version above and have trivial tests working.

2) My first question is about ips/dns for ServerNames. I got *very*
strange behavior when I was using just a raw ip as the ServerName.
Eventually, the principal would get mangled to
HTTP/137.229.157.22@229.157.22. Notice it made the ip into a domain? Why
does that override my Krb5AuthRealms? I made a dns name and re-issued
the HTTP keytab and the domain mangling works correctly now. I added
some extra debugging output and it seems like it is gss_ that is
mangling the name, not mod_auth_kerb or ap_anything.

3) Next, I want to validate my understanding of kiniting the HTTP
principal. I'm not a kerberos guru. That kinit with the HTTP keytab is
just a test, right? I do not first need to kinit the HTTP principal
before serving pages, right?

4) Then, I want to get into the weeds about negotiating authentication.
I initially have it working in both mozilla and internet explorer. I had
to futz a bit with ktpass on w2k3s. I eventually got it working using
all the browser tricks listed in the instructions and on this list. Then,
I went to go have a colleague try it and they didn't get negotiated.
They were forced to do basic user/pass auth. I came back to my
workstation and it was still working. Then, we tried another workstation
and negotiate failed.

The issue seems to be with the kvno. The record can't be found in the
keytab because the kvno that is coming from the authentication doesn't
match the kvno I generated. I verified this by generating a keytab using
-kvno to make the kvno match what my error_log was saying about my
colleague's auth. I put in the new keytab, and blamh, he can negotiate
right in.

What are people's thoughts about this? Am I just missing something
glaringly obvious about kerberos or windows? What changes the kvno?

5) Krb5Forwarding. Could someone help me understand where I might want
this? Is it credential forwarding? E.g., does signing on to the first webserver get
me onto the second if forwarding is on in the first?

Thank You,
Jim Weller
Software Engineer
Information Technology Services
University of Alaska Anchorage
o: (907) 786-4656
e: jim.weller <at> uaa.alaska.edu
w: http://technology.uaa.alaska.edu 

Brown, Chad S | 7 Mar 2005 23:44

apache seg fault when password incorrect

I’m using Apache 2.0.53 and MIT Krb5-1.4 (although I’ve tried the Solaris Krb, and MIT Krb-1.3.x with the same result) on Solaris 9:

My configure is:

    ./configure --with-apache=/usr/local/apache2 --with-krb4=no --with-krb5=/mykrb/install

The module builds and loads fine, and when the user enters the password correctly all is well.  But when the user enters an incorrect password, Apache seg faults with this in the error_log:

[Mon Mar 07 17:32:24 2005] [error] [client x.x.x.x] krb5_get_init_creds_password() failed: Decrypt integrity check failed
[Mon Mar 07 17:32:24 2005] [error] [client x.x.x.x] krb5_get_init_creds_password() failed: Decrypt integrity check failed
[Mon Mar 07 17:32:25 2005] [notice] child pid 14365 exit signal Segmentation fault (11)
[Mon Mar 07 17:32:25 2005] [notice] child pid 14366 exit signal Segmentation fault (11)

BTW, all of this testing is with KrbVerifyKDC set to ‘off’ as I seem to also be having trouble with my keytab for some reason.

I am not a Kerberos expert, nor an Apache one.  I’ve tried everything that I know how to do to figure out the problem, but I am at a loss.  If you have any suggestions for me I would greatly appreciate it.

Thanks so much,

Chad Brown
