Achim Grolms | 4 Oct 21:38 2005

http://www.grolmsnet.de/kerbtut/

Update on <http://www.grolmsnet.de/kerbtut/>
"using mod_auth_kerb and Windows 2000/2003 as KDC":

Now the differences between Win2000 and Win2003 in kvno behavior are described.

BTW: Anyone out there with a working 
- Windows2003 as KDC 
- RC4 instead of DES
- and mod_auth_kerb setup?

Thank you,
Achim

Rob Sessink | 5 Oct 00:44 2005

http://www.grolmsnet.de/kerbtut/

Achim Grolms (achim <at> grolmsnet.de) wrote:
> BTW: Anyone out there with a working 
> - Windows2003 as KDC 
> - RC4 instead of DES
> - and mod_auth_kerb setup?
> 
No, I tried to use RC4 with negotiate on 2003, but I always get a DES 
ticket. I wanted to use it to pass the ticket to samba's smbclient. The 
only way I can get an RC4 ticket is to use Kerb5Passwd. (If someone has a 
setup for this please post it)

	Rob Sessink


Achim Grolms | 5 Oct 10:43 2005

http://www.grolmsnet.de/kerbtut/

On Wednesday 05 October 2005 00:44, Rob Sessink wrote:

> No, I tried to use RC4 with negotiate on 2003, but i always get a DES
> ticket. 

Strange.
What happens when using kgetcred (or kvno on MIT)?
If the account is not set to "DES only" I get an RC4 ticket
with a Heimdal client and W2003 KDC.
Does that happen to you too?

Thank you,
Achim

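The check Achim asks for above, written out as an added example that is not part of the thread: a small POSIX shell script that compares the service key the web server holds in its keytab against the service ticket a client actually receives, on both key version (kvno, the Win2000/Win2003 difference) and encryption type (the DES versus RC4 question). It assumes MIT Kerberos output formats ("klist -ekt", "kvno" and "klist -e"); the listings embedded below are constructed to mirror the thread (the page's keytab is kvno 1 with a single des-cbc-md5 key), not captured output, and Heimdal's ktutil prints a different layout.

```shell
#!/bin/sh
# Added example (not from the thread). Compares a keytab listing with the
# kvno and enctype of the service ticket the KDC issued. Formats assumed:
# MIT "klist -ekt", "kvno", "klist -e". All sample data is constructed.

PRINCIPAL='HTTP/gvepl100.test.epo@TEST.EPO'

# Constructed: the keytab as shown on the page, kvno 1, single DES key.
KEYTAB_DES='Keytab name: FILE:/etc/wolfi2.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 10/05/05 17:00:00 HTTP/gvepl100.test.epo@TEST.EPO (DES cbc mode with RSA-MD5)'

# Constructed: keytab re-exported after the KDC bumped the kvno, RC4 key.
KEYTAB_RC4='Keytab name: FILE:/etc/wolfi2.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 10/06/05 09:00:00 HTTP/gvepl100.test.epo@TEST.EPO (ArcFour with HMAC/md5)'

# Constructed: output of "kvno HTTP/gvepl100.test.epo" on a client.
KVNO_1='HTTP/gvepl100.test.epo@TEST.EPO: kvno = 1'
KVNO_2='HTTP/gvepl100.test.epo@TEST.EPO: kvno = 2'

# Constructed: "klist -e" after the kvno call; the ticket is RC4.
KLIST_RC4='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: test@TEST.EPO

Valid starting     Expires            Service principal
10/05/05 17:30:00  10/06/05 03:30:00  HTTP/gvepl100.test.epo@TEST.EPO
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5'

# Prints "kvno|enctype" for every keytab entry of the given principal.
keytab_entries() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $4 == p { e = $0; sub(/^[^(]*\(/, "", e); sub(/\)$/, "", e); print $1 "|" e }'
}

# Prints the kvno the KDC used for the service ticket ("kvno" output).
ticket_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == (p ":") { print $NF; exit }'
}

# Prints the ticket enctype, the second item of "Etype (skey, tkt)": that is
# the key type the service must hold, the session key type is irrelevant.
ticket_enctype() {
    printf '%s\n' "$1" | awk -v p="$2" '
        found && /Etype \(skey, tkt\):/ {
            s = $0; sub(/.*tkt\): /, "", s); n = split(s, a, ", "); print a[n]; exit
        }
        { found = ($NF == p) }'
}

# Prints OK, KVNO_MISMATCH, ENCTYPE_MISMATCH, NO_KEY or NO_TICKET and exits
# 0 only for OK. A kvno mismatch is reported first: until the keytab holds
# the key version the KDC uses, the enctype question does not arise.
check_service_key() {
    keytab=$1; kvno_out=$2; klist_out=$3; princ=$4
    tkvno=$(ticket_kvno "$kvno_out" "$princ")
    tetype=$(ticket_enctype "$klist_out" "$princ")
    if [ -z "$tkvno" ] || [ -z "$tetype" ]; then echo NO_TICKET; return 2; fi
    entries=$(keytab_entries "$keytab" "$princ")
    if [ -z "$entries" ]; then echo NO_KEY; return 2; fi
    status=$(printf '%s\n' "$entries" | awk -F '|' -v kv="$tkvno" -v et="$tetype" '
        $1 == kv && $2 == et { ok = 1 }
        $1 == kv { kvno_seen = 1 }
        END {
            if (ok) print "OK"; else if (!kvno_seen) print "KVNO_MISMATCH";
            else print "ENCTYPE_MISMATCH"
        }')
    echo "$status"
    [ "$status" = OK ]
}

# Stand-alone demonstration of the three situations discussed in the thread.
echo "keytab kvno 1/DES, ticket kvno 2/RC4: $(check_service_key "$KEYTAB_DES" "$KVNO_2" "$KLIST_RC4" "$PRINCIPAL")"
echo "keytab kvno 1/DES, ticket kvno 1/RC4: $(check_service_key "$KEYTAB_DES" "$KVNO_1" "$KLIST_RC4" "$PRINCIPAL")"
echo "keytab kvno 2/RC4, ticket kvno 2/RC4: $(check_service_key "$KEYTAB_RC4" "$KVNO_2" "$KLIST_RC4" "$PRINCIPAL")"
```

On a real host, replace the three constructed strings with `klist -ekt /etc/wolfi2.keytab`, `kvno HTTP/gvepl100.test.epo` and `klist -e` run as an ordinary domain user; a KVNO_MISMATCH after a password reset or re-export of the account is the Win2003 behaviour Achim's page describes, and an ENCTYPE_MISMATCH with a DES-only keytab is what Rob's setup would hit when the KDC issues RC4.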
Siarhei Baidun | 5 Oct 17:39 2005

Re: failed to authenticate using mod_auth_kerb for Apache

Hi again Everybody,
 
Second week I have been battling with the problem...
A lot of problems I have already solved on the way thanks to your advice.
 
Now I have done everything in compliance with the manual (http://www.grolmsnet.de/kerbtut/)
 
I have created a fresh domain account in the test domain (because I cannot use the production one), have mapped the principal to it, etc.
 
And I'm getting now the error (in the Apache's error_log file) :
 
--------------------- Apache's LOG
in case
KrbMethodK5Passwd on
KrbMethodNegotiate off
------------------------

[Wed Oct 05 17:20:07 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.154] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 05 17:20:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.154] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 05 17:20:12 2005] [debug] src/mod_auth_kerb.c(879): [client 10.3.103.154] kerb_authenticate_user_krb5pwd ret=0 user=TEST <at> TEST.EPO authtype=Basic
[Wed Oct 05 17:20:12 2005] [crit] [client 10.3.103.154] configuration error:  couldn't check access.  No groups file?: /

--------------------- Apache's LOG
in case
KrbMethodK5Passwd off
KrbMethodNegotiate on
 
------------------------

[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.194] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.194] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1023): [client 10.3.103.194] Acquiring creds for HTTP/gvepl100.test.epo <at> TEST.EPO
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1152): [client 10.3.103.194] Verifying client data using SPNEGO GSS-API
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1168): [client 10.3.103.194] Verification returned code 0
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1186): [client 10.3.103.194] GSS-API token of length 0 bytes will be sent back
[Wed Oct 05 17:33:12 2005] [crit] [client 10.3.103.194] configuration error:  couldn't check access.  No groups file?: /

What does it mean? Which groups file do I not have?

I would very, very much appreciate any help!
 
Below are my httpd.conf and krb5.conf
 
--
Thank you very much in advance,
Siarhei Baidun
 
 
------------------
krb5.conf
-----------------

[libdefaults]
default_realm = TEST.EPO

[domain_realm]
gvepl100.test.epo = TEST.EPO

[realms]
TEST.EPO = {
        admin_server = odessa.test.epo
        kdc = odessa.test.epo
}

----------------------------Apache's httpd.conf ----------------------------------

AuthType Kerberos
AuthName "Kerberos Login"
Krb5KeyTab /etc/wolfi2.keytab

KrbAuthRealms TEST.EPO

KrbMethodK5Passwd on
KrbMethodNegotiate off
KrbServiceName HTTP
require valid-user


------------------ result of "ktutil -k /etc/wolfi3.keytab list" command ------------------------------

Vno  Type         Principal
  1  des-cbc-md5  HTTP/gvepl100.test.epo <at> TEST.EPO


 


 
Henry B. Hotz | 5 Oct 18:16 2005

mod_auth_kerb combined with any ldap module?

Has anyone used mod_auth_kerb in combination with any ldap modules,  
e.g. mod_authz_ldap?  If so, any hints on configuration?
------------------------------------------------------------------------ 
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz <at> jpl.nasa.gov, or hbhotz <at> oxy.edu

Siarhei Baidun | 6 Oct 18:25 2005

Re: failed to authenticate using mod_auth_kerb for Apache

Hello Everybody,
 
Just little question.
 
Do I need to have the principal
 
HOST/gvepl100.test.epo <at> TEST.EPO for my web server machine or it is enough to have only
 
 
Because this issue is not described in the manual (http://www.grolmsnet.de/kerbtut/).
I'm constantly having the error: "configuration error:  couldn't check access.  No groups file?: /" 
 
And I just think that this error means that modauthkerb does not try to authorize a user with the KDC as the user database on the web server (in my case it is gvepl100.test.epo). Instead it tries to find some file as the user database. And the reason might be that I do not have the principal
 
HOST/gvepl100.test.epo <at> TEST.EPO for my web server, but only this one:
 
 
Is this the right suggestion?
 
--
Thanks,
Siarhei Baidun


 

Gary Rather | 6 Oct 23:24 2005

How to get the Remote User

After finally getting mod_auth_kerb to work in my environment:

Thank you, archive list, for all the help.

I now have a request being passed on to Tomcat.

I was expecting the RemoteUser to be populated.

But that is NULL.

I do have a ticket.

But at this point I do not know who made the request.

How do I get the remote user making this request from the Tomcat world?

Is this in the ticket? If so, how do I get it?

It is not in any other header in the request.

Maybe I need to ask for it; how do I get this info?

Thanks in advance

Gary Rather

Jari Ahonen | 10 Oct 10:46 2005

RE: Re: failed to authenticate using mod_auth_kerb for Apache

Siarhei,
 
The HTTP/fqdn <at> realm principal is enough, you don't need host/fqdn <at> realm.
 
The group file error you are getting has nothing to do with mod_auth_kerb. It's just
Apache's weird way of telling you that your authorization configuration is invalid.
Mod_auth_kerb does not do authorization, so you need to have another module
such as mod_auth configured to do that.
 
- Jari


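Jari's point in config form, as an added example that is not the poster's httpd.conf and not from the mod_auth_kerb project: the authentication stanza from the thread with the authorization module that evaluates "require valid-user" loaded beside it. It assumes Apache 2.0 with mod_auth_kerb 5.x; module paths, the /secure location and the keytab path are assumptions.

```apache
# Added example, not the poster's httpd.conf. Assumes Apache 2.0 and
# mod_auth_kerb 5.x; module paths and the keytab path are assumptions.

# mod_auth_kerb only establishes WHO the client is (authentication). It
# registers no authorization handler, so a "require" line needs another
# module to evaluate it. When none is loaded, Apache 2.0 logs exactly
#   configuration error:  couldn't check access.  No groups file?: /
# On 2.0 that module is mod_auth (skip the LoadModule if "httpd -l" shows
# mod_auth.c compiled in). On Apache 2.2 the equivalent line is
#   LoadModule authz_user_module modules/mod_authz_user.so
LoadModule auth_module      modules/mod_auth.so
LoadModule auth_kerb_module modules/mod_auth_kerb.so

<Location /secure>
    AuthType Kerberos
    AuthName "Kerberos Login"
    Krb5KeyTab /etc/wolfi2.keytab
    KrbAuthRealms TEST.EPO
    KrbServiceName HTTP

    # Negotiate: the browser presents a ticket for HTTP/<fqdn> via SPNEGO.
    KrbMethodNegotiate on
    # K5Passwd: the browser sends the password as HTTP Basic and Apache
    # performs an AS exchange with it. Keep it off, or serve over TLS only.
    KrbMethodK5Passwd off

    # Evaluated by mod_auth (2.0) or mod_authz_user (2.2), never by
    # mod_auth_kerb itself.
    require valid-user
</Location>
```

The two log excerpts in the thread already show mod_auth_kerb returning success (ret=0 for K5Passwd, "Verification returned code 0" for Negotiate) immediately before the crit line, which is the signature of this situation: authentication finished, then no module claimed the "require" check.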
Siarhei Baidun | 10 Oct 11:12 2005

Re: Re: failed to authenticate using mod_auth_kerb for Apache

Exactly!
Thank you very much for explanation.
I have noticed that mod_auth_kerb returned with OK but I experienced problems with the "no groups file" error.
When I launched mod_auth I managed to authorize against KDC!
 
--
Thanks,
Siarhei Baidun

 

Gary Rather | 10 Oct 19:22 2005

How To Pass Remote_user on to Tomcat

After finally getting mod_auth_kerb to work:

I found that when the request was sent to Tomcat, it still had no idea who the 
remote user was.

Who just got authenticated?

Apache knows. And in a CGI script the REMOTE_USER environment variable is set.

So, with a few rewrite commands, add a new header to the request.
Then Tomcat can look for that header.

I was not able to set the header so that getRemoteUser worked,
so I just added a new header.

Here is the code.

# Per-directory mod_rewrite (.htaccess, hence RewriteBase) runs after
# authentication, so REMOTE_USER is already populated at this point.
RewriteEngine on
RewriteBase /

# Copy REMOTE_USER into an environment variable, only when it is non-empty.
RewriteCond %{REMOTE_USER} !=""
RewriteRule .* - [E=E_USER:%{REMOTE_USER}]

# mod_headers reads that variable and adds it as a request header for Tomcat.
RequestHeader set my_new_header  %{E_USER}e

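Two ways to get the authenticated principal across to Tomcat, as an added example that is not Gary's configuration and not from the mod_auth_kerb project. The first uses AJP, which carries REMOTE_USER natively so getRemoteUser() works without a custom header; the second keeps Gary's rewrite-plus-header approach and adds the check a practitioner wants, stripping any client-supplied copy of the header before it can be trusted. It assumes Apache 2.2 with mod_proxy_ajp, mod_proxy_http, mod_rewrite and mod_headers; the ports, paths and the header name X-Remote-User are assumptions.

```apache
# Added example, not the poster's config. Assumes Apache 2.2 with
# mod_proxy_ajp, mod_proxy_http, mod_rewrite and mod_headers; ports, paths
# and the header name X-Remote-User are assumptions.

# Strip any X-Remote-User a client sent, in the early phase (post-read,
# before any <Location> applies), so nothing downstream can be handed a
# forged identity. This must sit at server or virtual host level.
RequestHeader unset X-Remote-User early

# 1) AJP. mod_proxy_ajp forwards REMOTE_USER inside the AJP request and,
#    with tomcatAuthentication="false" on the AJP <Connector> in Tomcat's
#    server.xml, request.getRemoteUser() returns the principal Apache
#    verified. No custom header is involved.
<Location /app>
    AuthType Kerberos
    AuthName "Kerberos Login"
    Krb5KeyTab /etc/wolfi2.keytab
    KrbAuthRealms TEST.EPO
    KrbServiceName HTTP
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    require valid-user
</Location>
ProxyPass        /app ajp://127.0.0.1:8009/app
ProxyPassReverse /app ajp://127.0.0.1:8009/app

# 2) Plain HTTP. A request header is the only carrier. Per-directory
#    rewrite runs in the fixup phase after authentication, so REMOTE_USER
#    is set here (it is empty in server context), and mod_headers runs
#    its fixup after mod_rewrite's, so E_USER is visible to RequestHeader.
#    env=E_USER keeps the header absent rather than "(null)" when no user
#    was authenticated.
<Location /app-http>
    AuthType Kerberos
    AuthName "Kerberos Login"
    Krb5KeyTab /etc/wolfi2.keytab
    KrbAuthRealms TEST.EPO
    KrbServiceName HTTP
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    require valid-user

    RewriteEngine on
    RewriteCond %{REMOTE_USER} !=""
    RewriteRule .* - [E=E_USER:%{REMOTE_USER}]
    RequestHeader set X-Remote-User %{E_USER}e env=E_USER
</Location>
ProxyPass        /app-http http://127.0.0.1:8080/app-http
ProxyPassReverse /app-http http://127.0.0.1:8080/app-http
```

With the header approach, Tomcat must also be reachable only from Apache (bind the connector to 127.0.0.1 or firewall it); a client that can talk to port 8080 directly can set X-Remote-User itself, and no Apache-side unset helps then. The value is the full principal, e.g. TEST <at> TEST.EPO as in Siarhei's log, so the application has to decide whether to keep or strip the realm.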