Steven McCoy | 2 Nov 2005 09:13

multi-realm support using incorrect domain?

NB: Using 5.0-r6

I have a webserver with two domains, e.g. apple.com and orange.com,
and multiple vhosts, e.g. admin.apple.com, www.apple.com,
wiki.orange.com, and www.orange.com.  I have setup mod_auth_kerb with
spnego for single signon in windows via gss api for one realm
APPLE.COM.  The steps I have taken include:

*)  Disable sspi in Firefox.
*)  set delegated and trusted uris in Firefox.
*)  Configured MIT Kerberos on Windows to use APPLE.COM for .apple.com
and .orange.com.
*)  Configure /etc/krb5.conf on the webhost to use APPLE.COM as above.

However what I see is that the setting in krb5.conf defines the realm
of the principal, e.g.

  HTTP/www.apple.com <at> APPLE.COM

The HTTP service name can be overridden but to no useful purpose with
KrbServiceName.  But the webserver's short hostname and vhost's domain
name is used, not the webserver's FQDN, so when logging into
wiki.orange.com I see the following:

  HTTP/www.orange.com <at> APPLE.COM

However mod_auth_kerb is expecting the domain apple to authenticate
the request not orange.  To work around this I simply copy the keytab
to a new file,


Jari Ahonen | 2 Nov 2005 10:06

RE: multi-realm support using incorrect domain?


MIT Kerberos always tries to find out what your "real" hostname is.

In practice this means that anything on one host ends up using the
same Kerberos principal.

This behavior depends a bit on what kind of principals are used but
as a general rule a host can only have one name.

- Jari

> -----Original Message-----
> From: modauthkerb-help-admin <at> lists.sourceforge.net 
> [mailto:modauthkerb-help-admin <at> lists.sourceforge.net] On 
> Behalf Of Steven McCoy
> Sent: 02 November 2005 09:14
> To: modauthkerb-help <at> lists.sourceforge.net
> Subject: [modauthkerb] multi-realm support using incorrect domain?
> 
> NB: Using 5.0-r6
> 
> I have a webserver with two domains, e.g. apple.com and orange.com,
> and multiple vhosts, e.g. admin.apple.com, www.apple.com,
> wiki.orange.com, and www.orange.com.  I have setup mod_auth_kerb with
> spnego for single signon in windows via gss api for one realm
> APPLE.COM.  The steps I have taken include:
> 
> *)  Disable sspi in Firefox.
> *)  set delegated and trusted uris in Firefox.
> *)  Configured MIT Kerberos on Windows to use APPLE.COM for .apple.com

Sergey Koulik | 3 Nov 2005 05:13

NTLM vs Kerberos again

Hi all,

I have examined mail archive. But I still don't see correct solution.
I want to force my windows clients to use Kerberos authentication instead of NTLM when contacting web server kerberized with mod_auth_kerb. I use MIT kerberos KDC located at linux machine. My windows XP machine is not connected to any domain.
Did anyone get it to work?
Does anyone have step-by-step documentation on how to configure MIT KDC, mod_auth_kerb and clients to use Kerberos instead of NTLM?

--
Sincerely,
Sergey Koulik

Steven McCoy | 3 Nov 2005 08:18

Re: multi-realm support using incorrect domain?

Continuing the inconsistency if I now have only two domains in the keytab:

  HTTP/www.orange.com <at> APPLE.COM
  HTTP/www.apple.com <at> APPLE.COM

With orange being a copy of apple, I cannot do Apache side Kerberos
authentication, only SPNEGO.  It appears mod_auth_kerb wants the vhost
name for each principal, i.e.

  HTTP/www.orange.com <at> APPLE.COM
  HTTP/wiki.orange.com <at> APPLE.COM
  etc ...

From your statement mod_auth_kerb should completely ignore the
vhost name, but here it would appear it does not?

Sergey:

In Firefox 1.5 set the following about:config parameter:

    network.auth.use-sspi        false

For Internet Explorer I believe you have to set up an AD / Windows
domain, create a trusted link between that and your Kerberos domain
with KSETUP.EXE and then you can login to the Kerberos domain via AD:

http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

--
Steve-o

On 11/2/05, Jari Ahonen <jah <at> progress.com> wrote:
>
> MIT Kerberos always tries to find out what your "real" hostname is.
>
> In practice this means that anything on one host ends up using the
> same Kerberos principal.
>
> This behavior depends a bit on what kind of principals are used but
> as a general rule a host can only have one name.

-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
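Steven's two posts above turn on one check an administrator wants to make before debugging further: for each vhost name, which realm does the krb5.conf [domain_realm] section map it to, what HTTP/<vhost>@<REALM> principal results, and is that principal actually in the keytab. The script below is an added example written for this thread; it is not code from mod_auth_kerb or from any poster. It assumes, as Steven observes, that the principal looked up is built from the vhost name (the point Jari questions), and the vhost list, mapping and klist listing are constructed to mirror the setup described in the thread.

```python
"""Check which HTTP/<vhost>@<REALM> entries a mod_auth_kerb keytab needs.

Added example for this thread, not code from mod_auth_kerb or from any
poster.  It maps each vhost name to a realm the way krb5 walks the
[domain_realm] section, builds the service principal mod_auth_kerb would
look for, and reports the vhosts that have no matching keytab entry in a
'klist -k' listing.  The vhost list, mapping and listing are constructed.
"""

# Constructed [domain_realm] mapping (dict form of the krb5.conf section).
# A ".domain" key matches every host under that domain; a bare host name
# key matches only that host, as in krb5.conf.
DOMAIN_REALM = {
    ".apple.com": "APPLE.COM",
    ".orange.com": "APPLE.COM",  # both domains deliberately map to one realm
}

# Constructed vhost list taken from the first post.
VHOSTS = ["admin.apple.com", "www.apple.com", "wiki.orange.com", "www.orange.com"]

# Constructed 'klist -k' output (MIT format) for a keytab holding only two
# of the four vhosts, as after the copy-and-rename work-around.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/apache2/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/www.apple.com@APPLE.COM
   3 HTTP/www.orange.com@APPLE.COM
"""


def realm_for_host(host, mapping, default_realm=None):
    """Resolve a host name to a realm: exact host first, then each parent
    domain from the longest down, trying the dotted form before the bare
    one.  Falls back to default_realm (the [libdefaults] value) or None."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for key in ("." + parent, parent):
            if key in mapping:
                return mapping[key]
    return default_realm


def service_principal(vhost, mapping, default_realm=None, service="HTTP"):
    """Build the service principal a GSSAPI client would request for vhost."""
    realm = realm_for_host(vhost, mapping, default_realm)
    if realm is None:
        raise ValueError("no realm mapping for %s" % vhost)
    return "%s/%s@%s" % (service, vhost.lower().rstrip("."), realm)


def parse_klist_keytab(text):
    """Collect principal names from MIT 'klist -k' output.  Entry lines are
    '<kvno> <principal>'; the keytab-name, header and separator lines have a
    non-numeric first field and are skipped."""
    principals = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0].isdigit() and "@" in fields[1]:
            principals.add(fields[1])
    return principals


def missing_principals(vhosts, keytab_principals, mapping, default_realm=None):
    """Return {vhost: principal} for every vhost whose principal is absent."""
    missing = {}
    for vhost in vhosts:
        principal = service_principal(vhost, mapping, default_realm)
        if principal not in keytab_principals:
            missing[vhost] = principal
    return missing


if __name__ == "__main__":
    have = parse_klist_keytab(KLIST_OUTPUT)
    for vhost, principal in sorted(missing_principals(VHOSTS, have, DOMAIN_REALM).items()):
        print("keytab lacks %s (needed for vhost %s)" % (principal, vhost))
```

Run against real output by replacing KLIST_OUTPUT with the text of `klist -k /path/to/keytab` (MIT format; Heimdal's ktutil prints a different layout) and VHOSTS with the ServerName and ServerAlias values of each vhost. With the constructed data it reports admin.apple.com and wiki.orange.com as uncovered, which is exactly the gap Steven's second post describes.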
Sung Ho Jee | 4 Nov 2005 04:06

Passing REMOTE_USER to Tomcat


Hi all,

From looking at a number of past postings on passing REMOTE_USER to Tomcat, I was able to achieve this by using RewriteRule to "redirect" requests sent to say, auth_kerb_jk1/, to auth_kerb_jk/. I figured Apache's SPNEGO authentication had to take place before requests were forwarded to Tomcat and this was one way to achieve it.

The .htaccess file in /auth_kerb_jk1 is as follows.

# mod_auth_kerb

AuthType Kerberos
AuthName "Kerberos"
KrbAuthRealms TESTSYSTEM.COM
Krb5Keytab /spnego/sung-linux.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd on
require valid-user

# mod_rewrite

RewriteEngine on
RewriteBase /
RewriteCond %{REMOTE_USER} ^(.*)$
RewriteRule (.*) auth_kerb_jk/$1 [E=E_USER:%{REMOTE_USER}]
RequestHeader set my_new_header %{E_USER}e

However, this seems rather long-winded. Is this the only way to pass REMOTE_USER to Tomcat?

Regards,

Sung.
Craig Huckabee | 4 Nov 2005 14:53

Re: Passing REMOTE_USER to Tomcat

Sung Ho Jee wrote:

> Hi all,
> 
> From looking at a number of past postings on passing REMOTE_USER to 
> Tomcat, I was able to achieve this by using RewriteRule to "redirect" 
> requests sent to say, auth_kerb_jk1/, to auth_kerb_jk/. I figured Apache's 
> SPNEGO authentication had to take place before requests were forwarded to 
> Tomcat and this was one way to achieve it.
> 
> The .htaccess file in /auth_kerb_jk1 is follows.
> 
> # mod_auth_kerb
> 
> AuthType Kerberos
> AuthName "Kerberos"
> KrbAuthRealms TESTSYSTEM.COM
> Krb5Keytab /spnego/sung-linux.keytab
> KrbMethodNegotiate on
> KrbMethodK5Passwd on
> require valid-user
> 
> # mod_rewrite
> 
> RewriteEngine on
> RewriteBase /
> RewriteCond %{REMOTE_USER} ^(.*)$
> RewriteRule (.*) auth_kerb_jk/$1 [E=E_USER:%{REMOTE_USER}]
> RequestHeader set my_new_header %{E_USER}e
> 
> However, this seems rather long-winded. Is this the only way to pass 
> REMOTE_USER to Tomcat?
> 
> Regards,
> 
> Sung.

Are you using mod_jk ?

The statement:

JkEnvVar REMOTE_USER foo

will stick the REMOTE_USER variable in the environment of the mod_jk 
session defined as 'foo'.

Then later in your config, you can do:

JkMount /auth_kerb_jk foo

HTH,
Craig

alan.millar | 9 Nov 2005 19:38

Need help compiling mod_auth_kerb on HPUX 11.11

Hi-  I'm trying to compile mod_auth_kerb on HPUX 11.11.

I'm using the HP distribution of Apache 2.0, the HP-supplied Krb5 client
libraries, and gcc 3.3.2.  I looked through the list archives and did
not come across this problem or solution that I saw.

I used:
 ./configure --with-apache=/opt/hpws/apache

and got the following warning
-------------------------------
checking netdb.h usability... no
checking netdb.h presence... yes
configure: WARNING: netdb.h: present but cannot be compiled
configure: WARNING: netdb.h: check for missing prerequisite headers?
configure: WARNING: netdb.h: proceeding with the preprocessor's result
configure: WARNING:     ## ------------------------------------ ##
configure: WARNING:     ## Report this to bug-autoconf <at> gnu.org. ##
configure: WARNING:     ## ------------------------------------ ##
-------------------------------
I don't know what it means; some web pages report it as a configuration
error in "configure.ac", but I don't know if that applies here.

The rest of the ./configure output indicated success.

Then at make time I get the following:
-------------------------------------------------------------
$ make
        /opt/hpws/apache/bin/apxs -c -I. -Ispnegokrb5 -I/include -L/lib -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err src/mod_auth_kerb.c spnegokrb5/asn1_MechType.c spnegokrb5/asn1_MechTypeList.c spnegokrb5/asn1_ContextFlags.c spnegokrb5/asn1_NegTokenInit.c spnegokrb5/asn1_NegTokenTarg.c spnegokrb5/der_get.c spnegokrb5/der_put.c spnegokrb5/der_free.c spnegokrb5/der_length.c spnegokrb5/der_copy.c spnegokrb5/timegm.c spnegokrb5/init_sec_context.c spnegokrb5/accept_sec_context.c spnegokrb5/encapsulate.c spnegokrb5/decapsulate.c spnegokrb5/external.c
/opt/hpws/apache/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -D_USE_BIG_FDS -DWEBPROXY -O2 -D_USE_BIG_FDS -DWEBPROXY -fPIC -DUSE_SSL -DCHROOT -D_USE_BIG_FDS -D_LARGEFILE_SOURCE -DFILE_OFFSET_SIZE=64 -DAUTH_LDAP_FRONTPAGE_HACK -I/home/cvspublic/crypto/hpcrypto/pa11_32/include -DSSL_EXPERIMENTAL_ENGINE -DAP_HAVE_DESIGNATED_INITIALIZER -DHPUX11 -D_REENTRANT -D_XOPEN_SOURCE_EXTENDED -I/include -I/opt/hpws/apache/include -I/opt/hpws/apache/include -I/opt/hpws/apache/include -I/opt/hpws/apache/ldap/include/ -I. -Ispnegokrb5 -I/include -c -o src/mod_auth_kerb.lo src/mod_auth_kerb.c && touch src/mod_auth_kerb.slo
src/mod_auth_kerb.c:70:37: gssapi/gssapi_generic.h: No such file or directory
src/mod_auth_kerb.c:71:34: gssapi/gssapi_krb5.h: No such file or directory
src/mod_auth_kerb.c:155: warning: initialization from incompatible pointer type
src/mod_auth_kerb.c:158: warning: initialization from incompatible pointer type
src/mod_auth_kerb.c: In function `get_gss_creds':
src/mod_auth_kerb.c:1003: error: `gss_nt_service_name' undeclared (first use in this function)
src/mod_auth_kerb.c:1003: error: (Each undeclared identifier is reported only once
src/mod_auth_kerb.c:1003: error: for each function it appears in.)
apxs:Error: Command failed with rc=65536
.
*** Error exit code 1

Stop.
-------------------------------------------------------------

It appears to be looking for "gssapi_generic.h", which I don't have.

Swlist tells me that I have:
  GSS-API.Development.GSSAPI-PRG                B.11.11        GSSAPI-PRG
  /usr/include/gssapi
  /usr/include/gssapi.h
  /usr/include/gssapi/gssapi.h
  /usr/include/gssapi_ext.h

and:
  KRB5-Client.Development.KRB5-PRG              B.11.11        KRB5-PRG
  /usr/include/com_err.h
  /usr/include/krb5
  /usr/include/krb5.h
  /usr/include/krb5/gssapi.h
  /usr/include/profile.h

According to the docs at http://docs.hp.com/en/J5849-90006/ch01s02.html
there was a gssapi_generic.h in HPUX 11.0, but it appears to have
disappeared in 11.11.

I'm not a developer, so I'm learning as I go on this.  Any thoughts or
advice, or insight into the above errors would be greatly appreciated.
Thanks.

- Alan

-- 
Alan Millar                  Email: Alan.Millar <at> LPCorp.com
System Administrator         Voice: 503-821-5450
Louisiana-Pacific            Fax:   503-821-5206

Henry B. Hotz | 10 Nov 2005 01:55

Re: NTLM vs Kerberos again

mod_auth_kerb does not support NTLM.  If it works at all then you're  
not using NTLM.

On Nov 2, 2005, at 8:13 PM, Sergey Koulik wrote:

> Hi all,
>
> I have examined mail archive. But I still don't see correct solution.
> I want to force my windows clients to use Kerberos authentication
> instead of NTLM when contacting web server kerberized with
> mod_auth_kerb. I use MIT kerberos KDC located at linux machine. My
> windows XP machine is not connected to any domain.
> Did anyone get it to work?
> Does anyone have step-by-step documentation on how to configure MIT KDC,
> mod_auth_kerb and clients to use Kerberos instead of NTLM?
>
> --  
> Sincerely,
> Sergey Koulik
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz <at> jpl.nasa.gov, or hbhotz <at> oxy.edu

curby . | 15 Nov 2005 06:32

Negotiating Web Browsers List (additions appreciated)

At my job, we run the latest release of mod_auth_kerb (not CVS) on
Apache 2 on RHEL3 with MIT krb5 and Negotiate authentication.  We've
tested that the following client configurations work with negotiation.
Additions to the list would be most appreciated.  We're mostly looking
for "stock" browsers that do not need special plugins or custom
compilation, though knowledge of those alternatives would be useful
too.

Windows XP Pro (support seems independent of service pack level)
  - Netscape 8.0+ (different than other OSes)
  - Mozilla Suite 1.7.5+
  - Mozilla Firefox 1.0+
  - MSIE 6.0+

RHEL3 (Linux)
  - Netscape 7.2+
  - Mozilla Suite 1.7.5+
  - Mozilla Firefox 1.0+
  - Konqueror (with kdelibs 3.3+ and special compilation, reported but not tested)

Mac OS X
  - Netscape 7.2+
  - Mozilla Suite 1.7.5+
  - Mozilla Firefox 1.0+
  - Safari 2 (latest patch) on OSX 10.4.3

For example if you got Safari to work on OSX 10.4.1, or if you got
Mozilla 1.7.2 or any version of Opera to cooperate, please let me
know!

Safari seems to do Negotiation without any special configuration. 
Have you seen that as well?  Most other browsers require explicit
configuration to engage in Negotiation, apparently to prevent your
Kerberos credentials from going out to untrusted servers?  Thanks!

--Curby

P.S. For those interested in Kerberos in general, Mozilla Thunderbird
1.5 is kerberized. =)

-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
Henry B. Hotz | 15 Nov 2005 19:55

Re: Negotiating Web Browsers List (additions appreciated)

That's a fix that we got them to agree to at the last WWDC.  Glad to  
see it finally made it.  Before it would try with a lower case http  
principal, and on 10.3.something it did something else even less  
functional.

If you have no krb credentials at all then it shouldn't try to  
negotiate.

Kerberos is designed to be robust to network snooping so there's no  
reason not to try it as far as the browser is concerned.  On the  
server side you do have to worry about TCP hijacking and such so ssl/tls
is advisable.

On Nov 14, 2005, at 9:32 PM, curby . wrote:

> Safari seems to do Negotiation without any special configuration.
> Have you seen that as well?  Most other browsers require explicit
> configuration to engage in Negotiation, apparently to prevent your
> Kerberos credentials from going out to untrusted servers?  Thanks!
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz <at> jpl.nasa.gov, or hbhotz <at> oxy.edu

