modauthkerb-help mailing list
modauthkerb-help <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
Yves Martin | 9 Jan 15:09 2007

About cross-realm authentication

  Hello,

 I have used this really good tutorial http://www.grolmsnet.de/kerbtut/
 to get working an Apache2 server on Linux with an "A" ActiveDirectory
 server and the service credential "HTTP/srvapache.domain@A".

 With a user@A, it works perfectly with my Firefox on Linux, IE on
 Windows and also svn client 1.3.2 or 1.4.2 (with neon 0.25.5)
 over HTTPS with SPNEGO and Basic authentication.

 The next step for me is to enable users from domain "B" in a
 completely disconnected ActiveDirectory to authenticate on
 "srvapache.domain" with its "B" Kerberos credential.

 A user with service credential "HTTP/srvapache.domain@B" is
 created in ActiveDirectory "B".
 I have concatenated both service credentials "@A" and "@B"
 in the Apache2/mod_auth_kerb key tab with "ktutil"

 I changed the Apache2 configuration with "KrbAuthRealms A B".

 Currently, user@A is still able to authenticate with SPNEGO
 on "srvapache".
 But user@B authentication does not work yet with SPNEGO.
 ( I do not expect basic authentication to work with a user on
   "B" because of the default realm in mod_auth_kerb )

 Here is the debug output of the user@B connection trial in
 mod_auth_kerb

[Tue Jan 09 11:04:31 2007] [debug] src/mod_auth_kerb.c(1322): [client 192.168.200.220] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Jan 09 11:04:31 2007] [debug] src/mod_auth_kerb.c(1023): [client 192.168.200.220] Acquiring creds for HTTP/srvapache@A
[Tue Jan 09 11:04:31 2007] [debug] src/mod_auth_kerb.c(1152): [client 192.168.200.220] Verifying client data using SPNEGO GSS-API
[Tue Jan 09 11:04:31 2007] [debug] src/mod_auth_kerb.c(1168): [client 192.168.200.220] Verification returned code 851968
[Tue Jan 09 11:04:31 2007] [debug] src/mod_auth_kerb.c(1186): [client 192.168.200.220] GSS-API token of length 851968 bytes will be sent back
[Tue Jan 09 11:04:31 2007] [error] [client 192.168.200.220] gss_accept_sec_context() failed: Miscellaneous failure (Wrong principal in request)

 What is wrong in my configuration ?
 According to my understanding, I have expected
  "Acquiring creds for HTTP/srvapache@B"
 instead of "@A" in mod_auth_kerb log.

 Thank you in advance for your help
-- 
Yves Martin

Douglas E. Engert | 9 Jan 16:33 2007

Re: About cross-realm authentication


Yves Martin wrote:
>   Hello,
> 
>  I have used this really good tutorial http://www.grolmsnet.de/kerbtut/
>  to get working an Apache2 server on Linux with an "A" ActiveDirectory
>  server and the service credential "HTTP/srvapache.domain@A".
> 
>  With a user@A, it works perfectly with my Firefox on Linux, IE on
>  Windows and also svn client 1.3.2 or 1.4.2 (with neon 0.25.5)
>  over HTTPS with SPNEGO and Basic authentication.
>   
>  The next step for me is to enable users from domain "B" in a
>  completely disconnected ActiveDirectory to authenticate on
>  "srvapache.domain" with its "B" Kerberos credential.
> 

So this is not really "cross-realm authentication" as that implies
the two realms share keys, and the user is in one realm, and the
service is in the other realm. The client code can then get a
cross realm TGT from the user realm for the service realm,
and then use this to get a service ticket from the service's realm.

What you are describing is having a service accept authentication
from separate realms.

>  A user with service credential "HTTP/srvapache.domain@B" is
>  created in ActiveDirectory "B".
>  I have concatenated both service credentials "@A" and "@B"
>  in the Apache2/mod_auth_kerb key tab with "ktutil"
> 
>  I changed the Apache2 configuration with "KrbAuthRealms A B".
> 
>  Currently, user@A is still able to authenticate with SPNEGO
>  on "srvapache".
>  But user@B authentication does not work yet with SPNEGO.
>  ( I do not expect basic authentication to work with a user on
>    "B" because of the default realm in mod_auth_kerb )
> 
>  Here is the debug output of the user@B connection trial in
>  mod_auth_kerb
>  
> [Tue Jan 09 11:04:31 2007] [debug] src/mod_auth_kerb.c(1322): [client 192.168.200.220] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Tue Jan 09 11:04:31 2007] [debug] src/mod_auth_kerb.c(1023): [client 192.168.200.220] Acquiring creds for HTTP/srvapache@A
> [Tue Jan 09 11:04:31 2007] [debug] src/mod_auth_kerb.c(1152): [client 192.168.200.220] Verifying client data using SPNEGO GSS-API
> [Tue Jan 09 11:04:31 2007] [debug] src/mod_auth_kerb.c(1168): [client 192.168.200.220] Verification returned code 851968
> [Tue Jan 09 11:04:31 2007] [debug] src/mod_auth_kerb.c(1186): [client 192.168.200.220] GSS-API token of length 851968 bytes will be sent back
> [Tue Jan 09 11:04:31 2007] [error] [client 192.168.200.220] gss_accept_sec_context() failed: Miscellaneous failure (Wrong principal in request)
> 
>  What is wrong in my configuration ?

It is not clear if you are using the KrbAuthRealms as intended. It looks like
this is used when using Kerberos with a password, not gssapi.
The problem may be in the way the GSSAPI specifications and implementation work.
It is assumed the service is in only one realm and thus it will only look for
the service in the single realm.

We have used a mod in the MIT krb5
src/lib/gssapi/krb5/accept_sec_context.c
to use any ticket in the keytab that has the correct service and hostname
thus allowing for a service to accept tickets from multiple realms. (We have not
used this with Apache, but have used it with other services.)

>  According to my understanding, I have expected
>   "Acquiring creds for HTTP/srvapache@B"
>  instead of "@A" in mod_auth_kerb log.
> 
>  Thank you in advance for your help

-- 

  Douglas E. Engert  <DEEngert <at> anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
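
Added example (not part of the original thread, and not the MIT krb5 modification mentioned above): a parser for the MIT keytab file format (version 0x0502) that checks a merged keytab really holds the service principal for both realms, plus a model of the two acceptor lookup policies discussed in this exchange. The realm names A and B and the host srvapache.domain come from the thread; the key bytes, kvno values and all function names are constructed for illustration.

```python
import struct
from typing import List, NamedTuple, Optional, Tuple


class KeytabEntry(NamedTuple):
    service: str
    host: str
    realm: str
    kvno: int
    enctype: int


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_entry(service: str, host: str, realm: str, kvno: int, key: bytes) -> bytes:
    """Serialise one record for the constructed sample below (enctype 23, rc4-hmac)."""
    body = struct.pack(">H", 2) + _counted(realm.encode())
    body += _counted(service.encode()) + _counted(host.encode())
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", 23) + _counted(key)    # keyblock: enctype + key
    body += struct.pack(">I", kvno)                  # optional trailing 32-bit kvno
    return struct.pack(">i", len(body)) + body


def _read_counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("counted string runs past end of record")
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    """Parse an MIT keytab (format version 0x0502) into its principal entries."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size == 0:
            break                      # zero length: treated here as end of data
        if size < 0:
            pos += -size               # deleted slot ("hole"): skip its bytes
            continue
        if pos + size > len(blob):
            raise ValueError("truncated keytab record")
        rec, pos = blob[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = _read_counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_counted(rec, off)
            comps.append(comp.decode())
        _ntype, _ts, kvno = struct.unpack_from(">IIB", rec, off)
        (enctype,) = struct.unpack_from(">H", rec, off + 9)
        _key, off = _read_counted(rec, off + 11)
        if len(rec) - off >= 4:        # trailing 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", rec, off)
            kvno = kvno32 or kvno
        if not comps:
            continue                   # no name components: nothing to match on
        host = comps[1] if len(comps) > 1 else ""
        entries.append(KeytabEntry(comps[0], host, realm.decode(), kvno, enctype))
    return entries


def realms_for(entries: List[KeytabEntry], service: str, host: str) -> List[str]:
    """Realms for which the keytab holds a key for service/host."""
    return sorted({e.realm for e in entries if (e.service, e.host) == (service, host)})


def select_key(entries: List[KeytabEntry], service: str, host: str,
               ticket_realm: str, acceptor_realm: Optional[str] = None) -> Optional[KeytabEntry]:
    """Model of the two policies in the thread (hypothetical helper, not MIT code).

    acceptor_realm set  -> the acceptor is bound to one principal in one realm, so a
                           ticket issued by another realm is refused (the case logged
                           as "Wrong principal in request").
    acceptor_realm None -> match on service and hostname only, then use the keytab
                           entry for whichever realm issued the ticket.
    """
    if acceptor_realm is not None and ticket_realm != acceptor_realm:
        return None
    matches = [e for e in entries
               if (e.service, e.host, e.realm) == (service, host, ticket_realm)]
    # Simplification: a real acceptor uses the kvno named in the ticket; take the newest.
    return max(matches, key=lambda e: e.kvno) if matches else None


# Constructed sample: a merged keytab with dummy all-zero keys and one deleted slot.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("HTTP", "srvapache.domain", "A", 3, bytes(16))
    + struct.pack(">i", -8) + bytes(8)
    + build_entry("HTTP", "srvapache.domain", "B", 2, bytes(16))
)

if __name__ == "__main__":
    kt = parse_keytab(SAMPLE_KEYTAB)
    print("realms in keytab:", realms_for(kt, "HTTP", "srvapache.domain"))
    print("bound to realm A:", select_key(kt, "HTTP", "srvapache.domain", "B", "A"))
    print("service+host only:", select_key(kt, "HTTP", "srvapache.domain", "B"))
```

Having both realms present in the keytab is necessary but not sufficient: with the acceptor bound to realm A, the key for realm B is never consulted.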

Yalenti, Mark | 9 Jan 20:43 2007

unsupported mechanism?

All,

I've been working on getting mod_auth_kerb to work on my Solaris 10 system.

I have been able to get it compiled and installed finally but now i have
one last problem that i need to address. But first... The delicate
history here which i'm sure everyone will need to know..

Solaris 10 as you know includes its own version of
Kerberos....(ugh!)This is of course installed by default on my system. I
quickly realized that this coveted module would not work with solaris
Kerberos so i got the MIT K5 installed on my system. 
The apache installation that i am using is not the one that was bundled
with Solaris but rather one that i have downloaded and manually compiled
to suit my needs.(Apache 2.0)  It launches without a problem and serves
up web pages i have also made sure to enable DSO support... As far as i
am concerned, apache is running like a champ.  I have also verified that
my MIT kerberos installation is working properly by way of the
following...

# ./kinit -5 -V -k -t /usr/home/myalenti/apache.keytab HTTP/apache.toll-kerberos.com
Authenticated to Kerberos v5
(So i know that kerberos is working....)

Ok the sticky stuff...

1- I removed the Solaris implementation of Kerberos. So only MIT kerb is
on the system and still functions fine.
2- My configure command looked like the following....
	./configure --without-krb4 --with-krb5=/usr/kerberos5/ --with-apache=/opt/apache2/
	No errors were reported in this phase of the build process.
3- time for "make" ...This is where things got really messy.
	the resulting make file, it turns out, is bad... the linking and
compiler options that are cited at the beginning of the file end up
getting wiped out by the time they are applied to the apxs command.
Needless to say the make is riddled with errors, of which at the very
beginning mentions that it cannot find header files that i know are
included. There is evidently something wrong with the following
lines....

APXS_CPPFLAGS = ${shell [ -n "${CPPFLAGS}" ] && echo ${CPPFLAGS} | sed -e 's/\([^ ]*\)/-Wc,\1/g'}
APXS_LDFLAGS  = ${shell [ -n "${LDFLAGS}"  ] && echo ${LDFLAGS} | sed -e 's/\([^ ]*\)/-Wl,\1/g'}

So i fixed (or some variation of fixed) the problem by manually
re-writing the lines to say....

APXS_CPPFLAGS = $(CPPFLAGS)
APXS_LDFLAGS= $(LDFLAGS)
	thereby skipping the sed statements and the check for a null
value...I could not determine why my vars got cleared but i was able to
verify that this step is what did it.

so at this point my vars look like this.

echo "APXS_CPPFLAGS= -I. -Ispnegokrb5 -I/usr/kerberos5/include  "

echo "APXS_LDFLAGS= -L/usr/kerberos5/lib -R/usr/kerberos/lib -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv -lsocket -lnsl -lresolv"

But there is still another problem  apxs chokes on "-R/usr/kerberos/lib"
it does not like the -R option! So i kinda just removed it...(I still
don't know what effect this will have, nor can i identify what the
purpose of -R is for apxs!)

Having made these changes, i can get the module to compile and install.
Once installed, I follow all the directions that are listed on the
support site to configure a directory and a .htaccess file that looks
like the following.

# cat /opt/apache2/htdocs/krb5/.htaccess
AuthType Kerberos
KrbAuthRealms TOLL-KERBEROS.com
KrbServiceName HTTP
Krb5Keytab /usr/home/myalenti/apache.keytab
Require valid-user

With the appropriate lines in the httpd.conf file which are....

LoadModule auth_kerb_module modules/mod_auth_kerb.so
and
<Directory "/opt/apache2/htdocs/krb5">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
</Directory>

So far everyone is happy. I can launch apache and it comes up like a
good little program... So i try to access the protected web site....And
to my great joy i am presented with a Login Pop-up from my browser... I
type in the appropriate credentials, (credentials that i have tested
with kinit btw) and wait...and wait....and wait... to finally get an
"internal error message."

Ok fine...What's the deal... I look into apache's error_log file to find
the following...

[Tue Jan 09 13:26:39 2007] [error] [client 10.2.242.6] gss_acquire_cred() failed: An unsupported mechanism was requested

So close and yet so far! I can't be too far away now! Can someone shed
some desperately needed light?
Please keep in mind that i am not a programmer, although i do understand
programming.

I was wondering if the sed statements that i stripped out of my makefile
would have led to this problem. Also, i'm not entirely sure what the
error message is trying to tell me. "unsupported mechanism" It's a run
time issue, not load time, so i can only assume that my module has been
built correctly....

And just in case you would like to have the config.log... its
attached....

Thanks in advance for your help! <<config.log>> 

BTW

Mark Yalenti
Systems Support and Deployment
Tollgrade Communications
685 US RT 202/206 South
Bridgewater, NJ 08807
-------------------------------------
Toll-Free: 1-800-777-5405
Office: (908) 243 - 3940
Cell: (908) 246 - 2922
AIM: myalenti
Skype: myalenti


Attachment (config.log): application/octet-stream, 25 KiB
Douglas E. Engert | 9 Jan 23:35 2007

Re: unsupported mechanism?

Have you read:

http://blogs.sun.com/wyllys/date/20050310

-- 

  Douglas E. Engert  <DEEngert <at> anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Mark Yalenti | 10 Jan 03:25 2007

FW: unsupported mechanism?


In Fact I did...

But the library that is supposed to be provided by sun was not delivered...
Not as of release of 03/05 of Solaris anyhow... There are bugs listed to
track the problem and it seems like the case has been closed. I suppose I
just need to install the latest apache installation from sun and grab the
module from there. But then I don't think it will work on an Apache
installation that isn't identically configured to the SUN implementation of
apache. Alas, I am sure the module will have to be recompiled so that it can
be made aware of my apache layout.

And I also did not want to develop a dependency on Sun either. The apache
installation that I am using is also not from Sun and because of my specific
needs, I cannot use the sun version of apache either. 

So here is another question in addition to my original one.... Do you think
it will be possible for me to get the appropriate source from the Solaris 10
cds so that the module can be built with my apache implementation?

Thanks for the insight!

Mark 

Mark Yalenti | 10 Jan 04:04 2007

Re: FW: unsupported mechanism?

OK... more information this evening...

I grabbed the mod_auth_gss module from the sun.opensource site at
http://src.opensolaris.org/source/xref/sfw/usr/src/cmd/apache/mod_auth_gss/mod_auth_gss.c
But as you can see it is only found in the apache 1.x
directory... Not in the apache2 directory... There is nothing to compile in
Apache 2.

So I took the apache1 version... According to the docs, it should work just
fine with Apache2... In any case...

I have compiled it successfully pointing it to the MIT KerbV5
installation...

Loaded it into apache... Apache starts like a champ!

Go to the protected web site... I enter username and password... and wait...
Finally "internal error" is displayed....

And behold, the error that is cited in the apache log is our old friend...

[Tue Jan 09 21:39:58 2007] [error] [client 10.2.1.1] gss_acquire_cred() failed: An unsupported mechanism was requested

Any ideas? Anyone? (Although I have not achieved my final goal, I can
honestly say that I am really learning something here...)

Mark

-----Original Message-----
From: modauthkerb-help-bounces <at> lists.sourceforge.net
[mailto:modauthkerb-help-bounces <at> lists.sourceforge.net] On Behalf Of Mark
Yalenti
Sent: Tuesday, January 09, 2007 9:25 PM
To: modauthkerb-help <at> lists.sourceforge.net
Subject: [modauthkerb] FW: unsupported mechanism?

In Fact I did...

But the library that is supposed to be provided by sun was not delivered...
Not as of release of 03/05 of Solaris anyhow... There are bugs listed to
track the problem and it seems like the case has been closed. I suppose I
just need to install the latest apache installation from sun and grab the
module from there. But then I don't think it will work on an Apache
installation that isn't identically configured to the SUN implementation of
apache. Alas, I am sure the module will have to be recompiled so that it can
be made aware of my apache layout.

And I also did not want to develop a dependency on Sun either. The apache
installation that I am using is also not from Sun and because of my specific
needs, I cannot use the sun version of apache either. 

So here is another question in addition to my original one.... Do you think
it will be possible for me to get the appropriate source from the Solaris 10
cds so that the module can be built with my apache implementation?

Thanks for the insight!

Mark 

-----Original Message-----
From: modauthkerb-help-bounces <at> lists.sourceforge.net
[mailto:modauthkerb-help-bounces <at> lists.sourceforge.net] On Behalf Of Douglas
E. Engert
Sent: Tuesday, January 09, 2007 5:36 PM
To: Yalenti, Mark
Cc: modauthkerb-help <at> lists.sourceforge.net
Subject: Re: [modauthkerb] unsupported mechanism?

Have you read:

http://blogs.sun.com/wyllys/date/20050310

Yalenti, Mark wrote:
> All,
> 
> I've been working on getting mod_auth_kerb to work on my Solaris 10 system.
> 
> I have been able to get it compiled and installed finally but now i have 
> one last problem that i need to address. But first... The delicate 
> history here which i'm sure everyone will need to know..
> 
> Solaris 10 as you know includes its own version of 
> Kerberos....(ugh!)This is of course installed by default on my system. I 
> quickly realized that this coveted module would not work with solaris 
> Kerberos so i got the MIT K5 installed on my system.
> 
> The apache installation that i am using is not the one that was bundled 
> with Solaris but rather one that i have downloaded and manually compiled 
> to suit my needs.(Apache 2.0)  It launches without a problem and serves 
> up web pages i have also made sure to enable DSO support... As far as i 
> am concerned, apache is running like a champ.  I have also verified that 
> my MIT kerberos installation is working properly by way of the following...
> 
> # ./kinit -5 -V -k -t /usr/home/myalenti/apache.keytab HTTP/apache.toll-kerberos.com
> Authenticated to Kerberos v5
> (So i know that kerberos is working....)
> 
> Ok the sticky stuff...
> 
> 1- I removed the Solaris implementation of Kerberos. So only MIT kerb is 
> on the system and still functions fine.
> 2- My configure command looked like the following....
>         ./configure --without-krb4 --with-krb5=/usr/kerberos5/ --with-apache=/opt/apache2/
>         No errors were reported in this phase of the build process.
> 3- time for "make" ...This is where things got really messy.
>         the resulting make file, it turns out, is bad... the linking and 
> compiler options that are cited at the beginning of the file end up 
> getting wiped out by the time they are applied to the apxs command. 
> Needless to say the make is riddled with errors, of which at the very 
> beginning mentions that it cannot find header files that i know are 
> included. There is evidently something wrong with the following 
> lines....
> 
> APXS_CPPFLAGS = ${shell [ -n "${CPPFLAGS}" ] && echo ${CPPFLAGS} | sed -e 's/\([^ ]*\)/-Wc,\1/g'}
> APXS_LDFLAGS  = ${shell [ -n "${LDFLAGS}"  ] && echo ${LDFLAGS} | sed -e 's/\([^ ]*\)/-Wl,\1/g'}
> 
> So i fixed (or some variation of fixed) the problem by manually 
> re-writing the lines to say....
> 
> APXS_CPPFLAGS = $(CPPFLAGS)
> APXS_LDFLAGS= $(LDFLAGS)
>         thereby skipping the sed statements and the check for a null 
> value...I could not determine why my vars got cleared but i was able to 
> verify that this step is what did it.
> 
> so at this point my vars look like this.
> 
> echo "APXS_CPPFLAGS= -I. -Ispnegokrb5 -I/usr/kerberos5/include  "
> 
> echo "APXS_LDFLAGS= -L/usr/kerberos5/lib -R/usr/kerberos/lib -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv -lsocket -lnsl -lresolv"
> 
> But there is still another problem  apxs chokes on "-R/usr/kerberos/lib" 
> it does not like the -R option! So i kinda just removed it...(I still 
> don't know what effect this will have, nor can i identify what the 
> purpose of -R is for apxs!)
> 
> Having made these changes, i can get the module to compile and install. 
> Once installed, I follow all the directions that are listed on the 
> support site to configure a directory and a .htaccess file that looks 
> like the following.
> 
> # cat /opt/apache2/htdocs/krb5/.htaccess
> AuthType Kerberos
> KrbAuthRealms TOLL-KERBEROS.com
> KrbServiceName HTTP
> Krb5Keytab /usr/home/myalenti/apache.keytab
> Require valid-user
> 
> With the appropriate lines in the httpd.conf file which are....
> 
> 
> LoadModule auth_kerb_module modules/mod_auth_kerb.so
> and
> <Directory "/opt/apache2/htdocs/krb5">
>         Options Indexes FollowSymLinks MultiViews
>         AllowOverride All
>         Order allow,deny
>         Allow from all
> </Directory>
> 
> So far everyone is happy. I can launch apache and it comes up like a 
> good little program... So i try to access the protected web site....And 
> to my great joy i am presented with a Login Pop-up from my browser... I 
> type in the appropriate credentials, (credentials that i have tested 
> with kinit btw) and wait...and wait....and wait... to finally get an 
> "internal error message."
> 
> Ok fine...What's the deal... I look into apache's error_log file to find 
> the following...
> 
> [Tue Jan 09 13:26:39 2007] [error] [client 10.2.242.6] gss_acquire_cred() failed: An unsupported mechanism was requested
> 
> So close and yet so far! I can't be too far away now! Can someone shed 
> some desperately needed light?
> Please keep in mind that i am not a programmer, although i do understand 
> programming.
> 
> I was wondering if the sed statements that i stripped out of my makefile 
> would have led to this problem. Also, i'm not entirely sure what the 
> error message is trying to tell me. "unsupported mechanism" It's a run 
> time issue, not load time, so i can only assume that my module has been 
> built correctly....
> 
> And just in case you would like to have the config.log... its attached....
> 
> Thanks in advance for your help! <<config.log>>
> 
> 
> BTW
> 
> /Mark Yalenti/
> Systems Support and Deployment
> Tollgrade Communications
> 685 US RT 202/206 South
> Bridgewater, NJ 08807
> -------------------------------------
> Toll-Free: 1-800-777-5405
> Office: (908) 243 - 3940
> Cell: (908) 246 - 2922
> AIM:* **myalenti*
> Skype:* myalenti*
> 

-- 

  Douglas E. Engert  <DEEngert <at> anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Yves Martin | 10 Jan 10:36 2007

Re: About cross-realm authentication

On Tue, 2007-01-09 at 09:33 -0600, Douglas E. Engert wrote:

> What you are describing is having a service accept authentication
> from separate realms.

 Thank you Douglas,

 You're right, I want my service to accept authentication from two 
 separate realms.

> It is not clear if you are using the KrbAuthRealms as intended. It looks like 
> this is used when using Kerberos with a password, not gssapi.
> The problem may be is in the way the GSSAPI specifications and implementation. 
> It is assumed the service is in only one realm and thus it will only look for 
> the service in the single realm.

> We have used a mod in the MIT krb5
> src/lib/gssapi/krb5/accept_sec_context.c
> to use any ticket in the keytab that has the correct service and hostname
> thus allowing for a service to accept tickets from multiple realms. (We have not
> used this with Apache, but have used it with other services.)

 If mod_auth_kerb is not able to accept tickets from two realms,
 I'm looking for a work-around.

 I'm just trying to publish my service with two different URLs:
   https://srvapache.domain/authA/
   https://srvapache.domain/authB/

 Each one configured for a realm with a dedicated service in keytab.
 I have no trouble for "authA" to accept users from "A".
 What should be the service name in AD "B" and in keytab for "authB/"
 location to accept users from "B" ?
   HTTP/srvapache.domain <at> A or HTTP/srvapache.domain <at> B 

 Thank you in advance

 PS: I just subscribed to the list and sourceforge archives do 
 not seem up-to-date for me to read previous answers,
 if you have answered without my email in cc, please
 forward your answer to my email address. Thank you

-- 
Yves Martin

Achim Grolms | 10 Jan 10:40 2007

Re: About cross-realm authentication

On Wednesday 10 January 2007 10:36, Yves Martin wrote:

>  PS: I just subscribed to the list and sourceforge archives do
>  not seem up-to-date for me to read previous answers,

A question I have, too:
The archive of this Mailinglist modauthkerb-help <at> lists.sourceforge.net
seems not to be working.

Is there a chance to get a working archive again?

Achim

Yves Dorfsman | 10 Jan 22:26 2007

Verification returned code 589824


Anybody know what this is ?
I have installed mod_auth_kerb with apache 2.0, had an
HTTP/host.domain.tld <at> XSX.COM keytab generated, the keytab is readable by
apache (the user that runs the web server), I've got the fqdn first in
/etc/hosts, time is synchronised by ntpd (and I verified, it's good). Yes,
I get this in the httpd error log:

[debug] src/mod_auth_kerb.c(1485): [client 123.456.789.2]
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1485): [client 123.456.789.2]
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1172): [client 123.456.789.2] Acquiring creds
for HTTP/webserver.mydomain.com <at> MYDOMAIN.COM
[debug] src/mod_auth_kerb.c(1316): [client 123.456.789.2] Verifying client
data using KRB5 GSS-API
[debug] src/mod_auth_kerb.c(1332): [client 123.456.789.2] Verification
returned code 589824
[error] [client 162.139.50.149] gss_accept_sec_context() failed: A token
was invalid (Mechanism is incorrect)

From searching on the web, it looks like "Verification returned code
589824" means there is something wrong with my keytab. I can't generate
the keytab myself, I have the guys responsible for Active Directory do it.
They've just re-generated a key for me, but I get the same result... How
can I tell for sure there is a problem (or not) with a key ?

What else should I look at ?

Thanks.

Yves.
----
Yves Dorfsman                                             yves <at> zioup.com
                                                   http://www.SollerS.ca
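
The number in "Verification returned code 589824" is a GSS-API major status word. As an added example (not part of the post above and not mod_auth_kerb's own code), this Python decoder splits such a value into the fields defined in RFC 2744 and finds it in wrapped log text. The function names are this example's own, and the sample log is constructed from the post's excerpt with a documentation client address.

```python
import re

# Constructed sample: the post's log excerpt with mail-style line wrapping
# and a documentation client address (192.0.2.10) substituted.
SAMPLE_LOG = """\
[debug] src/mod_auth_kerb.c(1332): [client 192.0.2.10] Verification
returned code 589824
[error] [client 192.0.2.10] gss_accept_sec_context() failed: A token
was invalid (Mechanism is incorrect)
"""

# RFC 2744 major status layout: calling error in bits 24-31,
# routine error in bits 16-23, supplementary flags in bits 0-15.
CALLING = {1: "GSS_S_CALL_INACCESSIBLE_READ",
           2: "GSS_S_CALL_INACCESSIBLE_WRITE",
           3: "GSS_S_CALL_BAD_STRUCTURE"}
ROUTINE = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
SUPPLEMENTARY = {0: "GSS_S_CONTINUE_NEEDED", 1: "GSS_S_DUPLICATE_TOKEN",
                 2: "GSS_S_OLD_TOKEN", 3: "GSS_S_UNSEQ_TOKEN",
                 4: "GSS_S_GAP_TOKEN"}

VERIFY_RE = re.compile(r"Verification returned code (\d+)")
FAIL_RE = re.compile(r"(gss_\w+\(\)) failed: ([^\[]+)")

def decode_major_status(code):
    """Return the symbolic names packed into a GSS-API major status."""
    names = []
    calling, routine = (code >> 24) & 0xFF, (code >> 16) & 0xFF
    if calling:
        names.append(CALLING.get(calling, f"unknown calling error {calling}"))
    if routine:
        names.append(ROUTINE.get(routine, f"unknown routine error {routine}"))
    names += [n for bit, n in SUPPLEMENTARY.items() if code & (1 << bit)]
    return names or ["GSS_S_COMPLETE"]

def scan_log(text):
    """Find status codes in (possibly wrapped) mod_auth_kerb debug output."""
    flat = " ".join(text.split())  # undo line wrapping before matching
    findings = []
    for m in VERIFY_RE.finditer(flat):
        code = int(m.group(1))
        fail = FAIL_RE.search(flat, m.end())  # next GSS failure message
        findings.append({"code": code, "status": decode_major_status(code),
                         "call": fail.group(1) if fail else None,
                         "message": fail.group(2).strip() if fail else None})
    return findings
```

For 589824 (0x90000) the routine-error field is 9, GSS_S_DEFECTIVE_TOKEN, which matches the "A token was invalid" text that gss_accept_sec_context() logged on the next line.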
