Ivo Linder | 2 Jul 11:44 2009

Re: Problem with different domain names

Finally, the problem is solved. It was much easier than it looked at first.

The first problem was that, with all the testing etc., the service principal unfortunately existed twice in
Active Directory. With ADSIEdit it was easy to find the second entry.

Then, for the problem with the different DNS zone: in the DNS server, in the zone acme.com, I placed a TXT record:
Name:	_kerberos
Type: Text (TXT)
Data: ADS.ACME.COM

With this entry, the XP clients are able to "reroute" to the ads.acme.com DNS zone / realm, find the KDC and
get the ticket for the service principal.

Again, thank you all very much for your support.
Greetings
Ivo Linder

-----Original Message-----
From: Atte Peltomäki [mailto:atte.peltomaki <at> f-secure.com] 
Sent: Wednesday, 3 June 2009 09:38
To: Henry B. Hotz
Cc: Ivo Linder; modauthkerb-help <at> lists.sourceforge.net
Subject: Re: [modauthkerb] Problem with different domain names

On Tue, Jun 02, 2009 at 09:12:24AM -0700, Henry B. Hotz wrote:
> The production web server, www.acme.com, needs an HTTP/www.acme.com <at> ACME.COM 
>   service principal issued by the production AD for ACME.COM.
> 
> VISTA has some new domain to realm mapping options, and you can put  
> similar stuff in the [domain_realm] section of a unix krb5.conf file.   
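The realm-discovery order that Ivo's TXT record and Henry's [domain_realm] remark rely on, as an added example that is not part of the thread: a static [domain_realm] map is consulted first (exact host, then longest parent-domain suffix), and only if that misses and DNS realm lookup is enabled does the client walk _kerberos.<host>, _kerberos.<parent>, ... TXT records. The map and the DNS answers below are a constructed in-memory table so the code runs offline.

```python
# Constructed sample data standing in for krb5.conf [domain_realm] and DNS;
# not a capture from any real deployment.
DOMAIN_REALM = {
    "ads.acme.com": "ADS.ACME.COM",   # exact host/domain entry
    ".ads.acme.com": "ADS.ACME.COM",  # any host under ads.acme.com
}
TXT_RECORDS = {
    "_kerberos.acme.com": ["ADS.ACME.COM"],  # the record Ivo added to the acme.com zone
}


def map_domain_realm(host, table=DOMAIN_REALM):
    """[domain_realm] lookup: exact host first, then the longest matching
    '.parent.domain' suffix, as the MIT and Heimdal libraries do."""
    host = host.lower().rstrip(".")
    if host in table:
        return table[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in table:
            return table[suffix]
    return None


def dns_realm(host, records=TXT_RECORDS):
    """Walk _kerberos.<host>, _kerberos.<parent>, ... and return the first TXT
    answer, upper-cased. This is the path Ivo's record makes work."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        answers = records.get("_kerberos." + ".".join(labels[i:]), [])
        if answers:
            return answers[0].upper()
    return None


def realm_for_host(host, dns_lookup_realm=False, table=DOMAIN_REALM, records=TXT_RECORDS):
    """Realm for a service host: static map first, DNS only when enabled.
    MIT krb5 ships with dns_lookup_realm off because TXT answers are not
    authenticated; a static map is the safer choice when you control the
    client configuration."""
    realm = map_domain_realm(host, table)
    if realm is None and dns_lookup_realm:
        realm = dns_realm(host, records)
    return realm


if __name__ == "__main__":
    for h in ("www.acme.com", "dc1.ads.acme.com"):
        print(h, "->", realm_for_host(h, dns_lookup_realm=True))
```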

Ahmar Nauman | 10 Jul 22:37 2009

windows 2003 domain controller, mod_auth_kerb in linux, issue witt kerberos

 Hi,

 I'm using Windows Server 2003 as domain controller.
 I've successfully followed all the necessary steps required for setting up SSO, generated keytab files which give me the correct info if I type klist -k, integrated mod_auth_kerb and configured the machines.
 My browser settings are just fine as well.
 
 
 My httpd.conf is like:

 <Location /myURL>
 AuthType Kerberos
 AuthName "Test Kerberos Login"
 # it doesn't work if I remove this line
 KrbVerifyKDC off
 KrbMethodNegotiate On
 KrbMethodK5Passwd On
 KrbAuthRealms LAB1.MYDOMAIN.COM
 Krb5KeyTab /etc/krb5.keytab
 KrbSaveCredentials On
 KrbServiceName HTTP
 require valid-user
 </Location>
 
 Now when I try to test from IE (v6) it opens a login box; if I supply the username and password as set up in Active Directory, it lets me in. I don't want to get this login box.
 I can't log in if I set KrbVerifyKDC to on.
 If I change KrbMethodK5Passwd to Off, it simply refuses to let me in, with an "Authorization Required" message in the browser, and in the Apache logs I get the following errors:
 
 [Fri Jul 10 20:31:25 2009] [debug] src/mod_auth_kerb.c(1266): [client x.x.x.x] Verifying client data using KRB5 GSS-API
 [Fri Jul 10 20:31:25 2009] [debug] src/mod_auth_kerb.c(1282): [client ......] Verification returned code 589824
 [Fri Jul 10 20:31:25 2009] [debug] src/mod_auth_kerb.c(1309): [client ......] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
 [Fri Jul 10 20:31:25 2009] [error] [client ......9] gss_accept_sec_context() failed: Invalid token was supplied (No error)
 
 I'm trying to resolve this issue, but nothing has worked out so far.
 Can anybody please help here?
 
 regards
 - Ahmar



_______________________________________________
modauthkerb-help mailing list
modauthkerb-help <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
Matthew.GARRETT | 14 Jul 11:32 2009

AuthUserFile


Folks

I am using mod_auth_kerb-5.0-1.3, as supplied by RedHat (4U7).
The module works very well and all users can access the Web using their Kerberos password (MIT).

However I would like to restrict to a list of users in a flat file.
Normally in Apache I would use the following syntax

     
        AuthUserFile "/etc/httpd/conf/.wp"

But I believe the module does not support AuthUserFile.

Does anybody know how I can get this to work?
Preferred solution would be to use Netgroup or Group but I could live with a flat file.
There will be approx 20 -  30 odd users

Thanks

Matthew

FYI Copy of the Apache code that I am using.

        AuthType Kerberos
        AuthName "WOW Unix via Kerberos"
        AuthUserFile "/etc/httpd/conf/.wp"
        KrbAuthRealms XX.YY.ZZ
        Krb5KeyTab /etc/httpd/conf/http_keytab
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        KrbVerifyKDC on
        Require valid-user
Henry B. Hotz | 14 Jul 19:38 2009

Re: AuthUserFile


On Jul 14, 2009, at 2:32 AM, Matthew.GARRETT <at> external.total.com wrote:

>
> Folks
>
> I am using mod_auth_kerb-5.0-1.3 , as Supplied by RedHat (4U7)
> The module works very well and all users can Access the Web using  
> their Kerberos Password (MIT)
>
> However I would like to restrict to a list of users in a flat file.
> Normally in Apache I would use the following syntax
>
>
>         AuthUserFile "/etc/httpd/conf/.wp"
>
> But I believe the module does not support AuthUserFile
>
> Does anybody know how I can get this to work ?
> Preferred solution would be to use Netgroup or Group but I could  
> live with a flat file.
> There will be approx 20 -  30 odd users
>
> Thanks
>
> Matthew
>
> FYI Copy of the Apache code that I am using.
>
>         AuthType Kerberos
>         AuthName "WOW Unix via Kerberos"
>         AuthUserFile "/etc/httpd/conf/.wp"
>         KrbAuthRealms XX.YY.ZZ
>         Krb5KeyTab /etc/httpd/conf/http_keytab
>         KrbMethodNegotiate on
>         KrbMethodK5Passwd on
>         KrbVerifyKDC on
>         Require valid-user

It should work, but you need to "Require user", not "Require valid-user",
and you need to put the full kerberos principal name in the file,
not just the first component.
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz <at> jpl.nasa.gov, or hbhotz <at> oxy.edu


Help needed compiling Mod_auth_kerb v5.4 with Suse 10

My system is a SuSE10 64 bit server with Oracle HTTP Server 10.1.2  (Apache 1.x I believe)

MIT Kerberos 1.4.3 (64 and 32 bit) installed from the systems bundled RPMs.

 

The configure command I used:

 

linux32 ./configure --with-apache=/oracle/http/Apache/Apache --with-krb4=no --with-krb5=/usr/lib/mit

 

My make output:

 

make

./apxs.sh "-m32 -I. -Ispnegokrb5 -I/usr/include  " "-melf_i386 -L/usr/lib -lgssapi_krb5 -lkrb5 -lk5crypto -lkrb5support -lcom_err -lresolv  -lresolv" "spnegokrb5/asn1_MechType.c                   spnegokrb5/asn1_MechTypeList.c                  spnegokrb5/asn1_ContextFlags.c              spnegokrb5/asn1_NegTokenInit.c                  spnegokrb5/asn1_NegTokenTarg.c                  spnegokrb5/der_get.c                        spnegokrb5/der_put.c                            spnegokrb5/der_free.c                           spnegokrb5/der_length.c                     spnegokrb5/der_copy.c                           spnegokrb5/timegm.c                        spnegokrb5/init_sec_context.c                    spnegokrb5/accept_sec_context.c                 spnegokrb5/encapsulate.c                    spnegokrb5/decapsulate.c                        spnegokrb5/external.c" "/oracle/http/Apache/Apache/bin/apxs" "-c" "src/mod_auth_kerb.c"

cc -O       -DNO_RC2 -DNO_RC5 -DNO_IDEA -DBSAFE -fPIC -DLINUX=260 -DMOD_SSL=206104 -DMOD_PERL -DUSE_PERL_SSI -I/include -DEAPI -DUSE_EXPAT -I../lib/expat-lite -fPIC -DSHARED_MODULE -I/oracle/http/Apache/Apache/include -m32 -I. -Ispnegokrb5 -I/usr/include  -c src/mod_auth_kerb.c

In file included from /oracle/http/Apache/Apache/include/httpd.h:435,

                 from src/mod_auth_kerb.c:58:

/oracle/http/Apache/Apache/include/ap_oracle_version.h:17:8: warning: extra tokens at end of #endif directive

src/mod_auth_kerb.c: In function 'create_krb5_ccache':

src/mod_auth_kerb.c:873: warning: passing argument 3 of 'ap_register_cleanup' from incompatible pointer type

src/mod_auth_kerb.c: In function 'authenticate_user_krb5pwd':

src/mod_auth_kerb.c:1030: warning: passing argument 8 of 'verify_krb5_user' discards qualifiers from pointer target type

src/mod_auth_kerb.c: In function 'already_succeeded':

src/mod_auth_kerb.c:1559: error: 'conn_rec' has no member named 'id'

src/mod_auth_kerb.c: In function 'kerb_authenticate_user':

src/mod_auth_kerb.c:1712: error: 'conn_rec' has no member named 'id'

apxs:Break: Command failed with rc=65536

make: *** [src/mod_auth_kerb.so] Error 1

 

Any help is appreciated.

 

Thanks

Bob

Matthew.GARRETT | 15 Jul 10:29 2009

Parse REMOTE_USER


Folks

Thanks for all the emails regarding my previous email "AuthUserFile".
I got this working fine using Groups.

However I have come across one more little problem.

The module returns to Apache REMOTE_USER in the form of USERNAME <at> REALM.
The underlying application is only expecting REMOTE_USER in the form of USERNAME.

As the underlying application is a commercial application, I don't think they are going to change their code just to suit me and my use of this module.
Is there any way to make the module just return REMOTE_USER in the form USERNAME?

Thanks

Matthew

Henry B. Hotz | 16 Jul 02:26 2009

Re: Parse REMOTE_USER


On Jul 15, 2009, at 1:29 AM, Matthew.GARRETT <at> external.total.com wrote:

> Folks
>
> Thanks for all the emails regarding my previous email "AuthUserFile"
> I got this working fine using Groups.
>
> However I have come across one more little problem.
>
> The module returns to Apache REMOTE_USER in the form of  
> USERNAME <at> REALM
> The underlying application is only expecting REMOTE_USER in the form  
> of USERNAME
>
> As the underlying application is a commercial application I don't  
> think they are going to change their code just to suit me and my use of  
> this module.
> Is there any way to make the module just return REMOTE_USER in the  
> form USERNAME
>
> Thanks
>
> Matthew

KrbLocalUserMapping on

in version 5.4.

THIS IS OFF FOR A REASON.  MAKE SURE YOU UNDERSTAND THE IMPLICATIONS  
OF USING THIS OPTION.  If you only have one Kerberos realm and no  
cross-realm trusts, it's probably OK.
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz <at> jpl.nasa.gov, or hbhotz <at> oxy.edu

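An added illustration of the caveat Henry raises, not code from mod_auth_kerb: stripping the realm unconditionally makes alice@XX.YY.ZZ and alice@PARTNER.EXAMPLE the same REMOTE_USER, so a safer mapping returns a bare username only for principals of the local realm and keeps the realm visible (or refuses) for everyone else. The realm names are constructed placeholders.

```python
import re

# user[/instance]@REALM; the instance part is what service principals carry.
PRINCIPAL_RE = re.compile(r"^([^@/]+)(?:/([^@]+))?@([A-Za-z0-9.\-]+)$")


def parse_principal(principal):
    """Split a Kerberos principal into (name, instance-or-None, realm)."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError(f"not a principal: {principal!r}")
    return m.group(1), m.group(2), m.group(3)


def strip_realm_unconditionally(principal):
    """What a naive strip does: everything before '@', whatever the realm.
    With cross-realm trusts this collapses distinct identities into one."""
    return principal.split("@", 1)[0]


def local_user(principal, local_realm, trusted_realms=()):
    """Return a bare username only for single-component principals of the
    local realm. Trusted foreign realms keep their realm suffix so the
    application can still tell users apart; anything else maps to None."""
    name, instance, realm = parse_principal(principal)
    if instance is not None:
        return None  # service/instance principals are not web users
    realm = realm.upper()
    if realm == local_realm.upper():
        return name
    if realm in {r.upper() for r in trusted_realms}:
        return f"{name}@{realm}"
    return None


def collision_demo():
    """Show the collision: two principals, one username after a naive strip."""
    users = ["alice@XX.YY.ZZ", "alice@PARTNER.EXAMPLE"]  # constructed sample
    naive = {strip_realm_unconditionally(u) for u in users}
    safe = {local_user(u, "XX.YY.ZZ") for u in users}
    return len(naive), safe


if __name__ == "__main__":
    print(collision_demo())  # naive strip yields 1 identity for 2 principals
```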
Matthew.GARRETT | 16 Jul 11:03 2009

Re: Parse REMOTE_USER




Henry

Thanks. I downloaded 5.4 and configured it with "KrbLocalUserMapping on".
The application is working as it should.

Matthew

"Henry B. Hotz" <hotz <at> jpl.nasa.gov> wrote on 16/07/2009 01:26:42:

>
> On Jul 15, 2009, at 1:29 AM, Matthew.GARRETT <at> external.total.com wrote:
>
> > Folks
> >
> > Thanks for all the emails regarding my previous email "AuthUserFile"
> > I got this working fine using Groups.
> >
> > However I have come across one more little problem.
> >
> > The module returns to Apache REMOTE_USER in the form of  
> > USERNAME <at> REALM
> > The underlying application is only expecting REMOTE_USER in the form  
> > of USERNAME
> >
> > As the underlying application is a commercial application I don't  
> > think they are going to change their code just to suit me and my use of  
> > this module.
> > Is there any way to make the module just return REMOTE_USER in the  
> > form USERNAME
> >
> > Thanks
> >
> > Matthew
>
>
> KrbLocalUserMapping on
>
> in version 5.4.
>
> THIS IS OFF FOR A REASON.  MAKE SURE YOU UNDERSTAND THE IMPLICATIONS  
> OF USING THIS OPTION.  If you only have one Kerberos realm and no  
> cross-realm trusts, it's probably OK.
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz <at> jpl.nasa.gov, or hbhotz <at> oxy.edu
>
>
>
David Christensen | 23 Jul 22:33 2009

Configure Modauthkerb with mod_proxy


I have been trying to configure apache as a proxy using kerberos
authentication.  I want apache to authenticate users trying to use it as
a proxy, using kerberos.

So far I have both modules integrated into apache and apache is working
as a proxy, and I have what I believe are the correct statements in an
apache conf file.  However every request for a website is causing
mod_auth_kerb to attempt to acquire creds from the kdc for the website
that was by the client.

How do you configure mod_auth_kerb and mod_proxy so that users are
authenticated for using the proxy and not for the site they are requesting?

Thanks.
Pressman, Steven D | 31 Jul 21:50 2009

Sporadic Problems Authenticating

I hope this isn’t too much of a repeated question, but I have not found good answers on the web anywhere for it.

 

I’m running httpd 2.2.3 with mod_auth_kerb 5.4 (modified to add KrbStripRealm) configured for negotiated authentication.  I have users with IE7 and Firefox 3+.  Both are configured to use integrated authentication.

 

For the most part, everything works swimmingly.  However, every once in a while, a user’s negotiated authentication will fail and a basic auth popup will appear.  They cannot authenticate with this.  The only thing they can do is bounce their browser and go back in.  Not ideal, for sure.

 

This was happening very frequently before.  When I set KrbVerifyKDC off, the instances decreased greatly.  But it still happens.

 

The error in the logs is:

gss_accept_sec_context() failed: Invalid token was supplied (, No error),

 

My best theory is that the browser is failing back to NTLM for whatever reason.

 

My question is this – is there any way to have mod_auth_kerb accept an NTLM token?

 

Thanks for your help and thanks for a great product.

 

-Steve Pressman

 

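An added triage helper for the failure both Ahmar and Steve describe, not code from the module: it decodes an Authorization: Negotiate value, flags the NTLMSSP signature that the module's "seems to be NTLM" warning refers to, otherwise checks the GSS-API InitialContextToken framing and mechanism OID, and names the logged status 589824 (0x90000, routine error 9, GSS_S_DEFECTIVE_TOKEN). The header values, the NTLM and SPNEGO bytes, and the log line are constructed samples.

```python
import base64
import re

# DER-encoded mechanism OIDs as they appear right after the 0x60 framing tag.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
NTLMSSP_SIG = b"NTLMSSP\x00"                          # every NTLM message starts with this

# Routine-error field of a GSS major status (bits 16..23); 589824 == 9 << 16.
GSS_ROUTINE_ERRORS = {
    7: "GSS_S_NO_CRED", 9: "GSS_S_DEFECTIVE_TOKEN", 10: "GSS_S_DEFECTIVE_CREDENTIAL",
    11: "GSS_S_CREDENTIALS_EXPIRED", 13: "GSS_S_FAILURE",
}


def gss_major_name(code):
    """Name the routine error encoded in a GSS-API major status value."""
    routine = (code >> 16) & 0xFF
    return GSS_ROUTINE_ERRORS.get(routine, f"routine error {routine}")


def _skip_der_length(buf, pos):
    """Offset just past a DER length field that starts at pos."""
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)


def classify_negotiate_token(header_value):
    """Classify an 'Authorization: Negotiate <base64>' header value:
    NTLM first (the browser fell back), then GSS framing plus mech OID."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64, validate=True)
    except ValueError:
        return "undecodable"
    if tok.startswith(NTLMSSP_SIG):
        return "ntlm"            # the module cannot accept this; fix the client side
    if tok[:1] == b"\x60":       # [APPLICATION 0] InitialContextToken, RFC 2743 3.1
        body = tok[_skip_der_length(tok, 1):]
        if body.startswith(SPNEGO_OID):
            return "spnego"
        if body.startswith(KRB5_OID):
            return "krb5"
    return "unknown"


def triage_log_line(line):
    """Map the module's 'Verification returned code N' debug line to a GSS name."""
    m = re.search(r"Verification returned code (\d+)", line)
    return gss_major_name(int(m.group(1))) if m else None


# Constructed samples: a minimal NTLM Type 1 message and a truncated SPNEGO
# NegTokenInit shell; neither is a capture from a real client.
NTLM_TYPE1 = NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16
_inner = SPNEGO_OID + b"\xa0\x00"
SPNEGO_SHELL = b"\x60" + bytes([len(_inner)]) + _inner
SAMPLE_HEADERS = {
    "ntlm": "Negotiate " + base64.b64encode(NTLM_TYPE1).decode(),
    "spnego": "Negotiate " + base64.b64encode(SPNEGO_SHELL).decode(),
    "basic": "Basic dXNlcjpwYXNz",
}
SAMPLE_LOG = ("[Fri Jul 10 20:31:25 2009] [debug] src/mod_auth_kerb.c(1282): "
              "[client ......] Verification returned code 589824")

if __name__ == "__main__":
    for label, hdr in SAMPLE_HEADERS.items():
        print(label, "->", classify_negotiate_token(hdr))
    print(triage_log_line(SAMPLE_LOG))
```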