Bug 301061 - credential caching does not work with the MIT spnego code but does with the included mod_auth_kerb version
Summary: credential caching does not work with the MIT spnego code but does with the i...
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: mod_auth_kerb (Show other bugs)
(Show other bugs)
Version: 5.0
Hardware: All Linux
low
low
Target Milestone: ---
: ---
Assignee: Joe Orton
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On: 314651 319351
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-09-21 19:03 UTC by Simo Sorce
Modified: 2012-08-31 15:43 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-31 15:43:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Fix kerberos ticket forwarding (569 bytes, patch)
2007-10-01 20:09 UTC, Rob Crittenden
no flags Details | Diff
Patch against correct version. (569 bytes, patch)
2007-10-01 20:41 UTC, Rob Crittenden
no flags Details | Diff
like Rob's patch, but also checks for GSS_C_DELEG_FLAG in the returned flags set (1.07 KB, patch)
2007-10-01 21:49 UTC, Nalin Dahyabhai
no flags Details | Diff

Description Simo Sorce 2007-09-21 19:03:42 UTC
Description of problem:
trying to use forwarded tickets with the standard module result in the
application behind it being unable to retrieve the cache with the TGT

This happens with the default compiled MIT libgssapi provide spnego.

mod works fine when compiled using the implementation included whithin the
mod_auth_kerb code.

Comment 3 Rob Crittenden 2007-10-01 20:09:42 UTC
Created attachment 212781 [details]
Fix kerberos ticket forwarding

I tested this with:

<Directory /var/www/cgi-bin>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms MYREALM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /errors/unauthorized.html
</Directory>

And a CGI that looks something like:

#!/bin/sh
echo Content-type: text/plain
echo

if [ -z "$KRB5CCNAME" ]; then
	echo 'Kerberos credential cache name $KRB5CCNAME does not exist.'
	exit 1
fi
/usr/kerberos/bin/klist

You should receive a page back that lists the forwarded ticket.

Comment 4 Rob Crittenden 2007-10-01 20:10:56 UTC
Crud, didn't read the bug closely. I tested this against the Fedora 7 kerberos
implementation.

Comment 5 Rob Crittenden 2007-10-01 20:41:02 UTC
Created attachment 212861 [details]
Patch against correct version.

Comment 6 Nalin Dahyabhai 2007-10-01 21:49:11 UTC
Created attachment 212911 [details]
like Rob's patch, but also checks for GSS_C_DELEG_FLAG in the returned flags set

Comment 8 Rob Crittenden 2007-10-04 18:00:28 UTC
I did all my testing with curl and a python kerberos implementation (PyKerberos
from the Apple calendar project). Testing with Firefox results in no credentials
cached:

[Thu Oct 04 13:57:02 2007] [debug] src/mod_auth_kerb.c(1406): [client
192.168.0.1] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Oct 04 13:57:02 2007] [debug] src/mod_auth_kerb.c(1148): [client
192.168.0.1] Acquiring creds for HTTP@test.example.com
[Thu Oct 04 13:57:02 2007] [debug] src/mod_auth_kerb.c(1241): [client
192.168.0.1] Verifying client data using KRB5 GSS-API
[Thu Oct 04 13:57:02 2007] [debug] src/mod_auth_kerb.c(1257): [client
192.168.0.1] Verification returned code 0
[Thu Oct 04 13:57:02 2007] [debug] src/mod_auth_kerb.c(1275): [client
192.168.0.1] GSS-API token of length 22 bytes will be sent back
[Thu Oct 04 13:57:02 2007] [debug] src/mod_auth_kerb.c(1322): [client
192.168.0.1] set cached name admin@EXAMPLE.COM for connection
[Thu Oct 04 13:57:02 2007] [error] [client 192.168.x.x] Cannot store delegated
credential (gss_krb5_copy_ccache: Invalid credential was supplied (No error))

So the Kerberos connection succeeds but the caching fails.

It does cache the ticket with the mod_auth_kerb internal SPNEGO code.

Comment 9 Nalin Dahyabhai 2007-10-04 18:14:11 UTC
Hmm, I was actually using elinks.  You're sure that firefox has delegation
enabled in addition to negotiate ("network.negotiate-auth.delegation-uris")? 
And just to be sure, that your credentials are forwardable ("klist -f" lists the
"F" flag for the TGT)?

Comment 10 Nalin Dahyabhai 2007-10-04 19:40:35 UTC
Nope, that's a bug alright.  Firefox is sending for-real spnego client packets,
and the gssapi library's getting a little confused trying to save delegated
credentials.

Comment 11 RHEL Product and Program Management 2007-12-03 20:46:30 UTC
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release.  This request will
be reviewed for a future Red Hat Enterprise Linux release.

Comment 13 RHEL Product and Program Management 2012-04-19 11:47:08 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.


Note You need to log in before you can comment on or make changes to this bug.