Created attachment 485608 [details] Move credential cache destruction to the destruction of the CONNECTION not the REQUEST Description of problem: mod_auth_kerb using krb5passwd and keepalive and credential delegation loses delegation after first request on connection Version-Release number of selected component (if applicable): mod_auth_kerb-5.4-5.1.fc14 How reproducible: Tricky to reproduce since it requires multiple connections to a Kerberos password protected space using a compatible web browser with keep-alive enabled Steps to Reproduce: 1. Set up Kerberos authentication: <Location /private> SSLRequireSSL AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate Off KrbMethodK5Passwd On KrbSaveCredentials On KrbAuthRealms EXAMPLE.COM Krb5KeyTab /etc/krb5-apache.keytab require valid-user </Location> 2. Set up your web browser to support Keberos Auth with delegation http://www.grolmsnet.de/kerbtut/firefox.html (Note that the link doesn't include setting up delegation; set network.negotiate-auth.delegation-uris to be the same as trusted-uris) 3. Create a CGI script which checks $KRB5CCNAME and $REMOTE_USER http://modauthkerb.sourceforge.net/credential-cache-example.script 4. Turn on keep-alive 5. Start the web server 6. Reload a lot Actual results: Requests on the kept-alive connection, after the first one, will not have a valid $KRB5CCNAME environment variable Expected results: Every request should have correct credentials Additional info: See attached patch for fix.
Created attachment 522350 [details] Updated patch by mgbowman to solve resource leak Updated patch by mgbowman to solve resource leak
Commit: http://pkgs.fedoraproject.org/gitweb/?p=mod_auth_kerb.git;a=commitdiff;h=79c52de66cd5351b31e06f29cb883934c7ea57f0 Package: mod_auth_kerb-5.4-13.fc18 Build: https://koji.fedoraproject.org/koji/buildinfo?buildID=316630
mod_auth_kerb-5.4-13.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/mod_auth_kerb-5.4-13.fc17
Package mod_auth_kerb-5.4-13.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing mod_auth_kerb-5.4-13.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-7030/mod_auth_kerb-5.4-13.fc17 then log in and leave karma (feedback).
mod_auth_kerb-5.4-13.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.