Storing delegated credentials from mod_auth_kerb on Solaris 10
Posted: May 5, 2008 7:03 AM
I am trying to use mod_auth_kerb 5.3, with Apache 2.2.8 on Solaris 10 using the Solaris provided Kerberos. I am interested in getting the delegated credentials stored.
(Although Solaris 10 comes with a mod_auth_gss, it does not support the storing of the delegated credentials, and does not support Kerberos with passwords, and thus I am using mod_auth_kerb.)
I have been able to get this to somewhat work but the Solaris 10 Kerberos is missing some features for storing the delegated credential.
Solaris Kerberos has a number of problems:
(1) The gss_store_cred will only store into the default cred, but will look for the KRB5CCNAME environment variable. Setting the environment from within an Apache authn module for use by the module is tricky. I have not worked out all the details, and it may only work with a MPM prefork type server.
(2) The Solaris SPNEGO mechanism does not support calling gss_store_cred even though it returned a delegated cred from a sub mechanism. I had to resort to using something similar to __gss_get_mechanism_cred, which is not exported from libgss.so, to get the Kerberos delegated_cred out of the union_cred_id_t delegated_cred from SPNEGO, then calling gss_store_cred.
(3) Trying to avoid using gss_store_cred, and using gss_krb5_copy_ccache which is what mod_auth_kerb does with other Kerberos implementations also did not work. It produced a validation error. gss major_status=0x030a0000 It appears the Solaris Kerberos delegated credential is not a full credential. I also had to use dlopen and dlsym to get at the entry for gss_krb5_copy_ccache.
The KDC is Windows AD 2003, and the OK_TO_DELEGATE bit is set on the service account. I can get IE 7 on XP, Solaris 10 provided Mozilla 1.7, and Firefox 2.0.0.14 on Ubuntu to send delegated credentials and get them stored. Firefox 2.0.0.14 on Solaris 10 will authenticate but for some reason does not delegate.
What I am hoping will come of this is that Sun will fix (1) and provide a way to pass in the ccache or a cache name, and will fix (2) and have SPNEGO call the sub mechanism's gss_store_cred, or at least expose gss_get_mechanism_cred.
I have been an advocate for using the vendor's version of Kerberos when available, and Sun has been responsive in the past by exposing the Kerberos API in Solaris 10.
--
Douglas E. Engert <DEEngert at anl dot gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
kerberos-discuss mailing list
kerberos-discuss at opensolaris dot org
http://mail.opensolaris.org/mailman/listinfo/kerberos-discuss
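The per-request KRB5CCNAME handling that point (1) above calls "tricky", as an added example that is not code from this thread or from mod_auth_kerb. Because the Solaris gss_store_cred stores into the default ccache and resolves that through KRB5CCNAME, a module has to create a private cache file, point KRB5CCNAME at it only for the duration of the store call, and then restore the previous value. The directory, the `krb5cc_apache_` file prefix and the `record_ccname` callback (which stands in for the real gss_store_cred call so the scoping can be checked without a KDC) are all assumptions of this example.

```c
/* Added example (not from the thread or mod_auth_kerb): scope KRB5CCNAME
 * to a single credential-store call so that gss_store_cred(), which on
 * Solaris only writes to the default ccache, lands in a private,
 * owner-only cache file. setenv() changes process-global state and is
 * not thread-safe, which is why this only works reliably under the
 * prefork MPM, exactly as the post says. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define CCNAME_MAX 256

/* Create an empty 0600 credential cache file under dir and return its
 * "FILE:<path>" name for KRB5CCNAME. Caller frees. NULL on failure.
 * The "krb5cc_apache_" prefix is an assumption of this example. */
char *create_private_ccache(const char *dir)
{
    char path[CCNAME_MAX];
    if (snprintf(path, sizeof path, "%s/krb5cc_apache_XXXXXX", dir) >= (int)sizeof path)
        return NULL;
    mode_t old_umask = umask(077);            /* old libcs let mkstemp honour umask */
    int fd = mkstemp(path);
    umask(old_umask);
    if (fd < 0)
        return NULL;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) { /* never rely on the default mode */
        close(fd);
        unlink(path);
        return NULL;
    }
    close(fd);
    char *name = malloc(strlen(path) + sizeof "FILE:");
    if (name == NULL) {
        unlink(path);
        return NULL;
    }
    sprintf(name, "FILE:%s", path);
    return name;
}

/* Run fn(arg) with KRB5CCNAME set to ccname, then put the previous value
 * back (or unset it) whether or not fn succeeded. Returns fn's result,
 * or -1 if the environment could not be changed. In a real module fn is
 * where gss_store_cred() on the delegated credential would be called. */
int with_ccname(const char *ccname, int (*fn)(void *), void *arg)
{
    const char *prev = getenv("KRB5CCNAME");
    char *saved = prev ? strdup(prev) : NULL;
    if (prev != NULL && saved == NULL)
        return -1;
    if (setenv("KRB5CCNAME", ccname, 1) != 0) {
        free(saved);
        return -1;
    }
    int rc = fn(arg);
    if (saved != NULL)
        setenv("KRB5CCNAME", saved, 1);
    else
        unsetenv("KRB5CCNAME");
    free(saved);
    return rc;
}

/* Stand-in for the store call: records the default ccache name the GSS
 * library would see, so the scoping above can be verified offline. */
int record_ccname(void *arg)
{
    const char *cc = getenv("KRB5CCNAME");
    if (cc == NULL)
        return -1;
    snprintf((char *)arg, CCNAME_MAX, "%s", cc);
    return 0;
}

int main(void)
{
    char seen[CCNAME_MAX] = "";
    char *name = create_private_ccache("/tmp");   /* constructed: any writable dir */
    if (name == NULL) {
        perror("create_private_ccache");
        return 1;
    }
    int rc = with_ccname(name, record_ccname, seen);
    printf("store saw %s (rc=%d); KRB5CCNAME is now %s\n", seen, rc,
           getenv("KRB5CCNAME") ? getenv("KRB5CCNAME") : "(unset)");
    unlink(name + 5);   /* skip the "FILE:" prefix to get the path back */
    free(name);
    return rc == 0 ? 0 : 1;
}
```

The file is created and chmod'ed before KRB5CCNAME ever points at it, so there is no window in which a world-readable cache exists; whatever the store call does, the environment the rest of the request sees is the one it started with.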
Re: Storing delegated credentials from mod_auth_kerb on Solaris 10
Posted: May 6, 2008 5:14 PM
in response to: dengert
Douglas E. Engert wrote:
> I am trying to use mod_auth_kerb 5.3, with Apache 2.2.8 on Solaris 10 using the Solaris provided Kerberos. I am interested in getting the delegated credentials stored.
>
> (Although Solaris 10 comes with a mod_auth_gss, it does not support the storing of the delegated credentials, and does not support Kerberos with passwords, and thus I am using mod_auth_kerb.)
>
> I have been able to get this to somewhat work but the Solaris 10 Kerberos is missing some features for storing the delegated credential.
>
> Solaris Kerberos has a number of problems:
>
> (1) The gss_store_cred will only store into the default cred, but will look for the KRB5CCNAME environment variable. Setting the environment from within an Apache authn module for use by the module is tricky. I have not worked out all the details, and it may only work with a MPM prefork type server.
>
> (2) The Solaris SPNEGO mechanism does not support calling gss_store_cred even though it returned a delegated cred from a sub mechanism. I had to resort to using something similar to __gss_get_mechanism_cred, which is not exported from libgss.so, to get the Kerberos delegated_cred out of the union_cred_id_t delegated_cred from SPNEGO, then calling gss_store_cred.
>
> (3) Trying to avoid using gss_store_cred, and using gss_krb5_copy_ccache which is what mod_auth_kerb does with other Kerberos implementations also did not work. It produced a validation error. gss major_status=0x030a0000 It appears the Solaris Kerberos delegated credential is not a full credential. I also had to use dlopen and dlsym to get at the entry for gss_krb5_copy_ccache.
>
> The KDC is Windows AD 2003, and the OK_TO_DELEGATE bit is set on the service account. I can get IE 7 on XP, Solaris 10 provided Mozilla 1.7, and Firefox 2.0.0.14 on Ubuntu to send delegated credentials and get them stored. Firefox 2.0.0.14 on Solaris 10 will authenticate but for some reason does not delegate.
>
> What I am hoping will come of this is that Sun will fix (1) and provide a way to pass in the ccache or a cache name, and will fix (2) and have SPNEGO call the sub mechanism's gss_store_cred, or at least expose gss_get_mechanism_cred.
these look doable and useful; pls file a bug or feature request at
http://bugs.opensolaris.org/
> I have been an advocate for using the vendor's version of Kerberos when available, and Sun has been responsive in the past by exposing the Kerberos API in Solaris 10.
yup, much appreciated.
thx...glenn
Re: Storing delegated credentials from mod_auth_kerb on Solaris 10
Posted: May 7, 2008 9:25 AM
in response to: gtb
Glenn Barry wrote:
> these look doable and useful; pls file a bug or feature request at
> http://bugs.opensolaris.org/
OK, reported as two feature requests:
CR 6698719 Updated P4 gssapi/generic GSSAPI SPNEGO does not support calling gss_store_cred
CR 6698729 Updated P4 opensolaris/triage-queue GSSAPI gss_store_cred inflexible in where to store delegated credential
--
Douglas E. Engert <DEEngert at anl dot gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Re: [modauthkerb] Storing delegated credentials from mod_auth_kerb on Solaris 10
Posted: May 7, 2008 5:29 PM
in response to: dengert
On May 7, 2008, at 9:25 AM, Douglas E. Engert wrote:
> Glenn Barry wrote:
>> these look doable and useful; pls file a bug or feature request at
>> http://bugs.opensolaris.org/
>
> OK, reported as two feature requests:
>
> CR 6698719 Updated P4 gssapi/generic GSSAPI SPNEGO does not support calling gss_store_cred
> CR 6698729 Updated P4 opensolaris/triage-queue GSSAPI gss_store_cred inflexible in where to store delegated credential
>
> --
> Douglas E. Engert <DEEngert at anl dot gov>
Thanks, Doug.
And thanks to Sun for being interested in addressing the issues.
As I've said elsewhere I really like the level of integration that Kerberos has in Solaris 10. I wish that RedHat would use Sun SSH instead of OpenSSH (or at least include the keyexchange patches that everyone else applies to OpenSSH, even if they don't fix the PAM integration).
No, I don't work for Sun, and nobody is paying me for the plug.
------------------------------------------------------
The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government.
Henry dot B dot Hotz at jpl dot nasa dot gov, or hbhotz at oxy dot edu