Andrew Mortensen wrote:
>
> On Apr 28, 2009, at 11:06 AM, Steve Devine wrote:
>
>> I am now successfully getting authenticated by cosign. But I do not
>> initially get a ticket in /ticket on the application server.
>> If I go into /var/cosign/filter and delete the files in there and then
>> refresh the browser I will then get the ticket.
>> On the cosign server the /ticket directory does get a ticket immediately.
>
> What's your Apache config look like? cosign 3.0 exercises a
> long-standing bug, as described here:
>
> <http://sourceforge.net/mailarchive/message.php?msg_name=CD9EB616-B9C9-422A-96FF-DFEBF9214E83%40umich.edu>
>
>> Also these tickets are not working with modwaklog - I know that's a
>> different list but maybe others are running into this.
>
> The tickets will need to be forwardable. Check the flags on the tickets
> with "klist -f /path/to/ticket". You should see something like this:
>
> Ticket cache: FILE:/ticket/5vr2tG3aYBIz
> Default principal: [email protected]
>
> Valid starting Expires Service principal
> 04/28/09 13:52:32 04/28/09 23:52:32 krbtgt/[email protected]
> Flags: FIA, Etype (skey, tkt): DES cbc mode with CRC-32, AES-256 CTS
> mode with 96-bit SHA-1 HMAC
>
> You're interested in the Flags section. 'F' means the ticket is
> forwardable.
>
> andrew
>

Andrew

It is indeed this bug. If I put "CosignGetKerberosTickets on" in the 'global' section of the Apache configs rather than inside the <Directory> tags I get the ticket immediately. I can live with this since I will always need the ticket.
As for my other problem with modwaklog not getting a token. Here is output of klist -f /ticket/lKgE2p06hwk3

Ticket cache: FILE:/ticket/lKgE2p06hwk3
Default principal: [email protected]

Valid starting Expires Service principal
04/28/09 16:06:08 04/29/09 02:06:08 krbtgt/[email protected]
Flags: FIA
04/28/09 16:06:08 04/29/09 02:06:08 [email protected]
Flags: FAT

Also when I run php_info() I get this in the apache environment section.

KRB5CCNAME no value

So I put the line in the cosign.conf file

set cosigndticketcache /ticket

and I passed it as a configure switch like so:

-with-ticketcache=/ticket

Still no joy. Is cosignd (on the cosign server) supposed to set this environment variable?

Thanks
/sd

--
Steve Devine
Email & Storage
Academic Technology Services
Michigan State University
313 Computer Center
East Lansing, MI 48824-1042
1-517-432-7327

_______________________________________________
Cosign-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
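
The flag check described in the thread, as an added example that is not part of the original messages or the cosign project: a small Python parser for MIT-style "klist -f" output that reports whether the krbtgt ticket carries the forwardable 'F' flag. The sample output, realm and principal names are constructed placeholders, and the two-line ticket layout is assumed to match the output quoted above.

```python
import re

# Constructed sample modelled on the klist -f output in the thread;
# the cache name, realm and principals are placeholders, not real values.
SAMPLE = """\
Ticket cache: FILE:/ticket/EXAMPLECACHE
Default principal: user@EXAMPLE.EDU

Valid starting     Expires            Service principal
04/28/09 16:06:08  04/29/09 02:06:08  krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
\tFlags: FIA, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC
04/28/09 16:06:08  04/29/09 02:06:08  afs/example.edu@EXAMPLE.EDU
\tFlags: FAT
"""

DT = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
# A ticket line is: start time, expiry time, service principal.
TICKET_RE = re.compile(rf"^{DT}\s+{DT}\s+(\S+)$")
# Flag letters end at the first non-letter (e.g. the comma before "Etype").
FLAGS_RE = re.compile(r"^\s*Flags:\s*([A-Za-z]+)")


def parse_klist_flags(text):
    """Return [(service_principal, flag_letters)] from klist -f output."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            tickets.append([m.group(1), ""])
            continue
        m = FLAGS_RE.match(line)
        if m and tickets:
            tickets[-1][1] = m.group(1)  # flags belong to the ticket above
    return [tuple(t) for t in tickets]


def tgt_is_forwardable(text):
    """True only if a krbtgt/ ticket exists and every one carries 'F'.

    The comparison is case-sensitive: lowercase 'f' means "forwarded",
    which is a different flag from uppercase 'F' ("forwardable").
    """
    tgts = [fl for svc, fl in parse_klist_flags(text) if svc.startswith("krbtgt/")]
    return bool(tgts) and all("F" in fl for fl in tgts)


if __name__ == "__main__":
    for svc, flags in parse_klist_flags(SAMPLE):
        print(f"{svc}: {flags}")
    print("TGT forwardable:", tgt_is_forwardable(SAMPLE))
```

To check a live cache, pass the captured output of "klist -f /path/to/ticket" to tgt_is_forwardable() in place of SAMPLE.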
