I am having trouble getting a new 3.0.2 installation working. It seems
as though every successful login results in "WEB LOGIN IS UNAVAILABLE::"
with "Technical Info: Permission denied". Entering an incorrect
password gives the expected result.
The following appears in my Apache error log when the behavior is triggered:
cosign_choose_conn: some servers returned UNKNOWN
And in syslog on the cosign server:
Sep 22 15:03:41 cosignd[3821]: connect: 134.10.139.133
Sep 22 15:03:41 cosignd[3821]: STARTTLS 134.10.139.133 2 weblogin3.reed.edu
And in syslog on the KDC:
krb5kdc[20221]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 134.10.139.133:
NEEDED_PREAUTH: [email protected] for krbtgt/[email protected],
Additional pre-authentication required
krb5kdc[20221]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 134.10.139.133:
ISSUE: authtime 1253640915, etypes {rep=18 tkt=16 ses=16},
[email protected] for krbtgt/[email protected]
And when running cosignd -d:
debug: STARTTLS 2
debug: CHECK
cosign=kh-LvCIhWg7F2xo8v0WCFh9Q+snM3E8bayWMx4HixECRQtu-1yQ5+atDElwv1FiXFiVHZVMVveismzCHHU-lX9xgk5+TIqwTzo6--WS7VlQrndXPDMOfUJIEegbR
Here is my cosign.conf:
cgi weblogin3\.reed\.edu
service cosign-(.*) https://$1/cosign/valid 0 (.*\.reed\.edu) cosign-$1
set cosigndb /var/cosign/daemon
set cosignhost weblogin3.reed.edu
set keytabpath /etc/cosign.keytab
And the CoSign stanza for the service I am testing:
CosignValidReference ^https?:\/\/.*\.reed\.edu(/.*)?
CosignProtected on
CosignHostname weblogin3.reed.edu
CosignRedirect https://weblogin3.reed.edu/
CosignPostErrorRedirect https://weblogin3.reed.edu/post_error.html
CosignCrypto /etc/apache2/ssl/key/roundcube.reed.edu.key /etc/apache2/ssl/crt/roundcube.reed.edu.crt /etc/ssl/certs
CosignService roundcube
CosignValidationErrorRedirect http://weblogin3.reed.edu/validation_error.html
All certs are signed by our local CA. For comparison, this is what a
successful login looks like from the KDC syslog for our CoSign 2.0.2a
deployment:
krb5kdc[20221]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 134.10.2.67:
NEEDED_PREAUTH: [email protected] for krbtgt/[email protected],
Additional pre-authentication required
krb5kdc[20221]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 134.10.2.67:
ISSUE: authtime 1253641268, etypes {rep=18 tkt=16 ses=16},
[email protected] for krbtgt/[email protected]
krb5kdc[20221]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 134.10.2.67:
ISSUE: authtime 1253641268, etypes {rep=16 tkt=1 ses=18},
[email protected] for cosign/[email protected]
I would appreciate any suggestions as to how to debug this behavior.
Thanks,
Jason Meinzer
Technology Infrastructure Services
Reed College
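As an added example (not code from the original post or from the CoSign project), a small Python script that makes the comparison above programmatically: it parses the krb5kdc syslog lines quoted in this message and reports, per client IP, whether a TGT was issued and whether a TGS_REQ for a cosign/ service principal followed. It assumes the log format is exactly as shown here; the principal names stay as the post's redacted placeholders.

```python
import re
from collections import defaultdict

# Sample krb5kdc syslog lines, copied from the logs quoted in the post
# (the principals were redacted there, so the placeholders are kept as-is).
KDC_LOG = """\
krb5kdc[20221]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 134.10.139.133: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
krb5kdc[20221]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 134.10.139.133: ISSUE: authtime 1253640915, etypes {rep=18 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
krb5kdc[20221]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 134.10.2.67: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
krb5kdc[20221]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 134.10.2.67: ISSUE: authtime 1253641268, etypes {rep=18 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
krb5kdc[20221]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 134.10.2.67: ISSUE: authtime 1253641268, etypes {rep=16 tkt=1 ses=18}, [email protected] for cosign/[email protected]
"""

LINE_RE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)

def parse_kdc_log(text):
    """Yield (request type, client IP, status, remainder) for each recognised line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("req"), m.group("ip"), m.group("status"), m.group("rest")

def login_summary(text, service_prefix="cosign/"):
    """Per client IP: was a TGT issued (AS_REQ ISSUE), and was a service ticket
    for the cosign service principal issued afterwards (TGS_REQ ISSUE)?"""
    summary = defaultdict(lambda: {"tgt_issued": False, "service_ticket": False})
    for req, ip, status, rest in parse_kdc_log(text):
        if status != "ISSUE":
            continue
        if req == "AS_REQ":
            summary[ip]["tgt_issued"] = True
        elif req == "TGS_REQ" and f" for {service_prefix}" in rest:
            summary[ip]["service_ticket"] = True
    return dict(summary)

def suspect_hosts(text):
    """Client IPs that obtained a TGT but never a cosign/ service ticket,
    which is the pattern the failing 3.0.2 host shows in the quoted logs."""
    return sorted(ip for ip, s in login_summary(text).items()
                  if s["tgt_issued"] and not s["service_ticket"])

if __name__ == "__main__":
    for ip, s in login_summary(KDC_LOG).items():
        print(ip, s)
    print("suspect:", suspect_hosts(KDC_LOG))
```

Run it against a larger slice of the KDC log to see whether only the new host ever stops after the AS_REQ, or whether other clients show the same gap.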