Bug#457341: libapache2-mod-auth-kerb: KrbAuthoritative is broken

Fri, 21 Dec 2007 09:51:30 -0800 

Package: libapache2-mod-auth-kerb
Version: 5.3-1.3
Severity: important

Here is a fragment of what I was attempting to accomplish:
        AuthType Basic
        AuthName "w3"
        AuthBasicProvider ldap file
        AuthUserFile /etc/apache2/htpasswd
        AuthzLDAPAuthoritative off
        AuthLDAPURL ldapi:///ou=bluepages,o=ibm.com?mail?sub?
        AuthType Kerberos
        KrbAuthRealms COBPLI.SVL.IBM.COM SVLDEV.SVL.IBM.COM
        KrbAuthoritative off
        KrbDelegateBasic on
        Krb5Keytab /etc/apache2/apache.keytab
        require valid-user

So, the goal was to first do KRB, and if that failed, drop back to
LDAP, and if that failed, check the htpasswd file.

All that worked fine until I added Kerberos (LDAP falling back to file).

No, if KRB auth works, everything is fine, but KRB failures are *not*
being delegated to lower levels:
[error] [client 9.30.102.134] Specified realm `us.ibm.com' not allowed by 
configuration

There are a plethora of <cc>.ibm.com addresses, and I'm not going to be
able to keep the AuthRealms uptodate with them all, nor should I - as
they don't have KRB realms behind them.  COBPLI and SVLDEV are the only two
domains with KRB backing them (both are local and have cross-domain
trust setup.

I noticed the earlier bug (288745) on multiple Realms, tagged moreinfo, so I 
removed one from the list and tried again - but I get the same error :(

I can easily reproduce (and test) this error - and am could easily
verify any updates

-- System Information:
Debian Release: lenny/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'proposed-updates'), 
(500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.23.11 (SMP w/1 CPU core; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libapache2-mod-auth-kerb depends on:
ii  apache2.2-common      2.2.6-3            Next generation, scalable, extenda
ii  krb5-config           1.17               Configuration files for Kerberos V
ii  libc6                 2.7-4              GNU C Library: Shared libraries
ii  libcomerr2            1.40.3-1           common error description library
ii  libkrb53              1.6.dfsg.3~beta1-2 MIT Kerberos runtime libraries

libapache2-mod-auth-kerb recommends no packages.

-- no debconf information



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to