I am trying to use mod_auth_kerb 5.3, with Apache 2.2.8 on Solaris 10 using the Solaris provided Kerberos. I am interested in getting the delegated credentials stored.
(Although Solaris 10 comes with a mod_auth_gss, it does not support the storing of the delegated credentials, and does not support Kerberos with passwords, and thus I am using mod_auth_kerb.) I have been able to get this to somewhat work, but the Solaris 10 Kerberos is missing some features for storing the delegated credential. Solaris Kerberos has a number of problems:

(1) The gss_store_cred will only store into the default cred, but will look for the KRB5CCNAME environment variable. Setting the environment from within an Apache authn module for use by the module is tricky. I have not worked out all the details, and it may only work with a MPM prefork type server.

(2) The Solaris SPNEGO mechanism does not support calling gss_store_cred even though it returned a delegated cred from a sub mechanism. I had to resort to using something similar to __gss_get_mechanism_cred, which is not exported from libgss.so, to get the Kerberos delegated_cred out of the union_cred_id_t delegated_cred from SPNEGO, then calling gss_store_cred.

(3) Trying to avoid using gss_store_cred, and using gss_krb5_copy_ccache, which is what mod_auth_kerb does with other Kerberos implementations, also did not work. It produced a validation error: gss major_status=0x030a0000. It appears the Solaris Kerberos delegated credential is not a full credential. I also had to use dlopen and dlsym to get at the entry for gss_krb5_copy_ccache.

The KDC is Windows AD 2003, and the OK_TO_DELEGATE bit is set on the service account. I can get IE 7 on XP, Solaris 10 provided Mozilla 1.7, and FireFox 2.0.0.14 on Ubuntu to send delegated credentials and get them stored. FireFox 2.0.0.14 on Solaris 10 will authenticate but for some reason does not delegate.

What I am hoping will come of this is that Sun will fix (1) and provide a way to pass in the ccache or a cache name, and will fix (2) and have SPNEGO call the sub mechanism's gss_store_cred, or at least expose gss_get_mechanism_cred.
I have been an advocate for using the vendor's version of Kerberos when available, and Sun has been responsive in the past by exposing the Kerberos API in Solaris 10.

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444