I think the Firefox pref overrides this, but if it's running on a  
Windows platform with the native Kerberos (gsslib) then do we need to  
check that the ok-as-delegate flag is set in the service ticket?  I  
seem to remember that it didn't matter except for IE.

On Jul 27, 2007, at 12:14 AM, Mikkel Kruse Johnsen wrote:

> Hi
>
> Settings check:
>
> network.negotiate-auth.allow-proxies = true
> network.negotiate-auth.delegation-uris = cbs.dk,hhk.dk
> network.negotiate-auth.gsslib =
> network.negotiate-auth.trusted-uris = cbs.dk,hhk.dk
> network.negotiate-auth.using-native-gsslib = true
>
> After the patch (attached) I get this. So it seems that status is  
> GSS_S_COMPLETE:
>
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457):  
> [client 130.226.36.170] kerb_authenticate_user entered with user  
> (NULL) and auth_type Kerberos
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457):  
> [client 130.226.36.170] kerb_authenticate_user entered with user  
> (NULL) and auth_type Kerberos
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148):  
> [client 130.226.36.170] Acquiring creds for HTTP/[EMAIL PROTECTED]
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269):  
> [client 130.226.36.170] Verifying client data using KRB5 GSS-API
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285):  
> [client 130.226.36.170] Verification returned code 0
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303):  
> [client 130.226.36.170] GSS-API token of length 22 bytes will be  
> sent back
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351):  
> [client 130.226.36.170] set cached name [EMAIL PROTECTED] for connection
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360):  
> [client 130.226.36.170] krb_save_credentials activated,  
> GSS_C_DELEG_FLAG available
> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot  
> store delegated credential (gss_krb5_copy_ccache: Invalid  
> credential was supplied (No error))
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457):  
> [client 130.226.36.170] kerb_authenticate_user entered with user  
> (NULL) and auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457):  
> [client 130.226.36.170] kerb_authenticate_user entered with user  
> (NULL) and auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457):  
> [client 130.226.36.170] kerb_authenticate_user entered with user  
> (NULL) and auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148):  
> [client 130.226.36.170] Acquiring creds for HTTP/ 
> [EMAIL PROTECTED], referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269):  
> [client 130.226.36.170] Verifying client data using KRB5 GSS-API,  
> referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285):  
> [client 130.226.36.170] Verification returned code 0, referer:  
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303):  
> [client 130.226.36.170] GSS-API token of length 22 bytes will be  
> sent back, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351):  
> [client 130.226.36.170] set cached name [EMAIL PROTECTED] for  
> connection, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360):  
> [client 130.226.36.170] krb_save_credentials activated,  
> GSS_C_DELEG_FLAG available, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot  
> store delegated credential (gss_krb5_copy_ccache: Invalid  
> credential was supplied (No error)), referer: http://od.cbs.dk/ 
> phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457):  
> [client 130.226.36.170] kerb_authenticate_user entered with user  
> (NULL) and auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148):  
> [client 130.226.36.170] Acquiring creds for HTTP/ 
> [EMAIL PROTECTED], referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269):  
> [client 130.226.36.170] Verifying client data using KRB5 GSS-API,  
> referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285):  
> [client 130.226.36.170] Verification returned code 0, referer:  
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303):  
> [client 130.226.36.170] GSS-API token of length 22 bytes will be  
> sent back, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351):  
> [client 130.226.36.170] set cached name [EMAIL PROTECTED] for  
> connection, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360):  
> [client 130.226.36.170] krb_save_credentials activated,  
> GSS_C_DELEG_FLAG available, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot  
> store delegated credential (gss_krb5_copy_ccache: Invalid  
> credential was supplied (No error)), referer: http://od.cbs.dk/ 
> phpinfo.php
>
> /Mikkel
>
>
> On Thu, 2007-07-26 at 22:38 +0200, Achim Grolms wrote:
>> On Thursday 26 July 2007 21:54, Douglas E. Engert wrote:
>> > Achim Grolms wrote:
>> > > On Thursday 26 July 2007 20:40, Henry B. Hotz wrote:
>> > >>> If I understand RFC2744 correctly GSS_C_DELEG_FLAG
>> > >>> would not be set in that case?
>> > >>>
>> > >>> Achim
>> > >>
>> > >> Agreed. That flag shouldn't be set AFAIK, though the value isn't
>> > >> valid until negotiation is complete.
>> > >
>> > > That means before trying to store delegated credentials
>> > > and before checking GSS_C_DELEG_FLAG
>> > > mod_auth_kerb needs to check if gss_accept_sec_context()
>> > > returns major_status = GSS_S_COMPLETE
>>
>> From my point of view this means that mod_auth_kerb needs a change
>> in code. It needs to be of that style: the major_status of
>> gss_accept_sec_context() needs to be checked before checking
>> GSS_C_DELEG_FLAG. This can be done this way:
>>
>> if ( major_status_accept == GSS_S_COMPLETE ) {
>>     if (conf->krb_save_credentials) {
>>         if (delegated_cred != GSS_C_NO_CREDENTIAL) {
>>             . . .
>>         }
>>     }
>> }
>>
>> major_status_accept is the major_status returned by accept_sec_token
>>
>> Mikkel, can you give this a try?
>>
>> Achim
> Mikkel Kruse Johnsen
> Linet
> Ørholmgade 6 st tv
> 2200 København N
>
> Tlf: +45 2128 7793
> email: [EMAIL PROTECTED]
> www: http://www.linet.dk
> <mod_auth_kerb-5.3-deleg.patch>



------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[EMAIL PROTECTED], or [EMAIL PROTECTED]



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
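
The check order proposed in the quoted message (major status first, then GSS_C_DELEG_FLAG, then the credential handle), written out as an added example; it is not mod_auth_kerb code and not part of the thread. `decide_delegation`, the `deleg_decision` enum and `constructed_cred` are hypothetical names, and the GSS-API types and constants are redefined locally with their RFC 2744 values so the block builds without the GSS-API headers.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the GSS-API C bindings (assumption: no gssapi.h available);
 * the numeric values are the ones RFC 2744 defines. */
typedef uint32_t OM_uint32;
typedef void *gss_cred_id_t;
#define GSS_S_COMPLETE        0u
#define GSS_S_CONTINUE_NEEDED 1u            /* supplementary-info bit 0 */
#define GSS_S_DEFECTIVE_TOKEN (9u << 16)    /* routine error 9 */
#define GSS_C_DELEG_FLAG      1u
#define GSS_C_NO_CREDENTIAL   ((gss_cred_id_t)0)
#define GSS_ERROR(x)          ((x) & ((0377u << 24) | (0377u << 16)))

/* Hypothetical outcome codes for this example. */
enum deleg_decision {
    DELEG_STORE,             /* all checks passed: copy into the ccache */
    DELEG_ACCEPT_FAILED,     /* gss_accept_sec_context() returned an error */
    DELEG_NOT_COMPLETE,      /* more tokens needed: do not trust ret_flags yet */
    DELEG_NOT_REQUESTED,     /* saving disabled, or client did not delegate */
    DELEG_FLAG_WITHOUT_CRED  /* flag set but no credential handle returned */
};

static int constructed_cred; /* constructed placeholder for a non-NULL handle */

enum deleg_decision decide_delegation(OM_uint32 major_status_accept,
                                      OM_uint32 ret_flags,
                                      gss_cred_id_t delegated_cred,
                                      int save_credentials)
{
    if (GSS_ERROR(major_status_accept))
        return DELEG_ACCEPT_FAILED;
    if (major_status_accept != GSS_S_COMPLETE)
        return DELEG_NOT_COMPLETE;
    if (!save_credentials || !(ret_flags & GSS_C_DELEG_FLAG))
        return DELEG_NOT_REQUESTED;
    if (delegated_cred == GSS_C_NO_CREDENTIAL)
        return DELEG_FLAG_WITHOUT_CRED;
    return DELEG_STORE;
}

int main(void)
{
    /* Constructed inputs: a half-finished negotiation, then a finished one. */
    printf("%d\n", decide_delegation(GSS_S_CONTINUE_NEEDED, GSS_C_DELEG_FLAG,
                                     &constructed_cred, 1));
    printf("%d\n", decide_delegation(GSS_S_COMPLETE, GSS_C_DELEG_FLAG,
                                     &constructed_cred, 1));
    return 0;
}
```

Only `DELEG_STORE` should lead to the `gss_krb5_copy_ccache` call named in the log above; every other outcome is worth its own debug line so the failing stage is visible.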
