Hi All

Here is the dump from Windows using firefox and IE7

I was thinking that maybe it could be a linking problem in
mod_auth_kerb. Using both gssapi (cyrus-sasl) and kerberos5 (mit krb5).

Here is the building process:


[EMAIL PROTECTED] SPECS]$ rpmbuild -ba mod_auth_kerb.spec 
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.59548
+ umask 022
+ cd /home/mkj/rpm/BUILD
+ cd /home/mkj/rpm/BUILD
+ rm -rf mod_auth_kerb-5.3
+ /bin/gzip -dc /home/mkj/rpm/SOURCES/mod_auth_kerb-5.3.tar.gz
+ tar -xf -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd mod_auth_kerb-5.3
+ echo 'Patch #2 (mod_auth_kerb-5.0-cache.patch):'
Patch #2 (mod_auth_kerb-5.0-cache.patch):
+ patch -p1 -b --suffix .cache -s
+ echo 'Patch #4 (mod_auth_kerb-5.0-gcc4.patch):'
Patch #4 (mod_auth_kerb-5.0-gcc4.patch):
+ patch -p1 -b --suffix .gcc4 -s
+ echo 'Patch #5 (mod_auth_kerb-5.3-exports.patch):'
Patch #5 (mod_auth_kerb-5.3-exports.patch):
+ patch -p0 -b --suffix .exports -s
+ echo 'Patch #7 (mod_auth_kerb-5.1-krb15.patch):'
Patch #7 (mod_auth_kerb-5.1-krb15.patch):
+ patch -p1 -b --suffix .krb15 -s
+ echo 'Patch #8 (mod_auth_kerb-5.3-fixes.patch):'
Patch #8 (mod_auth_kerb-5.3-fixes.patch):
+ patch -p0 -b --suffix .fixes -s
+ echo 'Patch #9 (mod_auth_kerb-5.3-deleg.patch):'
Patch #9 (mod_auth_kerb-5.3-deleg.patch):
+ patch -p1 -s
+ exit 0
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.59548
+ umask 022
+ cd /home/mkj/rpm/BUILD
+ cd mod_auth_kerb-5.3
+ CFLAGS='-O2 -g'
+ export CFLAGS
+ CXXFLAGS='-O2 -g'
+ export CXXFLAGS
+ FFLAGS='-O2 -g'
+ export FFLAGS
+ ./configure --host=x86_64-redhat-linux-gnu
--build=x86_64-redhat-linux-gnu --target=x86_64-redhat-linux-gnu
--program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin
--sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share
--includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec
--localstatedir=/usr/var --sharedstatedir=/usr/com --mandir=/usr/man
--infodir=/usr/info --without-krb4 --with-krb5=/usr/kerberos
--with-apache=/usr
checking for x86_64-redhat-linux-gnu-gcc... no
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables... 
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking whether make sets $(MAKE)... yes
checking for main in -lresolv... yes
checking how to run the C preprocessor... gcc -E
checking for egrep... grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking limits.h usability... yes
checking limits.h presence... yes
checking for limits.h... yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking stddef.h usability... yes
checking stddef.h presence... yes
checking for stddef.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking for unistd.h... (cached) yes
checking for size_t... yes
checking whether struct tm is in sys/time.h or time.h... time.h
checking gssapi.h usability... no
checking gssapi.h presence... no
checking for gssapi.h... no
checking gssapi/gssapi.h usability... yes
checking gssapi/gssapi.h presence... yes
checking for gssapi/gssapi.h... yes
checking for krb5_init_context in -lkrb5... yes
checking whether we are using Heimdal... no
checking whether the GSSAPI libraries support SPNEGO... yes
checking for apxs... /usr/sbin/apxs
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
+ make
/usr/sbin/apxs -c -I. -Ispnegokrb5 -I/usr/kerberos/include
-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv -ldl  -lresolv
-Wl,-export-symbols-regex -Wl,auth_kerb_module  src/mod_auth_kerb.c 
/usr/lib64/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic
-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
-DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/include/httpd
-I/usr/include/apr-1   -I/usr/include/apr-1  -I. -Ispnegokrb5
-I/usr/kerberos/include  -c -o src/mod_auth_kerb.lo src/mod_auth_kerb.c
&& touch src/mod_auth_kerb.slo
src/mod_auth_kerb.c: In function 'get_gss_creds':
src/mod_auth_kerb.c:1129: warning: passing argument 3 of
'gss_import_name' discards qualifiers from pointer target type
src/mod_auth_kerb.c: At top level:
src/mod_auth_kerb.c:1168: warning: 'cmp_gss_type' defined but not used
/usr/lib64/apr-1/build/libtool --silent --mode=link gcc -o
src/mod_auth_kerb.la -export-symbols-regex auth_kerb_module
-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv -ldl -lresolv
-rpath /usr/lib64/httpd/modules -module -avoid-version
src/mod_auth_kerb.lo
+ exit 0
Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.50426
+ umask 022
+ cd /home/mkj/rpm/BUILD
+ cd mod_auth_kerb-5.3
+ rm -rf /var/tmp/mod_auth_kerb-5.3-4-buildroot
+ mkdir
-p /var/tmp/mod_auth_kerb-5.3-4-buildroot/usr/lib64/httpd/modules 
/var/tmp/mod_auth_kerb-5.3-4-buildroot/etc/httpd/conf.d
+ install -m 755
src/.libs/mod_auth_kerb.so 
/var/tmp/mod_auth_kerb-5.3-4-buildroot/usr/lib64/httpd/modules/mod_auth_kerb.so
+ install -m
644 /home/mkj/rpm/SOURCES/auth_kerb.conf 
/var/tmp/mod_auth_kerb-5.3-4-buildroot/etc/httpd/conf.d/auth_kerb.conf
+ exit 0
Processing files: mod_auth_kerb-5.3-4
Executing(%doc): /bin/sh -e /var/tmp/rpm-tmp.50426
+ umask 022
+ cd /home/mkj/rpm/BUILD
+ cd mod_auth_kerb-5.3
+
DOCDIR=/var/tmp/mod_auth_kerb-5.3-4-buildroot/usr/doc/mod_auth_kerb-5.3
+ export DOCDIR
+ rm
-rf /var/tmp/mod_auth_kerb-5.3-4-buildroot/usr/doc/mod_auth_kerb-5.3
+ /bin/mkdir
-p /var/tmp/mod_auth_kerb-5.3-4-buildroot/usr/doc/mod_auth_kerb-5.3
+ cp -pr
README /var/tmp/mod_auth_kerb-5.3-4-buildroot/usr/doc/mod_auth_kerb-5.3
+ exit 0
Provides: config(mod_auth_kerb) = 5.3-4 mod_auth_kerb.so()(64bit)
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Requires: config(mod_auth_kerb) = 5.3-4 httpd-mmn = 20051115
libc.so.6()(64bit) libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.3.4)(64bit) libc.so.6(GLIBC_2.4)(64bit)
libcom_err.so.2()(64bit) libdl.so.2()(64bit)
libgssapi_krb5.so.2()(64bit)
libgssapi_krb5.so.2(gssapi_krb5_2_MIT)(64bit) libk5crypto.so.3()(64bit)
libkrb5.so.3()(64bit) libkrb5.so.3(krb5_3_MIT)(64bit)
libresolv.so.2()(64bit) rtld(GNU_HASH)
Checking for unpackaged
file(s): /usr/lib/rpm/check-files /var/tmp/mod_auth_kerb-5.3-4-buildroot
Wrote: /home/mkj/rpm/SRPMS/mod_auth_kerb-5.3-4.src.rpm
Wrote: /home/mkj/rpm/RPMS/x86_64/mod_auth_kerb-5.3-4.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.50426
+ umask 022
+ cd /home/mkj/rpm/BUILD
+ cd mod_auth_kerb-5.3
+ rm -rf /var/tmp/mod_auth_kerb-5.3-4-buildroot
+ exit 0



On Fri, 2007-07-27 at 09:14 +0200, Mikkel Kruse Johnsen wrote:

> Hi
> 
> Settings check:
> 
> network.negotiate-auth.allow-proxies = true
> network.negotiate-auth.delegation-uris = cbs.dk,hhk.dk
> network.negotiate-auth.gsslib =
> network.negotiate-auth.trusted-uris = cbs.dk,hhk.dk
> network.negotiate-auth.using-native-gsslib = true
> 
> After the patch (attached) I get this. So it seems that status is
> GSS_S_COMPLETE:
> 
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148): [client
> 130.226.36.170] Acquiring creds for HTTP/[EMAIL PROTECTED]
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269): [client
> 130.226.36.170] Verifying client data using KRB5 GSS-API
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285): [client
> 130.226.36.170] Verification returned code 0
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303): [client
> 130.226.36.170] GSS-API token of length 22 bytes will be sent back
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351): [client
> 130.226.36.170] set cached name [EMAIL PROTECTED] for connection
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360): [client
> 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
> available
> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot
> store delegated credential (gss_krb5_copy_ccache: Invalid credential
> was supplied (No error))
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148): [client
> 130.226.36.170] Acquiring creds for HTTP/[EMAIL PROTECTED], referer:
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269): [client
> 130.226.36.170] Verifying client data using KRB5 GSS-API, referer:
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285): [client
> 130.226.36.170] Verification returned code 0, referer:
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303): [client
> 130.226.36.170] GSS-API token of length 22 bytes will be sent back,
> referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351): [client
> 130.226.36.170] set cached name [EMAIL PROTECTED] for connection,
> referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360): [client
> 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
> available, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot
> store delegated credential (gss_krb5_copy_ccache: Invalid credential
> was supplied (No error)), referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1457): [client
> 130.226.36.170] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1148): [client
> 130.226.36.170] Acquiring creds for HTTP/[EMAIL PROTECTED], referer:
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1269): [client
> 130.226.36.170] Verifying client data using KRB5 GSS-API, referer:
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1285): [client
> 130.226.36.170] Verification returned code 0, referer:
> http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1303): [client
> 130.226.36.170] GSS-API token of length 22 bytes will be sent back,
> referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1351): [client
> 130.226.36.170] set cached name [EMAIL PROTECTED] for connection,
> referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [debug] src/mod_auth_kerb.c(1360): [client
> 130.226.36.170] krb_save_credentials activated, GSS_C_DELEG_FLAG
> available, referer: http://od.cbs.dk/phpinfo.php
> [Fri Jul 27 09:09:50 2007] [error] [client 130.226.36.170] Cannot
> store delegated credential (gss_krb5_copy_ccache: Invalid credential
> was supplied (No error)), referer: http://od.cbs.dk/phpinfo.php
> 
> /Mikkel
> 
> 
> On Thu, 2007-07-26 at 22:38 +0200, Achim Grolms wrote: 
> 
> > On Thursday 26 July 2007 21:54, Douglas E. Engert wrote:
> > > Achim Grolms wrote:
> > > > On Thursday 26 July 2007 20:40, Henry B. Hotz wrote:
> > > >>> If I understand RFC2744 correct GSS_C_DELEG_FLAG
> > > >>> would not be set in that case?
> > > >>>
> > > >>> Achim
> > > >>
> > > >> Agreed.  That flag shouldn't be set AFAIK, though the value isn't
> > > >> valid until negotiation is complete.
> > > >
> > > > That means before trying to store delegated credentials
> > > > and before checking GSS_C_DELEG_FLAG
> > > > mod_auth_kerb needs to check if gss_accept_sec_context ()
> > > > returns   major_status = GSS_S_COMPLETE
> > 
> > From my point of view this means that mod_auth_kerb
> > needs a change in code.
> > It needs to be of this style:
> > 
> > the major_status of 
> > gss_accept_sec_context()
> > 
> > needs to be checked before checking GSS_C_DELEG_FLAG.
> > 
> > This can be done this way:
> > 
> > if ( major_status_accept == GSS_S_COMPLETE ) {
> >     if (conf->krb_save_credentials) {
> >         if (delegated_cred != GSS_C_NO_CREDENTIAL) {
> >              .
> >              .
> >              .
> >         }
> >      }
> > }
> > 
> > 
> > major_status_accept is the major_status returned by
> > accept_sec_token
> > 
> > Mikkel, can you give this a try?
> > Achim
> > Received-SPF: pass (0: SPF record at ispgateway.de designates 80.67.18.15 
> > as permitted sender)
> > 
> > 
> > 
> 
> Mikkel Kruse Johnsen
> Linet
> Ørholmgade 6 st tv
> 2200 København N
> 
> Tlf: +45 2128 7793
> email: [EMAIL PROTECTED]
> www: http://www.linet.dk
> 

Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: [EMAIL PROTECTED]
www: http://www.linet.dk
--- mod_auth_kerb-5.1/src/mod_auth_kerb.c.cache
+++ mod_auth_kerb-5.1/src/mod_auth_kerb.c
@@ -85,6 +85,8 @@
 #define snprintf _snprintf
 #endif
 
+#include <unistd.h>
+
 #ifdef KRB5
 #include <krb5.h>
 #ifdef HEIMDAL
@@ -1238,6 +1240,8 @@
    return memcmp(p, oid->elements, oid->length);
 }
 
+#define NAMEKEY "mod_auth_kerb:client_name"
+
 static int
 authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
 		      const char *auth_line, char **negotiate_ret_value)
@@ -1390,6 +1394,15 @@
   MK_AUTH_TYPE = MECH_NEGOTIATE;
   MK_USER = apr_pstrdup(r->pool, output_token.value);
 
+#ifndef APXS1
+  {
+      apr_status_t rv;
+      rv = apr_pool_userdata_set(r->user, NAMEKEY, NULL, r->connection->pool);
+      ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, 
+                    "set cached name %s for connection", r->user);
+  }
+#endif
+
   if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
      store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
 
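Review bot: `apr_pool_userdata_set(r->user, NAMEKEY, NULL, r->connection->pool)` stores the r->user pointer itself, and the line just above it (`MK_USER = apr_pstrdup(r->pool, output_token.value)`) allocates that string from the request pool, so once the request is finished the connection pool holds a dangling pointer into memory the request pool has released. The lookup in the later hunk of this patch (`name = data; ... r->user = apr_pstrdup(r->pool, name)`) then copies from that released memory on the next request over the same connection. Copy the name into the pool that owns the cache entry instead: `rv = apr_pool_userdata_set(apr_pstrdup(r->connection->pool, r->user), NAMEKEY, NULL, r->connection->pool);`. A comment is warranted too, since from here on every later request on this keep-alive connection is treated as authenticated without presenting a token, which is the connection-oriented model of Negotiate but only holds while the entry lives in per-connection storage; rv is logged on the next line but not otherwise checked. authenticate_user_gss starts and ends outside this hunk.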
@@ -1417,17 +1430,6 @@
 }
 #endif /* KRB5 */
 
-static int
-already_succeeded(request_rec *r)
-{
-   if (ap_is_initial_req(r) || MK_AUTH_TYPE == NULL)
-      return 0;
-   if (strcmp(MK_AUTH_TYPE, MECH_NEGOTIATE) ||
-       (strcmp(MK_AUTH_TYPE, "Basic") && strchr(MK_USER, '@')))
-      return 1;
-   return 0;
-}
-
 static void
 set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf,
       		      int use_krb4, int use_krb5pwd, char *negotiate_ret_value)
@@ -1475,7 +1477,6 @@
    const char *type = NULL;
    int use_krb5 = 0, use_krb4 = 0;
    int ret;
-   static int last_return = HTTP_UNAUTHORIZED;
    char *negotiate_ret_value = NULL;
 
    /* get the type specified in .htaccess */
@@ -1504,6 +1505,23 @@
    }
 #endif
 
+#ifndef APXS1
+   if (use_krb5 && conf->krb_method_gssapi) {
+       void *data = NULL;
+       const char *name;
+      
+       if (apr_pool_userdata_get(&data, NAMEKEY, r->connection->pool) == APR_SUCCESS
+           && data != NULL) {
+           name = data;
+           ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                         "using cached name %s", name);
+           r->user = apr_pstrdup(r->pool, name);
+           r->ap_auth_type = "Negotiate";
+           return OK;
+       } 
+   }
+#endif      
+
    /* get what the user sent us in the HTTP header */
    auth_line = MK_TABLE_GET(r->headers_in, (r->proxyreq == PROXYREQ_PROXY)
 	                                    ? "Proxy-Authorization"
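Review bot: The cached path writes `r->user` and `r->ap_auth_type = "Negotiate";` directly while the earlier hunk of this patch uses `MK_USER` and `MK_AUTH_TYPE = MECH_NEGOTIATE` for the same two fields, so the literal can drift from MECH_NEGOTIATE and the accessors lose their purpose; I would write `MK_USER = apr_pstrdup(r->pool, name);` and `MK_AUTH_TYPE = MECH_NEGOTIATE;` here. The `name` local is only a cast of `data`, so `const char *name = data;` inside the if reads cleaner than declaring it above. Since this branch returns OK before the Authorization header is even read, a one-line comment naming the intent (`/* Negotiate authenticates the connection, not the request: reuse the name cached for it */`) would help the next reader. The enclosing function starts and ends outside this hunk.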
@@ -1526,9 +1544,6 @@
        (strcasecmp(auth_type, "Basic") == 0))
        return DECLINED;
 
-   if (already_succeeded(r))
-      return last_return;
-
    ret = HTTP_UNAUTHORIZED;
 
 #ifdef KRB5
@@ -1552,7 +1567,6 @@
 
    /* XXX log_debug: if ret==OK, log(user XY authenticated) */
 
-   last_return = ret;
    return ret;
 }
 
--- mod_auth_kerb-5.0-rc4/spnegokrb5/spnego_asn1.h.gcc4
+++ mod_auth_kerb-5.0-rc4/spnegokrb5/spnego_asn1.h
@@ -7,6 +7,8 @@
 #include <stddef.h>
 #include <time.h>
 
+#include "parse_units.h"
+
 #ifndef __asn1_common_definitions__
 #define __asn1_common_definitions__
 
--- mod_auth_kerb-5.1/src/mod_auth_kerb.c.krb15
+++ mod_auth_kerb-5.1/src/mod_auth_kerb.c
@@ -86,6 +86,7 @@
 #endif
 
 #include <unistd.h>
+#include <stdlib.h>
 
 #ifdef KRB5
 #include <krb5.h>
@@ -269,33 +270,6 @@
 }
 #endif
 
-#if defined(KRB5) && !defined(HEIMDAL)
-/* Needed to work around problems with replay caches */
-#include "mit-internals.h"
-
-/* This is our replacement krb5_rc_store function */
-static krb5_error_code KRB5_LIB_FUNCTION
-mod_auth_kerb_rc_store(krb5_context context, krb5_rcache rcache,
-                       krb5_donot_replay_internal *donot_replay)
-{
-   return 0;
-}
-
-/* And this is the operations vector for our replay cache */
-const krb5_rc_ops_internal mod_auth_kerb_rc_ops = {
-  0,
-  "dfl",
-  krb5_rc_dfl_init,
-  krb5_rc_dfl_recover,
-  krb5_rc_dfl_destroy,
-  krb5_rc_dfl_close,
-  mod_auth_kerb_rc_store,
-  krb5_rc_dfl_expunge,
-  krb5_rc_dfl_get_span,
-  krb5_rc_dfl_get_name,
-  krb5_rc_dfl_resolve
-};
-#endif
 
 
 /*************************************************************************** 
@@ -1193,31 +1167,6 @@
 		 		     "gss_acquire_cred() failed"));
       return HTTP_INTERNAL_SERVER_ERROR;
    }
-
-#ifndef HEIMDAL
-   /*
-    * With MIT Kerberos 5 1.3.x the gss_cred_id_t is the same as
-    * krb5_gss_cred_id_t and krb5_gss_cred_id_rec contains a pointer to
-    * the replay cache.
-    * This allows us to override the replay cache function vector with
-    * our own one.
-    * Note that this is a dirty hack to get things working and there may
-    * well be unknown side-effects.
-    */
-   {
-      krb5_gss_cred_id_t gss_creds = (krb5_gss_cred_id_t) *server_creds;
-
-      /* First we try to verify we are linked with 1.3.x to prevent from
-         crashing when linked with 1.4.x */
-      if (gss_creds && (gss_creds->usage == GSS_C_ACCEPT)) {
-	 if (gss_creds->rcache && gss_creds->rcache->ops &&
-	     gss_creds->rcache->ops->type &&  
-	     memcmp(gss_creds->rcache->ops->type, "dfl", 3) == 0)
-          /* Override the rcache operations */
-	 gss_creds->rcache->ops = &mod_auth_kerb_rc_ops;
-      }
-   }
-#endif
    
    return 0;
 }
diff -r -u mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c mod_auth_kerb-5.3/src/mod_auth_kerb.c
--- mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c	2007-07-25 11:38:20.000000000 +0200
+++ mod_auth_kerb-5.3/src/mod_auth_kerb.c	2007-07-27 15:00:04.000000000 +0200
@@ -1215,6 +1215,8 @@
   spnego_oid.length = 6;
   spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
 
+  OM_uint32 acc_ret_flags;
+
   if (conf->krb_5_keytab) {
      char *ktname;
      /* we don't use the ap_* calls here, since the string passed to putenv()
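Review bot: `OM_uint32 acc_ret_flags;` is placed after the spnego_oid assignments, mid-block, and is never initialised; gss_accept_sec_context is not guaranteed to write ret_flags on every failure path, so any read of it depends on the major_status test in the later hunk staying nested exactly as it is now. Move the declaration up with the other locals (the `gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;` block shown in the fixes patch on this page is where they live) and give it a safe default, `OM_uint32 acc_ret_flags = 0;`, so a missing GSS_C_DELEG_FLAG is the fail-safe reading. authenticate_user_gss starts and ends outside this hunk.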
@@ -1277,7 +1279,7 @@
 				  &client_name,
 				  NULL,
 				  &output_token,
-				  NULL,
+				  &acc_ret_flags,
 				  NULL,
 				  &delegated_cred);
   log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
@@ -1351,8 +1353,30 @@
   }
 #endif
 
-  if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
-     store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
+  if (major_status == GSS_S_COMPLETE ) {
+    if (conf->krb_save_credentials) {
+      if (delegated_cred != GSS_C_NO_CREDENTIAL) {
+        if ( acc_ret_flags & GSS_C_DELEG_FLAG ) {      
+          log_rerror( APLOG_MARK, APLOG_DEBUG, 0, r,
+       	    "krb_save_credentials activated, GSS_C_DELEG_FLAG available", "" );
+ 
+          store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
+        } 
+        else {
+          log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
+            "krb_save_credentials activated, no GSS_C_DELEG_FLAG", "" );
+        }
+      } 
+      else {
+        log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
+          "krb_save_credentials activated, no GSS_C_NO_CREDENTIAL", "" );
+      }
+    }
+  }
+  else {
+    log_rerror( APLOG_MARK, APLOG_ERR, 0, r,
+      "krb_save_credentials not activated, no GSS_S_COMPLETE", "" );
+  }	 
 
   gss_release_buffer(&minor_status, &output_token);
 
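Review bot: The final `else` at the bottom of the hunk logs `krb_save_credentials not activated, no GSS_S_COMPLETE` at APLOG_ERR whenever major_status is anything but GSS_S_COMPLETE, even when conf->krb_save_credentials is off, and GSS_S_CONTINUE_NEEDED is a normal intermediate result if the function reaches this point mid-negotiation (the earlier handling of major_status is outside the hunk, so I cannot confirm whether it does). The two inner `else` branches are also APLOG_ERR for what is the client's choice not to delegate, and the text `no GSS_C_NO_CREDENTIAL` states the opposite of the condition it reports. I would make conf->krb_save_credentials the outer test so nothing is logged when credential saving is not configured, collapse the three conditions into one guard, and log the negative case at APLOG_DEBUG; the guard order also matters for safety, since delegated_cred is only meaningful once the context is complete and GSS_C_DELEG_FLAG is set. authenticate_user_gss starts and ends outside this hunk.
```c
  /* delegated_cred is only meaningful once the context is established
   * and the peer actually delegated (GSS_C_DELEG_FLAG in ret_flags);
   * anything else is not a server-side error. */
  if (conf->krb_save_credentials) {
    if (major_status == GSS_S_COMPLETE
        && (acc_ret_flags & GSS_C_DELEG_FLAG)
        && delegated_cred != GSS_C_NO_CREDENTIAL) {
      log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                 "krb_save_credentials activated, GSS_C_DELEG_FLAG available", "");
      store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
    } else {
      log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                 "krb_save_credentials activated, but no delegated credential received", "");
    }
  }
  /* … unchanged: gss_release_buffer(&minor_status, &output_token); … */
```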
--- Makefile.in	2007-07-09 13:10:54.000000000 +0200
+++ Makefile.in.exports	2007-07-09 13:10:01.000000000 +0200
@@ -7,15 +7,15 @@
 SPNEGO_SRCS = @SPNEGO_SRCS@
 
 CPPFLAGS = -I. -Ispnegokrb5 $(KRB5_CPPFLAGS) $(KRB4_CPPFLAGS) $(DEFS)
-LDFLAGS = $(KRB5_LDFLAGS) $(KRB4_LDFLAGS) $(LIB_resolv)
+LDFLAGS = $(KRB5_LDFLAGS) $(KRB4_LDFLAGS) $(LIB_resolv) -Wl,-export-symbols-regex -Wl,auth_kerb_module
 CFLAGS =
 
 # Use these assignements instead of the default ones if your're building on BSD
 # systems. A 'if' statemet would be better, of course.
 #APXS_CPPFLAGS != [ -n "${CPPFLAGS}" ] && echo ${CPPFLAGS} | sed -e 's/\([^ ]*\)/-Wc,\1/g'
 #APXS_LDFLAGS  != [ -n "${LDFLAGS}"  ] && echo ${LDFLAGS} | sed -e 's/\([^ ]*\)/-Wl,\1/g'
-APXS_CPPFLAGS = ${shell [ -n "${CPPFLAGS}" ] && echo ${CPPFLAGS} | sed -e 's/\([^ ]*\)/-Wc,\1/g'}
-APXS_LDFLAGS  = ${shell [ -n "${LDFLAGS}"  ] && echo ${LDFLAGS} | sed -e 's/\([^ ]*\)/-Wl,\1/g'}
+APXS_CPPFLAGS = ${CPPFLAGS}
+APXS_LDFLAGS  = ${LDFLAGS} 
 
 all: src/mod_auth_kerb.so
 
--- src/mod_auth_kerb.c	2007-07-09 13:22:17.000000000 +0200
+++ src/mod_auth_kerb.c.fixes	2007-07-09 13:22:27.000000000 +0200
@@ -1239,6 +1239,8 @@
    return memcmp(p, oid->elements, oid->length);
 }
 
+typedef typeof(gss_accept_sec_context) gss_asc_t;
+
 static int
 authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
 		      const char *auth_line, char **negotiate_ret_value)
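Review bot: `typedef typeof(gss_accept_sec_context) gss_asc_t;` uses the bare `typeof` keyword, which GCC only accepts outside strict ISO modes (`-std=c99`/`-ansi` reject it); `__typeof__` works in every GCC mode, so `typedef __typeof__(gss_accept_sec_context) gss_asc_t;`. Deriving the type from the library's own declaration is otherwise an improvement over the hand-written prototype the next hunk removes, since it cannot drift from the header. A short comment saying the typedef exists so accept_sec_token can point at gss_accept_sec_context or an alternative with the same signature would explain why it is not simply a direct call; I am inferring that purpose from the variable name, so confirm against the assignment, which is outside the hunk.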
@@ -1250,11 +1252,7 @@
   int ret;
   gss_name_t client_name = GSS_C_NO_NAME;
   gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;
-  OM_uint32 (KRB5_LIB_FUNCTION *accept_sec_token)
-     			 (OM_uint32 *, gss_ctx_id_t *, const gss_cred_id_t,
-			 const gss_buffer_t, const gss_channel_bindings_t,
-			 gss_name_t *, gss_OID *, gss_buffer_t, OM_uint32 *,
-			 OM_uint32 *, gss_cred_id_t *);
+  gss_asc_t *accept_sec_token;
   gss_OID_desc spnego_oid;
   gss_ctx_id_t context = GSS_C_NO_CONTEXT;
   gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL;
@@ -1557,28 +1555,6 @@
    return ret;
 }
 
-int
-have_rcache_type(const char *type)
-{
-   krb5_error_code ret;
-   krb5_context context;
-   krb5_rcache id = NULL;
-   int found;
-
-   ret = krb5_init_context(&context);
-   if (ret)
-      return 0;
-
-   ret = krb5_rc_resolve_full(context, &id, "none:");
-   found = (ret == 0);
-
-   if (ret == 0)
-      krb5_rc_destroy(context, id);
-   krb5_free_context(context);
-
-   return found;
-}
-
 /*************************************************************************** 
  Module Setup/Configuration
  ***************************************************************************/
@@ -1589,7 +1565,7 @@
 #ifndef HEIMDAL
    /* Suppress the MIT replay cache.  Requires MIT Kerberos 1.4.0 or later.
       1.3.x are covered by the hack overiding the replay calls */
-   if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
+   if (getenv("KRB5RCACHETYPE") == NULL)
       putenv(strdup("KRB5RCACHETYPE=none"));
 #endif
 }
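Review bot: Dropping `have_rcache_type("none")` means `putenv(strdup("KRB5RCACHETYPE=none"))` now runs unconditionally, while the comment two lines above still says 1.3.x is covered by the replay-call hack, which the krb15 patch earlier on this page deletes (`mod_auth_kerb_rc_ops` and the rcache override), so the comment no longer matches the tree; the same pair of lines appears again in the next hunk. Both places deserve a comment stating the scope of the change: `/* putenv() affects the whole httpd process: the MIT replay cache is disabled for every krb5 consumer in it, so replayed AP-REQs are no longer rejected; needs MIT 1.4.0+, which knows the "none" type. */`. strdup's result is also handed to putenv unchecked, so `char *rc = strdup("KRB5RCACHETYPE=none"); if (rc) putenv(rc);` avoids passing NULL on allocation failure. The enclosing function starts outside this hunk.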
@@ -1630,7 +1606,7 @@
 #ifndef HEIMDAL
    /* Suppress the MIT replay cache.  Requires MIT Kerberos 1.4.0 or later.
       1.3.x are covered by the hack overiding the replay calls */
-   if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
+   if (getenv("KRB5RCACHETYPE") == NULL)
       putenv(strdup("KRB5RCACHETYPE=none"));
 #endif
    