Package: libapache2-mod-auth-kerb
Version: 5.3-4
Severity: normal
Tags: patch
Kerberos authorization (using Negotiate) succeeds, but delegation fails.
(KRB5CCNAME is not set in the CGI environment.) When using K5Passwd,
both authorization and delegation succeed.
Configuration when using Negotiate:
AuthType Kerberos
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms DRAWFORM.COM
Krb5Keytab /etc/apache2/custom/keytab
KrbSaveCredentials On
KrbServiceName Any
Require valid-user
Configuration when using K5Passwd:
AuthType Kerberos
AuthName "Enter your network credentials"
KrbMethodNegotiate Off
KrbMethodK5Passwd On
KrbAuthRealms DRAWFORM.COM
Krb5Keytab /etc/apache2/custom/keytab
KrbSaveCredentials On
KrbServiceName HTTP/[EMAIL PROTECTED]
Require valid-user
The Kerberos realm is a Win2k3 AD. The keytab was generated with ktpass
on the DC (which was running 2k3 SP2) and securely copied to the web
server. Authorization succeeds, with both configurations. (I.e.,
Negotiate is at least authenticating successfully.)
When using Negotiate, the client is Firefox 2.0.0.14 on Windows 2000.
The network.negotiate-auth.{trusted-uris,delegation-uris} options are
both set to include this web server. Capturing the HTTP request, then
decrypting the Kerberos ticket (with the help of the known keytab) shows
that the browser *is* setting GSS_C_DELEG_FLAG in the authenticator in
the AP_REP that it sends, and *is* also sending a TGT.
Installing the various Apache and Kerberos debug packages, then running
Apache under gdb, reveals that gss_accept_sec_context is successfully
decrypting the ticket, and successfully setting gss_flags to 3 (which is
GSS_C_DELEG_FLAG | GSS_C_MUTUAL_FLAG, which are the flags sent by the
client). But after building a delegated credential, it throws it away
due to a check in krb5*/src/lib/gssapi/mechglue/g_accept_sec_context.c
(line 248 in the Debian-patched source tree):
    /* Ensure we're returning correct creds format */
    if ((ret_flags && GSS_C_DELEG_FLAG) &&
        tmp_d_cred != GSS_C_NO_CREDENTIAL) {
Since mod_auth_kerb-5.3/src/mod_auth_kerb.c passes NULL for the
ret_flags parameter, ret_flags is false, and so that part of this check
fails. The *d_cred output value is only set if this check succeeds.
(Now, this check is probably also incorrect: I think the first part of
it should be "ret_flags && ((*ret_flags) & GSS_C_DELEG_FLAG)". But the
accept_sec_context function does need to check whether delegation was
allowed by the client, and it needs a valid output flags pointer in
order to do that. Plus the GSSAPI spec (RFC1509) says nothing about
whether ret_flags can be NULL, while it does say that several other
parameters (src_name, time_req) may be NULL. I therefore believe that
the intent of the RFC is to specify that ret_flags can't be NULL.)
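As an added illustration (not code from the bug report or from MIT krb5), the following stand-alone C model reproduces the credential-return check quoted above and the reporter's proposed correction, so both failure modes can be exercised without a GSSAPI library. The constant values mirror gssapi.h (GSS_C_DELEG_FLAG = 1, GSS_C_MUTUAL_FLAG = 2, which is why the page reports gss_flags = 3); the function names and the integer "have_deleg_cred" stand-in for tmp_d_cred are assumptions made for the example.

```c
/* Added example: a model of the "return delegated creds?" decision in
 * g_accept_sec_context.c.  Not the real mechglue code; the two helpers
 * below are hypothetical names chosen for this illustration. */
#include <stdio.h>

typedef unsigned int OM_uint32;
#define GSS_C_DELEG_FLAG  1   /* as in gssapi.h */
#define GSS_C_MUTUAL_FLAG 2   /* as in gssapi.h */

/* Returns 1 when the delegated credential would be handed back to the
 * caller.  This is the check as quoted from the Debian-patched source:
 * "ret_flags && GSS_C_DELEG_FLAG" tests the pointer and then a non-zero
 * constant, so it never looks at the flags the client actually sent. */
int deleg_cred_returned_buggy(OM_uint32 *ret_flags, int have_deleg_cred)
{
    if ((ret_flags && GSS_C_DELEG_FLAG) && have_deleg_cred)
        return 1;
    return 0;
}

/* The reporter's proposed form: dereference the output-flags pointer and
 * mask it, so delegation is honoured only when the client requested it. */
int deleg_cred_returned_fixed(OM_uint32 *ret_flags, int have_deleg_cred)
{
    if ((ret_flags && (*ret_flags & GSS_C_DELEG_FLAG)) && have_deleg_cred)
        return 1;
    return 0;
}

int main(void)
{
    OM_uint32 deleg_and_mutual = GSS_C_DELEG_FLAG | GSS_C_MUTUAL_FLAG; /* 3 */
    OM_uint32 mutual_only      = GSS_C_MUTUAL_FLAG;                    /* 2 */

    /* Case 1: caller passes NULL for ret_flags (mod_auth_kerb 5.3).
     * The client delegated, a credential exists, yet it is discarded. */
    printf("NULL ret_flags, client delegated:   buggy=%d fixed=%d\n",
           deleg_cred_returned_buggy(NULL, 1),
           deleg_cred_returned_fixed(NULL, 1));

    /* Case 2: caller passes a pointer and the client set DELEG|MUTUAL. */
    printf("flags=3, client delegated:          buggy=%d fixed=%d\n",
           deleg_cred_returned_buggy(&deleg_and_mutual, 1),
           deleg_cred_returned_fixed(&deleg_and_mutual, 1));

    /* Case 3: pointer passed but the client did NOT set DELEG.
     * The original check still returns the credential; the fix does not. */
    printf("flags=2, client did not delegate:   buggy=%d fixed=%d\n",
           deleg_cred_returned_buggy(&mutual_only, 1),
           deleg_cred_returned_fixed(&mutual_only, 1));
    return 0;
}
```

Case 1 is the symptom in this report (delegated credential silently dropped when the caller passes NULL); case 3 is the second defect the reporter points out, where a non-NULL pointer makes the constant test always true regardless of what the client asked for.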
I've included a patch to pass a flags pointer to accept_sec_context, so
the delegated_cred field gets filled in. The patch was generated from a
mod_auth_kerb tree that already had all enabled Debian patches applied
to it via dpatch.
(Upstream mod_auth_kerb CVS (according to Sourceforge's CVS->web
gateway) has generated a patch very similar to this in r134, but the
intent of that patch is to log whether the client passed a TGT or not.
Regardless of whether the client's decision is logged, a valid flags
pointer must be passed.)
*** mod_auth_kerb-provide-flags.patch
Pass a pointer to a flags variable into gss_accept_sec_context. Throw away
the actual returned flags value, since we don't care.
If the flags pointer is NULL, then libkrb53 won't save the delegated
credential (which was provided by the client) into delegated_cred,
and GSSAPI delegation fails.
diff -ur a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c
--- a/src/mod_auth_kerb.c 2008-04-25 13:06:12.000000000 -0400
+++ b/src/mod_auth_kerb.c 2008-05-07 20:18:59.000000000 -0400
@@ -1338,6 +1338,7 @@
gss_OID_desc spnego_oid;
gss_ctx_id_t context = GSS_C_NO_CONTEXT;
gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL;
+ OM_uint32 tmp_flags;
*negotiate_ret_value = "\0";
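Review bot: `OM_uint32 tmp_flags;` is declared without an initializer; gss_accept_sec_context only writes it on the paths that reach the flag-setting code, so if the call fails early the variable holds garbage. Initializing it (`OM_uint32 tmp_flags = 0;`) costs nothing and keeps the value defined should anyone later decide to log or test it, which the accompanying description explicitly leaves open.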
@@ -1406,7 +1407,7 @@
&client_name,
NULL,
&output_token,
- NULL,
+ &tmp_flags,
NULL,
&delegated_cred);
log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
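Review bot: since `&tmp_flags` is now populated by the call, the `log_rerror(APLOG_MARK, APLOG_DEBUG, ...)` immediately following is the natural place to record whether `tmp_flags & GSS_C_DELEG_FLAG` was set; that would make "delegation requested but no credential saved" distinguishable from "client never delegated" in the debug log, and matches the upstream r134 intent mentioned in the report. Without it, a delegation failure after this patch still leaves no trace in Apache's logs.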
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-3-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages libapache2-mod-auth-kerb depends on:
ii apache2.2-common 2.2.8-3 Next generation, scalable, extenda
ii krb5-config 1.18 Configuration files for Kerberos V
ii libc6 2.7-10 GNU C Library: Shared libraries
ii libcomerr2 1.40.8-2 common error description library
ii libkrb53 1.6.dfsg.3~beta1-4 MIT Kerberos runtime libraries
libapache2-mod-auth-kerb recommends no packages.
-- no debconf information