gmane.comp.apache.mod-auth-kerb.general

Patch to port to Apache 2.4

Russ Allbery — 2013-06-03T02:13:42

In case this helps anyone else, here is a tested patch to mod-auth-kerb
(relative to the Debian package, so I'm not sure if it applies completely
cleanly to the current source) to make the module build against Apache
2.4.

There were two issues: first, the connection->request_ip struct member had
to be changed to the new useragent_ip member, and second, the internal
logging function needed adapting to the new logging parameter in the
current version of Apache.  I also switched to the new module declaration
syntax so that the messages from this module would be properly tagged, and
switched the package build system to dh_apache2 (which simplifies a number
of things).

More cleanup is definitely possible; this was an attempt to be minimally
intrusive.

The patch should continue to work with Apache 2.2, although I've not
personally tested.  I only tested with SPNEGO authentication, but I see no
reason to believe that Basic authentication wouldn't also work.

--- libapache-mod-auth-kerb-5.4.orig/src/mod_auth_kerb

Configuration behind Microsoft TMG

Martin Yves — 2013-04-15T09:34:33

  Hello,

I have setup Apache2 / mod_auth_kerb against an ActiveDirectory 2008R2
and everything works well when direct access is used.

Now I try to pass through TMG in mode "Kerberos / NTLM"
but Apache2 receives at first request after successful authentication in
TMG a NTLMSSP encoded challenge/credential in "Authorization: Negotiate"
header and mod_auth_kerb 5.4 fails with error 500 and message:

[Mon Apr 15 11:03:34 2013] [error] [client 192.168.3.15]
gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may
provide more information (, Key table entry not found), referer:
http://tmg.domain.com/CookieAuth.dll?GetLogon?curl=Z2FscriptZ2Ftest.cgi&reason=0&formdir=3


Is there any option to tune in mod_auth_kerb or TMG ?

In my opinion, mod_auth_kerb should answer 401 Negotiate... in the hope
TMG will query again with a Kerberos TGS in SPNEGO envelop.
Or is there any option in TMG to simply disable NTLM and only accept
Kerberos ?

Thank you in advance for your help

Mod_auth_kerb: Warning: received token seems to beNTLM, possible issues?

Kurt Maet — 2013-03-27T14:14:32

I'm trying to set up mod_auth_kerb with `Debian/Apache` and a `Windows2008`
Active Directory.
This works:

    kinit -k -t /etc/krb5.keytab HTTP/myhost.domain.local
    I see a valid ticket in klist, with Service Principal
krbtgt/MYHOST.MYDOMAIN.LOCAL< at >MYDOMAIN.LOCAL

This is in my Apache error log:

    [Sun Mar 24 16:41:11 2013] [debug] src/mod_auth_kerb.c(1628): [client
10.50.109.64] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
    [Sun Mar 24 16:41:11 2013] [debug] mod_deflate.c(615): [client
10.50.109.64] Zlib: Compressed 528 to 355 : URL /private/auth.php
    [Sun Mar 24 16:41:11 2013] [debug] src/mod_auth_kerb.c(1628): [client
10.50.109.64] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
    [Sun Mar 24 16:41:11 2013] [debug] src/mod_auth_kerb.c(1240): [client
10.50.109.64] Acquiring creds for HTTP< at >myhost
    [Sun Mar 24 16:41:11 2013] [debug] src/mod_auth_kerb.c(1385): [client
10.50.109.64] Verifying client data using KRB5 GSS-API
    [Sun Mar 24 16:41:

Re: newsletter: Re: 500 error w/ mod_auth_kerb and mod_authnz_ldap

Saxon, Will — 2013-02-11T14:16:55

Hello Jo,

This configuration is substantially similar to our own. We don't have the following:


According to the documentation, the VerifyKDC and ServiceName settings are defaults. We are using the primary system keytab vs. a separate apache-specific keytab.

We don't have anything configured for DelegateBasic/AuthBasicProvider. Looking at this makes me wonder if you're using LDAP as a fallback to Kerberos, i.e. if krb fails you fall back to basic, which is handled by LDAP. Is this true? What happens if one of your users attempts to access the site but is not authorized?

Hugh Cole-Baker's response to this thread - using AuthzSendForbiddenOnFailure - looks like a solution for us, but we're in the same situation he is in that we are using Apache 2.2, while this option is only supported on 2.4+.

We've worked around this by redirecting 500 errors for this site to a custom page. It's still broken but at least it doesn't look like a server error. 

Thanks Jo and Hugh for the replies.

-Will




---------------

Re: newsletter: Re: 500 error w/ mod_auth_kerb and mod_authnz_ldap

2013-02-11T13:59:43

Hello Will,

This is what we do, check authentication by kerberos
and authorisation is done by ldap group membership

I think the trick is to use "KrbAuthoritative off" for kerberos

see here for details
http://modauthkerb.sourceforge.net/configure.html
"If set to off this directive allow authentication controls to be pass on to another modules. Use only if you really know what you are doing."

and "AuthzLDAPAuthoritative on" to let ldap decide who gets access.

                AuthType KerberosV5
                AuthName "Kerberos Login"
                KrbMethodNegotiate on
                KrbMethodK5Passwd  on
                KrbAuthoritative off
                KrbAuthRealms EXAMPLE.COM
                KrbVerifyKDC on
                KrbServiceName HTTP
                Krb5Keytab /etc/mywwwserver.keytab
                KrbSaveCredentials on
# this one is missing in current doc ?
                KrbDelegateBasic off
                KrbLocalUserMapping On

                AuthzLDAPAuthoritative

Re: 500 error w/ mod_auth_kerb and mod_authnz_ldap

Hugh Cole-Baker — 2013-02-09T19:21:16

LDAP
list:
userPrincipalName?sub?(|(objectClass=user)(objectClass=group))"

Having run into the same problem with Apache 2.2, I think I've found the cause.
The sequence of events seems to be:

1. Client sends a request for a page
2. Server sends back HTTP status 401 with a "WWW-Authenticate: Negotiate" header
3. Client decides to authenticate using SPNEGO / Kerberos, and re-sends the
  request with an "Authorization: Negotiate <base64 token>" header.
4. mod_auth_kerb parses the base64 token, and authenticates the user. Control
  within Apache then passes to the mod_authnz_ldap module for authorization.
5. mod_authnz_ldap decides to deny the user access in the authorization phase.
  By default, Apache 2.2 seems to send an HTTP status 401 response when
  authentication succeeds but authorization fails, like this case.
6. Server sends back HTTP status 401, with a
  "WWW-Authenticate: Negotiate <base64 token>" header with the base64 token
  in this case representing a successful GSSAPI context establishment.
7.

gss_acquire_cred() failed - unknown error

Cassiopeia — 2012-11-28T11:23:05

Allright guys - hello everbody

I'm encopuntering a problem since weeks - and it drives me crazy :(
So I hope that anybody of you could give me hint what the problem is.

The Goal is to access a Intranetsite trough Kerberos MIT SSO.
We do have 2 testsystems.

KDC is a Windows server 2008 R2
Webserver is a redhat 6.3 with all patches available.
Apache is 2.2.15


My problem is the following:
Implemented SSO on both machines in the same way.
Encountered on both machines the following error:

[Wed Nov 28 11:09:43 2012] [debug] src/mod_auth_kerb.c(1939): [client
1.2.3.4] kerb_authenticate_user entered with user (NULL) and auth_type
KerberosV5
[Wed Nov 28 11:09:43 2012] [debug] src/mod_auth_kerb.c(1278): [client
1.2.3.4] Acquiring creds for HTTP/hostname.domain.local
[Wed Nov 28 11:09:43 2012] [debug] src/mod_auth_kerb.c(1138): [client
1.2.3.4] GSS-API major_status:000d0000, minor_status:00000000
[Wed Nov 28 11:09:43 2012] [error] [client 1.2.3.4] gss_acquire_cred()
failed: Unspecified GSS failure.  Minor code ma

500 error w/ mod_auth_kerb and mod_authnz_ldap

Saxon, Will — 2012-11-27T22:50:12

Hello,

I'm trying to set up an LDAP group-controlled, Kerberos-authenticated web service, with the KRB5 and LDAP requests targeting Active Directory. The environment I'm working with is CentOS 6.3, mod_auth_kerb 5.4 and the authnz_ldap module shipping with Apache 2.2.15. 

The configuration I'm working with is pretty standard and similar to what I've seen in the archives on this list:

<Directory /var/www/git>
        Options +ExecCGI
        AddHandler cgi-script .cgi
        DirectoryIndex gitweb.cgi

        AuthType Kerberos
        KrbAuthoritative On
        KrbAuthRealms EXAMPLE.COM
        KrbMethodNegotiate On
        KrbMethodK5Passwd On

        AuthzLDAPAuthoritative On
        AuthLDAPBindDN "CN=LDAP,OU=Service Accounts,DC=example,DC=com"
        AuthLDAPBindPassword SuperDuperSecret
        AuthName "Please Login"
        AuthLDAPURL "ldap://example.com:389/DC=example,DC=com?userPrincipalName?sub?(|(objectClass=user)(objectClass=group))"
        require ldap-group CN=gitAdmins,OU=Groups,DC=exa

Compiling error - no Kerberos environment found

David Perry — 2012-10-22T10:47:28

Hi

I'm trying to build the module to use with Shibboleth single signon, on a SLES 10 SP4 server. Following the instructions I use the following command:
./configure --with-krb5=/usr/bin --without-krb4 --with-apache=/usr/sbin

And with all the compilers installed I get this error:
configure: error: No Kerberos enviroment found

The Kerberos client has been installed using the package manager - krb5, krb5-32bit, krb5-client, yast2-kerberos-client.

Am I missing anything?

Thanks.

David Perry
eLearning Technologist, eLearning Team (L34 - Library)
Hull College Group
Wilberforce Drive, Queen's Gardens, Hull
HU1 3DG
Extension 2230 / Direct Dial 01482 381930



* * * Think about the environment - Do you really need to print this email?


**********************************************************************
This message is sent in confidence for the addressee
only. It may  contain confidential or sensitive
information.  The contents are not to be disclosed
to anyone other than the addressee.  Unauthorised
recipie

Prevauth and KRB5CCNAME not set

KAPP Arnaud — 2012-09-27T22:22:34

Hello,

I'm new to using mod_auth_kerb and I need your help to solve my problem. 
I run it with apache2 on a debian wheezy box.
My problem is that KRB5CCNAME environment variable is not always set.
I'm using mod_auth_kerb with this configuration:

                    KrbServiceName Any
                    KrbAuthRealms BOAP.NET
                    KrbMethodNegotiate off
                    KrbMethodK5Passwd on
                    KrbSaveCredentials on
                    Krb5Keytab /etc/apache2.keytab

and I have apache rewriting url to a shell script :

#!/bin/sh
# Output HTML header
echo Content-type: text/plain
echo

# $REMOTE_USER should be set by httpd
     if [ -z "$REMOTE_USER" ]; then
     echo '$REMOTE_USER not set.'
     exit 1
fi

     if [ -z "$KRB5CCNAME" ]; then
     echo 'Kerberos credential cache name $KRB5CCNAME does not exist.'
     sleep 10;
     exit 1
fi

While REMOTE_USER is always set, the kerberos credential cache is not. 
It happens after a previous successful request.
Here is what a

Re: src/mod_auth_kerb.c(1628):kerb_authenticate_userentered with user (NULL) and auth_type Kerberos

Henry B. Hotz — 2012-09-24T18:42:08

I don't see any resemblance between your logs and Rasanth's?

On Sep 24, 2012, at 8:51 AM, Mauricio Tavares wrote:


------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz< at >jpl.nasa.gov, or hbhotz< at >oxy.edu


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

Re: No SPNEGO available during compilation

Henry B. Hotz — 2012-09-24T16:48:24

On Sep 24, 2012, at 9:35 AM, Mauricio Tavares wrote:



For the GSSAPI_SUPPORTS_SPNEGO false case, the code is doing its own check if the GSS mech type is SPNEGO, since the OS's GSS code won't understand that case.  If it *is* SPNEGO, then it substitutes its own SPNEGO GSS mechanism code (otherwise it goes with the native library, which should support a direct/native krb5 mechanism).

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz< at >jpl.nasa.gov, or hbhotz< at >oxy.edu


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

Re: No SPNEGO available during compilation

Mauricio Tavares — 2012-09-24T16:35:39

      So, I am still confused:

Sep 24 11:35:04 www-int apache2[14360]: [debug]
src/mod_auth_kerb.c(1407): [client 10.0.0.109] Verifying client data
using KRB5 GSS-API

would tell me mod-auth_kerb chose to do KRB5 GSS-API instead of SPNEGO
GSS-API. From what Henry said, that would mean the GSSAPI library does
not support SPNEGO and mod_auth_kerb would pick its own spengo code. I
guess that would be done here in mod_auth_kerb.c:

#ifndef GSSAPI_SUPPORTS_SPNEGO
#  include "spnegokrb5.h"
#endif

In that case, what does the #else statement in

#ifdef GSSAPI_SUPPORTS_SPNEGO
  accept_sec_token = gss_accept_sec_context;
#else
  accept_sec_token = (cmp_gss_type(&input_token, &spnego_oid) == 0) ?
                        gss_accept_sec_context_spnego : gss_accept_sec_context;
#endif

is doing? I take it will only return gss_accept_sec_context_spnego  if
the cmp_gss_type == 0. And only way I will see what cmp_gss_type
returned is running gdb or something like that, right?

---------------------------------------------

Re: src/mod_auth_kerb.c(1628):kerb_authenticate_user entered with user (NULL) and auth_type Kerberos

Mauricio Tavares — 2012-09-24T15:51:13

I honestly do not know if that is an error or not, but would love to
find out. After all, not only I have seen the same behaviour in my
logs,

Sep 24 11:35:04 www-int apache2[14360]: [debug]
src/mod_auth_kerb.c(1579): [client 10.0.0.109] kerb_authenticate_user
entered with user (NULL) and auth_type Kerberos
Sep 24 11:35:04 www-int apache2[14360]: [debug]
src/mod_auth_kerb.c(1579): [client 10.0.0.109] kerb_authenticate_user
entered with user (NULL) and auth_type Kerberos
Sep 24 11:35:04 www-int apache2[14360]: [debug]
src/mod_auth_kerb.c(1261): [client 10.0.0.109] Acquiring creds for
HTTP< at >www-int.test.domain.com
Sep 24 11:35:04 www-int apache2[14360]: [debug]
src/mod_auth_kerb.c(1407): [client 10.0.0.109] Verifying client data
using KRB5 GSS-API
Sep 24 11:35:04 www-int apache2[14360]: [debug]
src/mod_auth_kerb.c(1423): [client 10.0.0.109] Verification returned
code 0
Sep 24 11:35:04 www-int apache2[14360]: [debug]
src/mod_auth_kerb.c(1441): [client 10.0.0.109] GSS-API token of length
22 bytes will be sent ba

src/mod_auth_kerb.c(1628):kerb_authenticate_user entered with user (NULL) and auth_type Kerberos

Rasanth — 2012-09-21T11:28:53

Hi,
I get the following error while trying to login to the apache server.

[Fri Sep 21 16:27:01 2012] [debug] src/mod_auth_kerb.c(1628): [client 
10.11.18.90] kerb_authenticate_user entered with user (NULL) and auth_type 
Kerberos
[Fri Sep 21 16:27:01 2012] [debug] mod_deflate.c(615): [client 10.11.18.90] 
Zlib: Compressed 478 to 323 : URL /

==> /var/log/apache2/access.log <==
10.11.18.90 - - [21/Sep/2012:16:27:01 +0530] "GET / HTTP/1.1" 401 695 "-" 
"Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:15.0) Gecko/20100101 Firefox/15.0.1"

==> /var/log/apache2/error.log <==
[Fri Sep 21 16:27:04 2012] [debug] src/mod_auth_kerb.c(1628): [client 
10.11.18.90] kerb_authenticate_user entered with user (NULL) and auth_type 
Kerberos
[Fri Sep 21 16:27:04 2012] [debug] src/mod_auth_kerb.c(1240): [client 
10.11.18.90] Acquiring creds for HTTP< at >example.com
[Fri Sep 21 16:27:04 2012] [debug] src/mod_auth_kerb.c(1101): [client 
10.11.18.90] GSS-API major_status:000d0000, minor_status:000186a4
[Fri Sep 21 16:27:04 2012] [error] [cl

Re: Cannot retrieve KRB5CCNAME if logged in with kerberos ticket

Mauricio Tavares — 2012-09-18T11:30:10

      Here is a rather late update: the problem with KRB5CCNAME
disappearing if I reloaded page within 15s is gone. But the issue with
me not being able to do a SPNEGO login (logging in with my kerberos
ticket as opposite of with my kerberos username/pw) still remains.

Of course, the most annoying part is I have 4 websites that have not
problems using kerberos tickets, but this one, which is just one
simple test page, ain't. Suggestions and comments are always
appreciated.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

Re: No SPNEGO available during compilation

Mauricio Tavares — 2012-09-17T18:48:57

      So, if I got that message, mod-auth-kerb is using its own
spnego. How could I verify that it is in place? Right now I am trying
to authenticate and it is only working if I provide kerberos
username/passwd, not with the ticket. And I want to find out where it
is boink.


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

Re: No SPNEGO available during compilation

Henry B. Hotz — 2012-09-17T17:52:59

mod-auth-kerb supports SPNEGO.  If the native GSSAPI libraries don't, then mod-auth-kerb will use its own implementation.

(Sometimes the native libraries claim to support GSSAPI, but don't really.  You may need to force this check to "no" sometimes to get things to work.)

On Sep 17, 2012, at 7:10 AM, Mauricio Tavares wrote:


------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz< at >jpl.nasa.gov, or hbhotz< at >oxy.edu


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

Re: No SPNEGO available during compilation

Mauricio Tavares — 2012-09-17T14:10:41

Lemme try it again:

I was compiling manually mod-auth-kerb in an ubuntu12.04 box. While
running config, I saw the following message:

checking whether the GSSAPI libraries support SPNEGO... no

have my browser authenticate using my kerberos ticket as opposite to
me having to enter my kerberos user/pw. Am I correct? If so, I must be
using the wrong library as I can login using the ubuntu mod-auth-kerb
package using my ticket.

Or am I confused?

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

No SPNEGO available during compilation

Mauricio Tavares — 2012-09-17T14:05:19


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

Re: Segmentation Fault on OS X … trying to figure out log_rerror()

Russ Allbery — 2012-09-12T21:08:45




Segfaults in strlen underneath vsnprintf normally mean that one passed in
a NULL pointer to vsnprintf, either for the format or for a %s argument.

Looking at the source code for verify_krb5_user, none of the log_rerror
calls there seem particularly suspicious, although if krb5_get_err_text
ever returns NULL, that would definitely cause this.