[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

http negotiate auth: credentials delegation problem

To: heimdal-discuss@sics.se
Subject: http negotiate auth: credentials delegation problem
From: Oleg Sharoiko <os@rsu.ru>
Date: Sun, 24 Feb 2008 00:40:39 +0300
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
Organization: Computer Center of Rostov state university
Reply-To: heimdal-discuss@sics.se, Oleg Sharoiko <os@rsu.ru>

Hello!

I have a strange problem with http negotiate authentication, which I
cannot solve on my own and I would greatly appreciate any help.

My setup:
kdc: freebsd + heimdal v. 1.0.1
web server: freebsd + apache 2.2.6 + mod_auth_kerb 5.3 + heimdal 1.0.1
client 1: freebsd + heimdal 1.0.1 + firefox 2.0.0.12
client 2: winxp (not a member of AD domain) + mit kfw 3.1 + firefox
2.0.0.6

.htaccess on webserver:
---
AuthName "Test"
AuthType Kerberos

KrbVerifyKDC on
KrbSaveCredentials on
Krb5Keytab /usr/local/etc/apache22/krb5_http_webserv.r61.net.keytab

AuthLDAPUrl
ldaps://ident.r61.net/ou=Users,ou=R61.NET,ou=Domains,dc=r61,dc=net?krb5PrincipalName
AuthLDAPBindDN
uid=pamproxy,ou=Users,ou=LDAPAccess,ou=Domains,dc=r61,dc=net
AuthLDAPBindPassword jiltojki
AuthzLDAPAuthoritative on
require ldap-attribute allowedService=core-adm

require valid-user
---

On both clients firefox settings network.negotiate-auth.delegation-uris
and network.negotiate-auth.trusted-uris are set to the name of the
server.

This setup used to work some time ago: I could successfully log into
web-server using negotiate authentication and my credentials were
successfully delegated to the web-server. I can't remember exactly, but
it seems that we had heimdal 0.7 at that time on both clients and
servers.

Currently I still can log into web-server with negotiate authentication
from both clients. But with freebsd client (client 1) I see no more
credentials forwarding: authentication succeeds, but there is no
credentials cache on server side (and no errors in logs). At the same
time windows client does forward credentials just as expected. 

I've checked all the configs and everything seems to be correct. I did
some code digging on the server side and as I can see mod_auth_kerb
indeed receives no credentials from GSSAPI. I've also enabled log in
firefox and it reports "using REQ_DELEGATE" which, as far as I
understand, means that firefox allows delegation.

Unfortunately I'm not familiar with heimdal code, so could someone tell
me how can I see if heimdal on the client performs credentials
delegation or not? Or maybe (I don't even expect this) somebody will
even tell me how can I solve my problem...

--
Oleg Sharoiko

Prev by Date: Odd krb5_free_cred_contents problem (Heimdal 1.0.2, Solaris 9)
Next by Date: Re: Odd krb5_free_cred_contents problem (Heimdal 1.0.2, Solaris 9)
Prev by thread: Re: Odd krb5_free_cred_contents problem (Heimdal 1.0.2, Solaris 9)
Next by thread: If you can't beat CEOs join them
Index(es):
- Date
- Thread