[Freeipa-devel] kerberos ticket forwarding with mod_auth_kerb
Rob Crittenden
rcritten at redhat.com
Fri Jul 13 21:26:35 UTC 2007
Simo Sorce wrote:
> On Fri, 2007-07-13 at 16:19 -0400, Rob Crittenden wrote:
>> I have mod_auth_kerb configured to save them:
>>
>> <LocationMatch "/cgi-bin/*">
>> AuthType Kerberos
>> AuthName "Kerberos Login"
>> KrbMethodNegotiate on
>> KrbMethodK5Passwd off
>> KrbServiceName HTTP
>> KrbAuthRealms GREYOAK.COM
>> Krb5KeyTab /etc/httpd/conf/ipa.keytab
>> KrbSaveCredentials on
>> Require valid-user
>> ErrorDocument 401 /errors/unauthorized.html
>> </LocationMatch>
>
> Shouldn't it be Krb5SaveCredentials (note the missing 5 in your conf) ?
> Have you tried also to set Krb5Forwardable on ?
>
> Simo.
>
I found a patch
http://permalink.gmane.org/gmane.comp.apache.mod-auth-kerb.general/980
that seems to work with curl:

% curl -u : --negotiate http://ipa.greyoak.com/cgi-bin/klist
REMOTE_USER is rcrit at GREYOAK.COM
Ticket cache: FILE:/tmp/krb5cc_apache_pOtmOk
Default principal: rcrit at GREYOAK.COM

Valid starting     Expires            Service principal
07/13/07 17:21:48  07/14/07 15:56:44  krbtgt/GREYOAK.COM at GREYOAK.COM

In Firefox with this patch the cache file is set but klist doesn't
report any tickets.

So maybe it is a combination of problems.

I'll check with the upstream folks.

rob