Re: [modauthkerb] Compiling for Solaris
From: Douglas E. E. <dee...@an...> - 2009-11-06 20:24:12
Igor Galić wrote:
> ----- "Douglas E. Engert" <dee...@an...> wrote:
>
> [snip]
>> For what it is worth, attached is a diff file from last year that
>> is not complete, but has some code to handle the rcache issue
>> and to store delegated creds. It was never completed, but
>> might give you some insight.
>
> Thank you for the patch, Douglas.
>
> I've "ported" it to 5.4. In order to make it compile on Solaris,
> you'll have to run autoreconf before your script.
>
> I have now reduced the problem to a known one, or so I suppose:
>
> [Fri Nov 06 18:23:27 2009] [error] [client 10.130.32.1] gss_acquire_cred() failed: No credentials were supplied, or the credentials were unavailable or inaccessible (, No principal in keytab matches desired name)
>

So is this from the client side, or the server side?
The GSS client (normally) uses a ticket cache.
The GSS server normally uses a keytab file.

> Sun says about the issue http://docs.sun.com/app/docs/doc/816-4557/trouble-27?a=view
> to run kinit before. I did that, the result of which is:
>

I don't think that is the problem, as the server should not be using a
ticket cache, but see last comments below.

> root@atvp1uascm001:~# kinit srv_svnbind@ES.LOCAL
> Password for srv_svnbind@ES.LOCAL:
> root@atvp1uascm001:~# echo $?
> 0
> root@atvp1uascm001:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: srv_svnbind@BAW.LOCAL

What is BAW.LOCAL? Why is this not ES.LOCAL?
What is the srv_snvbind@REALM principal used for?

>
> Valid starting     Expires            Service principal
> 11/06/09 18:26:39  11/07/09 04:27:36  krbtgt/ES.LOCAL@ES.LOCAL
>         renew until 11/13/09 18:26:39
> root@atvp1uascm001:~#
>
> The result is, of course, the same.
>
> httpd.conf looks as follows:
>
> <Location "/svn/">
>     DAV svn
>     SVNParentPath /var/bldsrv/svn/repos
>     SVNIndexXSLT "/style/svnindex.xsl"
>
>     SVNPathAuthz on
>     SVNAutoversioning on
>     SVNListParentPath on
>
>     AuthType Kerberos
>     AuthName "Subversion Ldap/Kerberos Login"
>     KrbMethodNegotiate On
>     KrbMethodK5Passwd Off
>     KrbAuthRealms ES.LOCAL
>     Krb5Keytab /etc/krb5/krb5.keytab

This is telling the server to use this keytab. This is normally
the one used by root for host principals. If the web server is running
under a different UID, does it have access to the file?
Did you have a HTTP/<FQDN>@<REALM> principal entry in the keytab and KDC?

>
>     AuthzSVNAccessFile /var/bldsrv/svn/authz/pub.svn.authz
>     Require valid-user
> </Location>
>
> Am I missing anything obvious here?
>

Are you trying to have a web client authenticate to the web server,
then have the web server as srv_svnbind@REALM authenticate to
an svn server?

--

 Douglas E. Engert  <DEE...@an...>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
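
Added example, not part of the original message or of mod_auth_kerb: a shell check for the keytab question raised above, reading a listing in the layout printed by `klist -k` and reporting whether the HTTP/<FQDN>@<REALM> entry is present. It goes slightly beyond the thread by also flagging a case-only mismatch, since keytab lookups compare principal names case-sensitively; the function name, the host name `web.example.test` and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a keytab listing against the service principal
# the web server is expected to use.
#
# stdin : text in the layout printed by plain `klist -k <keytab>`
#         (entry lines are "<KVNO> <principal>")
# $1    : wanted principal, e.g. HTTP/<FQDN>@<REALM>
# stdout: "ok", "case-mismatch: <entry found>", or "missing"
check_keytab_listing() {
    want=$1
    awk -v want="$want" '
        # Only entry lines start with a numeric KVNO; headers are skipped.
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            if ($2 == want)
                exact = 1
            else if (tolower($2) == tolower(want))
                near = $2      # same name, different case: will not match
        }
        END {
            if (exact)      print "ok"
            else if (near)  print "case-mismatch: " near
            else            print "missing"
        }
    '
}

# Constructed sample listing. The realm is the one from the thread; the
# host name is a placeholder, and the lowercase "http/" entry is deliberate.
sample_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/web.example.test@ES.LOCAL
   3 http/web.example.test@ES.LOCAL
EOF
}

# Real use, run under the web server's own account so that an unreadable
# keytab also shows up as a failure:
#   klist -k /etc/krb5/krb5.keytab | check_keytab_listing 'HTTP/<FQDN>@ES.LOCAL'
```

With the constructed listing, asking for `HTTP/web.example.test@ES.LOCAL` reports a case mismatch rather than a match, which is one way to end up with "No principal in keytab matches desired name" even though an entry appears to exist.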