Re: [modauthkerb] Compiling for Solaris

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Igor Galić wrote:
> ----- "Douglas E. Engert" <dee...@an...> wrote:
> 
> 
> [snip] 
>> For what it is worth, attached is a diff file from last year that
>> is not complete, but has some code to handle the rcache issue
>> and to store delegated creds. It was never completed, but
>> might give you some incite.
> 
> 
> Thanks you for the patch, Douglas.
> 
> I've "ported" it to 5.4. In order to make it compile on Solaris,
> you'll have to run autoreconf before your script.
> 
> 
> I have now reduced the problem to a known one, or so I suppose:
> 
> 
> [Fri Nov 06 18:23:27 2009] [error] [client 10.130.32.1] gss_acquire_cred() failed: No credentials were supplied, or the credentials were unavailable or inaccessible (, No principal in keytab matches desired name)
> 

So is this from the client side, or the server side?

The GSS client(normally) uses a ticket cache. The GSS server normally uses a keytab file.

> 
> Sun says about the issue http://docs.sun.com/app/docs/doc/816-4557/trouble-27?a=view
> to run kinit before. I did that, the result of which is:
> 

I don't think that is the problem, as the server should not be using a ticket cache,
but see last comments below.

> root@atvp1uascm001:~# kinit srv_svnbind@ES.LOCAL
> Password for srv_svnbind@ES.LOCAL:
> root@atvp1uascm001:~# echo $?
> 0
> root@atvp1uascm001:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: srv_svnbind@BAW.LOCAL

What is BAW.LOCAL? Why is this not ES.LOCAL
what is the srv_snvbind@REALM principal used for?

> 
> Valid starting                Expires                Service principal
> 11/06/09 18:26:39  11/07/09 04:27:36  krbtgt/ES.LOCAL@ES.LOCAL
>         renew until 11/13/09 18:26:39
> root@atvp1uascm001:~#
> 
> 
> The result is, of course, the same.
> httpd.conf looks as follows:
> 
>         <Location  "/svn/">
>                 DAV svn
>                 SVNParentPath /var/bldsrv/svn/repos
>                 SVNIndexXSLT "/style/svnindex.xsl"
> 
>                 SVNPathAuthz on
>                 SVNAutoversioning on
>                 SVNListParentPath on
> 
>                 AuthType Kerberos
>                 AuthName "Subversion Ldap/Kerberos Login"
>                 KrbMethodNegotiate On
>                 KrbMethodK5Passwd Off
>                 KrbAuthRealms ES.LOCAL
>                 Krb5Keytab /etc/krb5/krb5.keytab

This  is telling the server to use this keytab. This is normally the one
used by root for host principals. if the web server is running under
a different UID does it have access to the file?

Did you had a HTTP/<FQDN>@<REALM> principal entry in the keytab and KDC?

> 
>                 AuthzSVNAccessFile /var/bldsrv/svn/authz/pub.svn.authz
>                 Require valid-user
>         </Location>
> 
> 
> Am I missing anything obvious here?
> 

Are you trying to have a web client authenticate to the web server, then
have the web server as srv_svnbind@REALM authenticate to an svn server?

> 

-- 

  Douglas E. Engert  <DEE...@an...>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444