Re: [modauthkerb] How to use a received forwardable ticket
From: Andy C. <pha...@gm...> - 2010-08-10 00:59:02
On 2010-08-09 at 17:28, Russ Allbery ( rr...@st... ) said:
> Andy Cobaugh <pha...@gm...> writes:
>
>> Not quite. mod_auth_kerb, at least the last time I checked (5.4), wasn't
>> calling gss_krb5_ccache_name(). If your application (most of php's
>> GSS-enabled functions like the imap and ldap functions I know do) uses
>> gss_acquire_cred() to create the GSSAPI credential, then it never
>> actually looks at KRB5CCNAME.
>
> Kerberos GSSAPI libraries (at least both MIT and Heimdal, and I'm fairly
> sure Solaris as well) use KRB5CCNAME to find credentials.
> gss_krb5_ccache_name() overrides the environment variable and is useful in
> cases where you can't easily pass environment variables, but if it's not
> used, the environment variable is used by default.
>
> I'm very curious to hear more about the circumstances that seemed to
> indicate this isn't true.

Tried to use mod_auth_kerb + SPNEGO to allow Horde/IMP (using PHP's c-client API, i.e. imap_*) to use GSSAPI to talk to our IMAP servers, since I couldn't get cosign to grab a copy of the kerberos ticket if SPNEGO was used to auth to cosign itself for later delegation to any filters that require it, so I ended up doing some fancy redirects to a version of Horde protected with just mod_auth_kerb. Only thing that made that work was adding in the call to gss_krb5_ccache_name. Other functions like ldap_* seemed to want the same thing.

At this point we use cosign everywhere for applications that want kerberos tickets, and cosign does properly call gss_krb5_ccache_name (I think that's how I figured out what mod_auth_kerb was missing).

However, if you're writing a CGI that just calls out to the userland commands, having KRB5CCNAME set in your environment is enough, but for languages like PHP, and probably others, that link against things like libldap and libc-client, adding in gss_krb5_ccache_name was the only way I could make this work.

Perhaps I'm just remembering all of this wrong; it was almost 2 years ago.

--andy