Re: [modauthkerb] How to use a received forwardable ticket
From: Russ A. <rr...@st...> - 2010-08-10 01:06:03
Andy Cobaugh <pha...@gm...> writes:

> Only thing that made that work was adding in the call to
> gss_krb5_ccache_name. Other functions like ldap_* seemed to want the
> same thing. At this point we use cosign everywhere for applications that
> want kerberos tickets, and cosign does properly call
> gss_krb5_ccache_name (I think that's how I figured out what
> mod_auth_kerb was missing).

> However, if you're writing a CGI that just calls out the userland
> commands, having KRB5CCNAME set in your environment is enough, but for
> languages like PHP, and probably others, that link against things like
> libldap and libc-client, adding in gss_krb5_ccache_name was the only way
> I could make this work.

Okay, this makes more sense. The difference is not real GSSAPI applications versus some other type, but rather that I bet mod_php is not exporting the KRB5CCNAME environment variable at the correct time, or LDAP connections are being cached, or something else is causing the GSSAPI context to be established during a time when KRB5CCNAME isn't set.

--
Russ Allbery (rr...@st...) <http://www.eyrie.org/~eagle/>