Thanks for providing this new Apache module for SPNEGO authentication. I have done a test with it and eventually got it to work.
However, I did come across a problem. The mechanism type OID used by old W2k machines is different and not compatible with the module. I have updated mod_spnego.c to allow either OID (the correct one and the buggy one). First the code checks the correct OID; if this fails, it tries the buggy one. If this also fails, it returns an error as before. If it succeeds, it remembers this and continues.
I have attached a patch to 0.0.3 for this change. Please feel free to apply it to the code.
ap_log_rerror (APLOG_MARK, PORTABLE_APLOG_INFO, r, "mod_spnego: parseSpnegoInitialToken succeeded");
--- 360,380 ----
&inputKerberosToken,
&inputKerberosTokenLength))
{
! /* The correct mechanism OID does not work, let's just check
! * the broken MS one in case this is an old W2K client.
! */
! if (!parseSpnegoInitialToken (inputSpnegoToken,
! inputSpnegoTokenLength,
! &msKrb5GssApiLegacy,
! &inputKerberosToken,
! &inputKerberosTokenLength))
! {
! ap_log_rerror (APLOG_MARK, PORTABLE_APLOG_ERR, r, "mod_spnego: parseSpnegoInitialToken failed");
! return HTTP_INTERNAL_SERVER_ERROR;
! }
!
! ap_log_rerror (APLOG_MARK, PORTABLE_APLOG_INFO, r, "mod_spnego: found broken OID for negotiated protocol, probably an old W2k machine");
! brokenOID = TRUE;
}
Thanks for providing this new Apache module for SPNEGO authentication. I have done a test with it and eventually got it to work.
However, I did come across a problem. The mechanism type OID used by old W2k machines is different and not compatible with the module. I have updated mod_spnego.c to allow either OID (the correct one and the buggy one). First the code checks the correct OID; if this fails, it tries the buggy one. If this also fails, it returns an error as before. If it succeeds, it remembers this and continues.
I have attached a patch to 0.0.3 for this change. Please feel free to apply it to the code.
Thanks,
Frank Taylor
Propero Ltd
## Snip ##################################
diff -cr mod_spnego/mod_spnego.c mod_spnego-updated/mod_spnego.c
*** mod_spnego/mod_spnego.c Fri Dec 5 15:39:52 2003
--- mod_spnego-updated/mod_spnego.c Fri Jan 9 11:22:01 2004
***************
*** 350,355 ****
--- 350,356 ----
unsigned char * outputKerberosToken = NULL;
size_t outputKerberosTokenLength = 0;
int rc;
+ int brokenOID = FALSE;
ap_log_rerror (APLOG_MARK, PORTABLE_APLOG_INFO, r, "mod_spnego: entering handleSpnegoToken");
***************
*** 359,366 ****
&inputKerberosToken,
&inputKerberosTokenLength))
{
! ap_log_rerror (APLOG_MARK, PORTABLE_APLOG_ERR, r, "mod_spnego: parseSpnegoInitialToken failed");
! return HTTP_INTERNAL_SERVER_ERROR;
}
ap_log_rerror (APLOG_MARK, PORTABLE_APLOG_INFO, r, "mod_spnego: parseSpnegoInitialToken succeeded");
--- 360,380 ----
&inputKerberosToken,
&inputKerberosTokenLength))
{
! /* The correct mechanism OID does not work, let's just check
! * the broken MS one in case this is an old W2K client.
! */
! if (!parseSpnegoInitialToken (inputSpnegoToken,
! inputSpnegoTokenLength,
! &msKrb5GssApiLegacy,
! &inputKerberosToken,
! &inputKerberosTokenLength))
! {
! ap_log_rerror (APLOG_MARK, PORTABLE_APLOG_ERR, r, "mod_spnego: parseSpnegoInitialToken failed");
! return HTTP_INTERNAL_SERVER_ERROR;
! }
!
! ap_log_rerror (APLOG_MARK, PORTABLE_APLOG_INFO, r, "mod_spnego: found broken OID for negotiated protocol, probably an old W2k machine");
! brokenOID = TRUE;
}
ap_log_rerror (APLOG_MARK, PORTABLE_APLOG_INFO, r, "mod_spnego: parseSpnegoInitialToken succeeded");
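Review bot: The fallback's failure path at the inner `if` logs the same "parseSpnegoInitialToken failed" text as the original single-OID path, so the log no longer records that the legacy MS OID was also tried, which is exactly what an operator diagnosing an old W2k client needs; `ap_log_rerror (APLOG_MARK, PORTABLE_APLOG_ERR, r, "mod_spnego: parseSpnegoInitialToken failed for both the standard and the legacy MS Kerberos OID");` keeps that distinction. The fallback also parses the same input buffer a second time, so if parseSpnegoInitialToken writes to inputKerberosToken or inputKerberosTokenLength before reporting failure, the first attempt's partial output is silently overwritten — presumably it only writes on success, but its contract is not visible here and is worth confirming. Accepting the legacy OID is unconditional; a per-directory directive defaulting to the strict OID would let deployments without old clients keep the narrower set of accepted tokens. handleSpnegoToken begins before this hunk and ends after it.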
***************
*** 379,385 ****
negResult = 0;
if (!makeSpnegoTargetToken (&negResult,
! &krb5GssApi,
outputKerberosToken,
outputKerberosTokenLength,
NULL,
--- 393,399 ----
negResult = 0;
if (!makeSpnegoTargetToken (&negResult,
! (brokenOID ? &msKrb5GssApiLegacy : &krb5GssApi),
outputKerberosToken,
outputKerberosTokenLength,
NULL,
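Review bot: The ternary on the `makeSpnegoTargetToken` argument line carries no explanation of why the legacy OID is echoed back instead of the standard one, and its dependency on brokenOID being set in the parse branch some forty lines earlier is easy to lose in a later edit; a one-line comment above the call, `/* reply with the mechanism OID the client actually sent; brokenOID is set by the legacy-OID fallback in the parse step above */`, would document the coupling. The makeSpnegoTargetToken call continues outside the hunk.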
## Snip ##################################
Sorry, the whitespace was stripped out of the patch during posting. Here it is uuencoded.
Frank Taylor
frank.taylor _at_ propero _dot_ net
## Snip ##################################
begin 664 mod_spnego-0.0.3-broken-oid.diff
M9&EF9B`M8W(@;6]D7W-P;F5G;R]M;V1?<W!N96=O+F,@;6]D7W-P;F5G;RUU
M<&1A=&5D+VUO9%]S<&YE9V\N8PHJ*BH@;6]D7W-P;F5G;R]M;V1?<W!N96=O
M+F,)1G)I($1E8R`@-2`Q-3HS.3HU,B`R,#`S"BTM+2!M;V1?<W!N96=O+75P
M9&%T960O;6]D7W-P;F5G;RYC"49R:2!*86X@(#D@,3$Z,C(Z,#$@,C`P-`HJ
M*BHJ*BHJ*BHJ*BHJ*BH**BHJ(#,U,"PS-34@*BHJ*@HM+2T@,S4P+#,U-B`M
M+2TM"B`@("`@('5N<VEG;F5D(&-H87(@*B!O=71P=71+97)B97)O<U1O:V5N
M("`@("`@(#T@3E5,3#L*("`@("`@<VEZ95]T("`@("`@("`@(&]U='!U=$ME
M<F)E<F]S5&]K96Y,96YG=&@@/2`P.PH@("`@("!I;G0@("`@("`@("`@("`@
M<F,["BL@("`@(&EN="`@("`@("`@("`@("!B<F]K96Y/240@/2!&04Q313L*
M("`*("`@("`@87!?;&]G7W)E<G)O<B`H05!,3T=?34%22RP@4$]25$%"3$5?
M05!,3T=?24Y&3RP@<BP@(FUO9%]S<&YE9V\Z(&5N=&5R:6YG(&AA;F1L95-P
M;F5G;U1O:V5N(BD["B`@"BHJ*BHJ*BHJ*BHJ*BHJ*@HJ*BH@,S4Y+#,V-B`J
M*BHJ"B`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("9I;G!U
M=$ME<F)E<F]S5&]K96XL"B`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
M("`@("`@("9I;G!U=$ME<F)E<F]S5&]K96Y,96YG=&@I*0H@("`@("!["B$@
M("`@("`@("!A<%]L;V=?<F5R<F]R("A!4$Q/1U]-05)++"!03U)404),15]!
M4$Q/1U]%4E(L('(L(")M;V1?<W!N96=O.B!P87)S95-P;F5G;TEN:71I86Q4
M;VME;B!F86EL960B*3L*(2`@("`@("`@(')E='5R;B!(5%107TE.5$523D%,
M7U-%4E9%4E]%4E)/4CL*("`@("`@?0H@(`H@("`@("!A<%]L;V=?<F5R<F]R
M("A!4$Q/1U]-05)++"!03U)404),15]!4$Q/1U])3D9/+"!R+"`B;6]D7W-P
M;F5G;SH@<&%R<V53<&YE9V]);FET:6%L5&]K96X@<W5C8V5E9&5D(BD["BTM
M+2`S-C`L,S@P("TM+2T*("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
M("`@("`@)FEN<'5T2V5R8F5R;W-4;VME;BP*("`@("`@("`@("`@("`@("`@
M("`@("`@("`@("`@("`@("`@)FEN<'5T2V5R8F5R;W-4;VME;DQE;F=T:"DI
M"B`@("`@('L*(2`)+RH@5&AE(&-O<G)E8W0@;65C:&%N:7-M($])1"!D;V5S
M(&YO="!W;W)K+"!L970G<R!J=7-T(&-H96-K"B$@"2`J('1H92!B<F]K96X@
M35,@;VYE(&EN(&-A<V4@=&AI<R!I<R!A;B!O;&0@5S)+(&-L:65N="X*(2`)
M("HO"B$@"6EF("@A<&%R<V53<&YE9V]);FET:6%L5&]K96X@*&EN<'5T4W!N
M96=O5&]K96XL"B$@"0D)"2`@("`@(&EN<'5T4W!N96=O5&]K96Y,96YG=&@L
M"B$@"0D)"2`@("`@("9M<TMR8C5'<W-!<&E,96=A8WDL(`HA(`D)"0D@("`@
M("`F:6YP=71+97)B97)O<U1O:V5N+`HA(`D)"0D@("`@("`F:6YP=71+97)B
M97)O<U1O:V5N3&5N9W1H*2D*(2`)>PHA(`D@("`@87!?;&]G7W)E<G)O<B`H
M05!,3T=?34%22RP@4$]25$%"3$5?05!,3T=?15)2+"!R+"`B;6]D7W-P;F5G
M;SH@<&%R<V53<&YE9V]);FET:6%L5&]K96X@9F%I;&5D(BD["B$@"2`@("!R
M971U<FX@2%144%])3E1%4DY!3%]315)615)?15)23U(["B$@"7T*(2`*(2`)
M87!?;&]G7W)E<G)O<B`H05!,3T=?34%22RP@4$]25$%"3$5?05!,3T=?24Y&
M3RP@<BP@(FUO9%]S<&YE9V\Z(&9O=6YD(&)R;VME;B!/240@9F]R(&YE9V]T
M:6%T960@<')O=&]C;VPL('!R;V)A8FQY(&%N(&]L9"!7,FL@;6%C:&EN92(I
M.PHA(`EB<F]K96Y/240@/2!44E5%.PH@("`@("!]"B`@"B`@("`@(&%P7VQO
M9U]R97)R;W(@*$%03$]'7TU!4DLL(%!/4E1!0DQ%7T%03$]'7TE.1D\L('(L
M(")M;V1?<W!N96=O.B!P87)S95-P;F5G;TEN:71I86Q4;VME;B!S=6-C965D
M960B*3L**BHJ*BHJ*BHJ*BHJ*BHJ"BHJ*B`S-SDL,S@U("HJ*BH*("`@("`@
M;F5G4F5S=6QT(#T@,#L*("`*("`@("`@:68@*"%M86ME4W!N96=O5&%R9V5T
M5&]K96X@*"9N96=297-U;'0L"B$@("`@("`@("`@("`@("`@("`@("`@("`@
M("`@("`@("`F:W)B-4=S<T%P:2P*("`@("`@("`@("`@("`@("`@("`@("`@
M("`@("`@("`@(&]U='!U=$ME<F)E<F]S5&]K96XL"B`@("`@("`@("`@("`@
M("`@("`@("`@("`@("`@("`@("!O=71P=71+97)B97)O<U1O:V5N3&5N9W1H
M+`H@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@3E5,3"P*+2TM
M(#,Y,RPS.3D@+2TM+0H@("`@("!N96=297-U;'0@/2`P.PH@(`H@("`@("!I
M9B`H(6UA:V53<&YE9V]487)G9714;VME;B`H)FYE9U)E<W5L="P*(2`)"0D)
M*&)R;VME;D])1"`_("9M<TMR8C5'<W-!<&E,96=A8WD@.B`F:W)B-4=S<T%P
M:2DL"B`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("!O=71P=71+
M97)B97)O<U1O:V5N+`H@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
M("`@;W5T<'5T2V5R8F5R;W-4;VME;DQE;F=T:"P*("`@("`@("`@("`@("`@
9("`@("`@("`@("`@("`@("`@($Y53$PL"@``
`
end
## Snip ##################################
I'll check and apply it.
Thank you
Markus
Frank,
Can you mail a copy of your mod_spnego.c to me at balluffif@hotmail.com? Thanks.
Frank