[32824] in Kerberos


Re: AW: AW: Different behaviour of mod_auth_kerb depending on

daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue Oct 19 19:18:16 2010

From: Russ Allbery <rra@stanford.edu>
To: Beier Michael <M.Beier@EnBW.com>
In-Reply-To: <1CA7D5514D24754B93C9DF23AAFA064509AAB1A17A@S3Q2173.enbw.net>
	(Beier Michael's message of "Tue, 19 Oct 2010 22:49:51 +0200")
Date: Tue, 19 Oct 2010 16:18:10 -0700
Message-ID: <87k4ld3h71.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: "'kerberos@mit.edu'" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Beier Michael <M.Beier@EnBW.com> writes:

> I'll try to explain the difference I see:

> We've got an account with UserPrincipalName
> HTTP/servername.enbw.net@ENBW.NET containing two SPNs:
> HTTP/servername.enbw.net
> HTTP/virtualhost.enbw.net

> From that account we generate one keytab, which is used by mod_auth_kerb.

> Webserver 1 uses mod_auth_kerb built against Heimdal:
> - firefox sends the ticket for the service "HTTP/servername.enbw.net".
> - IE sends the ticket for the service "HTTP/virtualhost.enbw.net".
> Both browsers can successfully access http://virtualhost.enbw.net.

> Webserver 2 uses mod_auth_kerb built against MIT:
> - firefox sends the ticket for the service "HTTP/servername.enbw.net"
>   and can access http://virtualhost.enbw.net.
> - IE sends the ticket for the service "HTTP/virtualhost.enbw.net" and is
>   rejected by mod_auth_kerb with the error message
>   "gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
>   may provide more information (, Key table entry not found)".

Oh!  You already have principal aliases, but your Heimdal build supports
principal aliasing and your MIT build doesn't.  You could presumably also
fix this by upgrading your version of MIT Kerberos (unless that support is
buggy; I don't know if it is).

> Yesterday I would have expected IE to be able to access the website too
> on webserver 2.  Today - after your explanations - I would rather expect
> Heimdal to check if the requested service is in the keytab and IE to get
> no access on webserver 1.

> But in fact there is a difference ..

Heimdal is doing that check, but it's apparently smart enough to ask your
KDC and resolve the alias first, so it finds the right principal.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
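The check an acceptor built against MIT is effectively making in the exchange above is an exact match between the service principal named in the client's ticket and a principal in the keytab; the account's other SPN is not consulted, so a ticket for HTTP/virtualhost.enbw.net fails against a keytab that only names HTTP/servername.enbw.net. The script below, an added example that is not part of the thread or of mod_auth_kerb, parses the keytab file format (version 0x0502, as written by MIT and Heimdal) and reports which of the SPNs clients may present are absent. The keytab bytes, key material, kvno and enctype are constructed here; the principal names mirror the thread.

```python
"""Parse a version-2 (0x0502) keytab and check it for the SPNs clients will request.

Added example, not code from the mailing-list thread or from mod_auth_kerb.
All keytab bytes below are constructed in this script; the key bytes, kvno
and enctype are made up, only the principal names come from the thread.
"""
import struct

KT_MAGIC = b"\x05\x02"  # keytab file format version 2


def _counted(data):
    """uint16 length + bytes, the encoding used for realm, components and key."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Encode (principal, kvno, enctype, key) tuples as a version-2 keytab.

    Used here only to construct test input; a real keytab comes from ktpass/ktutil.
    """
    out = bytearray(KT_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">I", 1)            # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)            # timestamp, unused for matching
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit vno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)         # optional 32-bit vno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob):
    """Decode a version-2 keytab into (principal, kvno, enctype) tuples.

    A negative entry size marks a slot deleted with ktutil 'delent'; it is skipped.
    """
    if blob[:2] != KT_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:
            pos += -size            # deleted slot
            continue
        end = pos + size
        (ncomp, rlen) = struct.unpack_from(">HH", blob, pos); pos += 4
        realm = blob[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos); pos += 2
            comps.append(blob[pos:pos + clen].decode()); pos += clen
        pos += 8                    # name_type + timestamp
        kvno = blob[pos]; pos += 1  # 8-bit vno
        (enctype, klen) = struct.unpack_from(">HH", blob, pos); pos += 4 + klen
        if end - pos >= 4:          # 32-bit vno trailer overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", blob, pos)
            kvno = vno32 or kvno
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries


def keytab_has_principal(blob, principal):
    """Exact-match lookup, as the MIT acceptor does: no alias resolution."""
    return any(p == principal for p, _, _ in parse_keytab(blob))


def missing_spns(blob, spns):
    """SPNs a client may present that the keytab does not hold."""
    present = {p for p, _, _ in parse_keytab(blob)}
    return [s for s in spns if s not in present]


# Constructed input. The account's UPN is HTTP/servername.enbw.net, so a keytab
# exported from it names only that principal.
KEY = bytes(range(16))  # made-up key material
ONE_SPN_KEYTAB = build_keytab([
    ("HTTP/servername.enbw.net@ENBW.NET", 3, 23, KEY),   # 23 = rc4-hmac
])
# Fix: the same account key stored under every SPN the clients will request.
ALL_SPN_KEYTAB = build_keytab([
    ("HTTP/servername.enbw.net@ENBW.NET", 3, 23, KEY),
    ("HTTP/virtualhost.enbw.net@ENBW.NET", 3, 23, KEY),
])
# Constructed: the same keytab after an 8-byte slot was deleted with ktutil.
DELETED_SLOT_KEYTAB = KT_MAGIC + struct.pack(">i", -8) + b"\x00" * 8 + ALL_SPN_KEYTAB[2:]

VHOST_SPNS = ["HTTP/servername.enbw.net@ENBW.NET", "HTTP/virtualhost.enbw.net@ENBW.NET"]

if __name__ == "__main__":
    for label, kt in (("one-SPN keytab", ONE_SPN_KEYTAB), ("all-SPN keytab", ALL_SPN_KEYTAB)):
        print(label, "missing:", missing_spns(kt, VHOST_SPNS))
```

Run against a real file with `missing_spns(open("/etc/httpd/http.keytab", "rb").read(), VHOST_SPNS)`; anything it reports is an SPN for which an MIT-built mod_auth_kerb would return "Key table entry not found" when a browser (IE in the thread) presents a ticket for it. The same information is available from `klist -kt` on that file; the parser only makes the comparison explicit.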
