[38620] in Kerberos

Problem disabling replay cache

daemon@ATHENA.MIT.EDU (Jakub Czuchnowski)
Thu Oct 17 06:43:10 2019

From: Jakub Czuchnowski <jakub.czuchnowski@gmail.com>
Date: Thu, 17 Oct 2019 12:42:41 +0200
Message-ID: <CAPf4uygU+A1r50pbsUBXuGe7GUTzt8Sk=_Ke5vhZWGc+qxgixw@mail.gmail.com>
To: kerberos@mit.edu

Hi,

I'm setting up a service (web application) that is using Kerberos to
authenticate users. I want to disable the replay cache for it but for some
reason I can't.

The web app is served from the Nginx server built with
'spnego-http-auth-nginx-module' (
https://github.com/stnoonan/spnego-http-auth-nginx-module ) for handling
Kerberos authentication. To be precise, I'm building a docker image with
these:

   - Debian 10.1
   - Nginx 1.17.4
   - libkrb5-dev 1.17-3

Because of libkrb5-dev, I assume I'm using MIT Kerberos. According to the
documentation it should suffice to set the environment
variable KRB5RCACHETYPE=none, but it doesn't work. printenv shows that it
is set, but the replay cache file is still created as /var/tmp/http_33.
The first request is fine, but the logs show that subsequent requests with
the same ticket are causing gss_accept_sec_context() to fail with "Request
is a replay".
Now, I'm not sure if the problem is in MIT Kerberos, the Nginx module, or
my lack of understanding, so I'm looking for any clues and clarifications.

Thanks,
Jakub Czuchnowski
Scalac
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos