0.7rc2 with mod_auth_kerb 5 rc6
The spnego code in mod_auth_kerb seems to conflict with the related
code in the new Heimdal. As Love suggested, it turns out to be trivial
to work around: just eliminate the spnego code that came with
mod_auth_kerb. ;-)

First, forget all the configure machinery. It just gets in the way
here (IMNSHO).

Second, copy config.h.in to config.h and edit appropriately. (It's
obvious, I think.)

Third, apply the patch at the end of this email.

Fourth, run apxs directly on the src/mod_auth_kerb.c file. I used
something similar to the following on Solaris 9:

    /apache/path/bin/apxs -c -I. -I/usr/kth/include -DHAVE_KRB5_CC_GEN_NEW \
        -DHEIMDAL -Wc,-g -Wl,-R/usr/kth/lib:/apache/path/lib \
        -L/usr/kth/lib:/apache/path/lib -lgssapi -lkrb5 -lasn1 -lcom_err \
        -lcrypto -lroken -lresolv -lnsl -lsocket -lresolv src/mod_auth_kerb.c

I don't see any reason why you can't do -c -i -a instead of just -c
above. In theory you should do `/usr/kth/bin/krb5-config --libs` in
place of all those options after the -c (except it doesn't include
-lgssapi).

It appears to work fine.
------------------
--- mod_auth_kerb.c.orig Wed Jun 1 13:33:49 2005
+++ mod_auth_kerb.c Wed Jun 1 13:41:33 2005
@@ -73,7 +73,6 @@
# define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
# define krb5_get_err_text(context,code) error_message(code)
#endif
-#include "spnegokrb5.h"
#endif /* KRB5 */
#ifdef KRB4
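Review bot: the removal of `#include "spnegokrb5.h"` just above `#endif /* KRB5 */` is unconditional, so the source can no longer be built against a Kerberos library that lacks its own SPNEGO support and relies on the bundled code. Consider wrapping the include in a preprocessor conditional (a hypothetical macro set in config.h) rather than deleting it, and note in config.h.in which setting applies to a Heimdal that ships its own SPNEGO.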
@@ -1098,15 +1097,11 @@
gss_name_t client_name = GSS_C_NO_NAME;
gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;
OM_uint32 (*accept_sec_token)();
- gss_OID_desc spnego_oid;
gss_ctx_id_t context = GSS_C_NO_CONTEXT;
gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL;
*negotiate_ret_value = "\0";
- spnego_oid.length = 6;
- spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
-
if (conf->krb_5_keytab) {
char *ktname;
/* we don't use the ap_* calls here, since the string passed to
putenv()
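Review bot: once the `spnego_oid` declaration and its initialisation are dropped here, nothing in this function documents that clients may still send tokens carrying the SPNEGO mechanism OID (the removed bytes `\x2b\x06\x01\x05\x05\x02` encode 1.3.6.1.5.5.2) and that handling them is now left to the GSS-API library. A short comment at this spot saying so would help the next reader. Separately, the context line ending in `string passed to` is wrapped onto a second line (`putenv()`) as posted, which will likely make this hunk fail to apply; sending the patch as an attachment avoids that.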
@@ -1145,14 +1140,10 @@
}
input_token.length = ap_base64decode(input_token.value, auth_param);
- accept_sec_token = (cmp_gss_type(&input_token, &spnego_oid) == 0) ?
- gss_accept_sec_context_spnego : gss_accept_sec_context;
+ accept_sec_token = gss_accept_sec_context;
/* pridat: Read client Negotiate data of length XXX, prefix YYY */
- log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Verifying client data
using %s",
- (accept_sec_token == gss_accept_sec_context)
- ? "KRB5 GSS-API"
- : "SPNEGO GSS-API");
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Verifying client data
using GSS-API");
major_status = accept_sec_token(&minor_status,
&context,
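Review bot: with `accept_sec_token = gss_accept_sec_context;` assigned unconditionally, the function pointer no longer selects anything, and because it is declared without a prototype (`OM_uint32 (*accept_sec_token)();`) the compiler does not check the arguments of the call that follows. Calling `gss_accept_sec_context` directly would be simpler and type-checked. The replacement debug message also drops the only indication of which mechanism was used; logging the mechanism OID returned through the `mech_type` output argument of `gss_accept_sec_context` after the call would keep that visible when diagnosing Negotiate failures. Both the removed and the added `log_rerror` lines are wrapped inside the string literal as posted, so the hunk needs to be unwrapped before it will apply.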
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu