Summary: | GSSAPI/SPNego "Single Sign On" stops working with Mit-krb5 1.4.x & Mod_auth_kerb | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Shirish Jain <gentoo> |
Component: | Current packages | Assignee: | Apache Team - Bugzilla Reports <apache-bugs> |
Status: | RESOLVED NEEDINFO | ||
Severity: | major | CC: | mmokrejs, oulman, seemant |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Shirish Jain
2005-09-23 21:45:09 UTC
Folks, shouldn't this bug be assigned to Applications/maintainers for mit-krb5 as it has not much to do with Apache? Also, anyone with any suggestions?

I agree with comment #2, this looks like an issue with mit-krb5, not with apache.

Back again with some steps to fix this problem. This is more of a Gentoo-specific problem as we are source based and we need to calculate the exact padding required, e.g. I got 3 different values on the 3 different environments I have. Following steps (I'm sure I probably forgot something):

a) equery which mit-krb5
   ... /usr/portage/app-crypt/mit-krb5/mit-krb5-1.4.3.ebuild
b) ebuild /usr/portage/app-crypt/mit-krb5/mit-krb5-1.4.3.ebuild clean
c) ebuild /usr/portage/app-crypt/mit-krb5/mit-krb5-1.4.3.ebuild unpack
d) ebuild /usr/portage/app-crypt/mit-krb5/mit-krb5-1.4.3.ebuild compile
e) cd /var/tmp/portage/mit-krb5-1.4.3/work/krb5-1.4.3/src/
f) nano k5test.c

> ----- k5test.c
> #include "k5-int.h"
> #include <stdio.h>
>
> int main (void) {
>     /* sizeof yields a size_t, so print it with %zu */
>     printf("Sizeof(k5_mutex_t) is %zu\n", sizeof(k5_mutex_t));
>     return 0;
> }
> -----

g) cc -Iinclude -Iinclude/krb5 k5test.c -o k5test.o
h) ./k5test.o
   ... Sizeof(k5_mutex_t) is xx (xx could be say 88 on a 2-way AMD64)

Wow ... so now we know the padding required. Let's move on to the hard yards.

1) echo "net-www/mod_auth_kerb ~x86" >> /etc/portage/package.keywords
2) equery which mod_auth_kerb
   ... /usr/portage/net-www/mod_auth_kerb/mod_auth_kerb-5.0_rc7.ebuild
   (below instructions work for rc6 too, however, I haven't tested it. YMMV)
3) ebuild /usr/portage/net-www/mod_auth_kerb/mod_auth_kerb-5.0_rc7.ebuild setup
4) ebuild /usr/portage/net-www/mod_auth_kerb/mod_auth_kerb-5.0_rc7.ebuild unpack
5) ebuild /usr/portage/net-www/mod_auth_kerb/mod_auth_kerb-5.0_rc7.ebuild compile
6) cd /var/tmp/portage/mod_auth_kerb-5.0_rc7/work/mod_auth_kerb-5.0rc7
7) vi src/mit_internals.h

typedef struct _krb5_gss_cred_id_rec {
/* name/type of credential */
+ char pad[xx];
gss_cred_usage_t usage;

   (xx is the number that was output from step h above)
8) rm /var/tmp/portage/mod_auth_kerb-5.0_rc7/.compile
9) ebuild /usr/portage/net-www/mod_auth_kerb/mod_auth_kerb-5.0_rc7.ebuild compile
10) ebuild /usr/portage/net-www/mod_auth_kerb/mod_auth_kerb-5.0_rc7.ebuild install
11) ebuild /usr/portage/net-www/mod_auth_kerb/mod_auth_kerb-5.0_rc7.ebuild qmerge

Well, that's about it ... configure your Apache configuration files as normal. You can now use

>>> KrbMethodK5Passwd off
>>> KrbMethodNegotiate on

and above will work without those "Request is a Replay" errors. Please feel free to suggest corrections. Will be good if these can be included as part of the ebuild ... I believe this is only required if using mit-krb5.

Has anyone taken a look at this? http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=340360 I applied the patch against 5.0_rc7 and it seems to work with 1.4.3-r1.

There is also a new version that fixes the replay cache issue with mit-krb5-1.4.3: http://sourceforge.net/project/showfiles.php?group_id=51775&package_id=45786&release_id=443935

Honestly, I'm not sure what kerberos can do about this. It seems all the patches and fixes are for the apache module (which I don't maintain).

Martin, Seemant, anyone of you got any idea why this might be happening?

mod_auth_kerb-5.3 is in cvs for 5 months now... please reopen if it's still an issue
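
Added example, not part of the bug report and not code from mod_auth_kerb or mit-krb5: a minimal C model of why the `char pad[xx]` workaround in step 7 changes what the module reads, plus a build-time guard that catches the mismatch. Assumptions: the library's struct carries a mutex ahead of `usage` (implied by the padding size being `sizeof(k5_mutex_t)`), and `fake_mutex_t`, the `name` member and all sample values are constructed stand-ins.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for k5_mutex_t; the real size depends on the build. */
typedef struct { long state[11]; } fake_mutex_t;

/* Assumed layout inside the library: a lock ahead of `usage`. */
struct lib_cred    { fake_mutex_t lock; int usage; void *name; };
/* The module's private copy before the workaround: no lock member. */
struct stale_cred  { int usage; void *name; };
/* The module's copy with the workaround: pad[sizeof mutex] ahead of `usage`. */
struct padded_cred { char pad[sizeof(fake_mutex_t)]; int usage; void *name; };

/* Build-time guard: compilation fails if the mirrored copy drifts again. */
_Static_assert(offsetof(struct padded_cred, usage) == offsetof(struct lib_cred, usage),
               "mirrored struct no longer matches library layout");

/* A credential as the library would hold it (constructed values). */
static struct lib_cred sample_cred(void) {
    struct lib_cred c;
    memset(&c, 0, sizeof c);
    memset(&c.lock, 0x5a, sizeof c.lock);  /* recognisable lock bytes */
    c.usage = 2;
    return c;
}

/* Read an int at the offset where a given mirror expects `usage`. */
static int read_usage_at(const struct lib_cred *c, size_t off) {
    int v;
    memcpy(&v, (const unsigned char *)c + off, sizeof v);
    return v;
}

int main(void) {
    struct lib_cred c = sample_cred();
    printf("library offset of usage: %zu\n", offsetof(struct lib_cred, usage));
    printf("stale mirror reads  0x%x\n",
           (unsigned)read_usage_at(&c, offsetof(struct stale_cred, usage)));
    printf("padded mirror reads %d\n",
           read_usage_at(&c, offsetof(struct padded_cred, usage)));
    return 0;
}
```

The stale mirror reads lock bytes where it expects `usage`, which is the kind of silent misread a hand-copied internal struct produces when the library's layout changes underneath it.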