headers
Alexander Vyushkov | 17 Feb 2012 17:18
Picon

mod_auth_kerb doesn't set KRB5CCNAME variable

Hello

I'm trying to configure mod_auth_kerb to save Kerberos tickets for my
CGI scripts. The problem is that it creates ticket file
/tmp/krb5cc_apache_XXXXX after successful authentification but doesn't
set KRB5CCNAME variable. Can you please advice what can be wrong?

I'm using RedHat EL5 x86_64 (AMD), Apache 2.2.3. mod_auth_kerb v5.4
compile from source code using command ./configure --with-krb4=no

.htaccess file is

AuthType KerberosV5
AuthName "Kerberos Login"
KrbAuthRealms ___.___.EDU
KrbVerifyKDC off
KrbMethodNegotiate off
KrbMethodK5Passwd on
KrbSaveCredentials on
require valid-user

Simple CGI-script that I use for the test:

#!/bin/bash

echo "Content-type: text/plain"
echo ""

echo "KRB5CCNAME: $KRB5CCNAME"
ls -la /tmp/krb5cc_apache*
(Continue reading)

Permalink | Reply |
headers
Mauricio Tavares | 17 Feb 2012 17:53
Picon

Re: mod_auth_kerb doesn't set KRB5CCNAME variable

On Fri, Feb 17, 2012 at 11:18 AM, Alexander Vyushkov
<alex.vyushkov <at> gmail.com> wrote:
> Hello
>
> I'm trying to configure mod_auth_kerb to save Kerberos tickets for my
> CGI scripts. The problem is that it creates ticket file
> /tmp/krb5cc_apache_XXXXX after successful authentification but doesn't
> set KRB5CCNAME variable. Can you please advice what can be wrong?
>
>
> I'm using RedHat EL5 x86_64 (AMD), Apache 2.2.3. mod_auth_kerb v5.4
> compile from source code using command ./configure --with-krb4=no
>
> .htaccess file is
>
> AuthType KerberosV5
> AuthName "Kerberos Login"
> KrbAuthRealms ___.___.EDU
> KrbVerifyKDC off
> KrbMethodNegotiate off
> KrbMethodK5Passwd on
> KrbSaveCredentials on
> require valid-user
>
> Simple CGI-script that I use for the test:
>
> #!/bin/bash
>
> echo "Content-type: text/plain"
> echo ""
(Continue reading)

Permalink | Reply |
headers
Alexander Vyushkov | 17 Feb 2012 20:33
Picon

Re: mod_auth_kerb doesn't set KRB5CCNAME variable

Dear Maurico,

Thank you for your reply.
I don't fully understand how  to feed a KRB5CCNAME to apache when it
starts up. Should I use mod_env or something like that?
Moreover, since mod_auth_kerb generates new filename for each request
and should inject KRB5CCNAME variable into apache's child process (CGI
script), I'm not quite sure that it can help.

Best Regards,
Alexander

On Fri, Feb 17, 2012 at 11:53 AM, Mauricio Tavares <raubvogel <at> gmail.com> wrote:
> On Fri, Feb 17, 2012 at 11:18 AM, Alexander Vyushkov
> <alex.vyushkov <at> gmail.com> wrote:
>> Hello
>>
>> I'm trying to configure mod_auth_kerb to save Kerberos tickets for my
>> CGI scripts. The problem is that it creates ticket file
>> /tmp/krb5cc_apache_XXXXX after successful authentification but doesn't
>> set KRB5CCNAME variable. Can you please advice what can be wrong?
>>
>>
>> I'm using RedHat EL5 x86_64 (AMD), Apache 2.2.3. mod_auth_kerb v5.4
>> compile from source code using command ./configure --with-krb4=no
>>
>> .htaccess file is
>>
>> AuthType KerberosV5
>> AuthName "Kerberos Login"
(Continue reading)

Permalink | Reply |
headers
Douglas E. Engert | 17 Feb 2012 20:48
Favicon

Re: mod_auth_kerb doesn't set KRB5CCNAME variable


On 2/17/2012 1:33 PM, Alexander Vyushkov wrote:
> Dear Maurico,
>
> Thank you for your reply.
> I don't fully understand how  to feed a KRB5CCNAME to apache when it
> starts up. Should I use mod_env or something like that?
> Moreover, since mod_auth_kerb generates new filename for each request
> and should inject KRB5CCNAME variable into apache's child process (CGI
> script), I'm not quite sure that it can help.

I have not done anything with mod_auth_kerb lately, but
mod_auth_kerb.c should be adding the KRB5CCNAME to be set in the subprocess_env:
so the script should be seeing KRB5CCNAME.

mod_auth_kerb.c in create_krb5_ccache()
does:
   ccname = apr_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir)
then later:
   apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);

Read up in the mod_env module.

>
> Best Regards,
> Alexander
>
> On Fri, Feb 17, 2012 at 11:53 AM, Mauricio Tavares<raubvogel <at> gmail.com>  wrote:
>> On Fri, Feb 17, 2012 at 11:18 AM, Alexander Vyushkov
>> <alex.vyushkov <at> gmail.com>  wrote:
(Continue reading)

Permalink | Reply |
headers
Henry B. Hotz | 17 Feb 2012 21:13
Picon
Picon
Favicon

Re: mod_auth_kerb doesn't set KRB5CCNAME variable

Maybe we need a check that mod_env is loaded/available?  This issue seems to crop up regularly.

On Feb 17, 2012, at 11:48 AM, Douglas E. Engert wrote:

> On 2/17/2012 1:33 PM, Alexander Vyushkov wrote:
>> Dear Maurico,
>> 
>> Thank you for your reply.
>> I don't fully understand how  to feed a KRB5CCNAME to apache when it
>> starts up. Should I use mod_env or something like that?
>> Moreover, since mod_auth_kerb generates new filename for each request
>> and should inject KRB5CCNAME variable into apache's child process (CGI
>> script), I'm not quite sure that it can help.
> 
> I have not done anything with mod_auth_kerb lately, but
> mod_auth_kerb.c should be adding the KRB5CCNAME to be set in the subprocess_env:
> so the script should be seeing KRB5CCNAME.
> 
> mod_auth_kerb.c in create_krb5_ccache()
> does:
>   ccname = apr_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir)
> then later:
>   apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
> 
> Read up in the mod_env module.
> 
>> 
>> Best Regards,
>> Alexander
>>
(Continue reading)

Permalink | Reply |
headers
Alexander Vyushkov | 18 Feb 2012 04:21
Picon

Re: mod_auth_kerb doesn't set KRB5CCNAME variable

Dear Henry,

Mod_env is loaded according to httpd.conf:
LoadModule env_module modules/mod_env.so

Is some specific setup required to use it together with mod_auth_kerb?

Best Regards,
Alexander

On Fri, Feb 17, 2012 at 3:13 PM, Henry B. Hotz <hotz <at> jpl.nasa.gov> wrote:
> Maybe we need a check that mod_env is loaded/available?  This issue seems to crop up regularly.
>
> On Feb 17, 2012, at 11:48 AM, Douglas E. Engert wrote:
>
>> On 2/17/2012 1:33 PM, Alexander Vyushkov wrote:
>>> Dear Maurico,
>>>
>>> Thank you for your reply.
>>> I don't fully understand how  to feed a KRB5CCNAME to apache when it
>>> starts up. Should I use mod_env or something like that?
>>> Moreover, since mod_auth_kerb generates new filename for each request
>>> and should inject KRB5CCNAME variable into apache's child process (CGI
>>> script), I'm not quite sure that it can help.
>>
>> I have not done anything with mod_auth_kerb lately, but
>> mod_auth_kerb.c should be adding the KRB5CCNAME to be set in the subprocess_env:
>> so the script should be seeing KRB5CCNAME.
>>
>> mod_auth_kerb.c in create_krb5_ccache()
(Continue reading)

Permalink | Reply |
headers
Mauricio Tavares | 28 Aug 2012 00:00
Picon

Re: mod_auth_kerb doesn't set KRB5CCNAME variable

On Fri, Feb 17, 2012 at 10:21 PM, Alexander Vyushkov
<alex.vyushkov <at> gmail.com> wrote:
> Dear Henry,
>
> Mod_env is loaded according to httpd.conf:
> LoadModule env_module modules/mod_env.so
>
> Is some specific setup required to use it together with mod_auth_kerb?
>
> Best Regards,
> Alexander
>
      Resurrecting this thread, I too am having problems getting
KRB5CCNAME  from within a php program. I wonder if Mod_env is somehow
not passing it to php...

>
> On Fri, Feb 17, 2012 at 3:13 PM, Henry B. Hotz <hotz <at> jpl.nasa.gov> wrote:
>> Maybe we need a check that mod_env is loaded/available?  This issue seems to crop up regularly.
>>
>> On Feb 17, 2012, at 11:48 AM, Douglas E. Engert wrote:
>>
>>> On 2/17/2012 1:33 PM, Alexander Vyushkov wrote:
>>>> Dear Maurico,
>>>>
>>>> Thank you for your reply.
>>>> I don't fully understand how  to feed a KRB5CCNAME to apache when it
>>>> starts up. Should I use mod_env or something like that?
>>>> Moreover, since mod_auth_kerb generates new filename for each request
>>>> and should inject KRB5CCNAME variable into apache's child process (CGI
(Continue reading)

Permalink | Reply |

Gmane