Accepting security contexts, and how to get good debugging information?

Dylan Klomparens
Hello,

I am writing a module for Apache HTTPD. The prototype module code is on
GitHub:

https://github.com/dylan-klomparens/mod_kerberos/blob/master/mod_kerberos.c

Its purpose is to authenticate a user with a Kerberos service ticket.
gss_accept_sec_context returns an error and I'm not sure why. After many
web searches and additional debugging, I've been unable to find additional
information about the nature of the error. Hopefully someone on this
listserv might be able to shed some light on the problem? The error message
reads:

Unspecified GSS failure. Minor code may provide more information

No minor error code information is returned upon checking it with
gss_display_status.

I have a test setup to compare with, running mod_auth_kerb. Using that
testbed, Kerberized access to the test web page works properly. This leaves
me relatively certain that my keytab is valid and my browser is sending
credentials properly.

How can I correct the inputs to gss_accept_sec_context to properly verify
the user's service ticket? Is there a way to obtain more detailed error
information from GSSAPI?

-- Dylan Klomparens
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Re: Accepting security contexts, and how to get good debugging information?

Robbie Harwood
Dylan Klomparens <[hidden email]> writes:

> I am writing a module for Apache HTTPD. The prototype module code is on
> GitHub:
>
> https://github.com/dylan-klomparens/mod_kerberos/blob/master/mod_kerberos.c

If this is for anything other than your own learning, you may wish to
use the (already packaged in all distros) mod_auth_gssapi instead:
https://github.com/modauthgssapi/mod_auth_gssapi

> I have a test setup to compare with, running mod_auth_kerb. Using that
> testbed, Kerberized access to the test web page works properly. This
> leaves me relatively certain that my keytab is valid and my browser is
> sending credentials properly.

I'd check that you're decoding the tokens properly and passing them in
to accept_sec_context in the expected way.

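The token-decoding check suggested in the reply above, sketched as an added example (not code from either poster or from mod_kerberos): it base64-decodes the value of an `Authorization: Negotiate` header and inspects the first bytes before anything is handed to gss_accept_sec_context. The function and enum names and the sample header are constructed for this example; it assumes the RFC 2743 framing, in which an initial context token starts with byte 0x60, and the 8-byte `NTLMSSP\0` signature that marks an NTLM token rather than a Kerberos one.

```c
#include <stdio.h>
#include <string.h>
/* Names below belong to this example, not to GSSAPI or mod_kerberos. */
enum tok_kind { TOK_BAD_HEADER, TOK_BAD_BASE64, TOK_NTLMSSP, TOK_GSS_INITIAL, TOK_OTHER };

static int b64val(int c) {
    static const char abc[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(abc, c) : NULL;
    return p ? (int)(p - abc) : -1;
}

/* Strict base64 decode: returns the decoded length, or -1 if the input is
 * malformed or does not fit in out. */
static long b64decode(const char *in, size_t n, unsigned char *out, size_t cap) {
    size_t o = 0, i;
    if (n == 0 || n % 4 != 0) return -1;
    for (i = 0; i < n; i += 4) {
        int v[4], pad = 0, k;
        for (k = 0; k < 4; k++) {
            if (in[i + k] == '=' && i + 4 == n && k >= 2) { v[k] = 0; pad++; }
            else if (pad || (v[k] = b64val((unsigned char)in[i + k])) < 0) return -1;
        }
        if (o + 3 - pad > cap) return -1;
        out[o++] = (unsigned char)(v[0] << 2 | v[1] >> 4);
        if (pad < 2) out[o++] = (unsigned char)(v[1] << 4 | v[2] >> 2);
        if (pad < 1) out[o++] = (unsigned char)(v[2] << 6 | v[3]);
    }
    return (long)o;
}

/* Decode an Authorization header value into tok and report the token kind. */
enum tok_kind classify_negotiate(const char *hdr, unsigned char *tok, size_t cap, long *len) {
    *len = -1;
    if (strncmp(hdr, "Negotiate ", 10) != 0) return TOK_BAD_HEADER; /* exact spelling only */
    hdr += 10;
    size_t n = strlen(hdr);
    while (n > 0 && strchr(" \r\n", hdr[n - 1])) n--;      /* drop trailing space/CRLF */
    if ((*len = b64decode(hdr, n, tok, cap)) < 0) return TOK_BAD_BASE64;
    if (*len >= 8 && memcmp(tok, "NTLMSSP", 8) == 0) return TOK_NTLMSSP; /* not Kerberos */
    if (tok[0] == 0x60) return TOK_GSS_INITIAL;             /* ASN.1 [APPLICATION 0] tag */
    return TOK_OTHER;
}

int main(void) {
    unsigned char tok[4096];
    long len;
    /* Constructed sample header: a truncated token prefix, not a captured credential. */
    printf("kind=%d\n", (int)classify_negotiate("Negotiate YIIB\r\n", tok, sizeof tok, &len));
    return 0;
}
```

Only the decoded bytes and their length belong in the input gss_buffer_desc; a token that fails base64 decoding or carries the NTLMSSP signature is worth logging before the call is made.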