Recent changes to support-requests

#31 Fail during compiling mod apache

2023-04-05T12:18:54.089000Z

Problem is that macro APLOG_MARK in apache < 2.3.9 expands to two values: file and line.
But in newer versions it expands to three values: file, line and module index.

To solve this problem change signature of mod_auth_kerb.c:log_rerror() to:

log_rerror(const char file, int line, int module_index, int level, int status,
const request_rec r, const char *fmt, ...) // module_index added

And change call of ap_log_rerror() to:

ap_log_rerror(file, line, module_index, level | APLOG_NOERRNO, status, r, "%s", errstr); // module_index added

#31 Fail during compiling mod apache

2019-01-21T15:48:25.769000Z

Hello,

I guess the package isn't maintained anymore. I've the same problems compiling mod_auth_kerb inside a Alpine Docker image. The Alpine projects seem to maintain the package by their own and you can find the patches here: https://git.alpinelinux.org/aports/tree/main/apache-mod-auth-kerb?id=ae380974c20d60217bedada8747089dbc1409609

Maybe you can find the same files for Debian/Ubuntu too.

Fail during compiling mod apache

2018-04-26T05:56:28.852000Z

This is a first time i try to build kerberos and mod_auth_krb from the source.

Using RH Linux platform 5.4 (the only unused server we had).
The server already had apache 2.2 / rpm krb5. 1.6.
Now I had apache 2.4.12 setup from source. The binaries located in /usr/local/apache2.4.12.
I also built and succesfully compiled latest krb5 1.16 located /usr/local .
By following the INSTALL guide, i used below steps to setup mod_auth_kerb-5.4

[root@demo mod_auth_kerb-5.4] ./configure --without-krb4 --with-krb5=/usr/local --with-apache=/usr/local/apache2.4.12
Configure look fine no errors
[root@demo mod_auth_kerb-5.4]# make
./apxs.sh "-I. -Ispnegokrb5 -I/usr/local/include " "-L/usr/local/lib -Wl,--enable-new-dtags -Wl,-rpath -Wl,/usr/local/lib -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" "" "/usr/local/apache2.4.12/bin/apxs" "-c" "src/mod_auth_kerb.c"
/usr/local/apache2.4.12/build/libtool --silent --mode=compile gcc -std=gnu99 -prefer-pic -DLINUX -D_REENTRANT -D_GNU_SOURCE -g -O2 -pthread -I/usr/local/apache2.4.12/include -I/usr/local/apache2.4.12/include -I/usr/local/apache2.4.12/include -I/usr/bin/include -I. -Ispnegokrb5 -I/usr/local/include -c -o src/mod_auth_kerb.lo src/mod_auth_kerb.c && touch src/mod_auth_kerb.slo
src/mod_auth_kerb.c: In function 'log_rerror':
src/mod_auth_kerb.c:363: error: request for member 'log' in something not a structure or union
:
:
src/mod_auth_kerb.c: In function 'have_rcache_type':
src/mod_auth_kerb.c:1737: warning: implicit declaration of function 'krb5_rc_resolve_full'
src/mod_auth_kerb.c:1741: warning: implicit declaration of function 'krb5_rc_destroy'
apxs:Error: Command failed with rc=65536
.
make: *** [src/mod_auth_kerb.so] Error 1

By referring to config.log , the error start at this line:-

configure:2841: checking how to run the C preprocessor
configure:2881: gcc -E conftest.c
configure:2888: $? = 0
configure:2919: gcc -E conftest.c
conftest.c:8:28: error: ac_nonexistent.h: No such file or directory
configure:2926: $? = 1
configure: failed program was:
| / confdefs.h. /
| #define PACKAGE_NAME "mod_auth_kerb"
| #define PACKAGE_TARNAME "mod_auth_kerb"
| #define PACKAGE_VERSION "5.4"
| #define PACKAGE_STRING "mod_auth_kerb 5.4"
| #define PACKAGE_BUGREPORT "modauthkerb-developers@lists.sourceforge.net"
| / end confdefs.h. /
| #include <ac_nonexistent.h>
configure:2959: result: gcc -E
configure:2988: gcc -E conftest.c
configure:2995: $? = 0
configure:3026: gcc -E conftest.c
conftest.c:8:28: error: ac_nonexistent.h: No such file or directory
configure:3033: $? = 1
configure: failed program was:
Need an expert advise if something that I had wrongly did.

Question about handling of Kerberos Tickets.

2018-01-10T20:10:58.246000Z

Good Afternoon,

I've configured Apache 2.4 as a reverse proxy and configured it for Kerberos authentication using mod_auth_kerberos, and I just have a couple of questions.

When a user logs into the reverse proxy, does the Apache server get the TGT, or does the client?
Does a session ticket get forwarded to the backend webservers when http/https requests are forwardrd?

Thanks.

Kerberos service name configuration

2017-03-10T18:13:32.432000Z

Hi,

I have a question about the configuration of Kerberos authentication in the following scenario. I have a valid SPN saved to a keytab with the following command :

ktpass.exe /princ HTTP/myhost.mydomain@MYDOMAIN /mapuser MYUSER@MYDOMAIN /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass * /out mykeytab.keytab

The keytab is copied to a Linux server and the following configuration is used:

<VirtualHost *:80="">
ServerName myhost.mydomain
...
<Location/>
AuthName "My auth name"
AuthType Kerberos
Krb5Keytab /etc/mykeytab.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbSaveCredentials on
Require valid-user
</Location>
</VirtualHost>

Note: the default REALM from the /etc/krb5.conf file is MYDOMAIN. I tried to force it in the Apache HTTPD config file, but nothing changed.

The keytab seems to contain a valid SPN:

klist -k -t -e -K FILE:/etc/mykeytab.keytab
Keytab name: FILE:/etc/mykeytab.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
7 12/31/69 19:00:00 HTTP/myhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96) (...)

With this configuration, I get a HTTP 500 error from Apache HTTPD with the following log lines:

src/mod_auth_kerb.c(1954): [...] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://myhost.mydomain/
src/mod_auth_kerb.c(1295): [...] Acquiring creds for HTTP@myhost.domain, referer: http://myhost.mydomain/
src/mod_auth_kerb.c(1155): [...] GSS-API major_status:000d0000, minor_status:000186a4, referer: http://myhost.mydomain/

But, if I add the following line to the configuration:

KrbServiceName HTTP/myhost.mydomain

Everything is working fine for that part:

src/mod_auth_kerb.c(1295): [...] Acquiring creds for HTTP/myhost.mydomain, referer: http://myhost.mydomain/
src/mod_auth_kerb.c(1708): [...] Verifying client data using KRB5 GSS-API , referer: http://myhost.mydomain/
src/mod_auth_kerb.c(1724): [...] Client didn't delegate us their credential, referer: http://myhost.mydomain/

Now, looking at the source code, I see this in get_gss_creds (this is a cleaned version of the code):

char buf[1024];
int have_server_princ;

have_server_princ = conf->krb_service_name && strchr(conf->krb_service_name, '/') != NULL;

So, if the service name is supplied in the configuration, the boolean have_server_princ is true. Then it is used to create the ticket value:

if (have_server_princ) {
strncpy(buf, conf->krb_service_name, sizeof(buf));
} else {
snprintf(buf, sizeof(buf), "%s@%s",
(conf->krb_service_name) ? conf->krb_service_name : SERVICE_NAME,
ap_get_server_name(r));
}

This match what I see in the log where the ticket is HTTP@myhost.mydomain. Then:

major_status = gss_import_name(&minor_status, &token,
(have_server_princ) ? (gss_OID) GSS_KRB5_NT_PRINCIPAL_NAME : (gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
&server_name);

Now, this doesn't match the ticket type I exported in my keytab file. From the doc:

GSS_C_NT_HOSTBASED_SERVICE: The value should be a string of the form service or service@hostname. This is the most common way to name target services when initiating a security context, and is the most likely name type to work across multiple mechanisms.

GSS_KRB5_NT_PRINCIPAL_NAME: The value should be a principal name string. This name type only works with the krb5 mechanism, and is defined in the <gssapi_krb5.h> header.

The rest of the calls up to gss_acquire_cred are working:

major_status = gss_display_name(&minor_status, server_name, &token, NULL);
log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s", token.value);
major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
GSS_C_NO_OID_SET, GSS_C_ACCEPT, server_creds, NULL, NULL);

This is on Red Hat 6.7 with Apache HTTPD 2.4 and mod_auth_kerb v5.4

constrained delegation

2017-01-23T14:23:35.334000Z

We need constrained delegation on our apache server. Is it implemented in this module?
If yes, where can I find documentation?
thanks a lot =)

#27 Compile error on Mac OS X 10.11.6

2016-10-04T18:18:36.169000Z

Michael

Thank you so much for you help.

#27 Compile error on Mac OS X 10.11.6

2016-09-28T18:36:06.271000Z

Certainly.

On the sourceforge page for the Kerberos Module for Apache, click Support, click Patches, and look for "support for Apache 2.4."

It was either that, or this mailing list post:

https://sourceforge.net/p/modauthkerb/mailman/message/30926358/

Either way, you'll get to where you need to be to get it to compile.

Enjoy.

#27 Compile error on Mac OS X 10.11.6

2016-09-28T16:21:29.004000Z

Hello Michael.

Could you post information about the patch for Apache 2.4 that you found and it fixed your compile error on Mac OS?

Thank you in advanced

#27 Compile error on Mac OS X 10.11.6

2016-09-14T01:37:12.323000Z

Nevermind. I found the patch for Apache 2.4 and it fixed it. Please close this ticket.