libapache2-mod-auth-kerb using krb5passwd and keepalive and credential delegation loses delegation after first request on connection

Asked by Raubvogel

This is a bug that was reported in https://bugzilla.redhat.com/show_bug.cgi?id=687975; does it also affect Ubuntu? The reason I ask is that I seem to be able to reproduce it in 12.04.

Steps:
1. Need php5-ldap libapache2-mod-auth-kerb libsasl2-modules-ldap
2. Configure apache host to do kerberos, including having a keytab for apache.
3. Set up the apache virtual host site to use mod_auth_kerb:

    <Location "/">
        Options FollowSymLinks
        AuthType Kerberos
        KrbAuthRealms DOMAIN.COM
        KrbServiceName HTTP
        Krb5Keytab /etc/apache2/krb5.keytab
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        # The saveCredentials entry is important for php to get KRB5CCNAME
        KrbSaveCredentials on
        Require valid-user
    </Location>

4. Create a test.php file (yes, I am using PHP):

<html>
<head>
        <title>PHP Test</title>
</head>
<body>
        <h1>PHP Kerberos Test</h1>
<?php
        // Values mod_auth_kerb exports to the script. KRB5CCNAME is only
        // present when KrbSaveCredentials is on and a cache was saved for
        // this request, so guard the lookups to avoid undefined-index notices.
        $user   = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
        $remote = isset($_SERVER['REMOTE_USER'])   ? $_SERVER['REMOTE_USER']   : '';
        $ccname = isset($_SERVER['KRB5CCNAME'])    ? $_SERVER['KRB5CCNAME']    : '';
        echo "user = " . htmlspecialchars($user) . "<br/>";
        echo "REMOTE_USER=" . htmlspecialchars($remote) . "<br/>";
        echo "KRB5CCNAME=" . htmlspecialchars($ccname) . "<br/>";
?>
  </body>
</html>

5. Connect to the page. The first time you log in you should see something like:

PHP Kerberos Test

user=raubvogel
<email address hidden>
KRB5CCNAME=FILE:/tmp/krb5cc_apache_0156Pt

6. Immediately reload the page. You will now see:

PHP Kerberos Test

user=raubvogel
<email address hidden>
KRB5CCNAME=

7. Wait 15 seconds and try again:

PHP Kerberos Test

user=raubvogel
<email address hidden>
KRB5CCNAME=FILE:/tmp/krb5cc_apache_Q3sMmK

Did I misconfigure anything?
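
As an added check, not part of the question or of mod_auth_kerb, the script below parses the test page output shown above and flags any request that is authenticated (REMOTE_USER set) but carries no KRB5CCNAME, and can replay the reproduction over a single keep-alive connection through the KrbMethodK5Passwd (Basic) path. The host, path and credentials in probe() are assumed placeholders; the sample bodies are constructed from the three outputs above.

```python
"""Check a mod_auth_kerb test page for the keep-alive credential-cache symptom."""
import base64
import http.client
import re

# Constructed sample bodies, modelled on the first two responses in the question.
SAMPLE_BODIES = [
    "<h1>PHP Kerberos Test</h1>user = raubvogel<br/>REMOTE_USER=raubvogel@DOMAIN.COM<br/>"
    "KRB5CCNAME=FILE:/tmp/krb5cc_apache_0156Pt<br/>",
    "<h1>PHP Kerberos Test</h1>user = raubvogel<br/>REMOTE_USER=raubvogel@DOMAIN.COM<br/>"
    "KRB5CCNAME=<br/>",
]


def parse_testpage(body):
    """Return {'REMOTE_USER': ..., 'KRB5CCNAME': ...} from the test page, tags stripped."""
    text = re.sub(r"<[^>]+>", "\n", body)  # every tag (incl. <br/>) becomes a line break
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(REMOTE_USER|KRB5CCNAME)\s*=\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def lost_delegation(bodies):
    """0-based indices of responses that are authenticated but have no credential cache."""
    bad = []
    for i, body in enumerate(bodies):
        f = parse_testpage(body)
        if f.get("REMOTE_USER") and not f.get("KRB5CCNAME"):
            bad.append(i)
    return bad


def probe(host, path, user, password, count=3, port=443):
    """Fetch `path` `count` times over ONE keep-alive TLS connection using Basic auth
    (the KrbMethodK5Passwd path) and report which requests lost the cache.
    Hypothetical target; needs a reachable server, so it is not called here."""
    cred = base64.b64encode("{}:{}".format(user, password).encode()).decode()
    headers = {"Authorization": "Basic " + cred, "Connection": "keep-alive"}
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    bodies = []
    for _ in range(count):
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        bodies.append(resp.read().decode("utf-8", "replace"))
    conn.close()
    return lost_delegation(bodies)
```

With the configuration from the question, probe("kerb.example.test", "/test.php", "raubvogel", "secret") returning a non-empty list on the second or later index reproduces the symptom; an empty list means every request on the connection got a cache.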

actionparsnip (andrew-woodhead666) said (#1):

I suggest you report a bug and link the Red Hat bug too; it may help.
