[Bug 1042856] [NEW] libapache2-mod-auth-kerb using krb5passwd and keepalive and credential delegation loses delegation after first request on connection

Raubvogel 1042856 at bugs.launchpad.net
Tue Aug 28 17:12:13 UTC 2012


Public bug reported:

This is a bug that was reported in
https://bugzilla.redhat.com/show_bug.cgi?id=687975; does it also affect
Ubuntu? The reason I ask is that I seem to be able to reproduce it in 12.04.

Steps:
1. Need php5-ldap libapache2-mod-auth-kerb libsasl2-modules-ldap
2. Configure the Apache host to do Kerberos, including having a keytab for Apache.
3. Set up the Apache virtual host site to use mod_auth_kerb:

    <Location "/">
        Options FollowSymLinks
        AuthType Kerberos
        KrbAuthRealms DOMAIN.COM
        KrbServiceName HTTP
        Krb5Keytab /etc/apache2/krb5.keytab
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        # The saveCredentials entry is important for php to get KRB5CCNAME
        KrbSaveCredentials on
        Require valid-user
    </Location>

4. Create a test.php file (yes, I am using PHP):

    <html>
    <head>
            <title>PHP Test</title>
    </head>
    <body>
            <h1>PHP Kerberos Test</h1>
    <?php
            // LDAP parameters
            echo "user = {$_SERVER['PHP_AUTH_USER']}<br/>";
            echo "REMOTE_USER={$_SERVER['REMOTE_USER']}<br/>";
            echo "KRB5CCNAME={$_SERVER['KRB5CCNAME']}<br/>";

            exit();
    ?>
      </body>
    </html>

5. Connect to page. First time you log in you should see something like:

PHP Kerberos Test

user=raubvogel
REMOTE_USER=raubvogel at DOMAIN.COM
KRB5CCNAME=FILE:/tmp/krb5cc_apache_0156Pt

6. Immediately reload page. You will now see

PHP Kerberos Test

user=raubvogel
REMOTE_USER=raubvogel at DOMAIN.COM
KRB5CCNAME=

7. Wait 15 seconds and try again:

PHP Kerberos Test

user=raubvogel
REMOTE_USER=raubvogel at DOMAIN.COM
KRB5CCNAME=FILE:/tmp/krb5cc_apache_Q3sMmK

Did I misconfigure anything?

** Affects: libapache-mod-auth-kerb (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1042856
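An added example, not part of the original report or of mod_auth_kerb: a Python check that repeats steps 5 and 6 over one keep-alive connection and flags any response that is authenticated but has an empty KRB5CCNAME. The function names are hypothetical, the sample bodies are constructed from the output shown in the report, and Basic authentication is assumed because the report's title names krb5passwd.

```python
import base64
import http.client
import re

# Matches the two fields test.php prints; the value ends at the next tag or newline.
FIELD = re.compile(r"(REMOTE_USER|KRB5CCNAME)[ \t]*=[ \t]*([^<\r\n]*)")

def parse_fields(body):
    """Pull REMOTE_USER and KRB5CCNAME out of one test.php response body."""
    return {name: value.strip() for name, value in FIELD.findall(body)}

def lost_delegation(bodies):
    """Return 1-based indexes of responses that are authenticated
    (REMOTE_USER set) but carry no credential cache (KRB5CCNAME empty)."""
    bad = []
    for index, body in enumerate(bodies, 1):
        fields = parse_fields(body)
        if fields.get("REMOTE_USER") and not fields.get("KRB5CCNAME"):
            bad.append(index)
    return bad

def fetch_on_one_connection(host, path, user, password, count=2, tls=True):
    """Send `count` Basic-auth requests over a single connection object.
    If the server closes the socket, http.client reconnects silently, so
    confirm KeepAlive is enabled on the server before trusting the result."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token, "Connection": "keep-alive"}
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, timeout=10)
    bodies = []
    try:
        for _ in range(count):
            conn.request("GET", path, headers=headers)
            bodies.append(conn.getresponse().read().decode("utf-8", "replace"))
    finally:
        conn.close()
    return bodies

# Constructed sample bodies, modelled on the output shown in steps 5 and 6.
SAMPLE = [
    "user = raubvogel<br/>REMOTE_USER=raubvogel@DOMAIN.COM<br/>"
    "KRB5CCNAME=FILE:/tmp/krb5cc_apache_0156Pt<br/>",
    "user = raubvogel<br/>REMOTE_USER=raubvogel@DOMAIN.COM<br/>KRB5CCNAME=<br/>",
]

if __name__ == "__main__":
    # Offline run on the constructed sample; swap in fetch_on_one_connection(...)
    # with your own host and test account to probe a live server.
    print("responses missing KRB5CCNAME:", lost_delegation(SAMPLE))
```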