CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: cosign and kerberos

  • To: "cosign-discuss" <cosign-discuss@xxxxxxxxx>
  • Subject: RE: cosign and kerberos
  • From: "Goldrick, Jim" <jgoldrick@xxxxxxxxxxxxxxxxx>
  • Date: Fri, 30 Sep 2005 08:22:51 -0500
  • Thread-index: AcVKh5Fo3SMFe95YTrmh573TTOwp/x5umovAADdKv3AAKNam8A==
  • Thread-topic:

Ok, after researching some more, I have come to the conclusion that cross-realm authentication in itself won't do the trick.  I read the earler thread "cosign with multiple kerberos realms".  I am wondering if modifying the cgi as such might not work;

1.  Add COSIGNKRB5REALMS to config.h
2.  modify login.c to get the COSINGKRB5REALMS, my thinking is a comma-delimited list.  Also modify it that if there is a list, process in cosign_login_krb by setting the default realm n number of times.  A question is can I just process the if block in cosign_login_krb5 multiple times without having to do anything else?

 if (( kerror = krb5_get_init_creds_password( kcontext, &kcreds,
            kprinc, passwd, NULL, NULL, 0, NULL /*keytab */, &kopts ))) {

3.  If this works possibly check the COSIGNKRB5REALMS for inclusion in krb5_get_host_realm?

any and all comments would be welcome.

thanks much,


-----Original Message-----
From: Goldrick, Jim [mailto:jgoldrick@xxxxxxxxxxxxxxxxx]
Sent: Wednesday, September 28, 2005 10:42 AM
To: cosign-discuss
Subject: cosign and kerberos

Hi all,

Ok, we have cosign running and authenticating to Active Directory, which does not require a kerberos server to authenticate to (other than the AD).  Now, I need to authenticate to another KDC that has different users than in AD.  So, i have some questions.

Can I use 2 kdc's in my default realm that don't share the same users or can I setup a cross-realm mapping for 2 kdc's?  Any examples would be welcome.

I have a KDC setup on our test machine and can kinit from our cosign machine with myself/admin.  However, I cannot kinit cosign.  I get a invalid password.  Here is how I added cosign from the cosign machine.
addprinc cosign/FQDN_cosign_server
add password and verify
ktadd -k /etc/keytab.cosign

As I said, though, I get an invalid password error whenever I try to kinit it from the cosign server.  Am I not setting it properly?  I've deleted the cosign and re-added, but no use. Also, do I need to add the /etc/krb5.keytab file to the cosign configuration/Apache configuration?  Or will it default there?  How about the keytab.cosign?

What do the apache configs for kerberos do?  I've somewhat confused.

	CosignTicketPrefix	[ the path to the Kerberos ticket store ]
	CosignGetKerberosTickets	[ on | off ]
	    module asks for tgt from cosignd

	CosignKerberos524		[ on | off ]	
	    whether you want K5 tgt converted to K4 tgt

	CosignKerberosSetupGSS		[ on | off ]
	    setup the enviornment so that other apache modules
	    that need GSSAPI/Kerberos work. e.g. IMP running under mod_php
	CosignGetProxyCookies	[ on | off ]
	    module asks for proxy cookies from cosignd

Thanks much,


Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010