cosign-discuss at umich.edu
general discussion of cosign development and deployment
RE: cosign and kerberos
- To: "cosign-discuss" <cosign-discuss@xxxxxxxxx>
- Subject: RE: cosign and kerberos
- From: "Goldrick, Jim" <jgoldrick@xxxxxxxxxxxxxxxxx>
- Date: Fri, 30 Sep 2005 08:22:51 -0500
- Thread-index: AcVKh5Fo3SMFe95YTrmh573TTOwp/x5umovAADdKv3AAKNam8A==
- Thread-topic: logout.pl
Ok, after researching some more, I have come to the conclusion that cross-realm authentication in itself won't do the trick. I read the earlier thread "cosign with multiple kerberos realms". I am wondering if modifying the cgi as such might not work:
1. Add COSIGNKRB5REALMS to config.h
2. modify login.c to get the COSIGNKRB5REALMS, my thinking is a comma-delimited list. Also modify it so that if there is a list, process in cosign_login_krb by setting the default realm n number of times. A question is can I just process the if block in cosign_login_krb5 multiple times without having to do anything else?
if (( kerror = krb5_get_init_creds_password( kcontext, &kcreds,
kprinc, passwd, NULL, NULL, 0, NULL /*keytab */, &kopts ))) {
3. If this works possibly check the COSIGNKRB5REALMS for inclusion in krb5_get_host_realm?
any and all comments would be welcome.
thanks much,
jim
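As an added illustration of step 2 above (this is example code, not cosign's login.c and not Jim's patch), the following C shows the loop structure that a comma-delimited COSIGNKRB5REALMS list implies: parse the list, then attempt the password against each realm in order and stop at the first success. The actual krb5_get_init_creds_password() call is replaced by an injected callback (realm_auth_fn) so the fallback logic runs and can be tested without a KDC; the DEMO_DIRECTORY table, the realm names and the function names are all constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_REALMS 16

/* Hypothetical hook standing in for the krb5_get_init_creds_password()
 * block in cosign_login_krb5(): try "user@realm" with passwd, return 0 on
 * success and non-zero (like a krb5_error_code) on failure. */
typedef int (*realm_auth_fn)(const char *user, const char *realm,
                             const char *passwd, void *ctx);

static char *dup_range(const char *s, size_t n) {
    char *p = malloc(n + 1);
    if (p == NULL) return NULL;
    memcpy(p, s, n);
    p[n] = '\0';
    return p;
}

void free_realm_list(char **list, int n) {
    for (int i = 0; i < n; i++) free(list[i]);
}

/* Split an assumed COSIGNKRB5REALMS value ("REALM1, REALM2,...") into out[],
 * trimming whitespace and skipping empty entries. Returns the realm count,
 * or -1 on overflow/allocation failure. Caller frees with free_realm_list(). */
int parse_realm_list(const char *list, char **out, int max) {
    int count = 0;
    const char *p = list;
    if (list == NULL) return 0;
    while (*p != '\0') {
        const char *start, *end;
        while (*p == ',' || isspace((unsigned char)*p)) p++;
        if (*p == '\0') break;
        start = p;
        while (*p != '\0' && *p != ',') p++;
        end = p;
        while (end > start && isspace((unsigned char)end[-1])) end--;
        if (count >= max) { free_realm_list(out, count); return -1; }
        out[count] = dup_range(start, (size_t)(end - start));
        if (out[count] == NULL) { free_realm_list(out, count); return -1; }
        count++;
    }
    return count;
}

/* Try each configured realm in list order; the first realm that accepts the
 * password wins. Returns the index of that realm (and copies its name into
 * chosen) or -1 if no realm accepted the credentials. */
int krb_login_multi_realm(const char *realm_list, const char *user,
                          const char *passwd, realm_auth_fn try_auth,
                          void *ctx, char *chosen, size_t chosen_len) {
    char *realms[MAX_REALMS];
    int n = parse_realm_list(realm_list, realms, MAX_REALMS);
    int found = -1;
    if (n <= 0) return -1;
    for (int i = 0; i < n && found < 0; i++) {
        if (try_auth(user, realms[i], passwd, ctx) == 0) {
            found = i;
            if (chosen != NULL && chosen_len > 0)
                snprintf(chosen, chosen_len, "%s", realms[i]);
        }
    }
    free_realm_list(realms, n);
    return found;
}

/* Constructed sample "directory": which user exists in which realm. */
struct demo_entry { const char *user; const char *realm; const char *passwd; };
static const struct demo_entry DEMO_DIRECTORY[] = {
    { "jim",   "AD.EXAMPLE.EDU",   "ad-secret" },
    { "alice", "TEST.EXAMPLE.EDU", "alice-secret" },
};

/* Demo authenticator: counts attempts in *ctx so the caller can see how many
 * KDCs would have been contacted for a given login. */
int demo_try_auth(const char *user, const char *realm,
                  const char *passwd, void *ctx) {
    int *attempts = ctx;
    if (attempts != NULL) (*attempts)++;
    for (size_t i = 0; i < sizeof DEMO_DIRECTORY / sizeof DEMO_DIRECTORY[0]; i++) {
        if (strcmp(DEMO_DIRECTORY[i].user, user) == 0 &&
            strcmp(DEMO_DIRECTORY[i].realm, realm) == 0 &&
            strcmp(DEMO_DIRECTORY[i].passwd, passwd) == 0)
            return 0;
    }
    return 1;
}

int main(void) {
    char chosen[64];
    int attempts = 0;
    int idx = krb_login_multi_realm("AD.EXAMPLE.EDU, TEST.EXAMPLE.EDU",
                                    "alice", "alice-secret", demo_try_auth,
                                    &attempts, chosen, sizeof chosen);
    printf("alice -> realm index %d (%s) after %d attempt(s)\n",
           idx, idx >= 0 ? chosen : "none", attempts);
    return 0;
}
```

Two things the loop makes visible that are worth weighing before deploying it: the same password is presented to every KDC on the list until one accepts it, so each listed realm is trusted with every user's password, and a wrong password for a user who exists only in the first realm still costs one failed attempt (and one log entry) at every later realm. Keeping the list short and ordered by the realm most users belong to limits both.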
-----Original Message-----
From: Goldrick, Jim [mailto:jgoldrick@xxxxxxxxxxxxxxxxx]
Sent: Wednesday, September 28, 2005 10:42 AM
To: cosign-discuss
Subject: cosign and kerberos
Hi all,
Ok, we have cosign running and authenticating to Active Directory, which does not require a kerberos server to authenticate to (other than the AD). Now, I need to authenticate to another KDC that has different users than in AD. So, I have some questions.
Can I use 2 kdc's in my default realm that don't share the same users or can I setup a cross-realm mapping for 2 kdc's? Any examples would be welcome.
I have a KDC setup on our test machine and can kinit from our cosign machine with myself/admin. However, I cannot kinit cosign. I get an invalid password. Here is how I added cosign from the cosign machine.
kadmin
addprinc cosign/FQDN_cosign_server
add password and verify
ktadd -k /etc/keytab.cosign
As I said, though, I get an invalid password error whenever I try to kinit it from the cosign server. Am I not setting it properly? I've deleted the cosign and re-added, but no use. Also, do I need to add the /etc/krb5.keytab file to the cosign configuration/Apache configuration? Or will it default there? How about the keytab.cosign?
What do the apache configs for kerberos do? I'm somewhat confused.
CosignTicketPrefix [ the path to the Kerberos ticket store ]
CosignGetKerberosTickets [ on | off ]
module asks for tgt from cosignd
CosignKerberos524 [ on | off ]
whether you want K5 tgt converted to K4 tgt
CosignKerberosSetupGSS [ on | off ]
set up the environment so that other apache modules
that need GSSAPI/Kerberos work. e.g. IMP running under mod_php
CosignGetProxyCookies [ on | off ]
module asks for proxy cookies from cosignd
Thanks much,
jim