mod_vas_auth, Apache2, svn and AD groups

August 9, 2012, 9:52 am

≫ Next: Stuck with kerberos authentication to Sharepoint

≪ Previous: Regd: Constrained delegation not working with a standalon JAVA code.

Hi,

I've setup mod_vas_auth to authenticate users and control access to Subversion repositories.

It succeeds when the AuthzSVNAccessFile file contains username (from the AD).
Does anyone knows if I can use the groups defined in the AD for control access?
(without duplicating them in the [groups] section of the AuthzSVNAccessFile )
Direct association of a AD group as a "SVN" group would be OK.
I mean:

[groups]
admin = userAD1 userAD2
one_group = this_group_comes_from_AD
another_group = that_group_comes_from_AD_too
[/]
* = r
@admin = rw
[/component1]
@one_group = rw
@another_group = r
* =

is OK.

In case of: Apache 2.2.17, mod_auth_vas 3.6.7, subversion 1.7.5

Thanks in advance.
Laurent

↧

Stuck with kerberos authentication to Sharepoint

October 10, 2012, 3:03 pm

≫ Next: Kerberos SSO with 1 way Trust

≪ Previous: mod_vas_auth, Apache2, svn and AD groups

I have to connect to MS IIS server using SPNEGO token with Kerberos ticket inside, exactly as Internet Explorer does it.

If I use java GSSManager.initiateContext() it does request tickets with incorrect KDCOptions, dates and some other params I cannot control.

I tried com.dstc.security lib, and was able to get tickets axactly as Internet Explorer with couple of lines:

prepare required KDCOptions;
Credential tgt = kerberos.requestTicketGrantingTicket(new KerberosPassword(password.getBytes()), kdo, new Date(), d, new InetAddress[] {InetAddress.getByName("somename")}, null);
Credential srvt = kerberos.requestServiceTicket(TGT, new PrincipalName(2, "HTTP/server.domain.net"), REALM, kdo);

But how can I use these credentials or tickets inside to create SPNEGO token same as I can get with GSSManager.initiateContext()?

↧

Kerberos SSO with 1 way Trust

October 25, 2012, 4:17 am

≫ Next: Segmentation fault when mod_auth_vas finds no matches

≪ Previous: Stuck with kerberos authentication to Sharepoint

I had configured a Kerberos SSO with 1way trust between two domain... But on logging in i am getting the following exception...

[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: resetting state...
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: principal = 'HTTP/mdk1waytrustd3.wtmdk1waydom3.com'
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: realm = 'WTMDK1WAYDOM3.COM'
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: Found name servers using JNDI
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: mdk1waytrustd2.wtmdk1waydom2.com (10.31.70.183)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: mdk1waytrustd1.wtmdk1waydom1.com (10.31.69.52)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: MDK1WAYTRUSTD3.WTMDK1WAYDOM3.COM (10.31.70.184)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: mdk1waytrustd4.wtmdk1waydom4.com (10.31.71.34)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: corpinba8.corp.emc.com (10.30.48.37)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: corpgefr3.corp.emc.com (152.62.196.10)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: The old JCSI Kerberos code for the Windows LSA is now disabled by default;
if you really want it (rather than the new WinSSPI code) you must set
-Djcsi.kerberos.lsa.enable=true
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: Creating LSA credential cache
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: Could not locate default cache: com.dstc.security.kerberos.KerberosException: Could not create credential store com.dstc.security.kerberos.KerberosException: Native in-memory credential cache not supported on this platform (Windows Server 2008 R2)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: login succeeded
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: loaded InputStream based keytab at time 1351158964992 m/secs, 5 entries
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: binding principal to subject
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: binding credentials to subject

Can some one can help me in resolving this???

Regards,
Sumith

↧

Segmentation fault when mod_auth_vas finds no matches

June 1, 2012, 6:51 am

≫ Next: javax.security.auth.login.LoginException: Could not obtain TGT

≪ Previous: Kerberos SSO with 1 way Trust

Hello,

We are using mod_auth_vas.so 3.6.7 with Oracle HTTP Server which is effectively Apache 2.0. Recently, we have noticed that an Apache process is terminated with a segmentation fault in case of mod_auth_vas trying to match the requestor's name to the list of allowed user names and but not finding it there. The client's browser receives 401 in this case. Could you please help with it?

Please find an excerpt from the error log

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1581: [mod_auth_vas] authenticated user: 'Dmitry_Donetskov@EMEA.DELL.COM'

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1037: [mod_auth_vas] auth_vas_auth_checker: user=Dmitry_Donetskov@EMEA.DELL.COM authtype=VAS

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1055: [mod_auth_vas] requires->nelts = 3

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:541: [mod_auth_vas] match_user: name=ServiceSFDCWPSIT@emea.dell.com RUSER=Dmitry_Donetskov@EMEA.DELL.COM

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1422: [mod_auth_vas] rnote_get: reusing existing rnote

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:490: [mod_auth_vas] set_user_obj

[2012-06-01T14:14:38.8708+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:574: [mod_auth_vas] match_user: user does not match

[2012-06-01T14:14:38.8708+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:584: [mod_auth_vas] match_user: <CN=ServiceSFDCWPSIT,OU=Service Accounts,DC=emea,DC=dell,DC=com> <CN=dmitry_donetskov,OU=Users,OU=Moscow,DC=emea,DC=dell,DC=com> no-match

[2012-06-01T14:14:38.8709+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1100: [mod_auth_vas] require user "ServiceSFDCWPSIT@emea.dell.com" -> FAIL

...........

[2012-06-01T14:14:38.9545+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:584: [mod_auth_vas] match_user: <CN=Alexey_Lysak,OU=Users,OU=Non Dell,DC=emea,DC=dell,DC=com> <CN=dmitry_donetskov,OU=Users,OU=Moscow,DC=emea,DC=dell,DC=com> no-match

[2012-06-01T14:14:38.9545+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1100: [mod_auth_vas] require user "Alexey_Lysak@emea.dell.com" -> FAIL

[2012-06-01T14:14:38.9545+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1422: [mod_auth_vas] rnote_get: reusing existing rnote

[2012-06-01T14:14:39.4014+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_ssl.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_ssl.c:633: Connection to child 0 established (server ausvmqtcdevap19.us.dell.com:8044)

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:720: inside shmcb_retrieve_session

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:732: id[0]=4, masked index=4

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1197: entering shmcb_lookup_session_id

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:983: entering shmcb_expire_division

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1207: loop=0, count=1, curr_pos=0

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1211: idx->s_id2=47, id[1]=47, offset=0

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1228: at index 0, found possible session match

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1247: a match!

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:748: leaving shmcb_retrieve_session

[2012-06-01T14:14:39.4017+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:435: shmcb_retrieve had a hit

[2012-06-01T14:14:39.4017+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_engine_kernel.c:2304: Inter-Process Session Cache: request=GET status=FOUND id=042F8428065947E3DA8D7A7B77690889 (session reuse)

[2012-06-01T14:14:39.6975+01:00] [OHS] [NOTIFICATION:16] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 14727] [tid: 47292192636960] [user: oracle] [VirtualHost: main] mpm_common.c:475: child pid 27200 exit signal Segmentation fault (11), possible coredump in /u01/app/oracle/fusion/mw_1/Oracle_WT1/instances/instance1/config/OHS/ohs1

Message was edited by: dmitry_donetskov_265

↧

javax.security.auth.login.LoginException: Could not obtain TGT

November 29, 2010, 8:41 pm

≫ Next: VAS-Authentication without HTTP/ -Service-Account?

≪ Previous: Segmentation fault when mod_auth_vas finds no matches

Hi,

Not sure if this is the correct place to post this question, but we are getting this error when trying to authenticate a user. This seems to happen only sporadically.

May I know what are the possible causes of this error? Is it due to load / concurrency ?

We are using Weblogic 8.1.

Thanks so much for your help!

cheers
Karen

(providers.KerberosQSJProvider 81 ) javax.security.auth.login.LoginException: Could not obtain TGT (providers.KerberosQSJProvider 83 ) Could not obtain TGT javax.security.auth.login.LoginException: Could not obtain TGT at com.dstc.security.kerberos.jaas.KerberosLoginModule.getTGT(KerberosLoginModule.java:1472) at com.dstc.security.kerberos.jaas.KerberosLoginModule.login(KerberosLoginModule.java:414) at jrockit.reflect.VirtualNativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown Source) at java.lang.reflect.Method.invoke(Ljava.lang.Object;[Ljava.lang.Object;I)Ljava.lang.Object;(Unknown Source) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610) at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607) at javax.security.auth.login.LoginContext.login(LoginContext.java:534)

↧

VAS-Authentication without HTTP/ -Service-Account?

January 17, 2011, 12:46 am

≫ Next: vasd won't stop

≪ Previous: javax.security.auth.login.LoginException: Could not obtain TGT

Hi everybody!

I am trying to bring up VAS authentication for one of our webservers. The machine has been joined to our AD previously and unix user authentication is working fine.

Unfortunately our rights in AD are pretty restricted, I am not able to create anything else but machine-accounts in AD, so the setup-script fails to create the HTTP/-thing.

Is there any way to use the machine account to authenticate users without having to create a HTTP/-service-account?

↧

vasd won't stop

May 18, 2011, 4:06 pm

≫ Next: S4U2Self/S4U2Proxy WebService call with MIT Kerberos

≪ Previous: VAS-Authentication without HTTP/ -Service-Account?

On a couple AIX 5.3 servers (running DB2), the vasd daemons cannot be stopped by using "/etc/rc.d/init.d/vasd stop". Instead, I have to "kill" the processes in order for them to stop.

vasd reports "disconnected". Users are unable to login when vasd is in this state. The logs show login attempts such as:

May 18 16:49:31 server05 auth|security:info sshd2[254108]: pam_vas: Authentication <succeeded disconnected> for <Mapped> user: <user1> account: <user1@mydomain.com> service: <ssh> reason: <N/A> Access Control Identifier(UPN):<user1@mydomain.com>
May 18 16:49:31 server05 auth|security:info sshd2[254108]: pam_vas: Authentication <succeeded disconnected> for <Mapped> user: <user1> account: <user1@mydomain.com> service: <ssh> reason: <N/A> Access Control Identifier(UPN):<user1@mydomain.com>
May 18 16:49:31 server05 auth|security:info sshd2[254108]: pam_vas: Authentication <failed passwordless> for <Mapped> user: <user1> account: <user1@mydomain.com> service: <ssh> reason: <Password is expired.> Access Control Identifier(UPN):<user1@mydomain.com>
May 18 16:49:31 server05 auth|security:info sshd2[254108]: pam_vas: Authentication <failed passwordless> for <Mapped> user: <user1> account: <user1@mydomain.com> service: <ssh> reason: <Password is expired.> Access Control Identifier(UPN):<user1@mydomain.com>

However, i know user1's password is not expired since the user can successfully login to server04 (also AIX and configured identically). Here is some more info from an affected server:

1) Prompt:
$ ssh server05

DISCONNECTED MODE: enter password:
Current password foruser1@mydomain.com:
New password:

2) vastool status
# vastool status

VAS is currently joined to:                      mydomain.com
Join command found in:                           /etc/opt/quest/vas/lastjoin
Verifying timesync with domain controller:       YES
Time delta: 0 seconds
Are valid VAS licenses installed?                YES
Checking to see if VAS daemon is running:        YES
Checking for valid computer account (SAMNAME)
SERVER05$@MYDOMAIN.COM                    YES
Checking for valid computer account (SPN)
host/server05.mydomain.com@MYDOMAIN.COYES
Checking to see if VAS is in connected state:    NO
Verifying VAS is configured for name service:    NO
Verifying VAS is configured for auth service:    YES
Verifying VAS configuration file is correct:     YES
Verifying sanity of users allow file:            YES
Verifying sanity of users deny file:             YES
Verifying sanity of group-override file:         YES
Verifying sanity of user-override file:          YES

3) ipc file exists
# ls /var/opt/quest/vas/vasd/.vasd_ipc_sock
/var/opt/quest/vas/vasd/.vasd_ipc_sock

4) host auth works
# /opt/quest/bin/vastool -u host/ auth -S host/
SERVER05$@MYDOMAIN.COMwas successfully authenticated toSERVER05$@MYDOMAIN.COM.

Anyone seen this before or have any ideas what might be triggering this condition?

Thanks.

↧

S4U2Self/S4U2Proxy WebService call with MIT Kerberos

December 13, 2011, 6:13 am

≫ Next: cross-forest authentication - failed to get ldap/ service ticket

≪ Previous: vasd won't stop

↧

cross-forest authentication - failed to get ldap/ service ticket

December 7, 2009, 6:26 am

≫ Next: org.ietf.jgss.GSSException, Channel binding mismatch

≪ Previous: S4U2Self/S4U2Proxy WebService call with MIT Kerberos

Hi all,

I'm struggling with a weird problem, I hope you can help ...

We have two forests, which are trusted both ways:
A.DOM (4x DC's dc1/dc2/dc3/dc4.a.dom)
B.NET (4x DC's dc1/dc2/dc3/dc4.b.net)
UNIX User: xyz@a.dom
Linux Box: server.c.net (joined B.NET)

The user "xyz@a.dom" tries to login to a linux box "server.c.net", but fails ...

In /var/log/messages I found entries like these (vasd debug-level 3):
------------------------------------------------------------------
Dec 7 10:29:32 server.c.net vasd[22501]: _ldap_init_and_bind: Failed to get ldap/ service ticket. VAS_ERR_KRB5: Failed to obtain credentials. Client: SERVER$@B.NET, Service: ldap/dc2.a.dom@B.NET, Server: dc4.b.net Caused by: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (-1765328377): Server not found in Kerberos database Reason: Server (ldap/dc2.a.dom@B.NET) unknown
------------------------------------------------------------------
... and repeated for each A.DOM domain controller.

Of course this can't work. Why is vasd looking for ldap/dc2.a.dom@B.NET instead of ldap/dc2.a.dom@A.DOM. Did I miss anything in my vas.conf?

Here my vas.conf:
------------------------------------------------------------------
[libdefaults]
default_realm = B.NET
ticket_lifetime = 36000
default_keytab_name = /etc/opt/quest/vas/host.keytab
default_etypes = arcfour-hmac-md5
default_etypes_des = des-cbc-crc
default_tkt_enctypes = arcfour-hmac-md5
default_tgs_enctypes = arcfour-hmac-md5
forwardable = true
[domain_realm]
server.c.net = B.NET
[vasd]
debug-level = 3
workstation-mode = true
workstation-mode-group-do-member = true
alt-auth-realms = b.net,a.dom
cross-forest-domains = b.net,a.dom
[libvas]
use-server-referrals = true
use-tcp-only = true
enable-gssapi-acceptor-authz = true
[nss_vas]
lowercase-names = true
check-host-access = true
[vas_auth]
checkaccess-use-implicit = true
------------------------------------------------------------------

Any ideas what the problem could be?

Thanks a lot in advance!!!
Miguel

↧

org.ietf.jgss.GSSException, Channel binding mismatch

June 17, 2011, 3:02 am

≫ Next: Create pre-auth computer object with vastool

≪ Previous: cross-forest authentication - failed to get ldap/ service ticket

I am getting this Exception when I am trying to do SPNEGO on IE8 over HTTPS. It works fine for CHROME of FIREFOX.

com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: org.ietf.jgss.GSSException, major code: 1, minor code: 0
    major string: Channel binding mismatch
    minor string: None
    at com.wedgetail.idm.sso.AbstractAuthenticator.processSpnego(AbstractAuthenticator.java:1221)
    at com.wedgetail.idm.sso.MechChecker.authenticate(MechChecker.java:205)
    at com.wedgetail.idm.sso.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:1060)
    at com.wedgetail.idm.sso.AbstractAuthenticator.authenticateServiceTicket(AbstractAuthenticator.java:998)
    at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthentication(AbstractAuthenticator.java:953)
    at com.wedgetail.idm.sso.AuthFilter.doFilter(AuthFilter.java:122)

When I set this registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\SuppressExtendedProtection to 0x02 , SPNEGO starts working but the problem is that this key cannot be set for all the machines in the environment. I am using Vintella 3.3. Is there any other workaround to get the SPNEGO going.
Message was edited by: aamir

Message was edited by: aamir

↧

Create pre-auth computer object with vastool

December 17, 2009, 4:34 am

≫ Next: Problems Compiling MAV on AIX 6.1/XLC/IBMIHS 7.0.0.23

≪ Previous: org.ietf.jgss.GSSException, Channel binding mismatch

Hi,

I need to be able to create computer objects with vastool instead of being forced to log in to a windows server, run a vbs, and then drag'n'drop the object to the correct OU (OU varies alot).

It seems like vastool create should be able to help me out, but I can't get it to produce objects that can be joined to without password.

I've created a AD user (unixbuild) that has permissions to create computer objects, and to create the object I run this command:

#> vastool -u unixbuild create -o -c "OU=JavaServerPlatform,OU=SolarisServer,OU=Production,DC=deploylab,DC=bj" computer testzone
Password for unixbuild@DEPLOYLAB.BJ:
Computer testzone created
#>

If I check in AD I can see the new object in the correct OU, but when I then try to join it using:

root@testzone:~# vastool -u host/ -w testzone join -f -n testzone.deploylab.bj deploylab.bj

I get:

Checking whether computer is already joined to a domain ... no
ERROR: Could not authenticate as host/. Invalid username or password.
VAS_ERR_KRB5: Failed to obtain credentials. Client: TESTZONE$@DEPLOYLAB.BJ, Service: krbtgt/DEPLOYLAB.BJ@DEPLOYLAB.BJ, Server: bj-labdc-01.deploylab.bj
Caused by:
KRB5KDC_ERR_PREAUTH_FAILED (-1765328360): Preauthentication failed
ERROR: Could not join to the domain

So this seems like the "default" computer object password has not been set correctly, is there an option to the vastool create command I need to use, or do I need to specify my own "default" password (also needed to be put in the join script)?

Please help me in my quest for not needing to "use" a windows server when deploying and using my Solaris servers!

BR // Andreas Bjorshammar

Message was edited by: anbj_562

↧

Problems Compiling MAV on AIX 6.1/XLC/IBMIHS 7.0.0.23

October 12, 2012, 5:22 am

≫ Next: Crash when authenticating

≪ Previous: Create pre-auth computer object with vastool

Greetings all.

I am trying to compile MAV 3.6.7 on AIX 6.1/XLC/IBMIHS 7.0.0.23.  I tried using the precompiled 3.6.4 module, but Apache doesn't like that. Here is the output from the configure script:

checking vas_gss.h usability... no
checking vas_gss.h presence... yes
configure: WARNING: vas_gss.h: present but cannot be compiled
configure: WARNING: vas_gss.h:     check for missing prerequisite headers?
configure: WARNING: vas_gss.h: see the Autoconf documentation
configure: WARNING: vas_gss.h:     section "Present But Cannot Be Compiled"
configure: WARNING: vas_gss.h: proceeding with the compiler's result
configure: WARNING:     ## -------------------------------------- ##
configure: WARNING:     ## Report this to David.Leonard@xxxyy.abc ##
configure: WARNING:     ## -------------------------------------- ##
checking for vas_gss.h... no
checking gssapi.h usability... no
checking gssapi.h presence... yes
configure: WARNING: gssapi.h: present but cannot be compiled
configure: WARNING: gssapi.h:     check for missing prerequisite headers?
configure: WARNING: gssapi.h: see the Autoconf documentation
configure: WARNING: gssapi.h:     section "Present But Cannot Be Compiled"
configure: WARNING: gssapi.h: proceeding with the compiler's result
configure: WARNING:     ## -------------------------------------- ##
configure: WARNING:     ## Report this to David.Leonard@xxxyy.abc ##
configure: WARNING:     ## -------------------------------------- ##
checking for gssapi.h... no
checking gssapi_krb5.h usability... no
checking gssapi_krb5.h presence... yes
configure: WARNING: gssapi_krb5.h: present but cannot be compiled
configure: WARNING: gssapi_krb5.h:     check for missing prerequisite headers?
configure: WARNING: gssapi_krb5.h: see the Autoconf documentation
configure: WARNING: gssapi_krb5.h:     section "Present But Cannot Be Compiled"
configure: WARNING: gssapi_krb5.h: proceeding with the compiler's result
configure: WARNING:     ## -------------------------------------- ##
configure: WARNING:     ## Report this to David.Leonard@xxxyy.abc ##
configure: WARNING:     ## -------------------------------------- ##
checking for gssapi_krb5.h... no

The configure script finishes, without error, but the compile fails with this:

/usr/include/unistd.h:924: error: expected ')' before '[' token
/usr/include/unistd.h:925: error: expected declaration specifiers or '...' before 'rid_t'
get.c: In function 'err_gss':
get.c:626: error: expected declaration specifiers before 'OM_uint32'
get.c:629: error: 'OM_uint32' undeclared (first use in this function)
get.c:629: error: (Each undeclared identifier is reported only once
get.c:629: error: for each function it appears in.)
get.c:629: error: expected ';' before 'ctx'
get.c:630: error: 'gss_buffer_desc' undeclared (first use in this function)
get.c:630: error: expected ';' before 'buf'
get.c:631: error: expected ';' before 'emajor'
get.c:635: error: 'emajor' undeclared (first use in this function)
get.c:635: error: 'eminor' undeclared (first use in this function)
get.c:635: error: 'GSS_C_GSS_CODE' undeclared (first use in this function)
get.c:636: error: 'GSS_C_NO_OID' undeclared (first use in this function)
get.c:636: error: 'ctx' undeclared (first use in this function)
get.c:636: error: 'buf' undeclared (first use in this function)
get.c:643: error: 'GSS_C_MECH_CODE' undeclared (first use in this function)
get.c: In function 'get_nego':
get.c:670: error: 'gss_name_t' undeclared (first use in this function)
get.c:670: error: expected ';' before 'target_name'
get.c:671: error: 'OM_uint32' undeclared (first use in this function)
get.c:671: error: expected ';' before 'major'
get.c:672: error: 'gss_ctx_id_t' undeclared (first use in this function)
get.c:672: error: expected ';' before 'gssctx'
get.c:716: error: 'gssctx' undeclared (first use in this function)
get.c:716: error: 'GSS_C_NO_CONTEXT' undeclared (first use in this function)
get.c:745: error: expected ';' before 'ret'
get.c:764: error: 'gss_buffer_desc' undeclared (first use in this function)
get.c:764: error: expected ';' before 'inbuf'
get.c:767: error: 'namebuf' undeclared (first use in this function)
get.c:769: error: 'major' undeclared (first use in this function)
get.c:769: error: 'minor' undeclared (first use in this function)
get.c:770: error: 'GSS_KRB5_NT_PRINCIPAL_NAME' undeclared (first use in this function)
get.c:770: error: 'target_name' undeclared (first use in this function)
get.c:779: error: 'inbuf' undeclared (first use in this function)
get.c:783: error: 'outbuf' undeclared (first use in this function)
get.c:786: error: 'GSS_C_NO_CREDENTIAL' undeclared (first use in this function)
get.c:789: error: 'GSS_C_NO_OID' undeclared (first use in this function)
get.c:791: error: 'GSS_C_INDEFINITE' undeclared (first use in this function)
get.c:792: error: 'GSS_C_NO_CHANNEL_BINDINGS' undeclared (first use in this function)
get.c:813: error: expected ';' before 'inbuf'
get.c:819: error: 'ret' undeclared (first use in this function)
get.c:823: error: 'VAS_GSS_SPNEGO_ENCODING_BASE64' undeclared (first use in this function)
get.c:824: error: 'GSS_C_NO_BUFFER' undeclared (first use in this function)
make[4]: *** [get.o] Error 1
make[4]: Leaving directory `/mnt/mod_auth_vas-3.6.7/test/http-get'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/mnt/mod_auth_vas-3.6.7/test/http-get'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/mnt/mod_auth_vas-3.6.7/test'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/mnt/mod_auth_vas-3.6.7'
make: *** [all] Error 2

I am using QAS 3.5.2.89.

My last round of compiling MAV was on AIX 5.3/XLC/IBMIHS 6.x, when I had to put a patch in for timeout problems.

Message was edited by: phscott

↧

Crash when authenticating

November 15, 2012, 1:37 pm

≫ Next: Using Cached Kerberos Ticket to Authenticate SMB Share

≪ Previous: Problems Compiling MAV on AIX 6.1/XLC/IBMIHS 7.0.0.23

I'm seeing the following crash during authentication:

glibc detected *** /usr/java/jdk1.6.0_25/bin/java: free(): invalid pointer: 0x0000000041e33450 ***
======= Backtrace: =========
/lib64/libc.so.60x3b66275916
/opt/quest/lib64/libvas.so.4(vas_string_zerofree+0x4b)0x7ffd9cc615f0
/lib64/security/pam_vas3.so(pam_vas_do_conversation+0x210)0x7ffd9ce01c7d
/lib64/security/pam_vas3.so(pam_vas_am_prompt_for_cred+0x2ff)0x7ffd9cdfc85b
/lib64/security/pam_vas3.so(pam_sm_authenticate+0xb30)0x7ffd9cdf772a
/lib64/libpam.so.00x3b69202cee
/lib64/libpam.so.0(pam_authenticate+0x40)0x3b69202600

Any ideas as to what may be causing it? The pam config looks like:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_vas3.so create_homedir get_nonvas_pass store_creds
auth requisite pam_vas3.so echo_return
auth sufficient pam_unix.so nullok try_first_pass use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account sufficient pam_vas3.so
account requisite pam_vas3.so echo_return
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password sufficient pam_vas3.so
password requisite pam_vas3.so echo_return
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session required pam_vas3.so create_homedir
session requisite pam_vas3.so echo_return
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

↧

Using Cached Kerberos Ticket to Authenticate SMB Share

June 19, 2013, 7:57 am

≫ Next: REMOTE_USER value

≪ Previous: Crash when authenticating

I am using Quest Authentication Services to integrate my Linux systems with our lab domain. I want to use the cached kerberos tickets to authenticate without providing a password when mounting an exported SMB share using the command 'mount -t cifs <device> <dir> -o sec=krb5'. My understanding is that when request-key is called by the kernel cifs.upcall is used to locate the cached kerberos ticket. The problem I am having is that when I directly call cifs.upcall with the uid of the user it does not return anything and it has an exit code of 1. If I look at /var/log/messages I see the following log message related to the call.

Jun 19 09:55:03 merlin cifs.upcall: keyctl_describe_alloc failed: Required key not available

Per the cifs.upcall man page I added the following two lines to request-key.conf

create cifs.spnego * * /usr/local/sbin/cifs.upcall %k

create dns_resolver * * /usr/local/sbin/cifs.upcall %k

↧

REMOTE_USER value

June 28, 2007, 7:13 am

≫ Next: Wrong ticket encryption for W2K clients only causes VSJ to fail

≪ Previous: Using Cached Kerberos Ticket to Authenticate SMB Share

We are trying to integrate mod_auth_vas into Blackboard for user authentication.

Blackboard is a J2EE based virtual learning environment. Actually, it's a mixture of Java and Perl.

It running on Apache Tomcat and using jk connector to handle user request via Apache HTTP server (both Tomcat and Apache httpd are bundled with Blackboard).

The mod_auth_vas is installed on Blackboard bundled Apachehttpd, and after putting the server host name into IE's trusted zone.The module can recognise windows login id/password and authenticateuser against AD.

But the problem is we still have to let Blackboard pick upuser credential and pass it within its own services. Blackboardprovides a web delegation authentication module to do this. Accordingto the Tomcat error message, Blackboard is complaining about theinvalid REMOTE_USER.

The exception stack trace showing below suggests that Blackboard cannot get its expected REMOTE_USER from within the Blackboard/Tomcat/Aapche httpd (with mod_auth_vas) environment.

2007-06-28 02:47:51 - LoginBrokerServlet.service() - java.lang.RuntimeException: Invalid REMOTE_USER value.

However, the point is the Blackboard don't allow us tosee/modify the source code of their base system, so the 'stripping thedomain part' kind of things cannot be done in this way.

I was wondering whether you've got some ideas about how to get mod_auth_vas working in this situation and what REMOTE_USER value is exactly passed out from mod_auth_vas.

Thanks.

Dongyi

↧

Wrong ticket encryption for W2K clients only causes VSJ to fail

August 5, 2007, 10:54 am

≫ Next: MAV and cross-forest authentication problems

≪ Previous: REMOTE_USER value

Hi,

I am facing the following problem.

The Windows service account used for Vintela SSO is set up using "Use DES encryption for this account". The keytab is created with ktpass ... -crypto DES-CBC-MD5 encryption.

Everything is working when I login to the web application from a Windows 2003 server machine. On the Windows 2003 server machine part of the klist tickets command is as follows (Kerberos ticket encryption of type DES-CBC-MD5 as expected):

   Server: HTTP/server.eu.xxx.com@EU.XXX.COM
      KerbTicket Encryption Type: Kerberos DES-CBC-MD5
      End Time: 8/3/2007 21:38:37
      Renew Time: 8/10/2007 11:38:37

But on the Windows 2000 clients the ticket is encrypted with RC4-HMAC-NT:

   Server: HTTP/server@EU.XXX.COM
      KerbTicket Encryption Type: Kerberos RSADSI RC4-HMAC(NT)
      End Time: 8/3/2007 21:42:55
      Renew Time: 8/10/2007 11:42:55

The wrong obtained ticket causes SSO to fail.

Tomcat output is:

HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Successfully matched service principal "HTTP/SERVER.EU.XXX.COM@EU.XXX.COM but not key type (23) + KVNO (2) in this entry: Principal: HTTP/SERVER.EU.XXX.COM@EU.XXX.COM Type: 1 TimeStamp: Wed Dec 31 19:00:00 EST 1969 KVNO: -1 Key: [3, 67 ec a8 a8 75 e0 ab 3e ] )

So the encryption type of the client ticket (which is of type 23=RC4-HMAC-NT) does not match the entry in the keytab (type 3=DES-CBC-MD5).

Why does the Windows 2000 machine get a different encrypted ticket? Also, there is a difference in the SPN returned in the output of the klist tickets above.

Any help would be greatly appreciated.

Thanks,

Ron

↧

MAV and cross-forest authentication problems

November 2, 2009, 9:40 pm

≫ Next: NTLM SMB issue - Could not get valid NTLM challenge from ........

≪ Previous: Wrong ticket encryption for W2K clients only causes VSJ to fail

Our setup is as follows:

====
2 Windows 2003 functional-level forests, FOO.COM and BAR.COM, that mutually (two-way) trust each other.
FOO.COM <-- forest trust --> BAR.COM

Furthermore, there's a domain A.FOO.COM that belongs to the FOO.COM forest. There's another domain B.BAR.COM belonging to the BAR.COM forest. There's a one-way outgoing external trust from A.FOO.COM to B.BAR.COM.
A.FOO.COM -- external trust --> B.BAR.COM
====

The behavior we're seeing is when a user from B.BAR.COM attempts to access a website on A.FOO.COM, the user gets a basic auth challenge for their id/password. The user would enter the credentials they have from B.BAR.COM and they would get successfully authenticated. This seems to indicate the proper trust relationships are in place.

What we're trying to understand is why SPNEGO/Kerberos is not taking place. Can MAV (or rather VAS) handle AD referrals? Do we need to raise the trust level between our domains?

Any thoughts appreciated. Thanks.

P.S. The underlying VAS version we're using is: 3.3.1.101

↧

NTLM SMB issue - Could not get valid NTLM challenge from ........

July 27, 2012, 10:36 am

≫ Next: Using VAS Apache Module on Multiple Apache instances

≪ Previous: MAV and cross-forest authentication problems

I'm trying to debug an issue with NTLM failback, I have the filter configured correctly as per any other deployments.

I'm able to authenticate users correctly using Kerberos, but I have noticed in the logs an issue with NTLM.

This was discovered because of a Java Applet which is posting back to the server, the applet is not using kerberos but NTLM to authenticate the user.

The application server is Tomcat 5, using Quest VSJ "VSJ Standard Edition 3_3 Patch 3548"

From what can be seen within the server logs is that QuestSSO performs a DNS lookup and attempts to connect to all of the GCs which are returned.

Example:
- Starting Coyote HTTP/1.1 on http-80
- JK: ajp13 listening on /0.0.0.0:8009
- Jk running ID=0 time=0/47 config=null
- Host server1.domain.ltd/1.1.1.1:389 appears to be down
- Could not get valid NTLM challenge from server1.domain.ltd/1.1.1.1
Exception: com.wedgetail.idm.sso.ntlm.NtlmException: NTLM challenge was null
- Host server2.domain.ltd/1.1.1.2:389 appears to be down
- Could not get valid NTLM challenge from server2.domain.ltd/1.1.1.2
Exception: com.wedgetail.idm.sso.ntlm.NtlmException: NTLM challenge was null
- Host server3.domain.ltd/1.1.1.3:389 appears to be down
...
... etc

I have enabled the debug level and log4j configuration, but this is not showing any errors.

I have used PortQry.exe to scan the AD servers and they are accessible.

What can I do to move forward? Any ideas ?

↧

Using VAS Apache Module on Multiple Apache instances

May 31, 2013, 8:10 am

≫ Next: VAS+RHEL5+NFS

≪ Previous: NTLM SMB issue - Could not get valid NTLM challenge from ........

Hi all,

- I have a Web Server configured with 2 Apache Instances, each instance running as different user and port.

- I configured the VAS module for Active Directory Authentication on both instances

- So, now, the problem, is that in one instance the VAS authentication is working really good, and in the otherone,

we're having problems. It's always requesting Credentials when you try to access any websites hosted on this second instances.

The strange thing is that in the first instance, every website is working correctly and it's taking credentials automatically from browser.

Have anyone seen this kind of behavior?

Thanks in advance,

Obed N Munoz

↧

VAS+RHEL5+NFS

February 20, 2009, 9:11 am

≫ Next: VAS & Printing to Windows Printers - How!?

≪ Previous: Using VAS Apache Module on Multiple Apache instances

Hey all -

As the subject suggests, I'm trying to use VAS+RHEL5+NFS, and I'm running into an issues with rpcsvcgssd on the NFS server. It fails to start with the following error:

Starting RPC svcgssd: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - No principal in keytab matches desired name
Unable to obtain credentials for 'nfs'
unable to obtain root (machine) credentials
do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?

Thanks in advance

cmschube

↧