curl-library

Re: Negotiate: crash

From: Anatoli Tubman <anatolit_at_checkpoint.com>
Date: Sun, 24 Feb 2008 19:01:56 +0200

> Date: Thu, 21 Feb 2008 15:53:48 +0100 (CET)
> From: Daniel Stenberg <daniel_at_haxx.se>
> Subject: Re: Negotiate: crash
> To: libcurl development <curl-library_at_cool.haxx.se>
> Message-ID: <Pine.LNX.4.64.0802211551050.30452_at_yvahk3.pbagnpgbe.fr>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
> On Thu, 21 Feb 2008, Anatoli Tubman wrote:
>
>>> Unfortunately I don't think any of the main developers have any means of
>>> testing Negotiate. I know I can't at least.
>> Well, I could help you set up Apache with mod_auth_kerb and a KDC on a linux
>> box. It's simple, really. That's the kind of set-up I have.
>
> Sure, if you can post a few steps on how it can be done it certainly won't
> hurt!
>
>>> Can you show us what you did as a patch?
>> Sure. See attached file. I patched 7.16.4 because we use that version in our
>> system. If you want I can do the same for a more recent version too.
>
> Please do, as I think the patch looks good but it doesn't apply on my local
> dev version.
>

I have done a slightly different fix. Namely, I have called the cleanup
routine at the end of the connection, instead of at the end of the
request. This is probably the right thing to do, except it doesn't work
when a proxy is involved. I.e. it sends the same negotiation
token with all requests, even to unrelated servers, as long as we are on
the same connection. I don't know how to fix that.

As for setting up a Kerberos environment, that's approximately what I
have done:

1. Installed kubuntu 7.10 (yes, everything is on my desktop; I suppose
   Debian would be a better test box)
2. Installed apache2
3. Installed kerberos (krb5-admin-server krb5-config krb5-kdc krb5-user)
4. Installed libapache2-mod-auth-kerb
5. Configured kerberos (basically, if your domain is haxx.se, change
   references to "domain" in /etc/krb5.conf to haxx.se and change
   references to "realm" in /etc/krb5.conf to HAXX.SE)
6. Added apache service to the list of services with kadmin.local (I
   have added two principals, host/mybox.mydomain.com and
   HTTP/mybox.mydomain.com)
7. Added some users with kadmin.local
8. Added apache service to /etc/krb5/krb5.keytab with ktutil
9. Configured mod-auth-kerb per instructions at
   http://modauthkerb.sourceforge.net/configure.html

Best Regards
anatoli

  • text/plain attachment: patch
Received on 2008-02-24
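
Added example, not part of the original mail or of libcurl: a check over requests captured from one proxy connection that reports any Negotiate token sent to more than one host, the behaviour the mail describes when a proxy is involved. The request text, the host names other than mybox.mydomain.com and the token value are constructed, and parse_request and reused_tokens are hypothetical helper names.

```python
"""Added example: flag a Negotiate token reused across hosts on one proxy connection."""
from collections import defaultdict
from urllib.parse import urlsplit

def parse_request(raw):
    """Return (target_host, negotiate_token or None) for one raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Through a proxy the request target is an absolute URI; otherwise use Host.
    host = urlsplit(target).hostname or headers.get("host", "").split(":")[0]
    scheme, _, token = headers.get("authorization", "").partition(" ")
    token = token.strip() if scheme.lower() == "negotiate" and token.strip() else None
    return host.lower(), token

def reused_tokens(requests):
    """Map each Negotiate token to its hosts, keeping tokens seen with >1 host."""
    hosts_by_token = defaultdict(set)
    for raw in requests:
        host, token = parse_request(raw)
        if token:
            hosts_by_token[token].add(host)
    return {t: sorted(h) for t, h in hosts_by_token.items() if len(h) > 1}

# Constructed sample: three requests sent over a single proxy connection.
SAMPLE_CONNECTION = [
    "GET http://mybox.mydomain.com/private/ HTTP/1.1\r\n"
    "Host: mybox.mydomain.com\r\n"
    "Authorization: Negotiate CONSTRUCTEDTOKENAAAA\r\n\r\n",
    "GET http://other.example.org/ HTTP/1.1\r\n"
    "Host: other.example.org\r\n"
    "Authorization: Negotiate CONSTRUCTEDTOKENAAAA\r\n\r\n",
    "GET http://third.example.net/ HTTP/1.1\r\n"
    "Host: third.example.net\r\n\r\n",
]

if __name__ == "__main__":
    for token, hosts in reused_tokens(SAMPLE_CONNECTION).items():
        print(f"token {token[:12]}... sent to {', '.join(hosts)}")
```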