[mod_python] Mod_python and kerberos authentication (mod_auth_kerb)

Cassiano, Marco mcassiano at manord.com
Mon Jan 14 05:10:10 EST 2008


Graham,

thank you for your answer.
I've made a very simple test script named domain_login.py. Here it is:

def check_user(req):
        return 'ok'

and I call it with the URL http://apache.foo.com/login/domain_login.py/check_user

So, to answer your question, the request is a GET.
It is strange that if I put a wrong (non-existent) name in the URL, for example:

 http://apache.foo.com/login/domain_login.py/wrong_call

I got the same Bad Request error. So the problem seems to occur before the execution of the script.
In the Apache error log I only see that the Kerberos authentication was OK and then nothing else...


[Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1485): [client 192.168.1.25] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1485): [client 192.168.1.25] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1172): [client 192.168.1.25] Acquiring creds for HTTP/sviluppo.manord.com at MANORD.COM
[Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1316): [client 192.168.1.25] Verifying client data using SPNEGO GSS-API
[Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1332): [client 192.168.1.25] Verification returned code 0
[Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1350): [client 192.168.1.25] GSS-API token of length 151 bytes will be sent back

In the Apache access.log I see two entries:


192.168.1.25 - - [14/Jan/2008:10:56:04 +0100] "GET /login/domain_login1.py/check_user HTTP/1.1" 401 401 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
192.168.1.25 - myuser at FOO.COM [14/Jan/2008:10:56:04 +0100] "GET /login/domain_login1.py/check_user HTTP/1.1" 404 231 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"


In the second line the Windows domain user is correctly reported, so it seems the Kerberos authentication worked...


If I remove the Kerberos authentication, the script works OK.
If I remove the mod_python handler from the directory and ask for a plain HTML page, the Kerberos authentication works...

We also tried with mod_python.servlet (PythonHandler mod_python.servlet)
and the Kerberos authentication works perfectly. The script is executed and we can retrieve the username in req.user.

So it seems to be a problem related to the publisher...



Thank you



Marco Cassiano 
  
Manifatture del Nord srl unipersonale
Gruppo MaxMara 

via Mazzacurati 6
42100 Reggio Emilia RE
ITALY 

Tel. +39 0522 358215 
Fax +39 0522 268715 
email : mcassiano at manord.com 
www.pennyblack.com 






-----Original Message-----
From: Graham Dumpleton [mailto:graham.dumpleton at gmail.com] 
Sent: Friday, January 11, 2008 10:24 PM
To: Cassiano, Marco
Cc: mod_python at modpython.org
Subject: Re: [mod_python] Mod_python and kerberos authentication (mod_auth_kerb)

When using mod_python.publisher, you would get a Bad Request error if
the request wasn't either a GET or POST. What is the type of HTTP
request?

Graham

On 12/01/2008, Cassiano, Marco <mcassiano at manord.com> wrote:
>
>
> Hi all,
>
> I've just configured our Apache server (Linux RedHat) for Kerberos
> authentication to allow our Windows domain users to access it without having
> to reauthenticate.
> Everything works fine for a plain HTML directory, so I'm pretty sure that
> the Kerberos configuration for the Apache server is working.
> When I try to specify Kerberos authentication together with mod_python it's
> not working. I got the message:
>
>
>
> Bad Request
>
> Your browser sent a request that this server could not understand.
>
>
>
> My httpd configuration is :
>
>
> Alias /login/ "/var/www/kerb/login/"
>
>
> <Directory "/var/www/kerb/login">
> ##  AuthName "Kerberos Login"
>   AuthType Kerberos
>   KrbAuthRealm FOO.COM
>   KrbServiceName HTTP/apache.foo.com at FOO.COM
>   Krb5Keytab /etc/httpd/conf/apache.tab
>   KrbMethodNegotiate on
>   KrbMethodK5Passwd off
> #  KrbSaveCredentials off
> #  KrbVerifyKDC off
>   Require valid-user
>
>   Order Deny,Allow
>   Deny from all
>   Allow from foo.com
>   Allow from 127.0.0.1
>
>   SetHandler mod_python
>   PythonHandler mod_python.publisher | .py
>   PythonDebug on
>   PythonOption ApplicationPath '/'
>
> </Directory>
>
>
> Thanks in advance for your advice
>
>
> Marco Cassiano
>
> Manifatture del Nord srl
>
> Italy
>
>
>
>



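Added example, not part of the original thread: the access-log reasoning used in the message above (an anonymous 401 challenge followed by a request carrying a user name means authentication passed and the error came from a later phase), written as a small Python triage script. The sample lines are constructed, modelled on the two entries quoted in the post, and the stage names and the `classify` function are this example's own.

```python
import re

# Apache "combined" access-log entry. The remote-user field is matched lazily
# because the list archive rewrote "@" as " at ", so it may contain spaces.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>.+?) \[[^\]]+\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: the first pair mirrors the entries quoted in the post,
# the rest are invented to show the other two outcomes.
SAMPLE_LOG = """\
192.168.1.25 - - [14/Jan/2008:10:56:04 +0100] "GET /login/domain_login1.py/check_user HTTP/1.1" 401 401 "-" "Mozilla/5.0"
192.168.1.25 - myuser at FOO.COM [14/Jan/2008:10:56:04 +0100] "GET /login/domain_login1.py/check_user HTTP/1.1" 404 231 "-" "Mozilla/5.0"
192.168.1.25 - - [14/Jan/2008:10:57:10 +0100] "GET /login/index.html HTTP/1.1" 401 401 "-" "Mozilla/5.0"
192.168.1.25 - myuser at FOO.COM [14/Jan/2008:10:57:10 +0100] "GET /login/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.30 - - [14/Jan/2008:10:58:00 +0100] "GET /login/index.html HTTP/1.1" 401 401 "-" "Mozilla/5.0"
"""


def classify(log_text):
    """Return {(client, path): (stage, user, status)} for each requested URL."""
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # skip anything that is not a combined-format entry
        key = (m["host"], m["path"])
        status = int(m["status"])
        user = None if m["user"] == "-" else m["user"]
        if status == 401:
            # Negotiate challenge or rejected token: authentication not done.
            # Kept only until an authenticated request for the same URL appears.
            verdicts.setdefault(key, ("auth_incomplete", None, 401))
        elif user is not None:
            # A logged user with a non-401 status means the auth phase passed,
            # so an error status was produced later (handler or content lookup).
            stage = "post_auth_error" if status >= 400 else "served"
            verdicts[key] = (stage, user, status)
    return verdicts


if __name__ == "__main__":
    for (client, path), verdict in classify(SAMPLE_LOG).items():
        print(client, path, verdict)
```
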