[mod_python] Mod_python and kerberos authentication (mod_auth_kerb)

Graham Dumpleton graham.dumpleton at gmail.com
Mon Jan 14 16:27:49 EST 2008


No access to mod_python code right now to do any checking so only
thing I can suggest is to set handler to be mod_python.testhandler and
have a look at what it returns and see if you can see anything strange
about the request details that make it through. You might scrub what
it shows of any sensitive data and post it.

Graham

On 14/01/2008, Cassiano, Marco <mcassiano at manord.com> wrote:
> Graham,
>
> thank you for your answer.
> I've made a very simple test script named domain_login.py. Here it is:
>
> def check_user(req):
>         return 'ok'
>
> and I call it with the URL  http://apache.foo.com/login/domain_login.py/check_user
>
> So, to answer your question, the request is a GET.
> It is strange that if I put a wrong (non-existent) name in the URL, for example:
>
>  http://apache.foo.com/login/domain_login.py/wrong_call
>
> I got the same Bad Request error. So the problem seems to occur before the execution of the script.
> In the Apache error log I only see that the Kerberos authentication was ok and then nothing else...
>
>
> [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1485): [client 192.168.1.25] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1485): [client 192.168.1.25] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1172): [client 192.168.1.25] Acquiring creds for HTTP/sviluppo.manord.com at MANORD.COM
> [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1316): [client 192.168.1.25] Verifying client data using SPNEGO GSS-API
> [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1332): [client 192.168.1.25] Verification returned code 0
> [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1350): [client 192.168.1.25] GSS-API token of length 151 bytes will be sent back
>
> In the Apache access.log I see two entries:
>
>
> 192.168.1.25 - - [14/Jan/2008:10:56:04 +0100] "GET /login/domain_login1.py/check_user HTTP/1.1" 401 401 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
> 192.168.1.25 - myuser at FOO.COM [14/Jan/2008:10:56:04 +0100] "GET /login/domain_login1.py/check_user HTTP/1.1" 404 231 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
>
>
> In the second line the Windows domain user is correctly reported, so it seems the Kerberos authentication worked...
>
>
> If I remove the Kerberos authentication, the script works ok.
> If I remove the mod_python handler from the directory and I ask for a plain HTML page, the Kerberos authentication works...
>
> We also tried with mod_python.servlet (PythonHandler mod_python.servlet)
> and the Kerberos authentication works perfectly. The script is executed and we can retrieve the username in req.user.
>
> So it seems to be a problem related to the publisher....
>
>
>
> Thank you
>
>
>
> Marco Cassiano
>
> Manifatture del Nord srl unipersonale
> Gruppo MaxMara
>
> via Mazzacurati 6
> 42100 Reggio Emilia RE
> ITALY
>
> Tel. +39 0522 358215
> Fax +39 0522 268715
> email : mcassiano at manord.com
> www.pennyblack.com
>
>
> -----Original Message-----
> From: Graham Dumpleton [mailto:graham.dumpleton at gmail.com]
> Sent: Friday, January 11, 2008 10:24 PM
> To: Cassiano, Marco
> Cc: mod_python at modpython.org
> Subject: Re: [mod_python] Mod_python and kerberos authentication (mod_auth_kerb)
>
> When using mod_python.publisher, you would get a Bad Request error if
> the request wasn't either a GET or POST. What is the type of HTTP
> request?
>
> Graham
>
> On 12/01/2008, Cassiano, Marco <mcassiano at manord.com> wrote:
> >
> >
> > Hi all,
> >
> > I've just configured our Apache server (Linux RedHat) for Kerberos
> > authentication to allow our Windows domain users to access it without having
> > to reauthenticate.
> > Everything works fine for a plain HTML directory, so I'm pretty sure that
> > the Kerberos configuration for the Apache server is working.
> > When I try to specify Kerberos authentication together with mod_python it's
> > not working. I got the message:
> >
> >
> >
> > Bad Request
> >
> > Your browser sent a request that this server could not understand.
> >
> >
> >
> > My httpd configuration is:
> >
> >
> > Alias /login/ "/var/www/kerb/login/"
> >
> >
> > <Directory "/var/www/kerb/login">
> > ##  AuthName "Kerberos Login"
> >   AuthType Kerberos
> >   KrbAuthRealm FOO.COM
> >   KrbServiceName HTTP/apache.foo.com at FOO.COM
> >   Krb5Keytab /etc/httpd/conf/apache.tab
> >   KrbMethodNegotiate on
> >   KrbMethodK5Passwd off
> > #  KrbSaveCredentials off
> > #  KrbVerifyKDC off
> >   Require valid-user
> >
> >   Order Deny,Allow
> >   Deny from all
> >   Allow from foo.com
> >   Allow from 127.0.0.1
> >
> >   SetHandler mod_python
> >   PythonHandler mod_python.publisher | .py
> >   PythonDebug on
> >   PythonOption ApplicationPath '/'
> >
> > </Directory>
> >
> >
> > Thanks in advance for your advice
> >
> >
> > Marco Cassiano
> >
> > Manifatture del Nord srl
> >
> > Italy
> >
> >
> > _______________________________________________
> > Mod_python mailing list
> > Mod_python at modpython.org
> > http://mailman.modpython.org/mailman/listinfo/mod_python
> >
> >
>
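
The access-log pattern discussed in this thread (an anonymous 401 challenge followed by the same request logged with the Kerberos principal) can be checked mechanically to tell an authentication failure from a failure after authentication. This is an added example, not code from either poster or from mod_python; the function name `triage`, the verdict strings and the sample log lines are constructed for illustration.

```python
import re

# Apache "combined" access-log line. The user field is matched loosely so a
# Kerberos principal (user@REALM, or archive-mangled "user at REALM") parses.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>.+?) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def triage(lines):
    """Pair each anonymous 401 challenge with the authenticated retry and
    report whether the failure happened before or after authentication."""
    pending = set()          # (host, method, path) with an unanswered 401
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue         # not a combined-format line; skip it
        key = (m["host"], m["method"], m["path"])
        user = None if m["user"] == "-" else m["user"]
        status = int(m["status"])
        if user is None and status == 401:
            pending.add(key)                 # server sent the challenge
            continue
        if user is None:
            continue                         # request outside the protected area
        pending.discard(key)                 # challenge was answered
        if status == 401:
            verdict = "credentials rejected"
        elif status >= 400:
            verdict = "authenticated, failed later (authorization or handler)"
        else:
            verdict = "ok"
        findings.append((m["path"], user, status, verdict))
    for _host, _method, path in sorted(pending):
        findings.append((path, None, 401, "challenge never answered"))
    return findings

# Constructed sample lines (hosts, users and paths are made up).
SAMPLE = [
    '192.0.2.25 - - [14/Jan/2008:10:56:04 +0100] "GET /login/app.py/check_user HTTP/1.1" 401 401 "-" "UA"',
    '192.0.2.25 - alice@EXAMPLE.COM [14/Jan/2008:10:56:04 +0100] "GET /login/app.py/check_user HTTP/1.1" 404 231 "-" "UA"',
    '192.0.2.26 - - [14/Jan/2008:10:57:10 +0100] "GET /login/index.html HTTP/1.1" 401 401 "-" "UA"',
    '192.0.2.26 - bob at EXAMPLE.COM [14/Jan/2008:10:57:10 +0100] "GET /login/index.html HTTP/1.1" 200 512 "-" "UA"',
    '192.0.2.27 - - [14/Jan/2008:10:58:00 +0100] "GET /login/app.py/check_user HTTP/1.1" 401 401 "-" "UA"',
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A 4xx or 5xx on the line that carries the principal means the Negotiate exchange completed and the error came from a later request phase.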


