Cassiano, Marco
mcassiano at manord.com
Tue Jan 15 09:50:49 EST 2008
Graham,

here is the information from mod_python.testhandler. The kerberos authentication worked fine with testhandler. I can't see anything strange in the output....

Thanks,
Marco

-----------------------------------------------------------------------------

General information

  Apache version                  Apache
  Apache threaded MPM             No (single thread MPM)
  Apache forked MPM               Yes, maximum 256 processes
  Apache server root              /etc/httpd/
  Apache document root            /var/www/html/site
  Apache error log                /var/log/www/error.log (view last 100 lines)
  Python sys.version              2.4.2 (#1, Jan 30 2006, 15:30:03) [GCC 3.2.3 20030502 (Red Hat Linux 3.2.3-53)]
  Python sys.path                 /var/www/cgi/testkerb/
                                  /usr/local/lib/python2.4/site-packages/setuptools-0.6c5-py2.4.egg
                                  /usr/local/lib/python24.zip
                                  /usr/local/lib/python2.4
                                  /usr/local/lib/python2.4/plat-linux2
                                  /usr/local/lib/python2.4/lib-tk
                                  /usr/local/lib/python2.4/lib-dynload
                                  /usr/local/lib/python2.4/site-packages
                                  /usr/local/lib/python2.4/site-packages/PIL
                                  /usr/local/lib/python2.4/site-packages/barcode
                                  /usr/local/lib/python2.4/site-packages/MySQLdb
                                  /usr/local/lib/python2.4/site-packages/_xmlplus
                                  /usr/local/lib/python2.4/site-packages/reportlab
  Python interpreter name         apache.foo.com
  mod_python.publisher available  Yes
  mod_python.psp available        Yes

Request input headers

  Key              Value
  Host             apache.foo.com
  User-Agent       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
  Accept           text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
  Accept-Language  en-us,en;q=0.5
  Accept-Encoding  gzip,deflate
  Accept-Charset   ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive       300
  Connection       keep-alive
  Authorization    Negotiate Y....4

Request environment

  Key                   Value
  SCRIPT_URL            /test/domain_login1.py/check_user
  SCRIPT_URI            http://apache.foo.com/test/domain_login1.py/check_user
  GATEWAY_INTERFACE     CGI/1.1
  SERVER_PROTOCOL       HTTP/1.1
  REQUEST_METHOD        GET
  QUERY_STRING
  REQUEST_URI           /test/domain_login1.py/check_user
  SCRIPT_NAME           /test/domain_login1.py
  PATH_INFO             /check_user
  PATH_TRANSLATED       /var/www/check_user
  HTTP_HOST             apache.foo.com
  HTTP_USER_AGENT       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
  HTTP_ACCEPT           text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
  HTTP_ACCEPT_LANGUAGE  en-us,en;q=0.5
  HTTP_ACCEPT_ENCODING  gzip,deflate
  HTTP_ACCEPT_CHARSET   ISO-8859-1,utf-8;q=0.7,*;q=0.7
  HTTP_KEEP_ALIVE       300
  HTTP_CONNECTION       keep-alive
  PATH                  /usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
  SERVER_SIGNATURE
  SERVER_SOFTWARE       Apache
  SERVER_NAME           apache.foo.com
  SERVER_ADDR           192.168.1.150
  SERVER_PORT           80
  REMOTE_ADDR           192.168.1.1
  DOCUMENT_ROOT         /var/www/html/site
  SERVER_ADMIN          admin at foo.com
  SCRIPT_FILENAME       /var/www/cgi/testkerb/domain_login1.py
  REMOTE_PORT           1681
  REMOTE_USER           admin@@FOO.COM
  AUTH_TYPE             Negotiate

Request configuration

  Key               Value
  PythonAutoReload  1
  PythonDebug       1

Request options

  Key                Value
  ApplicationPath    /
  SessionDbm         /var/www/html/sid/session.dbm
  session_directory  /var/www/html/sid/session

Request notes

  Key                    Value
  python_init_ran        1
  mod_rewrite_rewritten  0

Server configuration

  Key               Value
  PythonAutoReload  1
  PythonDebug       1
  PythonPath        sys.path+['/var/www/cgi/common','/var/www/cgi/devel']

Server options

  Key  Value

Server configuration tree

  ServerTokens Prod
  PidFile run/httpd.pid
  Timeout 120
  KeepAlive On
  MaxKeepAliveRequests 3
  KeepAliveTimeout 15
  StartServers 8
  MinSpareServers 5
  MaxSpareServers 20
  ServerLimit 256
  MaxClients 256
  MaxRequestsPerChild 50
  Listen 0.0.0.0:80
  SetHandler default-handler
  Alias /test/ "/var/www/cgi/testkerb/"
  AuthType Kerberos
  KrbAuthRealm FOO.COM
  KrbServiceName HTTP/apache.foo.com at FOO.COM
  Krb5Keytab /etc/httpd//conf/sviluppotab
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  Require valid-user
  Order Deny,Allow
  Deny from all
  Allow from 192.168.1
  Allow from 127.0.0.1
  SetHandler mod_python
  PythonHandler mod_python.testhandler | .py
  PythonAutoReload on
  PythonDebug on
  PythonOption ApplicationPath '/'
  PythonOption SessionDbm '/var/www/html/authdata/sid/session.dbm'
  PythonOption session_directory '/var/www/html/authdata/sid/session'
  RewriteEngine on
  RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
  RewriteRule .* - [F]
  ExtendedStatus On
  User apache
  Group apache
  ServerAdmin admin at foo.com
  ServerName apache.foo.com
  UseCanonicalName Off
  DocumentRoot "/var/www/html/site"
  Options None
  AllowOverride None
  Order Deny,Allow
  UserDir disable root
  DirectoryIndex index.html index.html.var
  AccessFileName .htaccess
  Order allow,deny
  Deny from all
  TypesConfig /etc/mime.types
  DefaultType text/plain
  HostnameLookups Off
  ErrorLog /var/log/www/error.log
  LogLevel debug
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  LogFormat "%h %l %u %t \"%r\" %>s %b" common
  LogFormat "%{Referer}i -> %U" referer
  LogFormat "%{User-agent}i" agent
  CustomLog /var/log/www/access.log combined
  ServerSignature Off
  IndexOptions FancyIndexing VersionSort NameWidth=*
  AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
  AddIconByType (TXT,/icons/text.gif) text/*
  AddIconByType (IMG,/icons/image2.gif) image/*
  AddIconByType (SND,/icons/sound2.gif) audio/*
  AddIconByType (VID,/icons/movie.gif) video/*
  AddIcon /icons/binary.gif .bin .exe
  AddIcon /icons/binhex.gif .hqx
  AddIcon /icons/tar.gif .tar
  AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
  AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
  AddIcon /icons/a.gif .ps .ai .eps
  AddIcon /icons/layout.gif .html .shtml .htm .pdf
  AddIcon /icons/text.gif .txt
  AddIcon /icons/c.gif .c
  AddIcon /icons/p.gif .pl .py
  AddIcon /icons/f.gif .for
  AddIcon /icons/dvi.gif .dvi
  AddIcon /icons/uuencoded.gif .uu
  AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
  AddIcon /icons/tex.gif .tex
  AddIcon /icons/bomb.gif core
  AddIcon /icons/back.gif ..
  AddIcon /icons/hand.right.gif README
  AddIcon /icons/folder.gif ^^DIRECTORY^^
  AddIcon /icons/blank.gif ^^BLANKICON^^
  DefaultIcon /icons/unknown.gif
  ReadmeName README.html
  HeaderName HEADER.html
  IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
  AddLanguage en .en
  AddLanguage it .it
  LanguagePriority en it
  AddDefaultCharset ISO-8859-1
  AddCharset ISO-8859-1 .iso8859-1 .latin1
  AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
  AddCharset ISO-8859-3 .iso8859-3 .latin3
  AddCharset ISO-8859-4 .iso8859-4 .latin4
  AddCharset UTF-8 .utf8
  AddCharset utf-8 .utf8
  AddType application/x-compress .Z
  AddType application/x-gzip .gz .tgz
  AddHandler imap-file map
  AddHandler type-map var
  AddType text/html .shtml
  AddOutputFilter INCLUDES .shtml
  Alias /error/ "/var/www/error/"
  AllowOverride None
  Options IncludesNoExec
  AddOutputFilter Includes html
  AddHandler type-map var
  Order allow,deny
  Allow from all
  LanguagePriority en es de fr
  ForceLanguagePriority Prefer Fallback
  BrowserMatch "Mozilla/2" nokeepalive
  BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
  BrowserMatch "RealPlayer 4\.0" force-response-1.0
  BrowserMatch "Java/1\.0" force-response-1.0
  BrowserMatch "JDK/1\.0" force-response-1.0
  BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
  BrowserMatch "^WebDrive" redirect-carefully
  BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
  BrowserMatch "^gnome-vfs" redirect-carefully

Marco Cassiano
Manifatture del Nord srl unipersonale
Gruppo MaxMara
via Mazzacurati 6
42100 Reggio Emilia RE
ITALY
Tel. +39 0522 358215
Fax +39 0522 268715
email : mcassiano at manord.com
www.pennyblack.com

---------------------------------------------------------------------------------------------

The contents of the present communication is strictly confidential and reserved solely to the referred addressees. In the event was received by person different from the addressee, it is forbidden the diffusion, distribution and copy. In the event you have received it mistakenly we ask you to inform us and to destroy and/or to delete it by your computer, without using the data herein contained.

The present message (eventual annexes inclusive) shall not be considered any contractual proposal and/or acceptance of offer coming from the addressee, nor waiver neither recognizance of rights, debts and/or credits, and it shall not be binding, when it is not executed a subsequent agreement by person who could lawfully represent us. No pre-contractual liability shall derive to us, when the present communication is not followed by any binding agreement between the parties.
---------------------------------------------------------------------------------------------

-----Original Message-----
From: Graham Dumpleton [mailto:graham.dumpleton at gmail.com]
Sent: Monday, January 14, 2008 10:28 PM
To: Cassiano, Marco
Cc: mod_python at modpython.org
Subject: Re: [mod_python] Mod_python and kerberos authentication (mod_auth_kerb)

No access to mod_python code right now to do any checking so only thing I can suggest is to set handler to be mod_python.testhandler and have a look at what it returns and see if you can see anything strange about the request details that make it through. You might scrub what it shows of any sensitive data and post it.

Graham

On 14/01/2008, Cassiano, Marco <mcassiano at manord.com> wrote:
> Graham,
>
> thank you for your answer.
> I've made a very simple test script named domain_login.py. Here it is :
>
> def check_user(req):
>     return 'ok'
>
> and I call it with the URL http://apache.foo.com/login/domain_login.py/check_user
>
> So, to answer your question, the request is a GET.
> It is strange that if I put in the URL a wrong (non-existent) name, for example :
>
> http://apache.foo.com/login/domain_login.py/wrong_call
>
> I got the same Bad Request error. So the problem seems to occur before the execution of the script.
> In the apache error log I only see that the kerberos authentication was ok and then nothing else...
>
> [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1485): [client 192.168.1.25] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1485): [client 192.168.1.25] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1172): [client 192.168.1.25] Acquiring creds for HTTP/sviluppo.manord.com at MANORD.COM
> [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1316): [client 192.168.1.25] Verifying client data using SPNEGO GSS-API
> [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1332): [client 192.168.1.25] Verification returned code 0
> [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1350): [client 192.168.1.25] GSS-API token of length 151 bytes will be sent back
>
> In the apache access.log I see two entries
>
> 192.168.1.25 - - [14/Jan/2008:10:56:04 +0100] "GET /login/domain_login1.py/check_user HTTP/1.1" 401 401 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
> 192.168.1.25 - myuser at FOO.COM [14/Jan/2008:10:56:04 +0100] "GET /login/domain_login1.py/check_user HTTP/1.1" 404 231 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
>
> In the second line the windows domain user is correctly reported so it seems the kerberos authentication worked...
>
> If I remove the kerberos authentication, the script works ok.
> If I remove the mod_python handler from the directory and I ask for a plain html page the kerberos authentication works...
>
> We also tried with mod_python.servlet (PythonHandler mod_python.servlet)
> and the kerberos authentication works perfectly. The script is executed and we can retrieve the username in req.user.
>
> So it seems a problem related to the publisher....
>
> Thank you
>
> Marco Cassiano
>
> Manifatture del Nord srl unipersonale
> Gruppo MaxMara
>
> via Mazzacurati 6
> 42100 Reggio Emilia RE
> ITALY
>
> Tel. +39 0522 358215
> Fax +39 0522 268715
> email : mcassiano at manord.com
> www.pennyblack.com
>
> -----Original Message-----
> From: Graham Dumpleton [mailto:graham.dumpleton at gmail.com]
> Sent: Friday, January 11, 2008 10:24 PM
> To: Cassiano, Marco
> Cc: mod_python at modpython.org
> Subject: Re: [mod_python] Mod_python and kerberos authentication (mod_auth_kerb)
>
> When using mod_python.publisher, you would get a Bad Request error if
> the request wasn't either a GET or POST. What is the type of HTTP
> request?
>
> Graham
>
> On 12/01/2008, Cassiano, Marco <mcassiano at manord.com> wrote:
> >
> > Hi all,
> >
> > I've just configured our apache server (Linux RedHat) for kerberos
> > authentication to allow our windows domain users to access it without having
> > to reauthenticate.
> > Everything works fine for a plain html directory, so I'm pretty sure that
> > the kerberos configuration for the apache server is working.
> > When I try to specify Kerberos authentication together with mod_python it's
> > not working. I got the message :
> >
> > Bad Request
> >
> > Your browser sent a request that this server could not understand.
> >
> > My httpd configuration is :
> >
> > Alias /login/ "/var/www/kerb/login/"
> >
> > <Directory "/var/www/kerb/login">
> >     ## AuthName "Kerberos Login"
> >     AuthType Kerberos
> >     KrbAuthRealm FOO.COM
> >     KrbServiceName HTTP/apache.foo.com at FOO.COM
> >     Krb5Keytab /etc/httpd/conf/apache.tab
> >     KrbMethodNegotiate on
> >     KrbMethodK5Passwd off
> >     # KrbSaveCredentials off
> >     # KrbVerifyKDC off
> >     Require valid-user
> >
> >     Order Deny,Allow
> >     Deny from all
> >     Allow from foo.com
> >     Allow from 127.0.0.1
> >
> >     SetHandler mod_python
> >     PythonHandler mod_python.publisher | .py
> >     PythonDebug on
> >     PythonOption ApplicationPath '/'
> > </Directory>
> >
> > Thanks in advance for your advice
> >
> > Marco Cassiano
> >
> > Manifatture del Nord srl
> >
> > Italy
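
The thread separates an authentication failure from a handler failure by reading the access log: the retry that carries the domain user shows that Negotiate succeeded, so an error status on that entry points at the handler. The script below applies the same check to a log slice; it is an added example, not part of the original thread or of mod_python. The function name, the verdict labels and the sample lines are constructed for illustration, with the user field written without the archive's " at " obfuscation.

```python
import re
from collections import defaultdict

# Leading fields of the "combined" LogFormat shown in the configuration dump:
#   %h %l %u %t "%r" %>s %b ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def classify(lines):
    """Pair each Negotiate challenge with its retry and label the exchange.

    Entries are grouped by (client, method, path); this assumes the log
    slice covers one attempt per URL, as in the thread.
    """
    exchanges = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # skip lines that are not in combined format
            key = (m["host"], m["method"], m["path"])
            exchanges[key].append((m["user"], int(m["status"])))

    verdicts = {}
    for key, entries in exchanges.items():
        challenged = any(u == "-" and s == 401 for u, s in entries)
        # %u on a 401 entry is not proof of authentication, so exclude it.
        authed = [s for u, s in entries if u != "-" and s != 401]
        if not authed:
            verdicts[key] = "auth-incomplete" if challenged else "anonymous"
        elif any(s == 403 for s in authed):
            verdicts[key] = "denied-after-auth"
        elif any(s >= 400 for s in authed):
            verdicts[key] = "handler-error-after-auth"
        else:
            verdicts[key] = "ok"
    return verdicts

# Constructed sample, modeled on the access-log entries quoted in the thread.
UA = '"-" "Mozilla/5.0"'
T = "[14/Jan/2008:10:56:04 +0100]"
SAMPLE = [
    f'192.168.1.25 - - {T} "GET /login/domain_login1.py/check_user HTTP/1.1" 401 401 {UA}',
    f'192.168.1.25 - myuser@FOO.COM {T} "GET /login/domain_login1.py/check_user HTTP/1.1" 404 231 {UA}',
    f'192.168.1.25 - - {T} "GET /plain/index.html HTTP/1.1" 401 401 {UA}',
    f'192.168.1.25 - myuser@FOO.COM {T} "GET /plain/index.html HTTP/1.1" 200 1024 {UA}',
    f'192.168.1.30 - - {T} "GET /login/domain_login1.py/check_user HTTP/1.1" 401 401 {UA}',
]

if __name__ == "__main__":
    for (host, method, path), verdict in classify(SAMPLE).items():
        print(host, method, path, "->", verdict)
```

A "handler-error-after-auth" verdict matches the situation reported in the thread; "auth-incomplete" marks a client that received the 401 challenge and never sent an accepted token.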