[mod_python] Mod_python and kerberos authentication (mod_auth_kerb)

Cassiano, Marco mcassiano at manord.com
Tue Jan 15 09:50:49 EST 2008


Graham,

here is the information from mod_python.testhandler.
The kerberos authentication worked fine with testhandler.
I can't see anything strange in the output....
Thanks

marco


-----------------------------------------------------------------------------



General information
Apache version	Apache
Apache threaded MPM	No (single thread MPM)
Apache forked MPM	Yes, maximum 256 processes
Apache server root	/etc/httpd/
Apache document root	/var/www/html/site
Apache error log	/var/log/www/error.log (view last 100 lines)
Python sys.version	2.4.2 (#1, Jan 30 2006, 15:30:03) [GCC 3.2.3 20030502 (Red Hat Linux 3.2.3-53)]
Python sys.path	

/var/www/cgi/testkerb/
/usr/local/lib/python2.4/site-packages/setuptools-0.6c5-py2.4.egg
/usr/local/lib/python24.zip
/usr/local/lib/python2.4
/usr/local/lib/python2.4/plat-linux2
/usr/local/lib/python2.4/lib-tk
/usr/local/lib/python2.4/lib-dynload
/usr/local/lib/python2.4/site-packages
/usr/local/lib/python2.4/site-packages/PIL
/usr/local/lib/python2.4/site-packages/barcode
/usr/local/lib/python2.4/site-packages/MySQLdb
/usr/local/lib/python2.4/site-packages/_xmlplus
/usr/local/lib/python2.4/site-packages/reportlab

Python interpreter name	apache.foo.com
mod_python.publisher available	Yes
mod_python.psp available	Yes
Request input headers
Key	Value
Host	apache.foo.com
User-Agent	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept	text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language	en-us,en;q=0.5
Accept-Encoding	gzip,deflate
Accept-Charset	ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive	300
Connection	keep-alive
Authorization	Negotiate Y....4
Request environment
Key	Value
SCRIPT_URL	/test/domain_login1.py/check_user
SCRIPT_URI	http://apache.foo.com/test/domain_login1.py/check_user
GATEWAY_INTERFACE	CGI/1.1
SERVER_PROTOCOL	HTTP/1.1
REQUEST_METHOD	GET
QUERY_STRING	
REQUEST_URI	/test/domain_login1.py/check_user
SCRIPT_NAME	/test/domain_login1.py
PATH_INFO	/check_user
PATH_TRANSLATED	/var/www/check_user
HTTP_HOST	apache.foo.com
HTTP_USER_AGENT	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
HTTP_ACCEPT	text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
HTTP_ACCEPT_LANGUAGE	en-us,en;q=0.5
HTTP_ACCEPT_ENCODING	gzip,deflate
HTTP_ACCEPT_CHARSET	ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_KEEP_ALIVE	300
HTTP_CONNECTION	keep-alive
PATH	/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
SERVER_SIGNATURE	
SERVER_SOFTWARE	Apache
SERVER_NAME	apache.foo.com
SERVER_ADDR	192.168.1.150
SERVER_PORT	80
REMOTE_ADDR	192.168.1.1
DOCUMENT_ROOT	/var/www/html/site
SERVER_ADMIN	admin at foo.com
SCRIPT_FILENAME	/var/www/cgi/testkerb/domain_login1.py
REMOTE_PORT	1681
REMOTE_USER	[email protected]@FOO.COM
AUTH_TYPE	Negotiate
Request configuration
Key	Value
PythonAutoReload	1
PythonDebug	1
Request options
Key	Value
ApplicationPath	/
SessionDbm	/var/www/html/sid/session.dbm
session_directory	/var/www/html/sid/session
Request notes
Key	Value
python_init_ran	1
mod_rewrite_rewritten	0
Server configuration
Key	Value
PythonAutoReload	1
PythonDebug	1
PythonPath	sys.path+['/var/www/cgi/common','/var/www/cgi/devel']
Server options
Key	Value
Server configuration tree

ServerTokens Prod
PidFile run/httpd.pid
Timeout 120
KeepAlive On
MaxKeepAliveRequests 3
KeepAliveTimeout 15
StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 256
MaxClients 256
MaxRequestsPerChild 50
Listen 0.0.0.0:80

    
        SetHandler default-handler
Alias /test/ "/var/www/cgi/testkerb/"

    AuthType Kerberos
    KrbAuthRealm FOO.COM
    KrbServiceName HTTP/apache.foo.com at FOO.COM
    Krb5Keytab /etc/httpd//conf/sviluppotab
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Require valid-user
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1
    Allow from 127.0.0.1
    SetHandler mod_python
    PythonHandler mod_python.testhandler | .py
    PythonAutoReload on
    PythonDebug on
    PythonOption ApplicationPath '/'
    PythonOption SessionDbm '/var/www/html/authdata/sid/session.dbm'
    PythonOption session_directory '/var/www/html/authdata/sid/session'

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
ExtendedStatus On
User apache
Group apache
ServerAdmin admin at foo.com
ServerName apache.foo.com
UseCanonicalName Off
DocumentRoot "/var/www/html/site"

    Options None
    AllowOverride None
    Order Deny,Allow

UserDir disable root
DirectoryIndex index.html index.html.var
AccessFileName .htaccess

    Order allow,deny
    Deny from all
TypesConfig /etc/mime.types
DefaultType text/plain
HostnameLookups Off
ErrorLog /var/log/www/error.log
LogLevel debug
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog /var/log/www/access.log combined
ServerSignature Off
IndexOptions FancyIndexing VersionSort NameWidth=*
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
DefaultIcon /icons/unknown.gif
ReadmeName README.html
HeaderName HEADER.html
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
AddLanguage en .en
AddLanguage it .it
LanguagePriority en it
AddDefaultCharset ISO-8859-1
AddCharset ISO-8859-1  .iso8859-1  .latin1
AddCharset ISO-8859-2  .iso8859-2  .latin2 .cen
AddCharset ISO-8859-3  .iso8859-3  .latin3
AddCharset ISO-8859-4  .iso8859-4  .latin4
AddCharset UTF-8       .utf8
AddCharset utf-8       .utf8
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddHandler imap-file map
AddHandler type-map var
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
Alias /error/ "/var/www/error/"

    AllowOverride None
    Options IncludesNoExec
    AddOutputFilter Includes html
    AddHandler type-map var
    Order allow,deny
    Allow from all
    LanguagePriority en es de fr
    ForceLanguagePriority Prefer Fallback
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully


Marco Cassiano 
  
Manifatture del Nord srl unipersonale
Gruppo MaxMara 

via Mazzacurati 6
42100 Reggio Emilia RE
ITALY 

Tel. +39 0522 358215 
Fax +39 0522 268715 
email : mcassiano at manord.com 
www.pennyblack.com 

 

---------------------------------------------------------------------------------------------

The contents of the present communication is strictly confidential and reserved solely to the referred addressees. In the event was received by person different from the addressee, it is forbidden the diffusion, distribution and copy. In the event you have received it mistakenly we ask you to inform us and to destroy and/or to delete it by your computer, without using the data herein contained.

 

The present message (eventual annexes inclusive) shall not be considered any contractual proposal and/or acceptance of offer coming from the addressee, nor waiver neither recognizance of rights, debts and/or credits, and it shall not be binding, when it is not executed a subsequent agreement by person who could lawfully represent us. No pre-contractual liability shall derive to us, when the present communication is not followed by any binding agreement between the parties.

---------------------------------------------------------------------------------------------


-----Original Message-----
From: Graham Dumpleton [mailto:graham.dumpleton at gmail.com] 
Sent: Monday, January 14, 2008 10:28 PM
To: Cassiano, Marco
Cc: mod_python at modpython.org
Subject: Re: [mod_python] Mod_python and kerberos authentication (mod_auth_kerb)

No access to mod_python code right now to do any checking so only
thing I can suggest is to set handler to be mod_python.testhandler and
have a look at what it returns and see if you can see anything strange
about the request details that make it through. You might scrub what
it shows of any sensitive data and post it.

Graham

On 14/01/2008, Cassiano, Marco <mcassiano at manord.com> wrote:
> Graham,
>
> thank you for your answer.
> I've made a very simple test script named domain_login.py. Here it is :
>
> def check_user(req):
>         return 'ok'
>
> and I call it with the URL  http://apache.foo.com/login/domain_login.py/check_user
>
> So, to answer your question, the request is a GET.
> It is strange that if I put in the URL a wrong (non-existent) name, for example :
>
>  http://apache.foo.com/login/domain_login.py/wrong_call
>
> I got the same Bad Request error. So the problem seems to occur before the execution of the script.
> In the apache error log I only see that the kerberos authentication was ok and then nothing else...
>
>
> [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1485): [client 192.168.1.25] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1485): [client 192.168.1.25] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1172): [client 192.168.1.25] Acquiring creds for HTTP/sviluppo.manord.com at MANORD.COM
> [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1316): [client 192.168.1.25] Verifying client data using SPNEGO GSS-API
> [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1332): [client 192.168.1.25] Verification returned code 0
> [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1350): [client 192.168.1.25] GSS-API token of length 151 bytes will be sent back
>
> In the apache access.log I see two entries
>
>
> 192.168.1.25 - - [14/Jan/2008:10:56:04 +0100] "GET /login/domain_login1.py/check_user HTTP/1.1" 401 401 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
> 192.168.1.25 - myuser at FOO.COM [14/Jan/2008:10:56:04 +0100] "GET /login/domain_login1.py/check_user HTTP/1.1" 404 231 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
>
>
> In the second line the windows domain user is correctly reported so it seems the kerberos authentication worked...
>
>
> If I remove the kerberos authentication, the script works ok.
> If I remove the mod_python handler from the directory and I ask for a plain html page the kerberos authentication works...
>
> We also tried with mod_python.servlet (PythonHandler mod_python.servlet)
> and the kerberos authentication works perfectly. The script is executed and we can retrieve the username in req.user.
>
> So it seems a problem related to the publisher....
>
>
>
> Thank you
>
>
>
> Marco Cassiano
>
> Manifatture del Nord srl unipersonale
> Gruppo MaxMara
>
> via Mazzacurati 6
> 42100 Reggio Emilia RE
> ITALY
>
> Tel. +39 0522 358215
> Fax +39 0522 268715
> email : mcassiano at manord.com
> www.pennyblack.com
>
> -----Original Message-----
> From: Graham Dumpleton [mailto:graham.dumpleton at gmail.com]
> Sent: Friday, January 11, 2008 10:24 PM
> To: Cassiano, Marco
> Cc: mod_python at modpython.org
> Subject: Re: [mod_python] Mod_python and kerberos authentication (mod_auth_kerb)
>
> When using mod_python.publisher, you would get a Bad Request error if
> the request wasn't either a GET or POST. What is the type of HTTP
> request?
>
> Graham
>
> On 12/01/2008, Cassiano, Marco <mcassiano at manord.com> wrote:
> >
> >
> > Hi all,
> >
> > I've just configured our apache server (Linux RedHat) for kerberos
> > authentication to allow our windows domain users to access it without having
> > to reauthenticate.
> > Everything works fine for a plain html directory, so I'm pretty sure that
> > the kerberos configuration for the apache server is working.
> > When I try to specify Kerberos authentication together with mod_python it's
> > not working. I got the message :
> >
> >
> >
> > Bad Request
> >
> > Your browser sent a request that this server could not understand.
> >
> >
> >
> > My httpd configuration is :
> >
> >
> > Alias /login/ "/var/www/kerb/login/"
> >
> >
> > <Directory "/var/www/kerb/login">
> > ##  AuthName "Kerberos Login"
> >   AuthType Kerberos
> >   KrbAuthRealm FOO.COM
> >   KrbServiceName HTTP/apache.foo.com at FOO.COM
> >   Krb5Keytab /etc/httpd/conf/apache.tab
> >   KrbMethodNegotiate on
> >   KrbMethodK5Passwd off
> > #  KrbSaveCredentials off
> > #  KrbVerifyKDC off
> >   Require valid-user
> >
> >   Order Deny,Allow
> >   Deny from all
> >   Allow from foo.com
> >   Allow from 127.0.0.1
> >
> >   SetHandler mod_python
> >   PythonHandler mod_python.publisher | .py
> >   PythonDebug on
> >   PythonOption ApplicationPath '/'
> >
> > </Directory>
> >
> >
> > Thanks in advance for your advice
> >
> >
> > Marco Cassiano
> >
> > Manifatture del Nord srl
> >
> > Italy
> >
> >
> >
> >
> >
>
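
Graham's advice in this thread is to scrub the testhandler output of sensitive data before posting it. The following is an added example, not code from the thread or from mod_python: a two-pass scrubber for a tab-separated key/value dump like the one above. The key names are taken from that dump; the sample values, the placeholder strings and the function name `scrub` are constructed for illustration.

```python
import re

# Headers whose credential part is dropped. The scheme word is kept because
# "Negotiate" versus "Basic" is useful to whoever reads the report.
AUTH_KEYS = {"Authorization", "Proxy-Authorization", "HTTP_AUTHORIZATION"}
# Keys from the testhandler dump whose values are learned, then replaced
# wherever they recur (other tables, pasted log lines).
LEARN_KEYS = {"REMOTE_USER": "<user>", "REMOTE_ADDR": "<client-ip>",
              "SERVER_ADDR": "<server-ip>"}


def scrub(dump):
    lines = dump.splitlines()
    learned = {}
    for line in lines:  # pass 1: learn the sensitive values
        key, sep, value = line.partition("\t")
        value = value.strip()
        if sep and key in LEARN_KEYS and value:
            learned[value] = LEARN_KEYS[key]
            if key == "REMOTE_USER" and "@" in value[1:]:
                # also catch the bare account name (home paths, log fields)
                learned.setdefault(value.split("@", 1)[0], "<user>")
    pattern = None
    if learned:
        # Longest first, with alphanumeric guards, so 192.0.2.1 never eats the
        # front of 192.0.2.150 and version strings like 2.0.0.11 are left alone.
        alts = "|".join(re.escape(v) for v in sorted(learned, key=len, reverse=True))
        pattern = re.compile(r"(?<![0-9A-Za-z])(?:%s)(?![0-9A-Za-z])" % alts)
    out = []
    for line in lines:  # pass 2: rewrite
        key, sep, value = line.partition("\t")
        if sep and key in AUTH_KEYS:
            scheme, _, cred = value.strip().partition(" ")
            line = "%s\t%s <redacted, %d chars>" % (key, scheme, len(cred))
        elif pattern:
            line = pattern.sub(lambda m: learned[m.group(0)], line)
        out.append(line)
    return "\n".join(out)


SAMPLE = "\n".join([  # constructed, modelled on the testhandler dump
    "User-Agent\tMozilla/5.0 (Windows; U; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11",
    "Authorization\tNegotiate YIIFconstructedTOKENnotARealTicket==",
    "REMOTE_ADDR\t192.0.2.1",
    "SERVER_ADDR\t192.0.2.150",
    "REMOTE_USER\talice@EXAMPLE.TEST",
    "AUTH_TYPE\tNegotiate",
    "[debug] [client 192.0.2.1] request from alice, peer 192.0.2.15",
])

if __name__ == "__main__":
    print(scrub(SAMPLE))
```

Values are replaced only after they have been seen under a known key, which is why the browser version strings survive and an address that never appeared under `REMOTE_ADDR` or `SERVER_ADDR` is left for manual review.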


