[mod_python] Mod_python and kerberos authentication (mod_auth_kerb)

Graham Dumpleton graham.dumpleton at gmail.com
Wed Jan 16 01:03:56 EST 2008


I remember now.

See:

  http://issues.apache.org/jira/browse/MODPYTHON-47

Use the same workaround as described in there for using Digest auth with publisher.

Graham

On 16/01/2008, Cassiano, Marco <mcassiano at manord.com> wrote:
> Graham,
>
> here is the information from mod_python.testhandler.
> The kerberos authentication worked fine with testhandler.
> I can't see anything strange in the output....
> Thanks
>
> marco
>
>
> -----------------------------------------------------------------------------
>
>
>
> General information
> Apache version  Apache
> Apache threaded MPM     No (single thread MPM)
> Apache forked MPM       Yes, maximum 256 processes
> Apache server root      /etc/httpd/
> Apache document root    /var/www/html/site
> Apache error log        /var/log/www/error.log (view last 100 lines)
> Python sys.version      2.4.2 (#1, Jan 30 2006, 15:30:03) [GCC 3.2.3 20030502 (Red Hat Linux 3.2.3-53)]
> Python sys.path
>
> /var/www/cgi/testkerb/
> /usr/local/lib/python2.4/site-packages/setuptools-0.6c5-py2.4.egg
> /usr/local/lib/python24.zip
> /usr/local/lib/python2.4
> /usr/local/lib/python2.4/plat-linux2
> /usr/local/lib/python2.4/lib-tk
> /usr/local/lib/python2.4/lib-dynload
> /usr/local/lib/python2.4/site-packages
> /usr/local/lib/python2.4/site-packages/PIL
> /usr/local/lib/python2.4/site-packages/barcode
> /usr/local/lib/python2.4/site-packages/MySQLdb
> /usr/local/lib/python2.4/site-packages/_xmlplus
> /usr/local/lib/python2.4/site-packages/reportlab
>
> Python interpreter name apache.foo.com
> mod_python.publisher available  Yes
> mod_python.psp available        Yes
> Request input headers
> Key     Value
> Host    apache.foo.com
> User-Agent      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
> Accept  text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language en-us,en;q=0.5
> Accept-Encoding gzip,deflate
> Accept-Charset  ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive      300
> Connection      keep-alive
> Authorization   Negotiate Y....4
> Request environment
> Key     Value
> SCRIPT_URL      /test/domain_login1.py/check_user
> SCRIPT_URI      http://apache.foo.com/test/domain_login1.py/check_user
> GATEWAY_INTERFACE       CGI/1.1
> SERVER_PROTOCOL HTTP/1.1
> REQUEST_METHOD  GET
> QUERY_STRING
> REQUEST_URI     /test/domain_login1.py/check_user
> SCRIPT_NAME     /test/domain_login1.py
> PATH_INFO       /check_user
> PATH_TRANSLATED /var/www/check_user
> HTTP_HOST       apache.foo.com
> HTTP_USER_AGENT Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
> HTTP_ACCEPT     text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> HTTP_ACCEPT_LANGUAGE    en-us,en;q=0.5
> HTTP_ACCEPT_ENCODING    gzip,deflate
> HTTP_ACCEPT_CHARSET     ISO-8859-1,utf-8;q=0.7,*;q=0.7
> HTTP_KEEP_ALIVE 300
> HTTP_CONNECTION keep-alive
> PATH    /usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
> SERVER_SIGNATURE
> SERVER_SOFTWARE Apache
> SERVER_NAME     apache.foo.com
> SERVER_ADDR     192.168.1.150
> SERVER_PORT     80
> REMOTE_ADDR     192.168.1.1
> DOCUMENT_ROOT   /var/www/html/site
> SERVER_ADMIN    admin at foo.com
> SCRIPT_FILENAME /var/www/cgi/testkerb/domain_login1.py
> REMOTE_PORT     1681
> REMOTE_USER     admin@@FOO.COM
> AUTH_TYPE       Negotiate
> Request configuration
> Key     Value
> PythonAutoReload        1
> PythonDebug     1
> Request options
> Key     Value
> ApplicationPath /
> SessionDbm      /var/www/html/sid/session.dbm
> session_directory       /var/www/html/sid/session
> Request notes
> Key     Value
> python_init_ran 1
> mod_rewrite_rewritten   0
> Server configuration
> Key     Value
> PythonAutoReload        1
> PythonDebug     1
> PythonPath      sys.path+['/var/www/cgi/common','/var/www/cgi/devel']
> Server options
> Key     Value
> Server configuration tree
>
> ServerTokens Prod
> PidFile run/httpd.pid
> Timeout 120
> KeepAlive On
> MaxKeepAliveRequests 3
> KeepAliveTimeout 15
> StartServers 8
> MinSpareServers 5
> MaxSpareServers 20
> ServerLimit 256
> MaxClients 256
> MaxRequestsPerChild 50
> Listen 0.0.0.0:80
>
>
>         SetHandler default-handler
> Alias /test/ "/var/www/cgi/testkerb/"
>
>     AuthType Kerberos
>     KrbAuthRealm FOO.COM
>     KrbServiceName HTTP/apache.foo.com at FOO.COM
>     Krb5Keytab /etc/httpd//conf/sviluppotab
>     KrbMethodNegotiate on
>     KrbMethodK5Passwd off
>     Require valid-user
>     Order Deny,Allow
>     Deny from all
>     Allow from 192.168.1
>     Allow from 127.0.0.1
>     SetHandler mod_python
>     PythonHandler mod_python.testhandler | .py
>     PythonAutoReload on
>     PythonDebug on
>     PythonOption ApplicationPath '/'
>     PythonOption SessionDbm '/var/www/html/authdata/sid/session.dbm'
>     PythonOption session_directory '/var/www/html/authdata/sid/session'
>
> RewriteEngine on
> RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
> RewriteRule .* - [F]
> ExtendedStatus On
> User apache
> Group apache
> ServerAdmin admin at foo.com
> ServerName apache.foo.com
> UseCanonicalName Off
> DocumentRoot "/var/www/html/site"
>
>     Options None
>     AllowOverride None
>     Order Deny,Allow
>
> UserDir disable root
> DirectoryIndex index.html index.html.var
> AccessFileName .htaccess
>
>     Order allow,deny
>     Deny from all
> TypesConfig /etc/mime.types
> DefaultType text/plain
> HostnameLookups Off
> ErrorLog /var/log/www/error.log
> LogLevel debug
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
> LogFormat "%h %l %u %t \"%r\" %>s %b" common
> LogFormat "%{Referer}i -> %U" referer
> LogFormat "%{User-agent}i" agent
> CustomLog /var/log/www/access.log combined
> ServerSignature Off
> IndexOptions FancyIndexing VersionSort NameWidth=*
> AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
> AddIconByType (TXT,/icons/text.gif) text/*
> AddIconByType (IMG,/icons/image2.gif) image/*
> AddIconByType (SND,/icons/sound2.gif) audio/*
> AddIconByType (VID,/icons/movie.gif) video/*
> AddIcon /icons/binary.gif .bin .exe
> AddIcon /icons/binhex.gif .hqx
> AddIcon /icons/tar.gif .tar
> AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
> AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
> AddIcon /icons/a.gif .ps .ai .eps
> AddIcon /icons/layout.gif .html .shtml .htm .pdf
> AddIcon /icons/text.gif .txt
> AddIcon /icons/c.gif .c
> AddIcon /icons/p.gif .pl .py
> AddIcon /icons/f.gif .for
> AddIcon /icons/dvi.gif .dvi
> AddIcon /icons/uuencoded.gif .uu
> AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
> AddIcon /icons/tex.gif .tex
> AddIcon /icons/bomb.gif core
> AddIcon /icons/back.gif ..
> AddIcon /icons/hand.right.gif README
> AddIcon /icons/folder.gif ^^DIRECTORY^^
> AddIcon /icons/blank.gif ^^BLANKICON^^
> DefaultIcon /icons/unknown.gif
> ReadmeName README.html
> HeaderName HEADER.html
> IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
> AddLanguage en .en
> AddLanguage it .it
> LanguagePriority en it
> AddDefaultCharset ISO-8859-1
> AddCharset ISO-8859-1  .iso8859-1  .latin1
> AddCharset ISO-8859-2  .iso8859-2  .latin2 .cen
> AddCharset ISO-8859-3  .iso8859-3  .latin3
> AddCharset ISO-8859-4  .iso8859-4  .latin4
> AddCharset UTF-8       .utf8
> AddCharset utf-8       .utf8
> AddType application/x-compress .Z
> AddType application/x-gzip .gz .tgz
> AddHandler imap-file map
> AddHandler type-map var
> AddType text/html .shtml
> AddOutputFilter INCLUDES .shtml
> Alias /error/ "/var/www/error/"
>
>     AllowOverride None
>     Options IncludesNoExec
>     AddOutputFilter Includes html
>     AddHandler type-map var
>     Order allow,deny
>     Allow from all
>     LanguagePriority en es de fr
>     ForceLanguagePriority Prefer Fallback
> BrowserMatch "Mozilla/2" nokeepalive
> BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
> BrowserMatch "RealPlayer 4\.0" force-response-1.0
> BrowserMatch "Java/1\.0" force-response-1.0
> BrowserMatch "JDK/1\.0" force-response-1.0
> BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
> BrowserMatch "^WebDrive" redirect-carefully
> BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
> BrowserMatch "^gnome-vfs" redirect-carefully
>
>
> Marco Cassiano
>
> Manifatture del Nord srl unipersonale
> Gruppo MaxMara
>
> via Mazzacurati 6
> 42100 Reggio Emilia RE
> ITALY
>
> Tel. +39 0522 358215
> Fax +39 0522 268715
> email : mcassiano at manord.com
> www.pennyblack.com
>
>
>
> ---------------------------------------------------------------------------------------------
>
>
>
>
>
> ---------------------------------------------------------------------------------------------
>
> The contents of the present communication are strictly confidential and reserved solely for the referred addressees. In the event it is received by a person other than the addressee, its diffusion, distribution and copying are forbidden. In the event you have received it mistakenly, we ask you to inform us and to destroy and/or delete it from your computer, without using the data herein contained.
>
>
>
> The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of an offer coming from the addressee, nor a waiver or recognition of rights, debts and/or credits, and it shall not be binding unless a subsequent agreement is executed by a person who can lawfully represent us. No pre-contractual liability shall derive to us when the present communication is not followed by a binding agreement between the parties.
>
> ---------------------------------------------------------------------------------------------
>
>
> -----Original Message-----
> From: Graham Dumpleton [mailto:graham.dumpleton at gmail.com]
> Sent: Monday, January 14, 2008 10:28 PM
> To: Cassiano, Marco
> Cc: mod_python at modpython.org
> Subject: Re: [mod_python] Mod_python and kerberos authentication (mod_auth_kerb)
>
> No access to mod_python code right now to do any checking so only
> thing I can suggest is to set handler to be mod_python.testhandler and
> have a look at what it returns and see if you can see anything strange
> about the request details that make it through. You might scrub what
> it shows of any sensitive data and post it.
>
> Graham
>
> On 14/01/2008, Cassiano, Marco <mcassiano at manord.com> wrote:
> > Graham,
> >
> > thank you for your answer.
> > I've made a very simple test script named domain_login.py. Here it is :
> >
> > def check_user(req):
> >     return 'ok'
> >
> > and I call it with the URL  http://apache.foo.com/login/domain_login.py/check_user
> >
> > So, to answer your question, the request is a GET.
> > It is strange that if I put in the URL a wrong (non-existent) name, for example :
> >
> >  http://apache.foo.com/login/domain_login.py/wrong_call
> >
> > I got the same Bad Request error. So the problem seems to occur before the execution of the script.
> > In the apache error log I only see that the kerberos authentication was ok and then nothing else...
> >
> >
> > [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1485): [client 192.168.1.25] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> > [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1485): [client 192.168.1.25] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> > [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1172): [client 192.168.1.25] Acquiring creds for HTTP/sviluppo.manord.com at MANORD.COM
> > [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1316): [client 192.168.1.25] Verifying client data using SPNEGO GSS-API
> > [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1332): [client 192.168.1.25] Verification returned code 0
> > [Mon Jan 14 10:04:35 2008] [debug] src/mod_auth_kerb.c(1350): [client 192.168.1.25] GSS-API token of length 151 bytes will be sent back
> >
> > In the apache access.log I see two entries
> >
> >
> > 192.168.1.25 - - [14/Jan/2008:10:56:04 +0100] "GET /login/domain_login1.py/check_user HTTP/1.1" 401 401 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
> > 192.168.1.25 - myuser at FOO.COM [14/Jan/2008:10:56:04 +0100] "GET /login/domain_login1.py/check_user HTTP/1.1" 404 231 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
> >
> >
> > In the second line the windows domain user is correctly reported so it seems the kerberos authentication worked...
> >
> >
> > If I remove the kerberos authentication, the script works ok.
> > If I remove the mod_python handler from the directory and I ask for a plain html page the kerberos authentication works...
> >
> > We also tried with mod_python.servlet (PythonHandler mod_python.servlet)
> > and the kerberos authentication works perfectly. The script is executed and we can retrieve the username in req.user.
> >
> > So it seems a problem related to the publisher....
> >
> >
> >
> > Thank you
> >
> >
> >
> > Marco Cassiano
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: Graham Dumpleton [mailto:graham.dumpleton at gmail.com]
> > Sent: Friday, January 11, 2008 10:24 PM
> > To: Cassiano, Marco
> > Cc: mod_python at modpython.org
> > Subject: Re: [mod_python] Mod_python and kerberos authentication (mod_auth_kerb)
> >
> > When using mod_python.publisher, you would get a Bad Request error if
> > the request wasn't either a GET or POST. What is the type of HTTP
> > request?
> >
> > Graham
> >
> > On 12/01/2008, Cassiano, Marco <mcassiano at manord.com> wrote:
> > >
> > >
> > > Hi all,
> > >
> > > I've just configured our apache server (Linux RedHat) for kerberos
> > > authentication to allow our windows domain users to access it without having
> > > to reauthenticate.
> > > Everything works fine for a plain html directory, so I'm pretty sure that
> > > the kerberos configuration for the apache server is working.
> > > When I try to specify Kerberos authentication together with mod_python it's
> > > not working. I got the message :
> > >
> > >
> > >
> > > Bad Request
> > >
> > > Your browser sent a request that this server could not understand.
> > >
> > >
> > >
> > > My httpd configuration is :
> > >
> > >
> > > Alias /login/ "/var/www/kerb/login/"
> > >
> > >
> > > <Directory "/var/www/kerb/login">
> > > ##  AuthName "Kerberos Login"
> > >   AuthType Kerberos
> > >   KrbAuthRealm FOO.COM
> > >   KrbServiceName HTTP/apache.foo.com at FOO.COM
> > >   Krb5Keytab /etc/httpd/conf/apache.tab
> > >   KrbMethodNegotiate on
> > >   KrbMethodK5Passwd off
> > > #  KrbSaveCredentials off
> > > #  KrbVerifyKDC off
> > >   Require valid-user
> > >
> > >   Order Deny,Allow
> > >   Deny from all
> > >   Allow from foo.com
> > >   Allow from 127.0.0.1
> > >
> > >   SetHandler mod_python
> > >   PythonHandler mod_python.publisher | .py
> > >   PythonDebug on
> > >   PythonOption ApplicationPath '/'
> > >
> > > </Directory>
> > >
> > >
> > > Thanks in advance for your advice
> > >
> > >
> > > Marco Cassiano
> > >
> > > Manifatture del Nord srl
> > >
> > > Italy
> > >
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Mod_python mailing list
> > > Mod_python at modpython.org
> > > http://mailman.modpython.org/mailman/listinfo/mod_python
> > >
> > >
> >
>
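As an added illustration (not code from mod_python, mod_auth_kerb or anyone in this thread), the following Python 3 sketch shows the failure class Graham is pointing at: a handler that decodes every Authorization header as Basic turns a Negotiate (SPNEGO) header into a 400 Bad Request, while a scheme-aware version defers to the identity the Apache auth module already exported as REMOTE_USER. The headers, environment values and token are constructed stand-ins; REMOTE_USER is set to a made-up principal.

```python
import base64
import binascii

HTTP_BAD_REQUEST = 400


class BadRequest(Exception):
    """Stands in for a handler answering 400 Bad Request."""


def basic_only_credentials(headers):
    """Naive parser: treats every Authorization header as 'Basic <base64>'.
    A Negotiate header is not a base64 'user:password' pair after byte 6,
    so the parse fails and the request is rejected even though the auth
    module already accepted the Kerberos ticket."""
    auth = headers.get("Authorization")
    if not auth:
        return None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode("latin-1")
        user, _password = decoded.split(":", 1)
    except (binascii.Error, ValueError, UnicodeDecodeError):
        raise BadRequest(HTTP_BAD_REQUEST)
    return user


def scheme_aware_credentials(headers, env):
    """Look at the scheme first. Only Basic carries a password the handler
    can read; for Negotiate/Digest the server module verified the client,
    so use REMOTE_USER, but only if AUTH_TYPE confirms that module ran."""
    auth = headers.get("Authorization")
    if not auth:
        return None
    scheme, _, payload = auth.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(payload.strip(), validate=True).decode("latin-1")
            user, _password = decoded.split(":", 1)
        except (binascii.Error, ValueError, UnicodeDecodeError):
            raise BadRequest(HTTP_BAD_REQUEST)
        return user
    if scheme in ("negotiate", "digest"):
        if env.get("AUTH_TYPE", "").lower() == scheme and env.get("REMOTE_USER"):
            return env["REMOTE_USER"]
        return None
    return None  # unknown scheme: leave unauthenticated rather than 400


def raises_bad_request(func, *args):
    """True if func(*args) rejects the request with BadRequest."""
    try:
        func(*args)
    except BadRequest:
        return True
    return False


# Constructed sample input (not from the thread): a Basic login, and a Negotiate
# request as mod_auth_kerb would leave it after verifying the ticket.
BASIC_HEADERS = {"Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode()}
NEGOTIATE_HEADERS = {"Authorization": "Negotiate " + base64.b64encode(b"constructed-spnego-token").decode()}
NEGOTIATE_ENV = {"AUTH_TYPE": "Negotiate", "REMOTE_USER": "admin@FOO.COM"}
```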


