projects
/
mod_auth_kerb.cvs
/
.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
|
inline
| side by side (parent:
f56cf04
)
Added more debug messages
author
kouril
<kouril>
Mon, 1 Nov 2004 22:25:07 +0000
(22:25 +0000)
committer
kouril
<kouril>
Mon, 1 Nov 2004 22:25:07 +0000
(22:25 +0000)
src/mod_auth_kerb.c
patch
|
blob
|
history
diff --git
a/src/mod_auth_kerb.c
b/src/mod_auth_kerb.c
index
7ae9bd4
..
46e870b
100644
(file)
--- a/
src/mod_auth_kerb.c
+++ b/
src/mod_auth_kerb.c
@@
-510,7
+510,7
@@
end:
* we had to use this call instead, which is only a bit modified version of
* krb5_verify_init_creds() */
static krb5_error_code
* we had to use this call instead, which is only a bit modified version of
* krb5_verify_init_creds() */
static krb5_error_code
-verify_krb5_init_creds(krb5_context context, krb5_creds *creds,
+verify_krb5_init_creds(
request_rec *r,
krb5_context context, krb5_creds *creds,
krb5_principal ap_req_server, krb5_keytab ap_req_keytab)
{
krb5_error_code ret;
krb5_principal ap_req_server, krb5_keytab ap_req_keytab)
{
krb5_error_code ret;
@@
-519,6
+519,7
@@
verify_krb5_init_creds(krb5_context context, krb5_creds *creds,
krb5_creds *new_creds = NULL;
krb5_auth_context auth_context = NULL;
krb5_keytab keytab = NULL;
krb5_creds *new_creds = NULL;
krb5_auth_context auth_context = NULL;
krb5_keytab keytab = NULL;
+ char *server_name;
memset(&req, 0, sizeof(req));
memset(&req, 0, sizeof(req));
@@
-530,16
+531,35
@@
verify_krb5_init_creds(krb5_context context, krb5_creds *creds,
keytab = ap_req_keytab;
ret = krb5_cc_resolve(context, "MEMORY:", &local_ccache);
keytab = ap_req_keytab;
ret = krb5_cc_resolve(context, "MEMORY:", &local_ccache);
- if (ret)
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "krb5_cc_resolve() failed when verifying KDC");
return ret;
return ret;
+ }
ret = krb5_cc_initialize(context, local_ccache, creds->client);
ret = krb5_cc_initialize(context, local_ccache, creds->client);
- if (ret)
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "krb5_cc_initialize() failed when verifying KDC");
goto end;
goto end;
+ }
ret = krb5_cc_store_cred (context, local_ccache, creds);
ret = krb5_cc_store_cred (context, local_ccache, creds);
- if (ret)
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "krb5_cc_initialize() failed when verifying KDC");
goto end;
goto end;
+ }
+
+ ret = krb5_unparse_name(context, ap_req_server, &server_name);
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "krb5_unparse_name() failed when verifying KDC");
+ goto end;
+ }
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "Using principal %s to verify authenticity of KDC", server_name);
+ free(server_name);
if (!krb5_principal_compare (context, ap_req_server, creds->server)) {
krb5_creds match_cred;
if (!krb5_principal_compare (context, ap_req_server, creds->server)) {
krb5_creds match_cred;
@@
-551,25
+571,39
@@
verify_krb5_init_creds(krb5_context context, krb5_creds *creds,
ret = krb5_get_credentials (context, 0, local_ccache,
&match_cred, &new_creds);
ret = krb5_get_credentials (context, 0, local_ccache,
&match_cred, &new_creds);
- if (ret)
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "krb5_get_credentials() failed when verifying KDC");
goto end;
goto end;
+ }
creds = new_creds;
}
ret = krb5_mk_req_extended (context, &auth_context, 0, NULL, creds, &req);
creds = new_creds;
}
ret = krb5_mk_req_extended (context, &auth_context, 0, NULL, creds, &req);
- if (ret)
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "krb5_mk_req_extended() failed when verifying KDC");
goto end;
goto end;
+ }
krb5_auth_con_free (context, auth_context);
auth_context = NULL;
ret = krb5_auth_con_init(context, &auth_context);
krb5_auth_con_free (context, auth_context);
auth_context = NULL;
ret = krb5_auth_con_init(context, &auth_context);
- if (ret)
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "krb5_auth_con_init() failed when verifying KDC");
goto end;
goto end;
+ }
/* use KRB5_AUTH_CONTEXT_DO_SEQUENCE to skip replay cache checks */
krb5_auth_con_setflags(context, auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE);
ret = krb5_rd_req (context, &auth_context, &req, ap_req_server,
keytab, 0, NULL);
/* use KRB5_AUTH_CONTEXT_DO_SEQUENCE to skip replay cache checks */
krb5_auth_con_setflags(context, auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE);
ret = krb5_rd_req (context, &auth_context, &req, ap_req_server,
keytab, 0, NULL);
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "krb5_rd_req() failed when verifying KDC");
+ goto end;
+ }
end:
#ifdef HEIMDAL
end:
#ifdef HEIMDAL
@@
-600,6
+634,7
@@
verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
krb5_principal server = NULL;
krb5_error_code ret;
krb5_ccache ret_ccache = NULL;
krb5_principal server = NULL;
krb5_error_code ret;
krb5_ccache ret_ccache = NULL;
+ char *name = NULL;
/* XXX error messages shouldn't be logged here (and in the while() loop in
* authenticate_user_krb5pwd() as weell), in order to avoid confusing log
/* XXX error messages shouldn't be logged here (and in the while() loop in
* authenticate_user_krb5pwd() as weell), in order to avoid confusing log
@@
-607,6
+642,13
@@
verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
memset(&creds, 0, sizeof(creds));
memset(&creds, 0, sizeof(creds));
+ ret = krb5_unparse_name(context, principal, &name);
+ if (ret == 0) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "Trying to get TGT for user %s", name);
+ free(name);
+ }
+
ret = krb5_get_init_creds_password(context, &creds, principal,
(char *)password, NULL,
NULL, 0, NULL, NULL);
ret = krb5_get_init_creds_password(context, &creds, principal,
(char *)password, NULL,
NULL, 0, NULL, NULL);
@@
-614,7
+656,7
@@
verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"krb5_get_init_creds_password() failed: %s",
krb5_get_err_text(context, ret));
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"krb5_get_init_creds_password() failed: %s",
krb5_get_err_text(context, ret));
-
return ret
;
+
goto end
;
}
ret = krb5_sname_to_principal(context, ap_get_server_name(r), service,
}
ret = krb5_sname_to_principal(context, ap_get_server_name(r), service,
@@
-639,7
+681,7
@@
verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
*/
if (krb_verify_kdc &&
*/
if (krb_verify_kdc &&
- (ret = verify_krb5_init_creds(context, &creds, server, keytab))) {
+ (ret = verify_krb5_init_creds(
r,
context, &creds, server, keytab))) {
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"failed to verify krb5 credentials: %s",
krb5_get_err_text(context, ret));
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"failed to verify krb5 credentials: %s",
krb5_get_err_text(context, ret));