--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: libapache2-mod-auth-kerb: KrbAuthoritative is broken
- From: Richard A Nelson <cowboy@debian.org>
- Date: Fri, 21 Dec 2007 09:27:16 -0800
- Message-id: <20071221172716.22369.4748.reportbug@bandit-hall.svl.ibm.com>
Package: libapache2-mod-auth-kerb
Version: 5.3-1.3
Severity: important
Here is a fragment of what I was attempting to accomplish:
AuthType Basic
AuthName "w3"
AuthBasicProvider ldap file
AuthUserFile /etc/apache2/htpasswd
AuthzLDAPAuthoritative off
AuthLDAPURL ldapi:///ou=bluepages,o=ibm.com?mail?sub?
AuthType Kerberos
KrbAuthRealms COBPLI.SVL.IBM.COM SVLDEV.SVL.IBM.COM
KrbAuthoritative off
KrbDelegateBasic on
Krb5Keytab /etc/apache2/apache.keytab
require valid-user
So, the goal was to first do KRB, and if that failed, drop back to
LDAP, and if that failed, check the htpasswd file.
All that worked fine until I added Kerberos (LDAP falling back to file).
Now, if KRB auth works, everything is fine, but KRB failures are *not*
being delegated to lower levels:
[error] [client 9.30.102.134] Specified realm `us.ibm.com' not allowed by configuration
There are a plethora of <cc>.ibm.com addresses, and I'm not going to be
able to keep the AuthRealms up to date with them all, nor should I - as
they don't have KRB realms behind them. COBPLI and SVLDEV are the only two
domains with KRB backing them (both are local and have cross-domain
trust setup).
I noticed the earlier bug (288745) on multiple Realms, tagged moreinfo, so I
removed one from the list and tried again - but I get the same error :(
I can easily reproduce (and test) this error - and could easily
verify any updates.
-- System Information:
Debian Release: lenny/sid
APT prefers testing-proposed-updates
APT policy: (500, 'testing-proposed-updates'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.23.11 (SMP w/1 CPU core; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libapache2-mod-auth-kerb depends on:
ii apache2.2-common 2.2.6-3 Next generation, scalable, extenda
ii krb5-config 1.17 Configuration files for Kerberos V
ii libc6 2.7-4 GNU C Library: Shared libraries
ii libcomerr2 1.40.3-1 common error description library
ii libkrb53 1.6.dfsg.3~beta1-2 MIT Kerberos runtime libraries
libapache2-mod-auth-kerb recommends no packages.
-- no debconf information
--- End Message ---