php_krb5 rc2

Moritz Bechler

php_krb5 rc2 Sun, Apr 11. 2010

Due to popular demand :), here comes a new candidate release fixing some bugs:

php_krb5-1.0rc2.tar.bz2

Version 1.0.0rc2:
- [BUG] Fixed two memory corruption bugs (NegotiateAuth::doAuthentication, GSSAPIContext::inquireCredentials)
- [BUG] Fix usage of krb5_random_confounder which is removed as of MIT krb5-1.8
- [FEATURE] Added GSSAPIContext::registerAcceptorIdentity to register a keytab from which credentials are fetched
- [BUILDBUG] Added /usr/include/et to include path to fix kadmin headers
- [BUILDBUG] Also scan lib64/ directories for kerberos libraries

Still open:
- kadmin API is now officially exported (starting with 1.7), but slighlty changed ... need to fix this
- Apache does not provide the authentication header via the default mechanism, but it would be possible to obtain it (circumvent this issue by using a rewrite rule which passes the Authorization header).
- anything I have possibly missed....

Thanks to those who reported the issues. Please let me know if I missed some of you issues.

Also I'm propably going to sign up for a PECL account, then a public SVN and bug tracker will be available.


Posted by Moritz Bechler Comments: (17) Trackbacks: (0)

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

#1 - Marty 2010-04-20 10:13 - (Reply)

Hi!
Thanks for the great module! I was searching for a while for a php kerberos solution! Nice work!
But I noticed a crash while having a problem with my dns server. It seems it crashes if the server name cannot be resolved:

php log:
[20-Apr-2010 11:52:05] PHP Warning: main(): Failed to get server FQDN - Lookup failure in /srv/www/htdocs/index.php on line 8

/var/log/messages:
Apr 20 11:52:05 sles11 kernel: php5[9201]: segfault at 0 ip 00007f8e3f8312f3 sp 00007fff4dd83c60 error 4 in krb5.so[7f8e3f82b000+9000]

Adjusting /etc/hosts fixes the problem but may not be an option for everyone.
Any updates an your PECL account? A decent issue tracker would be helpful to improve the module.
Marty

#1.1 - Moritz Bechler 2010-04-20 11:32 - (Reply)

Thanks, and thanks for the report (can confirm that problem).

The more general problem is determining the correct server principal, at the moment I'm using a lookup on the ServerName (SERVER_NAME) to get the FQDN (which should work in most cases when the ServerName is correctly configured). But propably I should add some means to statically configure the server principal.

I just posted to the pecl list, so may be that will be available shortly.

#2 - Ruslan 2010-04-30 13:43 - (Reply)

Hi, thanks for the extension!
I tried to compile it for Windows just like any other PECL extension but found out that config.w32 is missing. So is it possible to get the extension for Windows platform?

#2.1 - Moritz Bechler 2010-04-30 14:08 - (Reply)

I'm sorry, so far I haven't even looked at windows support. It should be perfectly possible to support windows (using MIT's kerberos for windows, not the native win kerberos stuff as this provides a completely different API) but I don't even have a PHP build environment on a windows platform.

If you have, you might try to put together a config.w32 file, that shouldn't be too hard (linking the gssapi library and setting some defines like in config.m4 should be sufficient), and try whether it compiles using VC.

I might look into that too some time. But that propably won't happen in the near future.

#3 - Zl0 2010-07-28 15:17 - (Reply)

Thanks for you nice job! It's best solution for php authorization in kerberos.

#4 - M Schot 2011-08-19 13:13 - (Reply)

Hi Moritz,

Great Module, I'm just wondering if there are any docs online.

I tried to use gendoc.sh in the doc folder but got a load of errors. (the start of it can be seen below)

Cheers


Checking for nsgmls... no
Generating /root/php_krb5-1.0rc2/doc/manual.xml... done
Generating /root/php_krb5-1.0rc2/doc/entities/version.ent... done
Generating /root/php_krb5-1.0rc2/doc/scripts/file-entities.php... done
Generating /root/php_krb5-1.0rc2/doc/scripts/missing-entities.php... done
Iterating over extension specific version files... OK
Saving it... OK
Creating file /root/php_krb5-1.0rc2/doc/entities/file-entities.ent... done
Removing /root/php_krb5-1.0rc2/doc/entities/missing-entities.ent
Removing /root/php_krb5-1.0rc2/doc/entities/missing-ids.xml
Loading and parsing manual.xml... done.
Validating manual.xml... failed.

The document didn't validate, trying to figure out what went wrong...
(This could take awhile. If you experience segfaults here, try again with --disable-xml-details)
PHP Warning: file(): Filename cannot be empty in /root/php_krb5-1.0rc2/doc/configure.php on line 197

Warning: file(): Filename cannot be empty in /root/php_krb5-1.0rc2/doc/configure.php on line 197

ERROR (:unknown)
Namespace default prefix was not found

ERROR (/root/php_krb5-1.0rc2/doc/en/reference/krb5/book.xml:12:19)
&reftitle.intro;
-------------------^
Element title namespace name for default namespace does not match the DTD
PHP Warning: file(): Filename cannot be empty in /root/php_krb5-1.0rc2/doc/configure.php on line 197

Warning: file(): Filename cannot be empty in /root/php_krb5-1.0rc2/doc/configure.php on line 197

ERROR (:unknown)
Namespace default prefix was not found

ERROR (/root/php_krb5-1.0rc2/doc/en/reference/krb5/setup.xml:5:18)
&reftitle.setup;
------------------^
Element title namespace name for default namespace does not match the DTD
PHP Warning: file(): Filename cannot be empty in /root/php_krb5-1.0rc2/doc/configure.php on line 197

Warning: file(): Filename cannot be empty in /root/php_krb5-1.0rc2/doc/configure.php on line 197

#5 - Moritz Bechler 2011-08-19 14:06 - (Reply)

Hi,

thanks for the report. Fixing and updating the docs is definitly on my Todo list (blocker for a new release) but I don't have much time at time moment. You could use the PDF version
http://svn.php.net/viewvc/pecl/krb5/trunk/manual.pdf?revision=310397&view=co
but that isn't 100% accurate.

I'll also advice to use the PECL SVN version of the module which includes some improvements and fixes.


Moritz

#6 - Sean said:
2012-03-22 13:04 - (Reply)

hi Moritz,

thanks for extension. I am working on a SSO solution for a PHP application in a big corporation (70,000+ employees). This extension is one of the candidates under review.

Just wondering if you could move all source code to github.com so we could get better support from the Open Source community.

Or if you don't mind, I could copy over to github.com under your permit ...

thanks,

-Sean

#7 - K Eberding 2012-08-19 12:23 - (Reply)

Hello,

I tried to install the module on Ubuntu 12.04, with PHP 5.3.10. I use standard packages for krb5-config, krb5-clients, krb5-user and libapache2-mod-auth-kerb.

The first error was that the krb5 libraries were not found, they are located at /usr/lib/x86_64-linux-gnu. After checking configure, I fixed that with
ln -s /usr/lib/x86_64-linux-gnu /usr/lib64

configure now runs through, but then I get a make error
In function 'krb5_cc_new_unique':
krb5.c:191:2: error: #error "No function to generate unique identifer found"

I tweaked a #define HAVE_KRB5_CC_NEW_UNIQUE, and could then build and install the extension. However, when restarting Apache, I get another error:
Cannot load /usr/lib/apache2/modules/mod_krb5.so into server: /usr/lib/apache2/modules/mod_krb5.so: undefined symbol: zval_used_for_init

I am now a bit lost. Do I need a complete build environment for PHP to make this work, or is there anything special with Ubuntu?

I am trying to implement a Kerberos authentication for a SOAP connection. The PHP server initiates a SOAP request through SoapClient to another web service. The SOAP request should forward (delegate) the Kerberos ticket from the end user to the web service, so the web service is contacted on behalf of the end user. Your module looks promising, but this scenario may also require some modifications on the SoapClient function. Any suggestions or additional information or examples covering this scenario would be helpful.

thanks
Karsten

#7.1 - Moritz Bechler 2012-08-19 13:15 - (Reply)

Did you use the rc2 package found here? If so, please use the PECL SVN version (https://svn.php.net/repository/pecl/krb5/trunk). This should at least fix the HAVE_KRB5_CC_NEW_UNIQUE problem. The undefined symbol error looks strange, is mod_krb5.so the extension module? This shouldn't be loaded as apache module but by PHP (add it using a extension= line in your php.ini).

What you want to do is definititly possible with this module. I do not know about SoapClient, you propably will have to find a way to pass a custom Authorization Header which will contain a SPNEGO (if you are doing Negotiate auth) or a GSSAPI token (if performing the Kerberos auth scheme). As far as I can see the SOAP extension uses cURL, which in theory is able to do the authentication but this mechanism seems not to be available trough the SOAPClient interface (https://bugs.php.net/bug.php?id=52231).

On the client side you will have to perform the Negotiate authentication mechanism, which is also implemented in the NegotiateAuth class of this extension, but that won't work when running mod_php. But it should be as simple as sending the appropriate WWW-Authenticate header, registering the acceptorIdentity for your server, and passing the token from the Authorization header into acceptSecContext. If the client is configured to perform credential delegation you'll also get a credential cache with the delegated credentials out of this function.

Using these credentials you will then be able to initialize a GSSAPI context for your backend, and pass it to your backend. If performing SPNEGO authentication you'll have to wrap the resulting GSSAPI token in the SPNEGO format.

One word about credential delegation in HTTP Negotiate: Enabling credential delegation causes the client to get a TGT for delegation for every authentication requested by the server. This can possibly add massive latency and load on the KDC. So, you will propably want to restrict delegation to some "login"-page, cache the delegated credentials on the server and possibly use session based authentication afterwards (or Negotitate, but not enabling delegation for these URLs).

#7.1.1 - Karsten Eberding 2012-08-22 10:22 - (Reply)

many thanks for your advice. Yes, I used the package found here, will try again with the update on PECL.

#7.1.2 - Ralf Bödeker 2013-05-06 09:18 - (Reply)

Hi Moritz,
".. If performing SPNEGO authentication you'll have to wrap the resulting GSSAPI token in the SPNEGO format. "

Are there any php tools that can do this? I've only seen the jgss Java-Library so far and the specs for SPNEGO I've seen were not helpfull...

Thank you,
Ralf

#7.1.2.1 - Moritz Bechler 2013-05-06 10:39 - (Reply)

The proper specification is http://www.ietf.org/rfc/rfc2478.txt and the data contained is very simple for the typical application, but encoded in ASN.1/DER (for which I don't think there is a proper encoder available for PHP, and might really be overkill anyways). A simple and dirty hack would be to construct a binary prefix and suffix (saw this once in some code, but don't remember where).

But I really should add a mechanism parameter, then initSecContext should be able to return a proper token. I cannot promise but maybe I'll be able to look into this later today.

#8 - Denix 2012-10-24 15:28 - (Reply)

Hi Moritz,
I confirm that the error is still there with ubuntu 12.04 and the svn version. While the config can be easily fixed by adding a line:
test -r "$DIRECTORY/lib/x86_64-linux-gnu/mit-krb5/libgssapi_krb5.so" && test -r "$DIRECTORY/lib/x86_64-linux-gnu/mit-krb5/libkrb5.so" && KERBEROS_DIR=$DIRECTORY && break

the compilation stop with:
/bin/bash /home/denix/krb5/libtool --mode=compile cc -I. -I/home/denix/krb5 -DPHP_ATOM_INC -I/home/denix/krb5/include -I/home/denix/krb5/main -I/home/denix/krb5 -I/usr/include/php5 -I/usr/include/php5/main -I/usr/include/php5/TSRM -I/usr/include/php5/Zend -I/usr/include/php5/ext -I/usr/include/php5/ext/date/lib -I/usr/include/et -DHAVE_CONFIG_H -Wall -g -O2 -c /home/denix/krb5/krb5.c -o krb5.lo
libtool: compile: cc -I. -I/home/denix/krb5 -DPHP_ATOM_INC -I/home/denix/krb5/include -I/home/denix/krb5/main -I/home/denix/krb5 -I/usr/include/php5 -I/usr/include/php5/main -I/usr/include/php5/TSRM -I/usr/include/php5/Zend -I/usr/include/php5/ext -I/usr/include/php5/ext/date/lib -I/usr/include/et -DHAVE_CONFIG_H -Wall -g -O2 -c /home/denix/krb5/krb5.c -fPIC -DPIC -o .libs/krb5.o
/home/denix/krb5/krb5.c: In function 'krb5_cc_new_unique':
/home/denix/krb5/krb5.c:209:2: error: #error "No function to generate unique identifer found"
/home/denix/krb5/krb5.c:211:2: warning: implicit declaration of function 'krb5_random_confounder' [-Wimplicit-function-declaration]
/home/denix/krb5/krb5.c: In function 'php_krb5_get_tgt_expire':
/home/denix/krb5/krb5.c:478:8: warning: variable 'errstr' set but not used [-Wunused-but-set-variable]
/home/denix/krb5/krb5.c: In function 'zim_KRB5CCache_setConfig':
/home/denix/krb5/krb5.c:1094:2: warning: implicit declaration of function 'krb5_set_config_files' [-Wimplicit-function-declaration]
make: *** [krb5.lo] Error 1

Thanks,
Denis

#9 - Moritz Bechler 2012-10-25 13:03 - (Reply)

I'll need to reorganize the configure script because it currently uses $KERBEROS_DIR/lib/ for the libraries. If you apply the fix you suggest this will result in the following checks not finding the library. The way that is currently used for locating the libraries is quite messy, but as of today MIT kerberos does not provide pkg-config files (this was recently discussed on krb5-dev). If you need to quickly fix this you'll also have to remove several occurances of the lib/ suffix later on in config.m4 ( AC_CHECK_LIB and PHP_ADD_LIBRARY_WITH_PATH, don't forget to rerun phpize).

Moritz

#10 - smokes2345 2012-12-13 19:23 - (Reply)

Since ldap doesn't have persistent connections and I don't wanna send credentials over the network everytime someone loads a page, i wanted to try using your extension to store credentials in between pages. So i'm using initPassword to get the initial TGT and trying to save it, but the extension says it couldn't initialize the destination cache because "Credentials cache permissions incorrect". I'm guessing it's referring to the filesystem permissions, but before I try saving credentials i'm making a whole new folder just for this use using "if(!file_exists($keytab_dir)) mkdir($keytab_dir,0600,true);" any ideas?

#10.1 - Moritz Bechler 2012-12-14 15:34 - (Reply)

I just tried, but cannot reproduce this issue. I'm assuming you try to use KRB5CCache->save and ->open? Typically this means some permission issue, but judging from the library source there are quite a few error conditions triggering this. Is this a regular file system that you try to save to? Can you attach strace to the php process to see what file access is made before it fails?

Moritz


Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.


You can use [geshi lang=lang_name [,ln={y|n}]][/geshi] tags to embed source code snippets.