Reuse of Apache Kerberos Ticket

[C1-10P]

I've found that a cached Apache ticket can not be used immediately by the php-smbclient library. In my workaround, I use the krb5 php-lib to convert the ticket in the correct format. With this modification it is possible to authenticate cifs-shares with a kerberos sso-ticket. Apache only creates a ticket cache when you enable Kerberos delegation.

[icewind1991]

Can you move the KerberosAuth changes to a separate ApacheKerberosAuth class and pass the saveTicketInMemory as constructor parameter.

Also with the changes moved to a separate class it can properly throw an error when the krb5 extension is missing or the ticket is missing/invalid instead of silently changing the behaviour

[icewind1991]

I've been having issues properly testing this because no matter what I seem to do KrbSaveCredentials doesn't set the KRB5CCNAME, do you maybe have any ideas what I could be doing wrong

[C1-10P]

I had this kind of problem with php-fpm. The solution was to set
env["KRB5CCNAME"] = $KRB5CCNAME or clear_env = no in the fpm conf, because php-fpm clears all apache env-vars.

[C1-10P]

Here is a detailed description of a working setup: https://github.com/C1-10P/php_kerberos_cifs_poc

[C1-10P]

You must also configure Kerberos delegation. For the test I have activated "Trust this user for delegation to any service" https://blogs.msdn.microsoft.com/autz_auth_stuff/2011/05/03/kerberos-delegation/

[icewind1991]

If followed the steps from your writeup and I'm testing with curl with --delegation always

[icewind1991]

Finally got this running locally, seeing if I can get it running in CI before merging

[icewind1991]

Merged this manually to handle the rebase.

Thanks for the work!