Mauricio Tavares | 31 Jan 2012 16:38

Kerberos auth being ignored?

So my authentication thingie (Apache 2.2.20, mod_auth_kerb 5.4)  looks
like this:

        <Location /kerbie>
                AuthType Kerberos
                KrbAuthRealms DOMAIN.COM
                KrbServiceName HTTP
                Krb5Keytab /etc/apache2/krb5.keytab
                KrbMethodNegotiate on
                KrbMethodK5Passwd on
                KrbLocalUserMapping on
                KrbDelegateBasic off
                Require valid-user

                AuthType basic
                AuthUserFile /srv/www/test/passwd
                AuthName You
                require valid-user
        </Location>

I would expect it to try Kerberos and then fail over to basic. Instead
it is going straight into the basic auth. Any suggestions for why?
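
Added example, not part of the thread and not code from mod_auth_kerb: Apache httpd keeps a single AuthType per configuration section, so when a section sets it twice the later line takes effect, which matches the symptom described in the post above. The Python check below flags such sections; the function name is hypothetical and the sample is a shortened, constructed copy of the posted block.

```python
import re

# Constructed sample: shortened copy of the <Location> block posted above.
SAMPLE = """\
<Location /kerbie>
    AuthType Kerberos
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbDelegateBasic off
    Require valid-user

    AuthType basic
    AuthUserFile /srv/www/test/passwd
    AuthName You
    require valid-user
</Location>
"""

OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")   # e.g. <Location /kerbie>
CLOSE = re.compile(r"</\s*(\w+)\s*>")        # e.g. </Location>


def find_overridden_authtype(conf_text):
    """Return (section, [(line_no, value), ...], effective_value) for every
    section that sets AuthType more than once; the last setting is effective."""
    findings = []
    stack = [("<global>", [])]               # (section label, AuthType lines seen)

    def finish(frame):
        label, seen = frame
        if len(seen) > 1:
            findings.append((label, seen, seen[-1][1]))

    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if CLOSE.match(line):
            if len(stack) > 1:
                finish(stack.pop())
        elif opened:
            stack.append(("<%s %s>" % (opened.group(1), opened.group(2).strip()), []))
        else:
            parts = line.split(None, 1)      # directive names are case-insensitive
            if len(parts) == 2 and parts[0].lower() == "authtype":
                stack[-1][1].append((line_no, parts[1].strip()))
    while stack:                             # unclosed sections and global scope
        finish(stack.pop())
    return findings
```
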


Rohit Kumar Mehta | 31 Jan 2012 16:43

Re: Kerberos auth being ignored?

Hi Mauricio, I wanted to do exactly what you are doing, found it 
difficult and used mod_auth_pam (for kerberos and /etc/passwd 
authentication) instead.  This method was a lot easier (with some 
obvious tradeoffs).

If you need help with mod_auth_pam, email me off-list and I'm glad to 
give you a recipe.

Rohit

Mauricio Tavares wrote:
> So my authentication thingie (Apache 2.2.20, mod_auth_kerb 5.4)  looks
> like this:
>
>          <Location /kerbie>
>                  AuthType Kerberos
>                  KrbAuthRealms DOMAIN.COM
>                  KrbServiceName HTTP
>                  Krb5Keytab /etc/apache2/krb5.keytab
>                  KrbMethodNegotiate on
>                  KrbMethodK5Passwd on
>                  KrbLocalUserMapping on
>                  KrbDelegateBasic off
>                  Require valid-user
>
>                  AuthType basic
>                  AuthUserFile /srv/www/test/passwd
>                  AuthName You
>                  require valid-user
>          </Location>

Henry B. Hotz | 1 Feb 2012 03:31

Re: Kerberos auth being ignored?

Need more info.

Need a *lot* more info.

krb5.conf file?

klist -k -t /etc/apache2/krb5.keytab output?

results of "kinit -k -t /etc/apache2/krb5.keytab HTTP/whatever.the.server.is"?  (kinit
--keytab=/etc/apache2/krb5.keytab HTTP/whatever.the.server.is for Heimdal.)

Contents of the Apache error log?  (You are doing debug logging, right? ;-)

On Jan 31, 2012, at 7:38 AM, Mauricio Tavares wrote:

> So my authentication thingie (Apache 2.2.20, mod_auth_kerb 5.4)  looks
> like this:
> 
>        <Location /kerbie>
>                AuthType Kerberos
>                KrbAuthRealms DOMAIN.COM
>                KrbServiceName HTTP

Probably an irrelevant nit, but I recommend "Any" for this one, as long as you're using a separate keytab
file (which you are).

>                Krb5Keytab /etc/apache2/krb5.keytab
>                KrbMethodNegotiate on
>                KrbMethodK5Passwd on
>                KrbLocalUserMapping on

Mauricio Tavares | 1 Feb 2012 22:58

Re: Kerberos auth being ignored?

On Tue, Jan 31, 2012 at 9:31 PM, Henry B. Hotz <hotz <at> jpl.nasa.gov> wrote:
> Need more info.
>
> Need a *lot* more info.
>
> krb5.conf file?
>
> klist -k -t /etc/apache2/krb5.keytab output?
>
> results of "kinit -k -t /etc/apache2/krb5.keytab HTTP/whatever.the.server.is"?  (kinit
> --keytab=/etc/apache2/krb5.keytab HTTP/whatever.the.server.is for Heimdal.)
>
      Just to let you know, kinit -k -t /etc/apache2/krb5.keytab
HTTP/whatever.the.server.is does successfully create a ticket:

kinit -k -t /etc/apache2/krb5.keytab -c /tmp/pickles "HTTP/`hostname -f`"
klist -e /tmp/pickles
Ticket cache: FILE:/tmp/pickles
Default principal: HTTP/ubuntu1004-x64.internal.domain.com@DOMAIN.COM

Valid starting     Expires            Service principal
02/01/12 14:48:52  02/02/12 00:48:52  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 02/08/12 14:48:52, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

(ignore hostname; it is running ubuntu 11.10)

Also, if I am only authenticating against kerberos using mod_auth_kerb,

       <Location /kerbie>