Hello,

   OK, as I wrote this email out I identified the problem. Since I had
already typed it up, and Google wasn't helping me, I figured I'd post it
anyway so Google could help others :)

I'm attempting to configure Kerberos authentication for HTTP via mod_auth_kerb.
It was working a little while ago, and I'm at a loss as to what broke it.

I can kinit my user, with a password, i.e.

$> kinit [user]@[realm]
password:
$>

I can kinit HTTP/[domain]@[realm] using the keytab, i.e.

$> kinit -k -t /etc/httpd.keytab HTTP/[domain]@[realm]

(both kinit commands were executed from the web server via a ssh shell)

The ServerName is set to the host.domain. 
The ServerName is a DNS-resolvable FQDN of the server.
[realm] is the capitalized domain.

My auth_kerb.conf is like so:

[root@sipc2 ~]# cat /etc/httpd/conf.d/auth_kerb.conf
LoadModule auth_kerb_module modules/mod_auth_kerb.so
<Location /webapp/ >
AuthType Kerberos
AuthName "Login for [server]"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms [realm]
Krb5KeyTab /etc/httpd.keytab
KrbVerifyKDC Off
require user [user name]
</Location>

But when I go to any file under /webapp/

I get the browser dialog asking for the username and password.
I enter it.
I get 401 Authorization Denied.

I have no errors or anything Kerberos-related in the error_log, other than:

[Thu Apr 25 18:44:43 2013] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 24630 for (*)
[Thu Apr 25 18:44:43 2013] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 configured -- resuming normal operations
[Thu Apr 25 18:44:43 2013] [info] Server built: Feb 13 2012 22:31:42
[Thu Apr 25 18:44:43 2013] [debug] prefork.c(1018): AcceptMutex: sysvsem (default: sysvsem)

As you will note, I have LogLevel set to debug. Nothing else related to
Kerberos shows up in the logs.

On the Kerberos side, all I see when the browser issues the request is:

Apr 25 18:54:35 linux-client krb5kdc[8519](info): AS_REQ (4 etypes {18 17 16 23}) 10.170.3.102: ISSUE: authtime 1366941275, etypes {rep=18 tkt=18 ses=18}, [user]@[realm] for krbtgt/[realm]@[realm]

I tried to dig up as much as I could about kerberos errors, but this looks like 
it's saying it issued the ticket just fine.

But the httpd access_log shows:

[ip] - [user]@[realm] [25/Apr/2013:18:54:21 -0700] "GET /webapp/setup.html HTTP/1.1" 401 492 "-" "Mozilla/5.0 (Windows NT 5.2; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"

And then the browser seems to cache the credentials (that don't work), and then 
I'm hosed...

Any tips?
Even something that could just help me debug why it's getting 401?

I even tried watching 
the request with wireshark, pulling the base64 username:password out of 
the header, and double-checking they were correct.. they were.

Ok, the problem was:

require user [user name]

Should have been

require user [username]@[realm]

It is ODD that httpd appears smart enough to append the realm to the
username when it sends out the authorization request, but does not use
the appended realm when verifying the user.
Note that I took apart 
the base64 encoded field sent by the browser. The browser was NOT 
appending the realm. So HTTPD must have appended it before it sent it 
out to kerberos, and before it checked it against the require list.

I would think that whatever transformations are made to the user when a
request is made to Kerberos for authorization would also be applied to the
require user list before httpd checks the username against the list, or
that the user checked against the list would be transformation-free.

And at least there would be some hints in the debug logs about what happened :(

To check if this is your problem, just change the require line to:

require valid-user

and restart httpd

Take care,
  -stu
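
The same <Location> block with the fix applied, as an added example that is
not part of the original message or of mod_auth_kerb's own documentation.
[REALM], [user] and [server] are placeholders as in the message above.
KrbLocalUserMapping is shown as an alternative and is assumed to be available
in the mod_auth_kerb 5.4 build named in the error_log line; the KrbVerifyKDC
comment reflects the mod_auth_kerb README's warning about that directive.

```apache
# Added example, not the original poster's config.  Placeholders as above.
LoadModule auth_kerb_module modules/mod_auth_kerb.so

<Location /webapp/>
    AuthType Kerberos
    AuthName "Login for [server]"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms [REALM]
    Krb5KeyTab /etc/httpd.keytab

    # KrbVerifyKDC Off skips verifying the TGT against the HTTP/ key in the
    # keytab.  With KrbMethodK5Passwd On that leaves password logins open to a
    # spoofed KDC, so it belongs in a test setup only.  Once
    # "kinit -k -t /etc/httpd.keytab HTTP/[server]@[REALM]" works, turn it on.
    KrbVerifyKDC On

    # Step 1 while debugging: accept any authenticated principal.  If this
    # works and "require user" does not, the problem is the user match, not
    # Kerberos.
    #require valid-user

    # Wrong (the original config): mod_auth_kerb hands Apache the full
    # principal "[user]@[REALM]" as REMOTE_USER, so a bare "[user]" never
    # matches and every request ends in 401 even though the KDC issued a
    # ticket.
    #require user [user]

    # Right: match the principal exactly as mod_auth_kerb reports it.
    require user [user]@[REALM]

    # Alternative (assumed present in 5.4): strip the realm for principals in
    # the local realm, after which "require user [user]" matches.
    #KrbLocalUserMapping On
    #require user [user]
</Location>
```

To check either form without a browser (and without its cached failed
credentials), run kinit [user]@[REALM] on a client with a GSSAPI-enabled curl
and request the page with curl -v --negotiate -u : http://[server]/webapp/setup.html;
the password path can be exercised with curl -v -u '[user]@[REALM]' against
the same URL. A 200 with require valid-user and a 401 with require user shows
the mismatch described above.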
