Hello,
I'm migrating a legacy system from mod_kerberos to this module.
And when I try to authenticate, it fails from time to time:
>/home/gregoire clear ; for i in `seq 0 40` ; do curl -su 'gpineau:foobar' http://foobar:8080/build/2.4956d9f2.js -I | grep HTTP ; done
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 200 OK
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 200 OK
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 200 OK
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 200 OK
HTTP/1.1 401 Unauthorized
In the log, I can read, only when it fails:
[Tue Jun 25 18:51:17.496746 2024] [auth_gssapi:error] [pid 103358] [client 127.0.0.1:40726] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [No credentials were supplied, or the credentials were unavailable or inaccessible (No key table entry found matching HTTP/prod-01-isy.prod.com@)]
When it succeeds, there is nothing useful.
Apache Conf
<VirtualHost *:80>
    DocumentRoot /home/foobar/htdocs/isyapp.foobar.fr/current/public
    ServerName isyapp.foobar.fr
    <Directory "/home/foobar/htdocs/isyapp.foobar.fr/current/public">
        <If "%{THE_REQUEST} =~ m# /apiex/?#i">
            AuthType None
            AllowOverride None
            Order Allow,deny
            Allow from All
        </If>
        <Else>
            Options Indexes FollowSymLinks MultiViews
            # Help:
            # * https://docs.active-directory-wp.com/Networking/Single_Sign_On/Kerberos_SSO_with_Apache_on_Linux.html
            # * https://github.com/gssapi/mod_auth_gssapi
            AuthType GSSAPI
            AuthName "Kerberos authenticated intranet"
            GssapiCredStore keytab:/etc/kerberos.keytab
            # Only allow krb5 and ignore ntlmssp and iakerb
            GssapiAllowedMech krb5
            # We want to fallback to Basic Auth (linux user)
            GssapiBasicAuth On
            # Resolve remote's user into REMOTE_USER variable. Proper setting of [realms].auth_to_local in /etc/krb5.conf is required
            GssapiLocalName On
            GssapiNegotiateOnce On
            GssapiAcceptorName HTTP@isyapp.foobar.fr
            GssapiUseSessions On
            Session On
            SessionCookieName gssapi_session path=/;httponly;
            Require valid-user
        </Else>
        <IfModule mod_rewrite.c>
            Options -MultiViews
            RewriteEngine On
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteRule ^(.*)$ index.php [QSA,L]
        </IfModule>
    </Directory>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
    CustomLog ${APACHE_LOG_DIR}/isyapp.foobar.fr.access.log combined
    ErrorLog ${APACHE_LOG_DIR}/isyapp.foobar.fr.error.log
</VirtualHost>
/etc/krb5.conf
[libdefaults]
default_realm = CER02.INTRA
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
/etc/kerberos.keytab
root@p-02-webisy:/etc/apache2# ktutil
ktutil: r
read_kt   read_st   rkt   rst
ktutil: read_kt /etc/kerberos.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 HTTP/isy.foobar.fr@CER02.INTRA
   2    4 HTTP/isyapp.foobar.fr@CER02.INTRA
To be honest, I really don't know Kerberos or the GSS API, but I tried many things...
I'm not sure if it's the root issue, but I was not able to migrate the following config option:
KrbAuthRealms CER02.INTRA
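A quick way to check what the error line above is actually complaining about is to compare the principal named in the log against the principals present in the keytab. The script below is an added example, not code from the issue or from mod_auth_gssapi: it parses a ktutil listing, pulls the `No key table entry found matching ...` principal out of the Apache error log, converts the `GssapiAcceptorName` host-based form (`HTTP@host`) into a krb5 principal (`HTTP/host@REALM`), and reports which names the keytab does and does not cover. The sample listing and log line are copied from this post; the default realm is assumed to be the `default_realm` from the posted krb5.conf. Principal names that end in a bare `@` (empty realm) are treated as belonging to the default realm, which is how the missing name appears in the log.

```python
import re

# Constructed sample inputs, taken from the ktutil listing and error log in this post.
KTUTIL_LISTING = """slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 HTTP/isy.foobar.fr@CER02.INTRA
   2    4 HTTP/isyapp.foobar.fr@CER02.INTRA
"""

ERROR_LOG = (
    "[Tue Jun 25 18:51:17.496746 2024] [auth_gssapi:error] [pid 103358] "
    "[client 127.0.0.1:40726] GSS ERROR gss_acquire_cred[_from]() failed to get "
    "server creds: [No credentials were supplied, or the credentials were "
    "unavailable or inaccessible (No key table entry found matching "
    "HTTP/prod-01-isy.prod.com@)]\n"
)

# Assumption: default_realm as set in the posted /etc/krb5.conf.
DEFAULT_REALM = "CER02.INTRA"

# Matches a ktutil 'l' data row: slot, kvno, principal.
_KT_ROW = re.compile(r"^\s*\d+\s+\d+\s+(\S+)\s*$")
# Matches the principal that gss_acquire_cred could not find in the keytab.
_MISSING = re.compile(r"No key table entry found matching ([^)\s]+)")


def parse_keytab_listing(text):
    """Return the set of principals listed by 'ktutil: l' (header rows skipped)."""
    return {m.group(1) for m in map(_KT_ROW.match, text.splitlines()) if m}


def missing_principals_from_log(log):
    """Return every principal the error log says is absent from the keytab."""
    return _MISSING.findall(log)


def qualify(principal, default_realm):
    """Normalise 'svc/host', 'svc/host@' and 'svc/host@REALM' to 'svc/host@REALM'."""
    name, _, realm = principal.partition("@")
    return f"{name}@{realm or default_realm}"


def acceptor_name_to_principal(acceptor, default_realm):
    """GssapiAcceptorName uses GSS host-based form 'HTTP@host'; krb5 wants 'HTTP/host@REALM'."""
    service, _, host = acceptor.partition("@")
    if not host:
        raise ValueError(f"acceptor name {acceptor!r} is not in service@host form")
    return f"{service}/{host}@{default_realm}"


def diagnose(listing, log, acceptor, default_realm=DEFAULT_REALM):
    """Report whether the configured acceptor and every log-reported principal exist in the keytab."""
    keytab = parse_keytab_listing(listing)
    acceptor_principal = acceptor_name_to_principal(acceptor, default_realm)
    return {
        "keytab_principals": sorted(keytab),
        "acceptor_principal": acceptor_principal,
        "acceptor_in_keytab": acceptor_principal in keytab,
        # Map each principal named in the log to whether the keytab actually holds it.
        "log_principals": {
            p: qualify(p, default_realm) in keytab for p in missing_principals_from_log(log)
        },
    }


if __name__ == "__main__":
    report = diagnose(KTUTIL_LISTING, ERROR_LOG, "HTTP@isyapp.foobar.fr")
    print("keytab holds:      ", ", ".join(report["keytab_principals"]))
    print("acceptor principal:", report["acceptor_principal"],
          "(present)" if report["acceptor_in_keytab"] else "(MISSING)")
    for principal, present in report["log_principals"].items():
        print("log asked for:     ", principal,
              "(present)" if present else "(MISSING from keytab)")
```

Run it against the real files with the listing from `ktutil` (or `klist -kt`) and a tail of the error log; if the name the log asks for is not the one in `GssapiAcceptorName`, that mismatch is what to chase, since the module will only succeed on requests where the key it looks up happens to be in the keytab.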