Discussing problems related to the Kerberos authentication module for Apache

Aleks Feltin | 13 May 2009 22:16

Picon

Apache 2.2.x and mod_auth_kerb-5.4 atn/atz question

Hello,

Firstly, I would like to thank you for your time spent on reading this. 

My question concerns atn/atz topic. Namely, I would like to utilize Negotiate and LDAP Basic atn with LDAP
group based atz for Apache virtual directory.
What I want to achieve is to have Negotiate method failback to LDAP Basic in case browser is not capable to
send SPNEGO token. I am using following configuration:

      <Location /gss>
          Options Indexes

          # Kerberos V5
          Authtype Kerberos
          KrbAuthoritative on
          KrbAuthRealms DEV.REALM.NET
          KrbServiceName HTTP
          Krb5Keytab /etc/httpd/security/nympha.ktab
          KrbMethodNegotiate on
          KrbMethodK5Passwd off
          KrbDelegateBasic on
          # End Kerberos V5

          # LDAP
          AuthBasicProvider ldap
          AuthzLDAPAuthoritative on
          AuthLDAPBindDN "CN=reader,OU=Service Accounts,OU=Accounts,DC=dev,DC=realm,DC=net"
          AuthLDAPBindPassword "*****"
          AuthLDAPURL "ldap://ldap.dev.realm.net:389/OU=Employees,OU=Accounts,DC=dev,DC=realm,DC=net?userPrincipalName?sub?(objectClass=user)"
          AuthName HTTP_Protected_Place

(Continue reading)

Matej Prišťák | 14 May 2009 00:10

Picon

Re: Apache 2.2.x and mod_auth_kerb-5.4 atn/atz question

Hi,
you should try the latest version of mod_auth_kerb from CVS and try the Basic
provider support recently added there.

The configuration file should look something like this:

       <Location /gss>
           Options Indexes

           # Kerberos V5
           Authtype Basic
           KrbAuthoritative on
           KrbAuthRealms DEV.REALM.NET
           KrbServiceName HTTP
           Krb5Keytab /etc/httpd/security/nympha.ktab
           KrbMethodNegotiate on
           KrbMethodK5Passwd off
           KrbDelegateBasic on
           # End Kerberos V5

           # LDAP
           AuthBasicProvider kerberos ldap
           AuthzLDAPAuthoritative on
           AuthLDAPBindDN "CN=reader,OU=Service Accounts,OU=Accounts,DC=dev,DC=realm,DC=net"
           AuthLDAPBindPassword "*****"
           AuthLDAPURL "ldap://ldap.dev.realm.net:389/OU=Employees,OU=Accounts,DC=dev,DC=realm,DC=net?userPrincipalName?sub?(objectClass=user)"
           AuthName HTTP_Protected_Place
           Require ldap-group CN=SVN_Access_EnabledUsers,OU=Access,OU=SVN,OU=Groups,DC=dev,DC=realm,DC=net
           # End LDAP

(Continue reading)

Aleks Feltin | 14 May 2009 08:57

Picon

Re: Apache 2.2.x and mod_auth_kerb-5.4 atn/atz question

Thank you for your reply. I did CVS checkout and compiled the module. I also changed my configuration as you suggested.
Unfortunately nothing changed and I keep receiving mentioned messages in error log after Basic
authentication attempt.

[Thu May 14 09:52:51 2009] [debug] src/mod_auth_kerb.c(1728): [client 192.168.80.29]
kerb_authenticate_user entered with user (NULL) and auth_type KerberosV5
[Thu May 14 09:52:51 2009] [error] [client 192.168.80.29] access to /gss failed, reason: verification of
user id '<null>' not configured

regards,

Aleks F.

On 14/05/09 00:10 +0200, Matej Pri??????k wrote:
>Hi,
>you should try the latest version of mod_auth_kerb from CVS and try the Basic
>provider support recently added there.
>
>The configuration file should look something like this:
>
>       <Location /gss>
>           Options Indexes
> 
>           # Kerberos V5
>           Authtype Basic
>           KrbAuthoritative on
>           KrbAuthRealms DEV.REALM.NET
>           KrbServiceName HTTP
>           Krb5Keytab /etc/httpd/security/nympha.ktab
>           KrbMethodNegotiate on

(Continue reading)

Matej Prišťák | 14 May 2009 09:33

Picon

Re: Apache 2.2.x and mod_auth_kerb-5.4 atn/atz question

Sorry, my fault, Basic auth naturally wont work with Nego.
Basically, Apache does not support using multiple authentication methods in one
request and Basic provider can be used only with password auth.

You can try our new "general" provider module, which extends AuthType
directive.
Download URL: http://meta.cesnet.cz/soubory/mod_auth_provider-0.1.tar.gz

With this module, your configuration should look something like:

<Location /gss>
           Options Indexes

           # Kerberos V5
           Authtype Kerberos:Basic
           KrbAuthoritative on
           KrbAuthRealms DEV.REALM.NET
           KrbServiceName HTTP
           Krb5Keytab /etc/httpd/security/nympha.ktab
           KrbMethodNegotiate on
           KrbMethodK5Passwd off
           KrbDelegateBasic on
           # End Kerberos V5

           # LDAP
           AuthBasicProvider ldap
           AuthzLDAPAuthoritative on
           AuthLDAPBindDN "CN=reader,OU=Service Accounts,OU=Accounts,DC=dev,DC=realm,DC=net"
           AuthLDAPBindPassword "*****"
           AuthLDAPURL "ldap://ldap.dev.realm.net:389/OU=Employees,OU=Accounts,DC=dev,DC=realm,DC=net?userPrincipalName?sub?(objectClass=user)"

(Continue reading)

Aleks Feltin | 14 May 2009 09:59

Picon

Re: Apache 2.2.x and mod_auth_kerb-5.4 atn/atz question

OK, I compiled this module. I am using following configuration now:

     <Location /gss>
         Options Indexes

         # Kerberos V5
         Authtype Kerberos:Basic
         KrbAuthoritative on
         KrbAuthRealms DEV.HANSA.EE
         KrbServiceName HTTP
         Krb5Keytab /etc/httpd/security/nympha.ktab
         KrbMethodNegotiate on
         KrbMethodK5Passwd off
         KrbDelegateBasic on
         # End Kerberos V5

         # LDAP
         AuthBasicProvider ldap
         AuthzLDAPAuthoritative on
         AuthLDAPBindDN "CN=reader,OU=Service Accounts,OU=Accounts,DC=dev,DC=hansa,DC=ee"
         AuthLDAPBindPassword "r"
         AuthLDAPURL "ldap://ldap.dev.hansa.ee:389/OU=Employees,OU=Accounts,DC=dev,DC=hansa,DC=ee?userPrincipalName?sub?(objectClass=user)"
         AuthName HTTP_Protected_Place
         Require ldap-group CN=SVN_Access_KerberosEnabledUsers,OU=Access,OU=SVN,OU=Groups,DC=dev,DC=hansa,DC=ee
         Require ldap-group CN=SVN_Access_PasswordEnabledUsers,OU=Access,OU=SVN,OU=Groups,DC=dev,DC=hansa,DC=ee
         # End LDAP

     </Location>

Seems that Basic is asked now every time, regardless of browser sending the SPNEGO. Basic works fine now,

(Continue reading)

Markus Schuh | 14 May 2009 10:58

Re: Apache 2.2.x and mod_auth_kerb-5.4 atn/atz question

On 5/13/2009 10:16 PM, Aleks Feltin wrote:
> My question concerns atn/atz topic. Namely, I would like to utilize
> Negotiate and LDAP Basic atn with LDAP group based atz for Apache
> virtual directory.
> What I want to achieve is to have Negotiate method failback to LDAP
> Basic in case browser is not capable to send SPNEGO token. I am using
> following configuration:

I use this setup with mod_auth_kerb 5.3

Going back to the first setup, you sent:

>  <Location /gss>
[...]
>      # Kerberos V5
>      Authtype Kerberos
>      KrbAuthoritative on
>      KrbAuthRealms DEV.REALM.NET
>      KrbServiceName HTTP
>      Krb5Keytab /etc/httpd/security/nympha.ktab
>      KrbMethodNegotiate on
>      KrbMethodK5Passwd off
>      KrbDelegateBasic on
>      # End Kerberos V5
> 
>      # LDAP
>      AuthBasicProvider ldap
>      AuthzLDAPAuthoritative on
>      AuthLDAPBindDN ...
>      AuthLDAPBindPassword "*****"

(Continue reading)

Aleks Feltin | 14 May 2009 12:49

Picon

Re: Apache 2.2.x and mod_auth_kerb-5.4 atn/atz question

I am extremely happy, as now it is working exactly as I expected.
Special thanks to Markus Schuh! In case someone is puzzled with similar atn/atz task, here is my config:

     <Location /gss>
         Options Indexes

         # Kerberos V5
         Authtype Kerberos
         KrbAuthoritative off
         KrbAuthRealms DEV.REALM.NET
         KrbServiceName HTTP
         Krb5Keytab /etc/httpd/security/nympha.ktab
         KrbMethodNegotiate on
         KrbMethodK5Passwd on
         KrbDelegateBasic off
         # End Kerberos V5

         # LDAP
         #AuthBasicProvider ldap
         AuthzLDAPAuthoritative off
         AuthLDAPBindDN "CN=reader,OU=Service Accounts,OU=Accounts,DC=dev,DC=realm,DC=net"
         AuthLDAPBindPassword "******"
         AuthName HTTP_Protected_Place
         AuthLDAPURL "ldap://ldap.dev.realm.net:389/OU=Employees,OU=Accounts,DC=dev,DC=realm,DC=net?userPrincipalName?sub?(objectClass=user)"
         Require ldap-group CN=SVN_Access_EnabledUsers,OU=Access,OU=SVN,OU=Groups,DC=dev,DC=realm,DC=net
         # End LDAP

     </Location>

On 14/05/09 10:58 +0200, Markus Schuh wrote:

(Continue reading)

Steven Moix | 22 May 2009 15:34

Picon

NTLM authentication error

Hello,

I'm having a problem for single-signons with mod_auth_kerb and Apache. I'm
re trying to automatically login users with IE and Firefox, but it doesn't
work. A login box gets displayed instead of having an automatic login.
Loging in this way works perfectly (that's the log below), but the
automatic login doesn't...

In the Apache logs we have this:

[Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1628): [client
172.16.228.111] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1628): [client
172.16.228.111] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1240): [client
172.16.228.111] Acquiring creds for HTTP <at> srvcos002.xxx.yyy.dom
[Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1385): [client
172.16.228.111] Verifying client data using KRB5 GSS-API 
[Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1401): [client
172.16.228.111] Client didn't delegate us their credential
[Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1429): [client
172.16.228.111] Warning: received token seems to be NTLM, which isn't
supported by the Kerberos module. Check your IE configuration.
[Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1101): [client
172.16.228.111] GSS-API major_status:00090000, minor_status:00000000
[Fri May 22 14:58:35 2009] [error] [client 172.16.228.111]
gss_accept_sec_context() failed: Invalid token was supplied (, No error)

(Continue reading)

Antonio Suels | 26 May 2009 16:05

Picon

Picon

Help with Configuration Problem

Hi,

I am having trouble configuring and getting the module to work. Any help 
would be appreciated.

In my organisation there is a MS Win 2003 Domain with an AD Server 
working as a KDC server.  The installation is based on Achim Gromls 
(http://www.grolmsnet.de/kerbtut/) walk through.

The environment´s configuration follows:

/etc/krb5.conf
[libdefaults]
         default_realm = DOMAIN.NET

         default_tgs_enctypes = des-cbc-md5
         default_tkt_enctypes = des-cbc-md5

[domain_realm]
         servicebackend.domain.net = DOMAIN.NET

[realms]
         DOMAIN.NET = {
                 kdc = dione.domain.net
                 kdc = pandia.domain.net
                 admin_server = dione.domain.net
                 default_domain = domain.net

a kinit user <at> DOMAIN.COM and corresponding password gives me a ticket:

(Continue reading)

Henry B. Hotz | 26 May 2009 18:52

Picon

Picon

Re: NTLM authentication error

This is usually a client problem with IE.

On May 22, 2009, at 6:34 AM, Steven Moix wrote:

> Hello,
>
> I'm having a problem for single-signons with mod_auth_kerb and  
> Apache. I'm
> re trying to automatically login users with IE and Firefox, but it  
> doesn't
> work. A login box gets displayed instead of having an automatic login.
> Loging in this way works perfectly (that's the log below), but the
> automatic login doesn't...
>
> In the Apache logs we have this:
>
> [Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1628): [client
> 172.16.228.111] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1628): [client
> 172.16.228.111] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1240): [client
> 172.16.228.111] Acquiring creds for HTTP <at> srvcos002.xxx.yyy.dom
> [Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1385): [client
> 172.16.228.111] Verifying client data using KRB5 GSS-API
> [Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1401): [client
> 172.16.228.111] Client didn't delegate us their credential
> [Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1429): [client
> 172.16.228.111] Warning: received token seems to be NTLM, which isn't

(Continue reading)

Group

gmane.comp.apache.mod-auth-kerb.general.

Advertisement

Project Web Page

Discussing problems related to the Kerberos authentication module for Apache

Search Archive

Page

1 | 2

Articles in period: 14

May 2009

Language

Change language

Options

Current view: Threads only / Showing only 20 lines / Not hiding cited text.
Change to All messages, whole messages, or hide cited text.

Post a message
NNTP Newsgroup
Classic Gmane web interface
XML

XML

RSS Feed
List Information

About Gmane

Recent entries

Patch to port to Apache 2.4 (3 Jun 2013)
Configuration behind Microsoft TMG (15 Apr 2013)
Mod_auth_kerb: Warning: received token seems to be NTLM, possible issu (27 Mar 2013)
gss_acquire_cred() failed - unknown error (28 Nov 2012)
500 error w/ mod_auth_kerb and mod_authnz_ldap (27 Nov 2012)
Compiling error - no Kerberos environment found (22 Oct 2012)
Prevauth and KRB5CCNAME not set (28 Sep 2012)
src/mod_auth_kerb.c(1628):kerb_authenticate_user entered with user (NU (21 Sep 2012)
No SPNEGO available during compilation (17 Sep 2012)
Segmentation Fault on OS X … trying to figure out log_rerror() (12 Sep 2012)
Cannot retrieve KRB5CCNAME if logged in with kerberos ticket (27 Aug 2012)
No login possible with Windows2008r2 (12 Jun 2012)
Lower Case Usernames (2 Jun 2012)
Reverse proxy (18 Apr 2012)
FW: make fails with apache 2.4.1 on Centos5.5 (7 Apr 2012)
*****SPAM***** Re: Windows 2000 Ad Server german (7 Apr 2012)
Windows 2000 Ad Server german (7 Apr 2012)
Windows 2008R2 and MIT kerberos library version (14 Mar 2012)
newsletter: Slow page loads when in failover with mod_auth_kerb (7 Mar 2012)
OpenBSD chroot and hostname? (7 Mar 2012)
Slow page loads when in failover with mod_auth_kerb (6 Mar 2012)

Archives

1	June 2013
1	April 2013
1	March 2013
3	February 2013
2	November 2012
1	October 2012
13	September 2012
6	August 2012
7	June 2012
7	April 2012
29	March 2012
13	February 2012
20	January 2012
4	December 2011
7	November 2011
1	October 2011
4	September 2011
30	August 2011
11	July 2011
23	June 2011
21	May 2011
1	March 2011
19	February 2011
4	November 2010
57	September 2010
34	August 2010
3	July 2010
4	June 2010
4	May 2010
36	April 2010
14	March 2010
3	January 2010
20	December 2009
20	November 2009
2	October 2009
2	August 2009
10	July 2009
11	June 2009
14	May 2009
7	April 2009
19	March 2009
16	February 2009
29	January 2009
24	December 2008
4	November 2008
24	October 2008
4	September 2008
9	August 2008
23	July 2008
18	June 2008
19	May 2008
9	April 2008
9	March 2008
41	February 2008
15	January 2008
36	December 2007
23	November 2007
57	October 2007
41	September 2007
29	August 2007
112	July 2007
5	June 2007
46	May 2007
5	April 2007
15	March 2007
29	February 2007
134	January 2007
30	December 2006
77	November 2006
17	October 2006
22	September 2006
58	August 2006
26	July 2006
57	June 2006
64	May 2006
36	April 2006
50	March 2006
63	February 2006
7	January 2006
5	December 2005
17	November 2005
26	October 2005
14	September 2005
24	August 2005
14	July 2005
1	June 2005
35	May 2005
19	April 2005
51	March 2005
43	February 2005
27	January 2005
41	December 2004
29	November 2004
32	October 2004
28	September 2004
82	August 2004
50	July 2004
189	June 2004
1	January 2003

Design

Zawodny | Right Menu | Left Menu

Your Own Design

Paste the URL of your CSS below. Download CSS template