Aleks Feltin | 13 May 22:16 2009

Apache 2.2.x and mod_auth_kerb-5.4 atn/atz question

Hello,

Firstly, I would like to thank you for your time spent on reading this. 

My question concerns the atn/atz topic. Namely, I would like to utilize Negotiate and LDAP Basic atn with LDAP
group based atz for an Apache virtual directory.
What I want to achieve is to have the Negotiate method fall back to LDAP Basic in case the browser is not capable of
sending a SPNEGO token. I am using the following configuration:

      <Location /gss>
          Options Indexes

          # Kerberos V5
          Authtype Kerberos
          KrbAuthoritative on
          KrbAuthRealms DEV.REALM.NET
          KrbServiceName HTTP
          Krb5Keytab /etc/httpd/security/nympha.ktab
          KrbMethodNegotiate on
          KrbMethodK5Passwd off
          KrbDelegateBasic on
          # End Kerberos V5

          # LDAP
          AuthBasicProvider ldap
          AuthzLDAPAuthoritative on
          AuthLDAPBindDN "CN=reader,OU=Service Accounts,OU=Accounts,DC=dev,DC=realm,DC=net"
          AuthLDAPBindPassword "*****"
          AuthLDAPURL "ldap://ldap.dev.realm.net:389/OU=Employees,OU=Accounts,DC=dev,DC=realm,DC=net?userPrincipalName?sub?(objectClass=user)"
          AuthName HTTP_Protected_Place

Matej Prišťák | 14 May 00:10 2009

Re: Apache 2.2.x and mod_auth_kerb-5.4 atn/atz question

Hi,
you should try the latest version of mod_auth_kerb from CVS and try the Basic
provider support recently added there.

The configuration file should look something like this:

       <Location /gss>
           Options Indexes

           # Kerberos V5
           Authtype Basic
           KrbAuthoritative on
           KrbAuthRealms DEV.REALM.NET
           KrbServiceName HTTP
           Krb5Keytab /etc/httpd/security/nympha.ktab
           KrbMethodNegotiate on
           KrbMethodK5Passwd off
           KrbDelegateBasic on
           # End Kerberos V5

           # LDAP
           AuthBasicProvider kerberos ldap
           AuthzLDAPAuthoritative on
           AuthLDAPBindDN "CN=reader,OU=Service Accounts,OU=Accounts,DC=dev,DC=realm,DC=net"
           AuthLDAPBindPassword "*****"
           AuthLDAPURL "ldap://ldap.dev.realm.net:389/OU=Employees,OU=Accounts,DC=dev,DC=realm,DC=net?userPrincipalName?sub?(objectClass=user)"
           AuthName HTTP_Protected_Place
           Require ldap-group CN=SVN_Access_EnabledUsers,OU=Access,OU=SVN,OU=Groups,DC=dev,DC=realm,DC=net
           # End LDAP


Aleks Feltin | 14 May 08:57 2009

Re: Apache 2.2.x and mod_auth_kerb-5.4 atn/atz question

Thank you for your reply. I did a CVS checkout and compiled the module. I also changed my configuration as you suggested.
Unfortunately nothing changed and I keep receiving the mentioned messages in the error log after a Basic
authentication attempt.

[Thu May 14 09:52:51 2009] [debug] src/mod_auth_kerb.c(1728): [client 192.168.80.29] kerb_authenticate_user entered with user (NULL) and auth_type KerberosV5
[Thu May 14 09:52:51 2009] [error] [client 192.168.80.29] access to /gss failed, reason: verification of user id '<null>' not configured

regards,

Aleks F.

On 14/05/09 00:10 +0200, Matej Prišťák wrote:
>Hi,
>you should try the latest version of mod_auth_kerb from CVS and try the Basic
>provider support recently added there.
>
>The configuration file should look something like this:
>
>       <Location /gss>
>           Options Indexes
> 
>           # Kerberos V5
>           Authtype Basic
>           KrbAuthoritative on
>           KrbAuthRealms DEV.REALM.NET
>           KrbServiceName HTTP
>           Krb5Keytab /etc/httpd/security/nympha.ktab
>           KrbMethodNegotiate on

Matej Prišťák | 14 May 09:33 2009

Re: Apache 2.2.x and mod_auth_kerb-5.4 atn/atz question

Sorry, my fault, Basic auth naturally won't work with Nego.
Basically, Apache does not support using multiple authentication methods in one
request, and the Basic provider can be used only with password auth.

You can try our new "general" provider module, which extends AuthType
directive.
Download URL: http://meta.cesnet.cz/soubory/mod_auth_provider-0.1.tar.gz

With this module, your configuration should look something like:

<Location /gss>
           Options Indexes

           # Kerberos V5
           Authtype Kerberos:Basic
           KrbAuthoritative on
           KrbAuthRealms DEV.REALM.NET
           KrbServiceName HTTP
           Krb5Keytab /etc/httpd/security/nympha.ktab
           KrbMethodNegotiate on
           KrbMethodK5Passwd off
           KrbDelegateBasic on
           # End Kerberos V5

           # LDAP
           AuthBasicProvider ldap
           AuthzLDAPAuthoritative on
           AuthLDAPBindDN "CN=reader,OU=Service Accounts,OU=Accounts,DC=dev,DC=realm,DC=net"
           AuthLDAPBindPassword "*****"
           AuthLDAPURL "ldap://ldap.dev.realm.net:389/OU=Employees,OU=Accounts,DC=dev,DC=realm,DC=net?userPrincipalName?sub?(objectClass=user)"

Aleks Feltin | 14 May 09:59 2009

Re: Apache 2.2.x and mod_auth_kerb-5.4 atn/atz question

OK, I compiled this module. I am using the following configuration now:

     <Location /gss>
         Options Indexes

         # Kerberos V5
         Authtype Kerberos:Basic
         KrbAuthoritative on
         KrbAuthRealms DEV.HANSA.EE
         KrbServiceName HTTP
         Krb5Keytab /etc/httpd/security/nympha.ktab
         KrbMethodNegotiate on
         KrbMethodK5Passwd off
         KrbDelegateBasic on
         # End Kerberos V5

         # LDAP
         AuthBasicProvider ldap
         AuthzLDAPAuthoritative on
         AuthLDAPBindDN "CN=reader,OU=Service Accounts,OU=Accounts,DC=dev,DC=hansa,DC=ee"
         AuthLDAPBindPassword "r"
         AuthLDAPURL "ldap://ldap.dev.hansa.ee:389/OU=Employees,OU=Accounts,DC=dev,DC=hansa,DC=ee?userPrincipalName?sub?(objectClass=user)"
         AuthName HTTP_Protected_Place
         Require ldap-group CN=SVN_Access_KerberosEnabledUsers,OU=Access,OU=SVN,OU=Groups,DC=dev,DC=hansa,DC=ee
         Require ldap-group CN=SVN_Access_PasswordEnabledUsers,OU=Access,OU=SVN,OU=Groups,DC=dev,DC=hansa,DC=ee
         # End LDAP

     </Location>

Seems that Basic is asked for every time now, regardless of the browser sending SPNEGO. Basic works fine now,

Markus Schuh | 14 May 10:58 2009

Re: Apache 2.2.x and mod_auth_kerb-5.4 atn/atz question

On 5/13/2009 10:16 PM, Aleks Feltin wrote:
> My question concerns atn/atz topic. Namely, I would like to utilize
> Negotiate and LDAP Basic atn with LDAP group based atz for Apache
> virtual directory.
> What I want to achieve is to have Negotiate method failback to LDAP
> Basic in case browser is not capable to send SPNEGO token. I am using
> following configuration:

I use this setup with mod_auth_kerb 5.3.

Going back to the first setup you sent:

>  <Location /gss>
[...]
>      # Kerberos V5
>      Authtype Kerberos
>      KrbAuthoritative on
>      KrbAuthRealms DEV.REALM.NET
>      KrbServiceName HTTP
>      Krb5Keytab /etc/httpd/security/nympha.ktab
>      KrbMethodNegotiate on
>      KrbMethodK5Passwd off
>      KrbDelegateBasic on
>      # End Kerberos V5
> 
>      # LDAP
>      AuthBasicProvider ldap
>      AuthzLDAPAuthoritative on
>      AuthLDAPBindDN ...
>      AuthLDAPBindPassword "*****"

Aleks Feltin | 14 May 12:49 2009

Re: Apache 2.2.x and mod_auth_kerb-5.4 atn/atz question

I am extremely happy, as now it is working exactly as I expected.
Special thanks to Markus Schuh! In case someone is puzzled by a similar atn/atz task, here is my config:

     <Location /gss>
         Options Indexes

         # Kerberos V5
         Authtype Kerberos
         KrbAuthoritative off
         KrbAuthRealms DEV.REALM.NET
         KrbServiceName HTTP
         Krb5Keytab /etc/httpd/security/nympha.ktab
         KrbMethodNegotiate on
         KrbMethodK5Passwd on
         KrbDelegateBasic off
         # End Kerberos V5

         # LDAP
         #AuthBasicProvider ldap
         AuthzLDAPAuthoritative off
         AuthLDAPBindDN "CN=reader,OU=Service Accounts,OU=Accounts,DC=dev,DC=realm,DC=net"
         AuthLDAPBindPassword "******"
         AuthName HTTP_Protected_Place
         AuthLDAPURL "ldap://ldap.dev.realm.net:389/OU=Employees,OU=Accounts,DC=dev,DC=realm,DC=net?userPrincipalName?sub?(objectClass=user)"
         Require ldap-group CN=SVN_Access_EnabledUsers,OU=Access,OU=SVN,OU=Groups,DC=dev,DC=realm,DC=net
         # End LDAP

     </Location>

On 14/05/09 10:58 +0200, Markus Schuh wrote:

Steven Moix | 22 May 15:34 2009

NTLM authentication error

Hello,

I'm having a problem with single sign-on using mod_auth_kerb and Apache. I'm
trying to automatically log in users with IE and Firefox, but it doesn't
work. A login box gets displayed instead of an automatic login.
Logging in this way works perfectly (that's the log below), but the
automatic login doesn't...

In the Apache logs we have this:

[Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1628): [client 172.16.228.111] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1628): [client 172.16.228.111] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1240): [client 172.16.228.111] Acquiring creds for HTTP@srvcos002.xxx.yyy.dom
[Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1385): [client 172.16.228.111] Verifying client data using KRB5 GSS-API
[Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1401): [client 172.16.228.111] Client didn't delegate us their credential
[Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1429): [client 172.16.228.111] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1101): [client 172.16.228.111] GSS-API major_status:00090000, minor_status:00000000
[Fri May 22 14:58:35 2009] [error] [client 172.16.228.111] gss_accept_sec_context() failed: Invalid token was supplied (, No error)

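The log above only says the token "seems to be NTLM". The following is an added example (not part of this thread or of mod_auth_kerb) that decodes a captured Authorization header offline and reports whether the client actually sent an NTLMSSP message, a SPNEGO token or a raw Kerberos GSS-API token, so a client-side misconfiguration can be confirmed before touching the server; the sample header values are constructed.

```python
import base64

# DER-encoded mechanism OIDs as they appear inside a GSS-API InitialContextToken.
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2

# Constructed sample "Authorization" header values (not captured from the original post).
# An NTLM-only client still uses the "Negotiate" scheme but sends a raw NTLMSSP Type 1 message.
NTLM_TYPE1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + b"\x00" * 16
SAMPLE_HEADERS = {
    "ie_ntlm_fallback": "Negotiate " + base64.b64encode(NTLM_TYPE1).decode(),
    # [APPLICATION 0] { OID 1.3.6.1.5.5.2, [0] NegTokenInit (empty) }
    "spnego": "Negotiate " + base64.b64encode(bytes.fromhex("600a06062b0601050502a000")).decode(),
    # [APPLICATION 0] { OID 1.2.840.113554.1.2.2 } with the Kerberos AP-REQ omitted
    "krb5_raw": "Negotiate " + base64.b64encode(bytes.fromhex("600b06092a864886f712010202")).decode(),
    "basic": "Basic dXNlcjpwYXNz",
}


def classify_negotiate_token(header_value: str) -> str:
    """Return a short label describing what the client put behind 'Negotiate'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return "malformed-base64"
    # mod_auth_kerb's own check is the NTLMSSP signature; the next four bytes give the message type.
    if token.startswith(b"NTLMSSP\x00"):
        msg_type = int.from_bytes(token[8:12], "little") if len(token) >= 12 else 0
        return f"ntlm-type{msg_type}"
    # A GSS-API token starts with the [APPLICATION 0] tag (0x60) and a DER length.
    if len(token) < 2 or token[0] != 0x60:
        return "unknown"
    i = 1
    length = token[i]
    i += 1
    if length & 0x80:            # long-form length: skip the length-of-length bytes
        i += length & 0x7F
    if i + 2 > len(token) or token[i] != 0x06:
        return "unknown"
    oid_len = token[i + 1]
    oid = token[i + 2:i + 2 + oid_len]
    if oid == SPNEGO_OID:
        return "spnego"
    if oid == KRB5_OID:
        return "krb5"
    return "unknown-gss-mech"


if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(f"{name}: {classify_negotiate_token(header)}")
```

Paste the value of a real browser's Authorization header (from a packet capture or Apache's debug log) into `classify_negotiate_token` to see which mechanism the client chose.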

Antonio Suels | 26 May 16:05 2009

Help with Configuration Problem

Hi,

I am having trouble configuring the module and getting it to work. Any help
would be appreciated.

In my organisation there is a MS Win 2003 Domain with an AD Server
working as a KDC server. The installation is based on Achim Grolms'
(http://www.grolmsnet.de/kerbtut/) walk-through.

The environment's configuration follows:

/etc/krb5.conf
[libdefaults]
         default_realm = DOMAIN.NET

         default_tgs_enctypes = des-cbc-md5
         default_tkt_enctypes = des-cbc-md5

[domain_realm]
         servicebackend.domain.net = DOMAIN.NET

[realms]
         DOMAIN.NET = {
                 kdc = dione.domain.net
                 kdc = pandia.domain.net
                 admin_server = dione.domain.net
                 default_domain = domain.net

A kinit user@DOMAIN.COM with the corresponding password gives me a ticket:


Henry B. Hotz | 26 May 18:52 2009

Re: NTLM authentication error

This is usually a client problem with IE.

On May 22, 2009, at 6:34 AM, Steven Moix wrote:

> Hello,
>
> I'm having a problem with single sign-on using mod_auth_kerb and Apache. I'm
> trying to automatically log in users with IE and Firefox, but it doesn't
> work. A login box gets displayed instead of an automatic login.
> Logging in this way works perfectly (that's the log below), but the
> automatic login doesn't...
>
> In the Apache logs we have this:
>
> [Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1628): [client 172.16.228.111] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1628): [client 172.16.228.111] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1240): [client 172.16.228.111] Acquiring creds for HTTP@srvcos002.xxx.yyy.dom
> [Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1385): [client 172.16.228.111] Verifying client data using KRB5 GSS-API
> [Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1401): [client 172.16.228.111] Client didn't delegate us their credential
> [Fri May 22 14:58:35 2009] [debug] src/mod_auth_kerb.c(1429): [client 172.16.228.111] Warning: received token seems to be NTLM, which isn't