
CentOS 7 Apache HTTPD Kerberos Windows AD Issues

I am reaaallly about to lose my mind with this issue so I hope you can help me. I have googled for hours but just cannot seem to get the right config.

I am setting up Apache on CentOS 7 with Kerberos authentication so that I can achieve SSO in a Windows AD environment. From my understanding this is possible and I should be able to achieve true SSO when accessing via Internet Explorer. Currently I have the following config which generates a 500 Internal Server Error when accessing the site via Internet Explorer but strangely works when using Firefox (albeit I have to enter credentials into a prompt).

I first generated a Service Principal and exported the keytab in Windows using the following command.

ktpass -princ HTTP/server.example.local@EXAMPLE.LOCAL -mapuser EXAMPLE\http-user -crypto ALL -ptype KRB5_NT_PRINCIPAL -mapop set -pass password -out D:\krb5.keytab

After copying the keytab to the CentOS server under /etc/httpd/conf/krb5.keytab I have the following virtual host configured.

<VirtualHost *:80>
    ServerName server.shc.local
    DocumentRoot /var/www/html/test

    LogLevel debug
    ErrorLog /var/log/httpd/test-error.log
    CustomLog /var/log/httpd/test-custom.log combined

<Location />
    Options Indexes
    AuthType Kerberos
    KrbServiceName "HTTP/server.example.local@EXAMPLE.LOCAL"
    AuthName "Welcome to the KRB5 Test"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbVerifyKDC off
    KrbAuthRealms SHC.LOCAL
    Krb5KeyTab /etc/httpd/conf/krb5.keytab
    require valid-user
</Location>

</VirtualHost>

When I access the site via Internet Explorer I get a 500 Internal Server Error and the log looks like this:

[Mon Jun 27 19:14:07.552584 2016] [authz_core:debug] [pid 2832] mod_authz_core.c(809): [client 192.168.214.202:21545] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jun 27 19:14:07.552637 2016] [authz_core:debug] [pid 2832] mod_authz_core.c(809): [client 192.168.214.202:21545] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jun 27 19:14:07.552690 2016] [auth_kerb:debug] [pid 2832] src/mod_auth_kerb.c(1954): [client 192.168.214.202:21545] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jun 27 19:14:07.552747 2016] [auth_kerb:debug] [pid 2832] src/mod_auth_kerb.c(1295): [client 192.168.214.202:21545] Acquiring creds for HTTP/server.example.local@EXAMPLE.LOCAL
[Mon Jun 27 19:14:07.555237 2016] [auth_kerb:debug] [pid 2832] src/mod_auth_kerb.c(1155): [client 192.168.214.202:21545] GSS-API major_status:000d0000, minor_status:0000000d
[Mon Jun 27 19:14:07.555250 2016] [auth_kerb:error] [pid 2832] [client 192.168.214.202:21545] gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, Permission denied)

And then when I access the site via Firefox I get prompted to enter credentials but then I am successfully authenticated. The logs look like this:

[Mon Jun 27 19:16:49.936807 2016] [authz_core:debug] [pid 2828] mod_authz_core.c(809): [client 192.168.214.202:21577] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jun 27 19:16:49.936849 2016] [authz_core:debug] [pid 2828] mod_authz_core.c(809): [client 192.168.214.202:21577] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jun 27 19:16:49.936888 2016] [auth_kerb:debug] [pid 2828] src/mod_auth_kerb.c(1954): [client 192.168.214.202:21577] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jun 27 19:16:50.042925 2016] [authz_core:debug] [pid 2829] mod_authz_core.c(809): [client 192.168.214.202:21578] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jun 27 19:16:50.042960 2016] [authz_core:debug] [pid 2829] mod_authz_core.c(809): [client 192.168.214.202:21578] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jun 27 19:16:50.042982 2016] [auth_kerb:debug] [pid 2829] src/mod_auth_kerb.c(1954): [client 192.168.214.202:21578] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos

Does anyone have any idea what I need to do to get seamless SSO working when accessing the site via Internet Explorer?

OK, I have finally worked this out. I had to disable SELinux! I cannot believe it was that simple but all I did was disable SELinux, restart the server and the authentication started working. I hope this saves someone else the headaches I have been having!
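Added example, not part of the question or the answer above: a small POSIX shell audit that checks the keytab file the way httpd will see it (ownership, mode, SELinux label) and extracts the minor-code text from the `gss_acquire_cred() failed` lines of an httpd error log. The `gss_acquire_cred() ... Permission denied` error with the keytab present on disk is exactly what a file-mode problem or an SELinux denial looks like to mod_auth_kerb, so these are the two things to check before changing the enforcement mode. The function names, the `apache` service user (the CentOS 7 default) and the temporary sample log are assumptions; the sample log lines are constructed from the two auth_kerb lines quoted in the question.

```shell
#!/bin/sh
# Added example (not from the question or the answer): audit the keytab the
# way httpd sees it and pull GSS failure reasons out of an httpd error log.
# Assumptions: service user "apache" (CentOS 7 default), keytab path from the
# question, sample log constructed from the auth_kerb lines in the question.

# Fail if the keytab is missing, world-readable, or not readable by the httpd
# user (owner match with u+r, or group match with g+r).
check_keytab_perms() {
  keytab="$1"
  svc_user="${2:-apache}"
  [ -f "$keytab" ] || { echo "missing: $keytab"; return 1; }
  mode=$(stat -c '%a' "$keytab")
  owner=$(stat -c '%U' "$keytab")
  group=$(stat -c '%G' "$keytab")
  others=$((mode % 10))
  grp=$(( (mode / 10) % 10 ))
  usr=$(( (mode / 100) % 10 ))
  if [ $((others & 4)) -ne 0 ]; then
    echo "world-readable ($mode): chmod 640 $keytab"; return 1
  fi
  if [ "$owner" = "$svc_user" ] && [ $((usr & 4)) -ne 0 ]; then
    echo "ok: $owner:$group $mode"; return 0
  fi
  if [ "$group" = "$svc_user" ] && [ $((grp & 4)) -ne 0 ]; then
    echo "ok: $owner:$group $mode"; return 0
  fi
  echo "not readable by $svc_user ($owner:$group $mode): chown root:$svc_user $keytab; chmod 640 $keytab"
  return 1
}

# On an SELinux host, a file under /etc/httpd must carry httpd_config_t for
# httpd_t to read it; a keytab moved in from a home directory keeps its old
# label. restorecon resets the label without touching enforcement.
check_keytab_context() {
  keytab="$1"
  [ -f "$keytab" ] || { echo "missing: $keytab"; return 1; }
  command -v getenforce >/dev/null 2>&1 || { echo "SELinux tools not installed; context check skipped"; return 0; }
  [ "$(getenforce)" = "Disabled" ] && { echo "SELinux disabled; nothing to check"; return 0; }
  ctx=$(stat -c '%C' "$keytab")
  case "$ctx" in
    *:httpd_config_t:*) echo "context ok: $ctx"; return 0 ;;
    *) echo "context $ctx is not httpd_config_t; fix with: restorecon -v $keytab"; return 1 ;;
  esac
}

# Print "<timestamp>: <minor-code text>" for every gss_acquire_cred failure
# in an httpd error log (the LogLevel debug format shown in the question).
gss_failures() {
  grep 'gss_acquire_cred() failed' "$1" |
    sed -n 's/^\[\([^]]*\)\].*(,\{0,1\} *\(.*\))$/\1: \2/p'
}

# Constructed sample log, copied from the question's auth_kerb lines.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[Mon Jun 27 19:14:07.552747 2016] [auth_kerb:debug] [pid 2832] src/mod_auth_kerb.c(1295): [client 192.168.214.202:21545] Acquiring creds for HTTP/server.example.local@EXAMPLE.LOCAL
[Mon Jun 27 19:14:07.555250 2016] [auth_kerb:error] [pid 2832] [client 192.168.214.202:21545] gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, Permission denied)
EOF

# Stand-alone run: show the failure reason, then audit the question's keytab
# path (on a machine without it, the two checks simply report "missing").
gss_failures "$SAMPLE_LOG"
check_keytab_perms /etc/httpd/conf/krb5.keytab apache || true
check_keytab_context /etc/httpd/conf/krb5.keytab || true
```

On the CentOS box itself, `ausearch -m AVC -ts recent` lists the denial that an Enforcing SELinux logged for the httpd process, and `restorecon -v /etc/httpd/conf/krb5.keytab` puts the label the policy expects under /etc/httpd back on the file, which resolves the `Permission denied` minor code while leaving SELinux enforcing.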
