RHEL8 and GSSAPI Kerberos authentication through Apache issue
I'm trying to run an apache virtualhost, on a machine currently running Red Hat Enterprise Linux release 8.5 (Ootpa), with Kerberos authentication using the new GSSAPI module (replacement of mod_auth_kerb).
I also configured LDAP directives to authenticate my users through an LDAP thanks to mod_ldap.
My krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MY.DOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
MY.DOMAIN = {
kdc = ADserver.my.domain
a_server = ADserver.my.domain
default_domain = my.domain
}
[domain_realm]
.kerberos.server = MY.DOMAIN
.my.domain = MY.DOMAIN
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
I created a user to which a keytab is assigned. My user is called "usersso".
SPN info :
C:\Users\me>setspn -L usersso
Registered ServicePrincipalNames for CN=UserSso,OU=Users,DC=MY,DC=DOMAIN:
HTTP/myserver.my.domain
C:\Users\me>setspn -Q HTTP/myserver.my.domain
Checking domain DC=MY,DC=DOMAIN
CN=UserSso,OU=Users,DC=MY,DC=DOMAIN
HTTP/myserver.my.domain
Existing SPN found!
I sent my keytab to my apache server :
[root@myserver conf.d]# klist -ek /etc/httpd/usersso.keytab
Keytab name: FILE:/etc/httpd/usersso.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 HTTP/[email protected] (aes256-cts-hmac-sha1-96)
Keytab tests :
[root@myserver httpd]# kinit -V -kt /etc/httpd/usersso.keytab -p HTTP/[email protected]
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/[email protected]
Using keytab: /etc/httpd/usersso.keytab
Authenticated to Kerberos v5
[root@myserver httpd]# klist -Af
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/[email protected]
Valid starting Expires Service principal
16/06/2022 13:03:23 16/06/2022 23:03:23 krbtgt/[email protected]
renew until 17/06/2022 13:03:23, Flags: FPRIA
Keytab looks OK.
Now my virtualhost configuration:
<VirtualHost 192.168.168.168:80>
ServerName myserver.my.domain
ErrorLog /var/log/httpd/myserver.my.domain_error.log
TransferLog /var/log/httpd/myserver.my.domain_access.log
LogLevel debug
<Location />
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
GssapiBasicAuth On
GssapiBasicAuthMech krb5
GssapiAllowedMech krb5
GssapiCredStore keytab:/etc/httpd/usersso.keytab
GssapiLocalName On
BrowserMatch Windows gssapi-no-negotiate
AuthLDAPURL ldap://ldapserver:10400/ou=users,o=enterprise,dc=city,dc=fr?uid?sub?(objectclass=person)
AuthLDAPGroupAttribute member
AuthLDAPBindDN "cn=apache,ou=users,o=enterprise,dc=city,dc=fr"
AuthLDAPBindPassword "XXXX"
AuthzSendForbiddenOnFailure On
Require ldap-group cn=group_to_authenticate_users,ou=Groupe,ou=Profil,o=enterprise,dc=city,dc=fr
</Location>
# tag::TLSClient[]
SSLProxyEngine on
SSLProxyProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLProxyCipherSuite HIGH:!aNULL:!MD5
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLProxyVerifyDepth 10
SSLOCSPEnable off
# end::TLSClient[]
ProxyPass / https://anotherserver:443/
ProxyPassReverse / https://anotherserver:443/
</VirtualHost>
When I try to access my virtualhost, I am not directly sent to anotherserver but I have an authentication window prompt that appears on my Google Chrome browser (which means Kerberos authentication doesn't work properly)
Access_log says :
10.10.10.10(me) - - [16/Jun/2022:11:53:21 +0200] "GET / HTTP/1.1" 401 381
Error log says :
[Thu Jun 16 12:49:42.867213 2022] [authz_core:debug] [pid 8154:tid 139726585538304] mod_authz_core.c(820): [client 10.10.10.10:62252] AH01626: authorization result of Require ldap-group cn=group_to_authenticate_users,ou=Groupe,ou=Profil,o=enterprise,dc=city,dc=fr: denied (no authenticated user yet)
[Thu Jun 16 12:49:42.867231 2022] [authz_core:debug] [pid 8154:tid 139726585538304] mod_authz_core.c(820): [client 10.10.10.10:62252] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Jun 16 12:49:42.867256 2022] [auth_gssapi:debug] [pid 8154:tid 139726585538304] mod_auth_gssapi.c(901): [client 10.10.10.10:62252] URI: /, no main, no prev
[Thu Jun 16 12:49:42.867273 2022] [auth_gssapi:info] [pid 8154:tid 139726585538304] [client 10.10.10.10:62252] NO AUTH DATA Client did not send any authentication headers
And finally, if I enter my credentials through the Chrome browser's credentials prompt, I'm successfully authenticated with my LDAP group and I can access anotherserver, but the SSO thanks to Kerberos GSSAPI doesn't work; I still have to enter my credentials manually .. :(
curl result: the WWW-Authenticate: Negotiate response header is present:
curl -k -L http://myserver.my.domain/ -v
* Trying 192.168.168.168:80...
* TCP_NODELAY set
* Connected to myserver.my.domain (192.168.168.168) port 80 (#0)
> GET / HTTP/1.1
> Host: myserver.my.domain
> User-Agent: curl/7.65.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Date: Thu, 16 Jun 2022 10:57:31 GMT
< Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k mod_auth_gssapi/1.6.1
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="GSSAPI Single Sign On Login"
< Content-Length: 381
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
* Connection #0 to host myserver.my.domain left intact
Can somebody help me with this issue?
Thanks!
EDIT:
I finally found the solution!
- I removed "BrowserMatch Windows gssapi-no-negotiate" from my apache conf,
- And stopped and disabled the gssproxy service because I'm still unable to work with it in RHEL8.6,
- And then don't forget to change Environment=GSS_USE_PROXY to 0 to avoid "gss_localname() input error" in apache error logs.
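Added example, not part of the original post: mod_auth_gssapi's `gssapi-no-negotiate` environment variable suppresses the `WWW-Authenticate: Negotiate` header, so the `BrowserMatch Windows` rule removed in the EDIT hides Negotiate from any User-Agent containing "Windows" while curl still receives it. The function names, the temporary file and the Chrome User-Agent string are constructed for illustration.

```shell
#!/bin/sh
# Added example: does an httpd config suppress "WWW-Authenticate: Negotiate"
# for a User-Agent via BrowserMatch[NoCase] ... gssapi-no-negotiate?
# Assumption: grep -E approximates httpd's regex; quoted patterns with spaces are not handled.

# negotiate_suppressed CONF USER_AGENT
# Prints the first matching rule and returns 0; returns 1 if none matches.
negotiate_suppressed() {
    ns_conf=$1 ns_ua=$2
    while read -r ns_dir ns_pat ns_rest; do
        case $(printf '%s' "$ns_dir" | tr '[:upper:]' '[:lower:]') in
            browsermatch)       ns_flag= ;;
            browsermatchnocase) ns_flag=-i ;;
            *) continue ;;      # comments, blank lines, other directives
        esac
        case " $ns_rest " in
            *" gssapi-no-negotiate "*|*" gssapi-no-negotiate="*) ;;
            *) continue ;;      # rule sets some other variable
        esac
        ns_pat=${ns_pat#\"}; ns_pat=${ns_pat%\"}
        if printf '%s\n' "$ns_ua" | grep -Eq $ns_flag -e "$ns_pat"; then
            printf '%s %s %s\n' "$ns_dir" "$ns_pat" "$ns_rest"
            return 0
        fi
    done <"$ns_conf"
    return 1
}

# Constructed sample: the rule from the question's <Location> block.
write_sample_conf() {
    printf '%s\n' '<Location />' \
        '    AuthType GSSAPI' \
        '    BrowserMatch Windows gssapi-no-negotiate' \
        '</Location>' >"$1"
}

# Constructed Chrome-on-Windows User-Agent; the curl one appears in the post.
UA_CHROME='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36'
UA_CURL='curl/7.65.0'

sample=$(mktemp)
write_sample_conf "$sample"
for ua in "$UA_CHROME" "$UA_CURL"; do
    negotiate_suppressed "$sample" "$ua" >/dev/null \
        && echo "Negotiate suppressed (Basic only): $ua" \
        || echo "Negotiate offered: $ua"
done
rm -f "$sample"
```

With the rule in place, a Windows browser is offered only Basic and shows the credentials prompt, which matches the "NO AUTH DATA" line in the error log.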