Apache-2.2
Apache 2.2 mod_auth_kerb SSO 停止工作
我完全不知道為什麼它剛剛停止工作,這就是我檢查的內容:
httpd-error.log:
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1758): [client 10.105.5.131] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos [Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1758): [client 10.105.5.131] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos [Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1264): [client 10.105.5.131] Acquiring creds for HTTP/<FQDN>@<LOCAL.DOMAIN> [Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1411): [client 10.105.5.131] Verifying client data using KRB5 GSS-API [Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1427): [client 10.105.5.131] Client didn't delegate us their credential [Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1446): [client 10.105.5.131] GSS-API token of length 22 bytes will be sent back [Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1758): [client 10.105.5.131] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos [Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1264): [client 10.105.5.131] Acquiring creds for HTTP/<FQDN>@<LOCAL.DOMAIN> [Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1411): [client 10.105.5.131] Verifying client data using KRB5 GSS-API [Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1427): [client 10.105.5.131] Client didn't delegate us their credential [Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1125): [client 10.105.5.131] GSS-API major_status:00090000, minor_status:00000000
sudo kinit -t /etc/krb5.keytab HTTP/<FQDN>
工作正常,沒有錯誤
須藤清單:
Credentials cache: FILE:/tmp/krb5cc_0 Principal: HTTP/<FQDN>@<LOCAL.DOMAIN> Issued Expires Principal Jun 11 17:21:58 2015 Jun 12 00:01:57 2015 krbtgt/<LOCAL.DOMAIN>@<LOCAL.DOMAIN>
krb5.conf
[libdefaults] ticket_lifetime = 24000 default_realm = <LOCAL.DOMAIN> dns_lookup_realm = false dns_lookup_kdc = false default_keytab_name = /etc/krb5.keytab rdns = false [realms] KC.KPLUS = { kdc = <dc.ip>:88 admin_server = <dc.ip>:88 default_domain = <LOCAL.DOMAIN> } [domain_realm] .<local.domain> = <LOCAL.DOMAIN> <local.domain> = <LOCAL.DOMAIN> [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }
.htaccess
AddHandler cgi-script .cgi .pl Options +ExecCGI DirectoryIndex index.pl AuthName "<LOCAL.DOMAIN>" AuthType Kerberos Krb5Keytab /etc/krb5.keytab KrbAuthRealm <LOCAL.DOMAIN> KrbMethodNegotiate on KrbServiceName HTTP/<FQDN>@<LOCAL.DOMAIN> KrbMethodK5Passwd off KrbSaveCredentials on KrbVerifyKDC off Require valid-user
檢查客戶端的流量,顯然它開始協商,同意 KRB5 機器並發送票證。結果收到 401。
我無法弄清楚這裡有什麼問題,任何想法都將不勝感激。
當密鑰表中列出的 SPN 與客戶端(瀏覽器)提供的主體名稱不匹配時,就會發生這種情況。
它可能取決於所使用的瀏覽器(一些瀏覽器從 URL 中獲取名稱,另一些瀏覽器對它們連接的 IP 地址進行反向查找)。
常見的解決方案是將 KrbServiceName 設置為 Any:
KrbServiceName Any
這將放鬆檢查,允許使用伺服器密鑰表中的任何密鑰。
如果您使用的是 Debian,您最近是否從 wheezy 更新為 jessie?我有一個類似的問題,並且在 apache 2.4 (jessie) 模組中刪除了 apache 2.2 (wheezy) 模組的一些 ldap 指令 (AuthzLDAPAuthoritative) ( Upgrading to 2.4 from 2.2 )。也許同樣的情況也發生在 kerberos 上。