Apache-2.2

Apache 2.2 mod_auth_kerb SSO stopped working

  • June 17, 2015

I have no idea why it just stopped working; this is what I have checked:

httpd-error.log:

[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1758): [client 10.105.5.131] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1758): [client 10.105.5.131] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1264): [client 10.105.5.131] Acquiring creds for HTTP/<FQDN>@<LOCAL.DOMAIN>
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1411): [client 10.105.5.131] Verifying client data using KRB5 GSS-API
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1427): [client 10.105.5.131] Client didn't delegate us their credential
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1446): [client 10.105.5.131] GSS-API token of length 22 bytes will be sent back
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1758): [client 10.105.5.131] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1264): [client 10.105.5.131] Acquiring creds for HTTP/<FQDN>@<LOCAL.DOMAIN>
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1411): [client 10.105.5.131] Verifying client data using KRB5 GSS-API
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1427): [client 10.105.5.131] Client didn't delegate us their credential
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1125): [client 10.105.5.131] GSS-API major_status:00090000, minor_status:00000000

sudo kinit -t /etc/krb5.keytab HTTP/<FQDN>

Works fine, no errors.

sudo klist:

Credentials cache: FILE:/tmp/krb5cc_0
   Principal: HTTP/<FQDN>@<LOCAL.DOMAIN>

Issued                Expires               Principal
Jun 11 17:21:58 2015  Jun 12 00:01:57 2015  krbtgt/<LOCAL.DOMAIN>@<LOCAL.DOMAIN>

krb5.conf

[libdefaults]
ticket_lifetime = 24000
default_realm = <LOCAL.DOMAIN>
dns_lookup_realm = false
dns_lookup_kdc = false
default_keytab_name = /etc/krb5.keytab
rdns = false

[realms]
KC.KPLUS = {
 kdc = <dc.ip>:88
 admin_server = <dc.ip>:88
 default_domain = <LOCAL.DOMAIN>
}

[domain_realm]
.<local.domain> = <LOCAL.DOMAIN>
<local.domain> = <LOCAL.DOMAIN>

[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}

.htaccess

AddHandler cgi-script .cgi .pl
Options +ExecCGI
DirectoryIndex index.pl
AuthName "<LOCAL.DOMAIN>"
AuthType Kerberos
Krb5Keytab /etc/krb5.keytab
KrbAuthRealm <LOCAL.DOMAIN>
KrbMethodNegotiate on
KrbServiceName HTTP/<FQDN>@<LOCAL.DOMAIN>
KrbMethodK5Passwd off
KrbSaveCredentials on
KrbVerifyKDC off
Require valid-user

Checking the traffic from the client, it clearly starts negotiating, agrees on the KRB5 mechanism and sends the ticket. The result is a 401.

I can't figure out what is wrong here; any ideas would be greatly appreciated.

This happens when the SPN listed in the keytab does not match the principal name the client (browser) presents.

It may depend on the browser in use (some take the name from the URL, others do a reverse lookup of the IP address they connect to).

The common solution is to set KrbServiceName to Any:

   KrbServiceName Any

This relaxes the check, allowing any key in the server's keytab to be used.
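The last debug line in the question is the one that explains the 401: mod_auth_kerb prints the raw GSS-API major status there. The following Python helper, added here and not taken from the question or from mod_auth_kerb, decodes that value using the RFC 2744 bit layout and pulls such lines out of a debug log; the sample log line is constructed from the question. 00090000 decodes to GSS_S_DEFECTIVE_TOKEN (consistency checks on the token the browser sent failed), which is consistent with the SPN mismatch described in the answer above.

```python
import re

# Bit layout of a GSS-API major status word (RFC 2744, section 3.9.1):
# bits 31-24 calling error, bits 23-16 routine error, bits 15-0 supplementary info.
CALLING_ERRORS = {1: "GSS_S_CALL_INACCESSIBLE_READ", 2: "GSS_S_CALL_INACCESSIBLE_WRITE",
                  3: "GSS_S_CALL_BAD_STRUCTURE"}
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN"}
SUPPLEMENTARY_BITS = {0: "GSS_S_CONTINUE_NEEDED", 1: "GSS_S_DUPLICATE_TOKEN",
                      2: "GSS_S_OLD_TOKEN", 3: "GSS_S_UNSEQ_TOKEN", 4: "GSS_S_GAP_TOKEN"}

def decode_major_status(major):
    """Split a GSS major status into named calling/routine/supplementary parts."""
    calling, routine = (major >> 24) & 0xFF, (major >> 16) & 0xFF
    return {
        "calling": CALLING_ERRORS.get(calling, "unknown(%d)" % calling) if calling else None,
        "routine": ROUTINE_ERRORS.get(routine, "unknown(%d)" % routine) if routine else None,
        "supplementary": [n for b, n in SUPPLEMENTARY_BITS.items() if major & (1 << b)],
        "complete": major == 0,  # GSS_S_COMPLETE: nothing left to negotiate
    }

# Matches the line mod_auth_kerb logs when gss_accept_sec_context() fails.
STATUS_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] GSS-API major_status:(?P<major>[0-9a-fA-F]{8}),"
    r" minor_status:(?P<minor>[0-9a-fA-F]{8})")

def find_gss_failures(log_text):
    """Return one decoded record per GSS status line in mod_auth_kerb debug output."""
    found = []
    for m in STATUS_RE.finditer(log_text):
        rec = decode_major_status(int(m.group("major"), 16))
        rec["client"], rec["minor"] = m.group("client"), int(m.group("minor"), 16)
        found.append(rec)
    return found

# Constructed sample: the final debug line from the question above.
SAMPLE_LOG = ("[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1125): "
              "[client 10.105.5.131] GSS-API major_status:00090000, minor_status:00000000\n")
```

Run `find_gss_failures` over the whole httpd error log to see which clients fail and with which routine error; a non-zero minor status would be mechanism-specific (Kerberos) and is worth looking up separately.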

If you are on Debian, did you recently upgrade from wheezy to jessie? I had a similar problem, and some LDAP directives of the apache 2.2 (wheezy) module (AuthzLDAPAuthoritative) were removed in the apache 2.4 (jessie) module (Upgrading to 2.4 from 2.2). Perhaps the same happened with kerberos.

Source: https://serverfault.com/questions/698336