Hi List,
My goal in sending this email is to get some direction on where to start
looking to solve my problem. Thank you all in advance for reading through
this and providing any guidance!
I'm working on moving to new servers, upgrading from CentOS 6.7 to CentOS
7.5. In this move, we are also upgrading from Apache/2.2.15 to Apache/
2.4.33. Our servers are all sitting behind a load balancer end point.
====System specifics===CentOS Linux release 7.5.1804 (Core)
Server version: Apache/2.4.33 (Unix)
Server built: Jul 3 2018 11:33:42
On all of our CentOS 6.7 machines, kerberos works. On all of our 7.5
machines, it fails.
I am looking, at this point, for direction on where to start looking.
Here is some relevant information:
====Output from apache error log===
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
Require all granted: granted
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
<RequireAny>: granted
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
Require all granted: granted
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
<RequireAny>: granted
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
Require valid-user : denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
<RequireAny>: denied (no authenticated user yet)
[auth_kerb:debug] src/mod_auth_kerb.c(1643): kerb_authenticate_user entered
with user (NULL) and auth_type Kerberos
[headers:debug] mod_headers.c(900): AH01503: headers:
ap_headers_error_filter()
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
Require valid-user : denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
<RequireAny>: denied (no authenticated user yet)
[auth_kerb:debug] src/mod_auth_kerb.c(1643): kerb_authenticate_user entered
with user (NULL) and auth_type Kerberos
[auth_kerb:debug] src/mod_auth_kerb.c(1400): Verifying client data using
KRB5 GSS-API
[auth_kerb:debug] src/mod_auth_kerb.c(1416): Client didn't delegate us
their credential
[auth_kerb:debug] src/mod_auth_kerb.c(1444): Warning: received token seems
to be NTLM, which isn't supported by the Kerberos module. Check your IE
configuration.
[auth_kerb:debug] src/mod_auth_kerb.c(1116): GSS-API major_status:00010000,
minor_status:00000000
[auth_kerb:error] gss_accept_sec_context() failed: An unsupported mechanism
was requested (, Unknown error)
[headers:debug] mod_headers.c(900): AH01503: headers:
ap_headers_error_filter()
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
Require all granted: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
<RequireAny>: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
Require all granted: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
<RequireAny>: granted, referer: https://six.***********.com/sso
[headers:debug] mod_headers.c(900): AH01503: headers:
ap_headers_error_filter()
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
Require all granted: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
<RequireAny>: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
Require all granted: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
<RequireAny>: granted, referer: https://six.***********.com/sso
====apache vhost files===
==site specific=
<VirtualHost *:80>
Define vhost_name siteName
Define vhost_home /path/to/site/home
Include conf/vhosts.d/template.inc
</VirtualHost>
==conf/vhosts.d/template.inc contains=
<Directory "${vhost_home}/sso">
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbAuthoritative off
KrbAuthRealms [list of realms removed for security]
Krb5Keytab "/etc/krb5.keytab"
KrbServiceName Any
require valid-user
ErrorDocument 401 "<html><meta
http-equiv=\"refresh\"
content=\"0;url=/login/anonlogin.php\"></html>"
</Directory>
====And some output from kinit and klist===
$ sudo kinit -V -t /etc/krb5.keytab HTTP/six.***********.com at
EXT.**********.COM
keytab specified, forcing -k
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/six.***********.com at EXT.**********.COM
Using keytab: /etc/krb5.keytab
kinit: Client 'HTTP/six.***********.com at EXT.**********.COM
Kerberos database while getting initial credentials
$ sudo klist -etk
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- -------------------
------------------------------------------------------
3 09/27/2018 10:22:17 HTTP/one.***********.com at aaa.**********.COM
(arcfour-hmac)
3 09/27/2018 10:22:17 HTTP/two.***********.com at aaa.**********.COM
(arcfour-hmac)
3 09/27/2018 10:22:17 HTTP/three.***********.com at aaa.**********.COM
(arcfour-hmac)
3 09/27/2018 10:22:17 HTTP/four.***********.com at aaa.**********.COM
(arcfour-hmac)
3 09/27/2018 10:22:17 HTTP/five.***********.com at aaa.**********.COM
(arcfour-hmac)
3 09/27/2018 10:22:17 HTTP/six.***********.com at aaa.**********.COM
(arcfour-hmac)