thr3ads.net - CentOS - [CentOS] CentOS 7.5, Apache 2.4, Kerberos [Oct 2018]

If this information is useful, please help other people find it:
Share via:

rebecca coleman

2018-Oct-04 15:58 UTC

[CentOS] CentOS 7.5, Apache 2.4, Kerberos

Hi List,

My goal in sending this email is to get some direction on where to start
looking to solve my problem.  Thank you all in advance for reading through
this and providing any guidance!

I'm working on moving to new servers, upgrading from CentOS 6.7 to CentOS
7.5.  In this move, we are also upgrading from Apache/2.2.15 to Apache/
2.4.33.  Our servers are all sitting behind a load balancer end point.

====System specifics===CentOS Linux release 7.5.1804 (Core)
Server version: Apache/2.4.33 (Unix)
Server built:   Jul  3 2018 11:33:42

On all of our CentOS 6.7 machines, kerberos works.  On all of our 7.5
machines, it fails.

I am looking, at this point, for direction on where to start looking.
Here is some relevant information:

====Output from apache error log===
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
Require all granted: granted
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
<RequireAny>: granted
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
Require all granted: granted
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
<RequireAny>: granted
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
Require valid-user : denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
<RequireAny>: denied (no authenticated user yet)
[auth_kerb:debug] src/mod_auth_kerb.c(1643): kerb_authenticate_user entered
with user (NULL) and auth_type Kerberos
[headers:debug] mod_headers.c(900): AH01503: headers:
ap_headers_error_filter()
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
Require valid-user : denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
<RequireAny>: denied (no authenticated user yet)
[auth_kerb:debug] src/mod_auth_kerb.c(1643): kerb_authenticate_user entered
with user (NULL) and auth_type Kerberos
[auth_kerb:debug] src/mod_auth_kerb.c(1400): Verifying client data using
KRB5 GSS-API
[auth_kerb:debug] src/mod_auth_kerb.c(1416): Client didn't delegate us
their credential
[auth_kerb:debug] src/mod_auth_kerb.c(1444): Warning: received token seems
to be NTLM, which isn't supported by the Kerberos module. Check your IE
configuration.
[auth_kerb:debug] src/mod_auth_kerb.c(1116): GSS-API major_status:00010000,
minor_status:00000000
[auth_kerb:error] gss_accept_sec_context() failed: An unsupported mechanism
was requested (, Unknown error)
[headers:debug] mod_headers.c(900): AH01503: headers:
ap_headers_error_filter()
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
Require all granted: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
<RequireAny>: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
Require all granted: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
<RequireAny>: granted, referer: https://six.***********.com/sso
[headers:debug] mod_headers.c(900): AH01503: headers:
ap_headers_error_filter()
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
Require all granted: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
<RequireAny>: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
Require all granted: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
<RequireAny>: granted, referer: https://six.***********.com/sso


====apache vhost files===
==site specific=
<VirtualHost *:80>

Define vhost_name siteName
Define vhost_home /path/to/site/home

Include conf/vhosts.d/template.inc

</VirtualHost>

==conf/vhosts.d/template.inc contains=
 <Directory "${vhost_home}/sso">
      AuthType Kerberos
      AuthName "Kerberos Login"
      KrbMethodNegotiate on
      KrbMethodK5Passwd off
      KrbAuthoritative off
      KrbAuthRealms [list of realms removed for security]
      Krb5Keytab "/etc/krb5.keytab"
      KrbServiceName Any
      require valid-user
      ErrorDocument 401 "<html><meta
http-equiv=\"refresh\"
content=\"0;url=/login/anonlogin.php\"></html>"
  </Directory>

====And some output from kinit and klist===
$ sudo kinit -V -t /etc/krb5.keytab HTTP/six.***********.com at
EXT.**********.COM

keytab specified, forcing -k
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/six.***********.com at EXT.**********.COM
Using keytab: /etc/krb5.keytab
kinit: Client 'HTTP/six.***********.com at EXT.**********.COM
Kerberos database while getting initial credentials

$ sudo klist -etk
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- -------------------
------------------------------------------------------
   3 09/27/2018 10:22:17 HTTP/one.***********.com at aaa.**********.COM
(arcfour-hmac)
   3 09/27/2018 10:22:17 HTTP/two.***********.com at aaa.**********.COM
(arcfour-hmac)
   3 09/27/2018 10:22:17 HTTP/three.***********.com at aaa.**********.COM
(arcfour-hmac)
   3 09/27/2018 10:22:17 HTTP/four.***********.com at aaa.**********.COM
(arcfour-hmac)
   3 09/27/2018 10:22:17 HTTP/five.***********.com at aaa.**********.COM
(arcfour-hmac)
   3 09/27/2018 10:22:17 HTTP/six.***********.com at aaa.**********.COM
(arcfour-hmac)

mark

2018-Oct-04 18:00 UTC

head link

[CentOS] CentOS 7.5, Apache 2.4, Kerberos

Hi, rebecca,

rebecca coleman wrote:>
> My goal in sending this email is to get some direction on where to start
> looking to solve my problem.  Thank you all in advance for reading through
>  this and providing any guidance!
>
> I'm working on moving to new servers, upgrading from CentOS 6.7 to
CentOS
>  7.5.  In this move, we are also upgrading from Apache/2.2.15 to Apache/
> 2.4.33.  Our servers are all sitting behind a load balancer end point.
>
<snip>> [auth_kerb:debug] src/mod_auth_kerb.c(1416): Client didn't delegate us
> their credential [auth_kerb:debug] src/mod_auth_kerb.c(1444): Warning:
> received token seems to be NTLM, which isn't supported by the Kerberos
> module. Check your IE configuration. [auth_kerb:debug]
> src/mod_auth_kerb.c(1116): GSS-API major_status:00010000,
> minor_status:00000000
> [auth_kerb:error] gss_accept_sec_context() failed: An unsupported
> mechanism was requested (, Unknown error) [headers:debug]
> mod_headers.c(900): AH01503: headers:<snip>
This is where I'd start. If you're using IE (why?!), what's it
looking for
for authentication?

Also, the new version of CentOS and /etc/httpd/conf.d/ssl.conf may have
the encryption that you're currently using disabled, as it's too weak.

     mark

Gordon Messmer

2018-Oct-07 07:15 UTC

head link

[CentOS] CentOS 7.5, Apache 2.4, Kerberos

On 10/4/18 8:58 AM, rebecca coleman wrote:> My goal in sending this email is to get some direction on where to start
> looking to solve my problem.  Thank you all in advance for reading through
> this and providing any guidance!
...> [auth_kerb:debug] src/mod_auth_kerb.c(1416): Client didn't delegate us
> their credential
> [auth_kerb:debug] src/mod_auth_kerb.c(1444): Warning: received token seems
> to be NTLM, which isn't supported by the Kerberos module. Check your IE
> configuration.

IE will normally only attempt KRB5 auth when the hostname in the URL has 
no dots, or when the hostname has been specifically added to the "Local 
intranet" zone.

Seemingly Similar Threads

Search for more maybe matching threads

CentOS - Oct 2018 - CentOS 7.5, Apache 2.4, Kerberos

[CentOS] CentOS 7.5, Apache 2.4, Kerberos

[CentOS] CentOS 7.5, Apache 2.4, Kerberos

[CentOS] CentOS 7.5, Apache 2.4, Kerberos

Seemingly Similar Threads