gss_localname() with multiple KDC/User Directories + Apache + mod_auth_gssapi
Tobias Kritten (EXT)
tk at dogado.de
Mon Jul 19 10:32:53 EDT 2021
Hi!
I am using the latest mod_auth_gssapi with Apache 2.4.46 on Debian 10.8 with krb5 1.17 and can't get gss_localname() to work.
Kerberos Environment:
* FreeIPA as default Realm
* Additional Active Directory
* Users are on FreeIPA OR Active Directory and should be able to authenticate against the website
Authentication with GssapiLocalName off is working well, but the application is not able to handle realms.
krb5.conf:
[libdefaults]
default_realm = WORKSTATION.OFFICE
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
WORKSTATION.OFFICE = {
kdc = ipa.workstation.office:88
default_domain = workstation.office
}
CORPORATE.LOCAL = {
kdc = int-ad04.corporate.local
admin_server = int-ad04.corporate.local
default_domain = corporate.local
auth_to_local = RULE:[1:$1@$0](.*@CORPORATE\.LOCAL)s/@.*//
}
[domain_realm]
.workstation.office = WORKSTATION.OFFICE
workstation.office = WORKSTATION.OFFICE
.corporate.local = CORPORATE.LOCAL
corporate.local = CORPORATE.LOCAL
corporate.de = CORPORATE.LOCAL
.corporate.de = CORPORATE.LOCAL
.htaccess of the affected website:
<RequireAll>
AuthType GSSAPI
AuthName "GSSAPI Login"
GssapiAllowedMech krb5
GssapiPublishErrors On
GssapiLocalName on
GssapiBasicAuth off
GssapiCredStore keytab:/home/office/office-ad.keytab
require valid-user
AuthBasicProvider ldap
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
AuthLDAPUrl "ldaps://ldap.office/cn=accounts,dc=workstation,dc=office?uid?sub?(objectClass=inetOrgPerson)" SSL
## this is required to get / allow auth eq to require valid-user
# Require ldap-filter &(objectClass=inetOrgPerson)(|(memberOf=cn=office-ita,cn=groups,cn=accounts,dc=workstation,dc=office)(memberOf=cn=office-cod,cn=groups,cn=accounts,dc=workstation,dc=office))
require valid-user
</RequireAll>
The following errors are logged:
[Tue Jul 06 12:08:41.148773 2021] [auth_gssapi:error] [pid 30765:tid 140024582170368] [client 192.168.212.52:0] GSS ERROR gss_localname() failed: [The operation or option is not available or unsupported (No such file or directory)]
[Tue Jul 06 12:08:41.211385 2021] [auth_gssapi:error] [pid 30764:tid 140030051854080] [client 192.168.212.52:0] INTERNAL ERROR Mechanism needs continuation but neither GssapiConnectionBound nor GssapiUseSessions are configured
I also wrote a small debug program to call the gss_localname() function directly. Output:
gss_localname return code: min 2 / maj 1048576
The operation or option is not available or unsupported
Discussion with the mod_auth_gssapi module: https://github.com/gssapi/mod_auth_gssapi/discussions/254
Looking forward to your help! Thanks,
Tobias
--
Kind regards from Dortmund,
Tobias Kritten (EXT), Head of Internal IT
________________________________
dogado GmbH
Antonio-Segni-Straße 11
44263 Dortmund
Hotline: +49 (231) 28 66 200
Fax: +49 (231) 28 66 20 20
Website: http://www.dogado.de
Profile on XING: http://www.xing.com/companies/dogado
The Cloud Sourcing Blog: http://www.dogado.de/blog
Twitter: https://twitter.com/dogado
Facebook: https://www.facebook.com/dogado
Technical support: support at dogado.de
Registered office: Dortmund; Commercial register: HRB 19737, Amtsgericht Dortmund;
VAT ID: DE249338561; Managing directors: Marcel Chorengel, Daniel Hagemeier, Ralph Cammerrath, Claus Boyens
________________________________
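The auth_to_local rule in the krb5.conf above is worth stepping through by hand, because two details of MIT krb5 decide whether it ever fires: krb5_aname_to_localname() reads auth_to_local only from the [realms] stanza of the default realm (here that would be WORKSTATION.OFFICE, not CORPORATE.LOCAL where the rule is placed in the post), and rules are tried in order, with DEFAULT mapping only single-component principals of the default realm and everything else yielding no translation. The following is an added example, not code from the post and not krb5's own implementation: a small re-implementation of the documented RULE/DEFAULT semantics (n-component check, $0/$1 expansion, selector that must match the whole string, sed-style substitution) that lets you check offline what a rule does to a given principal before relying on it for a web login. The principal names fed to it are constructed for the example.

```python
"""Evaluate MIT krb5 auth_to_local rules (RULE:[n:fmt](selector)s/pat/repl/g and DEFAULT)
offline.  Added example: re-implements the documented rule semantics, it is not krb5 code.
Python's re dialect stands in for the POSIX ERE krb5 compiles, which is fine for the
simple selectors and substitutions shown here."""
import re


def parse_principal(text):
    """Split 'comp1/comp2@REALM' into (components, realm).
    Plain form only; backslash escapes in principal names are not handled."""
    name, realm = text.rsplit("@", 1)
    return tuple(name.split("/")), realm


def parse_rule(rule):
    """Parse 'RULE:[n:fmt](selector)s/pat/repl/[g]'.
    Selector and substitution are optional; escaped slashes in the
    substitution are not supported here.  Returns (n, fmt, selector, pat, repl, flags)."""
    if not rule.startswith("RULE:["):
        raise ValueError("unsupported rule: %r" % rule)
    n_str, rest = rule[len("RULE:["):].split(":", 1)
    fmt, rest = rest.split("]", 1)
    selector = pat = repl = flags = ""
    if rest.startswith("("):
        end = rest.find(")s/")          # selector ends where the substitution starts
        if end == -1:
            if not rest.endswith(")"):
                raise ValueError("unterminated selector in %r" % rule)
            selector, rest = rest[1:-1], ""
        else:
            selector, rest = rest[1:end], rest[end + 1:]
    if rest.startswith("s/"):
        parts = rest[2:].split("/")
        if len(parts) != 3:
            raise ValueError("bad substitution in %r" % rule)
        pat, repl, flags = parts
    elif rest:
        raise ValueError("trailing garbage in %r" % rule)
    return int(n_str), fmt, selector, pat, repl, flags


def apply_rule(rule, principal, default_realm):
    """Return the local name this rule produces, or None if it does not apply."""
    components, realm = principal
    if rule == "DEFAULT":
        # DEFAULT maps only one-component principals of the default realm.
        if len(components) == 1 and realm == default_realm:
            return components[0]
        return None
    n, fmt, selector, pat, repl, flags = parse_rule(rule)
    if len(components) != n:            # [n:...] applies to n-component principals only
        return None

    def expand(m):                      # $0 is the realm, $1..$n the components
        i = int(m.group(1))
        if i > n:
            raise ValueError("rule references $%d but n=%d" % (i, n))
        return realm if i == 0 else components[i - 1]

    s = re.sub(r"\$(\d+)", expand, fmt)
    if selector and not re.fullmatch(selector, s):   # krb5 requires a whole-string match
        return None
    if pat:                             # sed-style s/pat/repl/ with optional g flag
        s = re.sub(pat, repl, s, count=0 if "g" in flags else 1)
    return s


def localname(rules, principal_text, default_realm):
    """First matching rule wins; None means krb5 would report no translation."""
    principal = parse_principal(principal_text)
    for rule in rules:
        mapped = apply_rule(rule, principal, default_realm)
        if mapped is not None:
            return mapped
    return None


# The rule from the post, as it would have to appear under the default realm's stanza.
DEFAULT_REALM = "WORKSTATION.OFFICE"
RULES = [
    r"RULE:[1:$1@$0](.*@CORPORATE\.LOCAL)s/@.*//",
    "DEFAULT",
]

if __name__ == "__main__":
    # Constructed principals covering both realms, a service principal and a foreign realm.
    for p in ("jdoe@CORPORATE.LOCAL", "jdoe@WORKSTATION.OFFICE",
              "host/web.corporate.local@CORPORATE.LOCAL", "jdoe@OTHER.REALM"):
        print("%-45s -> %r" % (p, localname(RULES, p, DEFAULT_REALM)))
```

Running it shows the AD user collapsing to a bare uid via the RULE, the FreeIPA user via DEFAULT, and no translation at all for the two-component service principal or a realm neither rule covers; note that the RULE strips the realm, so an AD "jdoe" and a FreeIPA "jdoe" end up as the same local name, which matters when the local name is then used for the LDAP group lookup.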