Linux/Apache - combine mod_auth_kerb and ldap - to be or not to be???

kerbie_newbie zarafield at sky.com
Thu Apr 16 18:30:21 EDT 2009


Will be setting up ldap authentication and trying the suggestions to mix the
two ...

Looking back to the main reason for this query - Windows users with expired
TGTs.

(Env: Apache2, MIT Kerberos 5, mod_auth_kerb, IE7, Active Directory KDC)

Current directives:

          AuthType Kerberos
          AuthName "... login"
          KrbMethodNegotiate on
          KrbAuthRealms x y z
          KrbMethodK5Passwd on
          require valid-user
          Krb5Keytab /etc/krb5.keytab
          KrbServiceName HTTP/webservice at x
          KrbSaveCredentials on

I am also connecting to AD on its Global port ...


I have users from several realms, eg. me at x.x.x, you at y.y.y

I have a keytab 'x|webservice' which, seems to me, relates to realm x. (?)

For authentication across realms with valid TGTs, the keytab realm does
not pose any issues as I have several realms included in my KrbAuthRealms
directive.

However, if a user's ticket granting ticket has expired, can Kerberos not
obtain a new ticket granting ticket? I thought this was happening when some
users were prompted for their usr/pwd and that Kerberos was using its
internal kinit to get a new TGT from Active Directory?

If it can, is it restricted to the domain on the keytab or by some
delegation setting in Active Directory?

If it can't, why is it prompting for a usr/pwd instead of just showing the
404 error?

Another theory I had was related to DNS suffix search lists ... most, if not
all of the users that cannot authenticate when being prompted do not have
their active directory domain at the top of the list. I read that this is
how Kerberos creates tickets and was thinking that if they were trying to
get a TGT with a realm that is not in the 'trusted realms', then this is why
they could not authenticate. 

This was further spurred on by the error logs containing something along the
lines of 'could not find requested realm'. I have since been 'advised' that
the DNS should bear no relevance, but this similarity keeps appearing.

Final concern (for this evening at least) is that these users are getting
expired TGTs in the first place. For me, locking/unlocking (Ctrl-Alt-Delete)
AND when it is automatically locked (company policy after 10 mins) through
idle, I get a renewed ticket with a new expiry time 7 days in the future.
Could this whole problem be stemming from some issue on their PC or Active
Directory account?

Thanks in advance for your thoughts!


Richard E. Silverman wrote:
> 
>     kn> Actually, since you say
> 
>     >>> Anyway, take into account that both fallbacks require a secure
>     >>> server, which is not the case for credential based authentication.
> 
>     kn> you mean that I would need to have some local storage (on my Linux
>     kn> box) of all user ids or some sort of synchronization with Active
>     kn> Directory? (... or have I misunderstood?). There are more than
>     kn> 50,000 users ...
> 
> No; mod_auth_kerb will do the equivalent of kinit to validate the user's
> password (as well as an anti-spoof check on the KDC).
> 
> - Richard
> 
> 
>     kn> Thanks again
> 
> 
>     kn> kerbie_newbie wrote:
>     >> 
>     >> Thanks for the responses ... still a little confused though. In another
>     >> thread I've read
>     >> 
>     >> " Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap
>     >> 
>     >> ...
>     >> 
>     >> At least in Apache 2.0, it is extremely difficult in Apache to get
>     >> two authentication modules to co-exist; Apache by and large
>     >> considers any particular portion of the URL space to be protected
>     >> by only one authentication scheme (possibly combined with IP
>     >> address restrictions).  This is partly a limitation of Apache
>     >> (particularly the configuration syntax) and partly related to
>     >> difficulties in the HTTP protocol (you can't easily negotiate and
>     >> attempt multiple authentication protocols in turn).
>     >> 
>     >> However, that being said, mod_auth_kerb does support:
>     >> 
>     >> KrbDelegateBasic on | off (set to off by default) If set to 'on'
>     >> this option causes Basic authentication to always be offered
>     >> regardless of the setting of the KrbMethodK[45]Pass directives.
>     >> Then, if a Basic authentication header arrives, the authentication
>     >> decision is passed along to other modules. This option is a
>     >> work-around for the insufficient authentication scheme in Apache
>     >> (Apache 2.1 seems to provide better support for multiple
>     >> authentication mechanisms).
>     >> 
>     >> The trick is that for this to work properly, mod_auth_kerb needs to
>     >> go first and then the other authentication module needs to follow
>     >> afterwards in the processing stack. That's something that modules
>     >> can control in their own C code to some extent, but I don't know
>     >> how you'd control this from outside without making code
>     >> modifications."
>     >> 
>     >> ...  "
>     >> 
>     >> Also, my server is not secure so Basic Authentication (which by my
>     >> reckoning does not authenticate against AD) is not an option.
>     >> 
>     >> Thanks again.
>     >> 
>     >> 
>     >> Javier Palacios-2 wrote:
>     >>> 
>>> On Tue, Apr 7, 2009 at 5:50 PM, Dax Kelson <dkelson at gurulabs.com> wrote:
>>>> On Mon, 2009-04-06 at 11:47 -0700, kerbie_newbie wrote:
>>>>
>>>>> As far as I can tell, when using mod_auth_kerb and selecting kerberos
>>>>> as the
>>>>> authtype it is pretty much Kerberos or nothing ... is this correct? I
>>>>> can
>>>>> see no way to intercept the failure.
>>>>
>>>> This is not correct. What you want are these two directives:
>>>>
>>>> KrbMethodNegotiate On
>>>> KrbMethodK5Passwd On
>>> 
>>> If I remember right, there is a directive called something like
>>> authoritative.
>>> I never used it, but it is used to pass authentication to other
>>> modules (again, if I remember well).
>>> That is exactly what you need, so instead of enabling password
>>> authentication you need to stack the ldap authentication as well and
>>> let it proceed if negotiate fails.
>>> 
>>> Anyway, take into account that both fallbacks require a secure server,
>>> which is not the case for credential based authentication.
>>> 
>>> Javier Palacios
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>> 
>>> 
>> 
>> 
> 
> -- 
> View this message in context:
> http://www.nabble.com/Linux-Apache---combine-mod_auth_kerb-and-ldap---to-be-or-not-to-be----tp22914739p22938708.html
> Sent from the Kerberos - General mailing list archive at Nabble.com.
> 
> 
> -- 
>   Richard Silverman
>   res at qoxp.net
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 
View this message in context: http://www.nabble.com/Linux-Apache---combine-mod_auth_kerb-and-ldap---to-be-or-not-to-be----tp22914739p23087770.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
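As an added check, not code from this thread: the poster wonders which realm the 'x|webservice' keytab relates to. A keytab can hold keys for several realms, and what matters for mod_auth_kerb is that it contains a key for the exact principal named by KrbServiceName (including realm). The example below parses the MIT keytab v2 format offline on a constructed sample (the realm names X.EXAMPLE and Y.EXAMPLE are placeholders) and reports each entry's principal, realm, kvno and enctype, the same information `klist -kt` prints.

```python
import struct

# Constructed sample: one HTTP service key per realm (enctype 23 = rc4-hmac).
SAMPLE_ENTRIES = [
    ("HTTP/webservice", "X.EXAMPLE", 3, 23, b"\x11" * 16),
    ("HTTP/webservice", "Y.EXAMPLE", 1, 23, b"\x22" * 16),
]

def build_keytab(entries):
    """Serialize (principal, realm, kvno, enctype, key) tuples as a v2 keytab; sample input only."""
    out = b"\x05\x02"                                  # keytab format version 0x0502
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps))           # component count (realm not counted in v2)
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 1239920000, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key       # keyblock: enctype, length, key
        body += struct.pack(">I", kvno)                           # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return a list of {principal, realm, kvno, enctype} for each live entry in the keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                                   # negative size marks a deleted slot
            pos += -size; continue
        e, p = data[pos:pos + size], 0
        ncomp, rlen = struct.unpack(">HH", e[p:p + 4]); p += 4
        realm = e[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", e[p:p + 2]); p += 2
            comps.append(e[p:p + clen].decode()); p += clen
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", e[p:p + 9]); p += 9
        enctype, klen = struct.unpack(">HH", e[p:p + 4]); p += 4 + klen   # skip the key bytes
        kvno = struct.unpack(">I", e[p:p + 4])[0] if p + 4 <= size else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "realm": realm, "kvno": kvno, "enctype": enctype})
        pos += size
    return entries

def has_service_key(entries, service_principal):
    return any(e["principal"] == service_principal for e in entries)
```

To run it against a real keytab, pass the bytes of /etc/krb5.keytab to parse_keytab and compare the realms it returns with the KrbAuthRealms list.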