Apache 2 mod_auth_kerb / mod_auth_gssapi

Andreas Ladanyi andreas.ladanyi at kit.edu
Mon Apr 4 08:29:57 EDT 2016


Hi Simo,
> On Thu, 2016-03-24 at 14:12 +0100, Andreas Ladanyi wrote:
>> The login should also (like on the old system) be possible from a client
>> outside the kerberos realm, so a username/password popup should appear.
> If the basic auth header is received the browser will either show a
> popup, or just send credentials if it had them previously cached.
is this the HTTP 401 message from the server to the browser ?
>
>> I thought this is possible because the GssapiBasicAuth is On.
> GssapiBasicAuth On enables Basic Auth fallback indeed, but this option
> is supported only starting with version 1.2.0, what version do you use ?
i use version 1.3.1
>
>> So how i could debug/solve this issue ?
> Check with developer tools if the browser is receiving a basic auth
> header, if not check the apache error logs after raising debug level to
> see if mod_auth_gssapi is logging any error.
>
> Keep in mind that browsers will attempt negotiate auth in preference.

i used the Live HTTP header addon for firefox and get this response from
the Apache server:

HTTP/1.1 200 OK
Date: Mon, 04 Apr 2016 09:04:48 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
PHP/5.4.16
X-Powered-By: PHP/5.4.16
Set-Cookie: PHPSESSID=1he24b9k0igddspei4vnpt7sd6; path=/; HttpOnly
Set-Cookie: MANTIS_secure_session=0; path=/; httponly
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Mon, 04 Apr 2016 09:04:48 GMT
x-content-type-options: nosniff
Expires: Mon, 04 Apr 2016 09:04:48 GMT
X-Frame-Options: DENY
X-Content-Security-Policy: allow 'self'; options inline-script
eval-script; frame-ancestors 'none'
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 1470
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8


I cant see a HTTP 401 server message in the firefox log. So the apache
doesnt know (????) that 401 should be send to the browser so the
username/password popup doesnt appear ?


I cant see 401 messages in error_log/access_log from apache.


regards,
Andreas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5326 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20160404/f6427a73/attachment.bin


More information about the Kerberos mailing list