Apache 2 mod_auth_kerb / mod_auth_gssapi

Simo Sorce simo at redhat.com
Mon Apr 4 10:06:08 EDT 2016


On Mon, 2016-04-04 at 14:29 +0200, Andreas Ladanyi wrote:
> Hi Simo,
> > On Thu, 2016-03-24 at 14:12 +0100, Andreas Ladanyi wrote:
> >> The login should also (like on the old system) be possible from a client
> >> outside the Kerberos realm, so a username/password popup should appear.
> > If the basic auth header is received the browser will either show a
> > popup, or just send credentials if it had them previously cached.
> Is this the HTTP 401 message from the server to the browser?
> >
> >> I thought this is possible because the GssapiBasicAuth is On.
> > GssapiBasicAuth On enables Basic Auth fallback indeed, but this option
> > is supported only starting with version 1.2.0, what version do you use?
> I use version 1.3.1
> >
> >> So how could I debug/solve this issue?
> > Check with developer tools if the browser is receiving a basic auth
> > header, if not check the apache error logs after raising debug level to
> > see if mod_auth_gssapi is logging any error.
> >
> > Keep in mind that browsers will attempt negotiate auth in preference.
> 
> I used the Live HTTP header addon for Firefox and got this response from
> the Apache server:
> 
> HTTP/1.1 200 OK
> Date: Mon, 04 Apr 2016 09:04:48 GMT
> Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
> PHP/5.4.16
> X-Powered-By: PHP/5.4.16
> Set-Cookie: PHPSESSID=1he24b9k0igddspei4vnpt7sd6; path=/; HttpOnly
> Set-Cookie: MANTIS_secure_session=0; path=/; httponly
> Cache-Control: no-store, no-cache, must-revalidate
> Last-Modified: Mon, 04 Apr 2016 09:04:48 GMT
> x-content-type-options: nosniff
> Expires: Mon, 04 Apr 2016 09:04:48 GMT
> X-Frame-Options: DENY
> X-Content-Security-Policy: allow 'self'; options inline-script
> eval-script; frame-ancestors 'none'
> Content-Encoding: gzip
> Vary: Accept-Encoding
> Content-Length: 1470
> Keep-Alive: timeout=5, max=100
> Connection: Keep-Alive
> Content-Type: text/html; charset=utf-8
> 
> 
> I can't see an HTTP 401 server message in the Firefox log. So Apache
> doesn't know (????) that a 401 should be sent to the browser, so the
> username/password popup doesn't appear?
> 
> 
> I can't see 401 messages in error_log/access_log from Apache.

Sounds like your Apache server is not configured to apply authentication
modules to the location you are asking for?

A 200 OK message means either that authentication was successful, or was
not needed.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
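
Added example, not part of the original message or of mod_auth_gssapi: a small Python check that sorts a raw HTTP response into the cases discussed in this thread (no 401 at all, a 401 offering only Negotiate, a 401 that also offers Basic). The sample responses and the names parse_response and diagnose are constructed for illustration.

```python
import re

# Constructed sample responses (headers only), not captured traffic.
SAMPLE_200 = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_NEGOTIATE_ONLY = "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n\r\n"
SAMPLE_WITH_BASIC = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    'WWW-Authenticate: Basic realm="EXAMPLE.TEST, login"\r\n\r\n'
)
# Both challenges folded into one header line, as HTTP permits.
SAMPLE_COMBINED = (
    "HTTP/1.1 401 Unauthorized\n"
    'www-authenticate: Negotiate, Basic realm="x", charset="UTF-8"\n\n'
)

# A scheme name starts the value or follows a comma, and is not an auth-param (name=value).
SCHEME = re.compile(r"(?:^|,)\s*([A-Za-z][A-Za-z0-9_-]*)(?!\s*=)(?=\s|,|$)")


def parse_response(raw):
    """Return (status code, set of lower-cased WWW-Authenticate schemes)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, *header_lines = head.split("\n")
    status = int(status_line.split()[1])
    schemes = set()
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        # Blank out quoted strings so commas inside a realm are not misread.
        value = re.sub(r'"[^"]*"', '""', value.strip())
        schemes.update(m.group(1).lower() for m in SCHEME.finditer(value))
    return status, schemes


def diagnose(raw):
    """Map a response onto the cases discussed in the thread."""
    status, schemes = parse_response(raw)
    if status != 401:
        return "no-challenge"      # auth not needed here, or already successful
    if {"negotiate", "basic"} <= schemes:
        return "negotiate+basic"   # Basic fallback is being offered
    if "negotiate" in schemes:
        return "negotiate-only"    # no Basic challenge, so no password popup
    if "basic" in schemes:
        return "basic-only"
    return "other-401"
```

Paste the response headers seen in the browser's developer tools into diagnose() to see which case applies.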