Beginner Kerberos question - problem with spnego authentication with webserver
JSoet
jordan.soet at ca.ibm.com
Wed Jun 22 18:41:19 EDT 2016
I'm trying to modify a webserver that I work on to do SPNEGO authentication
with an Active Directory server. In preparation for that I've set up two
machines to test the authentication, and I thought I'd try to use an
existing simple webserver to check that I have them set up correctly before
I start modifying my webserver, so I'm trying to test it using the
flask-kerberos project: https://flask-kerberos.readthedocs.io/en/latest/
Unfortunately, it seems that there's a problem with the setup and I'm not
sure where to look next to solve it. When running the flask webserver I get
this error when it tries to do the authGSSServerInit call:
    GSSError: (('Unspecified GSS failure. Minor code may provide more
    information', 851968), ('', 100004))
My setup is that I have three machines: one Windows Server with Active Directory
installed and a couple of users set up, plus a user and SPN set for the
webserver; a CentOS machine with the webserver on it; and a Windows 7
machine that's on the AD domain with an authenticated user. When I try to
authenticate from the Windows 7 machine to the /protected page created by
the flask webserver, I get the message above.
From what I can tell my krb5.conf is configured correctly; I can run kinit
with a couple of different usernames and they seem to work fine.
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = TEST.LOCAL
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true

    [realms]
     TEST.LOCAL = {
      kdc = WIN-KBRA593O67I.Test.local
      admin_server = WIN-KBRA593O67I.Test.local
     }

    [domain_realm]
     .Test.local = TEST.LOCAL
     Test.local = TEST.LOCAL
And I think my keytab file is OK. If I run klist -k I get the following
output:
    [root@TestCentOSGui testFlask]# klist -k
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       3 HTTP/TestCentOSGui.Test.local@TEST.LOCAL
And I can do kinit with the service principal using kinit -k, and afterwards
klist shows the ticket:
    [root@TestCentOSGui testFlask]# kinit HTTP/TestCentOSGui.Test.local -k
    [root@TestCentOSGui testFlask]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: HTTP/TestCentOSGui.Test.local@TEST.LOCAL

    Valid starting     Expires            Service principal
    06/22/16 15:02:12  06/23/16 01:02:16  krbtgt/TEST.LOCAL@TEST.LOCAL
            renew until 06/29/16 15:02:12
I'm hoping that there's something simple that I'm missing, but I'm not
really sure where to look or what to try next, so any advice would be
welcome.
--
View this message in context: http://kerberos.996246.n3.nabble.com/Beginner-Kerberos-question-problem-with-spnego-authentication-with-webserver-tp45585.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
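Added example, not part of the post above and not code from flask-kerberos or MIT krb5: a small Python reader for the MIT keytab file format (version 0x0502, big-endian, the format `klist -k` reads) that lists every entry with its KVNO and enctype and then checks whether the exact principal a GSS acceptor will look up, `HTTP/<hostname>@<REALM>`, is present. The sample keytab bytes are constructed inline with `build_keytab` (assumed helper, written only to produce offline test input) using the poster's SPN at KVNO 3 and made-up keys; the hostname, realm and enctype numbers (23 = rc4-hmac, 18 = aes256-cts-hmac-sha1-96) are taken from the post and from the standard krb5 enctype registry. The match is byte-for-byte, which is deliberate: MIT's keytab lookup is case-sensitive, so a keytab holding `HTTP/TestCentOSGui.Test.local` does not satisfy an acceptor that resolved the host to `testcentosgui.test.local`, and the check reports that distinction separately.

```python
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab format version 2 (the only one klist -k writes today)
KRB5_NT_PRINCIPAL = 1        # name type used for ordinary service principals


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key, timestamp) tuples as a v2 keytab.

    Assumed helper, used only to construct sample input; real keytabs come from
    ktpass/kadmin/ktutil, never from application code."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray()
        body += struct.pack(">H", len(comps))                     # component count (realm excluded)
        body += struct.pack(">H", len(realm)) + realm.encode()     # realm
        for c in comps:                                            # each name component
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIBHH", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF, enctype, len(key))
        body += key
        body += struct.pack(">I", kvno)                            # optional 32-bit vno extension
        out += struct.pack(">i", len(body)) + body                 # entry length prefix (signed)
    return bytes(out)


def parse_keytab(data):
    """Parse v2 keytab bytes into KeytabEntry objects, skipping deleted slots."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative length marks a deleted entry; skip its bytes
            pos += -size
            continue
        if size == 0:
            raise ValueError("zero-length keytab entry")
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        name_type, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:      # 32-bit vno present: it overrides the 8-bit field when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            pos += 4
            if vno32:
                kvno = vno32
        if pos > end:
            raise ValueError("truncated keytab entry")
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type, ts, kvno, enctype, key))
        pos = end
    return entries


def check_service_principal(entries, hostname, realm, service="HTTP"):
    """Return (ok, diagnostic) for the exact principal a GSS acceptor will look up."""
    wanted = f"{service}/{hostname}@{realm}"
    exact = [e for e in entries if e.principal == wanted]
    if exact:
        kvnos = sorted({e.kvno for e in exact})
        etypes = sorted({e.enctype for e in exact})
        return True, f"{wanted} present (kvno {kvnos}, enctypes {etypes})"
    # Same name differing only in case: a common failure when reverse DNS canonicalises the host.
    ci = sorted({e.principal for e in entries if e.principal.lower() == wanted.lower()})
    if ci:
        return False, f"{wanted} missing; keytab only has case-different {ci}"
    return False, f"{wanted} missing; keytab has {sorted({e.principal for e in entries})}"


# Constructed sample: the poster's SPN at kvno 3 with two enctypes, plus an unrelated host key.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/TestCentOSGui.Test.local@TEST.LOCAL", 3, 23, b"\x11" * 16, 1466622000),  # rc4-hmac
    ("HTTP/TestCentOSGui.Test.local@TEST.LOCAL", 3, 18, b"\x22" * 32, 1466622000),  # aes256-cts-hmac-sha1-96
    ("host/other.Test.local@TEST.LOCAL", 1, 18, b"\x33" * 32, 1466622000),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"kvno {e.kvno:>3}  enctype {e.enctype:>2}  {e.principal}")
    print(check_service_principal(parse_keytab(SAMPLE_KEYTAB), "TestCentOSGui.Test.local", "TEST.LOCAL"))
    print(check_service_principal(parse_keytab(SAMPLE_KEYTAB), "testcentosgui.test.local", "TEST.LOCAL"))
```

Against a real file, `parse_keytab(open("/etc/krb5.keytab", "rb").read())` gives the same view `klist -k` does, and `check_service_principal` should be fed the hostname the acceptor actually ends up with (the name the web framework passes in, after any canonicalisation), not the one typed into ktpass. Two things the KVNO column makes visible that a successful `kinit -k` does not: whether the KVNO still matches the account's current version after a password reset on the AD side, and whether the keytab's enctypes overlap with what the account is allowed to use.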