Apache 2 mod_auth_kerb / mod_auth_gssapi

Andreas Ladanyi andreas.ladanyi at kit.edu
Thu Mar 24 09:12:06 EDT 2016 

Hi,

i want to migrate from mod_auth_kerb to mod_auth_gssapi.

config of the old system:
===============

Apache 2 (Linux), mod_auth_kerb, Mantis IT web plattform configured with
basic auth in the config.php

Apache config for the directory entry of the mantis plattform:

AuthName bla
AuthType Kerberos
KrbAuthRealms REALM
KrbMethodNegotiate On
KrbServiceName HTTP
KrbLocalUserMapping On
Require valid-user

behavior of the old system:
================

1. Request the web plattform (on Firefox and Linux)
2. a user/password window pops up (like on basic auth. Its equal if iam
in the realm with a tgt or ouside the realm without tgt the popup
appears in both situations) and i enter my username / password from the
kerberos realm principal. So for my comprehension the basic auth takes
the user/pass from the popup window and validates it against the KDC
(MIT on Linux).
3. login successfull on the webplattform

config of the new system:
===============

Apache 2.4 (Linux), mod_auth_gssapi, Mantis IT web plattform configured
with basic auth in the config.php (same as on the old system)

Apache config for the directory entry of the mantis plattform:

AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
GssapiBasicAuth On
GssapiLocalName on
GssapiCredStore keytab:/etc/httpd/http.keytab
Require valid-user

behavior of the new system:
=================

1. Request the web plattform (on Firefox and Linux)
2. NO username/password window shows up
2. the webplattform tells me that the username is invalid

The login should also (like on the old system) be possible from a client
outside the kerberos realm, so a username/password popup should appear.
I thought this is possible because the GssapiBasicAuth is On. So how i
could debug/solve this issue ? Is the expected behavior possible with
mod_auth_gssapi ?

regards,
Andreas





-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5326 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20160324/07b2a192/attachment-0001.bin

More information about the Kerberos mailing list