Kerberos and Apache reverse proxy

Jaap Winius jwinius at umrk.nl
Fri Jul 13 20:25:00 EDT 2018


Quoting Dmitri Pal <dpal at redhat.com>:

> It should not. The Kerberos authenticated users should just map to existing
> users.
> See mod_auth_gssapi for more details.
> https://github.com/modauthgssapi/mod_auth_gssapi/blob/master/README

It's great to hear that a solution like this exists, but as my luck  
would have it, mod_auth_gssapi, which is included in the Debian  
package libapache2-mod-auth-gssapi, is not available for Debian  
wheezy, and this is the OS that my MediaWiki server is still running  
on. So currently, if I access the MediaWiki server directly, all is  
fine. But if I attempt to access it through the proxy, the proxy's  
Apache error.log says:

   [Sat Jul 14 00:44:41.794483 2018] [access_compat:error] [pid 25847]  
[client 72.85.26.20:39214] \
   AH01797: client denied by server configuration:  
proxy:http://192.168.20.22/mediawiki

While over on the backend MediaWiki server, the Apache error.log says:

   [Sat Jul 14 01:44:41 2018] [error] [client 185.57.111.47]  
gss_accept_sec_context() failed: \
   Unspecified GSS failure.  Minor code may provide more information (, )

It looks like this is where I could really use mod_auth_gssapi on the  
backend, but alas. Might anyone know of a workaround, or another  
package that I could use instead?

Thanks,

Jaap



More information about the Kerberos mailing list