gss_localname() with multiple KDC/User Directories + Apache + mod_auth_gssapi

Tobias Kritten (EXT) tk at
Mon Jul 19 12:50:08 EDT 2021

I am using the latest mod_auth_gssapi with Apache 2.4.46 on Debian 10.8 with krb5 1.17 and can't get gss_localname() to work.
Kerberos Environment:

* FreeIPA as default Realm
* Additional Active Directory
* Users are on FreeIPA OR Active Directory and should be able to authenticate against the website

Authentication with GssapiLocalName off is working well, but the application is not able to handle Realms.

krb5.conf:
[libdefaults]
  default_realm = WORKSTATION.OFFICE
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  WORKSTATION.OFFICE = {
    kdc =
    default_domain =
  }
  CORPORATE.LOCAL = {
    kdc = int-ad04.corporate.local
    admin_server = int-ad04.corporate.local
    default_domain = corporate.local
    auth_to_local = RULE:[1:$1@$0](.*@CORPORATE\.LOCAL)s/@.*//
  }

[domain_realm]
  .corporate.local = CORPORATE.LOCAL

.htaccess of the affected website:
  AuthType GSSAPI
  AuthName "GSSAPI Login"
  GssapiAllowedMech krb5
  GssapiPublishErrors On
  GssapiLocalName on

  GssapiBasicAuth off
  GssapiCredStore keytab:/home/office/office-ad.keytab

  require valid-user
  AuthBasicProvider           ldap
  AuthLDAPGroupAttributeIsDN  on
  AuthLDAPGroupAttribute      member
  AuthLDAPUrl                 "ldaps://,dc=workstation,dc=office?uid?sub?(objectClass=inetOrgPerson)" SSL

  ## this is required to get / allow auth eq to require valid-user
  # Require ldap-filter &(objectClass=inetOrgPerson)(|(memberOf=cn=office-ita,cn=groups,cn=accounts,dc=workstation,dc=office)(memberOf=cn=office-cod,cn=groups,cn=accounts,dc=workstation,dc=office))

  require valid-user

The following errors are logged:
[Tue Jul 06 12:08:41.148773 2021] [auth_gssapi:error] [pid 30765:tid 140024582170368] [client] GSS ERROR gss_localname() failed: [The operation or option is not available or unsupported (No such file or directory)]
[Tue Jul 06 12:08:41.211385 2021] [auth_gssapi:error] [pid 30764:tid 140030051854080] [client] INTERNAL ERROR Mechanism needs continuation but neither GssapiConnectionBound nor GssapiUseSessions are configured

I also wrote a small debug program to call the gss_localname() function directly. Output:
gss_localname return code: min 2 / maj 1048576
The operation or option is not available or unsupported

Discussion with the mod_auth_gssapi module:

Looking forward to your help! Thanks,

Kind regards from Dortmund,
Tobias Kritten (EXT), Head of Internal IT
dogado GmbH
Antonio-Segni-Straße 11
44263 Dortmund

Hotline:        +49 (231) 28 66 200
Fax:    +49 (231) 28 66 20 20
Profile on XING:
The Cloud Sourcing Blog:
Technical Support:    support at

Registered office: Dortmund, Commercial register: HRB 19737 Dortmund District Court,
VAT ID: DE249338561, Managing Directors: Marcel Chorengel, Daniel Hagemeier, Ralph Cammerrath, Claus Boyens

