Mod_auth_kerb Realm Not Stripped

Home » CentOS » Mod_auth_kerb Realm Not Stripped
CentOS No Comments

Hello all.

We have a CentOS 7 system integrated with Active Directory. Achieved using realmd, SSSD and krb5-workstation together with a ktpass-generated keytab.

Apache’s mod_auth_kerb allows users to authenticate via their AD accounts, and authorise with “require user” directive. But so far we fail to authorise via AD group membership. i.e. adding AuthLDAPUrl and “require ldap-group”
directives to httpd.conf results in access being denied. Using ldapsearch with GSSAPI (or password entry) works as expected.

After looking at debug logs and tcpdump output, I (possibly incorrectly) put the issue down to being unsure how to get krb5_aname_to_localname to function appropriately with the KrbLocalUserMapping directive of apache’s mod_auth_kerb.

It does do some transformation, converting to lowercase. However the realm part is not stripped off. Example output from apache error_log:

[Thu Jan 25 11:53:33.969841 2018] [auth_kerb:debug] [pid 2176]
src/mod_auth_kerb.c(1855): [client 192.168.254.170:65016]
kerb_authenticate_a_name_to_local_name Test12 at X.Y.Z -> test12 at x.y.z

(All other examples I found have output of format:
… Test12 at X.Y.Z -> Test12 )

I have tried experimenting with auth_to_local tags in the [realms] sections of
/etc/krb5.conf, but could see no evidence of the rules being invoked. i.e. Same output in the apache error log regardless.

This then appears to get passed on for use in subsequent ldap authorisations
(apache mod_authnz_ldap). This does not work for us as we need to authorise against stripped user names (Active Directory sAMAccount or similar; our userPrincipalName is a different format: Test12 at Q.Y.Z, so can’t workaround using that).

I previously posted a similar messages to kerberos@mit.edu but got no feedback. Hopefully this list might be more appropriate.

Grateful for any advice, Ewae.

LEAVE A COMMENT