CentOS 7.5, Apache 2.4, Kerberos


Hi List,

My goal in sending this email is to get some direction on where to start looking to solve my problem. Thank you all in advance for reading through this and providing any guidance!

I’m working on moving to new servers, upgrading from CentOS 6.7 to CentOS 7.5. In this move, we are also upgrading from Apache/2.2.15 to Apache/2.4.33. Our servers are all sitting behind a load balancer end point.

====System specifics===
CentOS Linux release 7.5.1804 (Core)
Server version: Apache/2.4.33 (Unix)
Server built: Jul 3 2018 11:33:42

On all of our CentOS 6.7 machines, Kerberos works. On all of our 7.5 machines, it fails.

I am looking, at this point, for direction on where to start looking. Here is some relevant information:

====Output from apache error log===
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require all granted: granted
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
: granted
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require all granted: granted
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
: granted
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
: denied (no authenticated user yet)
[auth_kerb:debug] src/mod_auth_kerb.c(1643): kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[headers:debug] mod_headers.c(900): AH01503: headers: ap_headers_error_filter()
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
: denied (no authenticated user yet)
[auth_kerb:debug] src/mod_auth_kerb.c(1643): kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[auth_kerb:debug] src/mod_auth_kerb.c(1400): Verifying client data using KRB5 GSS-API
[auth_kerb:debug] src/mod_auth_kerb.c(1416): Client didn't delegate us their credential
[auth_kerb:debug] src/mod_auth_kerb.c(1444): Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[auth_kerb:debug] src/mod_auth_kerb.c(1116): GSS-API major_status:00010000, minor_status:00000000
[auth_kerb:error] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
[headers:debug] mod_headers.c(900): AH01503: headers: ap_headers_error_filter()
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require all granted: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require all granted: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
: granted, referer: https://six.***********.com/sso
[headers:debug] mod_headers.c(900): AH01503: headers: ap_headers_error_filter()
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require all granted: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require all granted: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of
: granted, referer: https://six.***********.com/sso

====apache vhost files===
==site specific=

Define vhost_name siteName
Define vhost_home /path/to/site/home

Include conf/vhosts.d/template.inc

==conf/vhosts.d/template.inc contains=

AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbAuthoritative off
KrbAuthRealms [list of realms removed for security]
Krb5Keytab "/etc/krb5.keytab"
KrbServiceName Any
require valid-user
ErrorDocument 401 "

====And some output from kinit and klist===
$ sudo kinit -V -t /etc/krb5.keytab HTTP/six.***********.com@EXT.**********.COM
keytab specified, forcing -k
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/six.***********.com@EXT.**********.COM
Using keytab: /etc/krb5.keytab
kinit: Client 'HTTP/six.***********.com@EXT.**********.COM
Kerberos database while getting initial credentials

$ sudo klist -etk
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- -----------------
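Added example, not from the original post: a small Python check that decodes an Authorization: Negotiate header value (captured from a browser's developer tools or a header-logging directive) and reports whether the client sent an NTLM token, which is what the mod_auth_kerb warning above is flagging, a SPNEGO token, or a raw Kerberos 5 token. The sample tokens are constructed minimal byte prefixes; all names below are assumptions.

```python
import base64
import binascii

# Constructed sample tokens (not from the original post), each just the prefix
# a GSS-API acceptor inspects before trying to establish a context.
NTLM_TOKEN = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28).decode()
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
SPNEGO_TOKEN = base64.b64encode(b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00").decode()
KRB5_TOKEN = base64.b64encode(b"\x60\x0d" + KRB5_OID + b"\x01\x00").decode()


def _initial_context_body(raw: bytes) -> bytes:
    """Strip the RFC 2743 InitialContextToken header (tag 0x60 + DER length)."""
    if len(raw) < 2 or raw[0] != 0x60:
        return b""
    length = raw[1]
    if length & 0x80:                  # long form: the next (length & 0x7f) bytes hold the length
        return raw[2 + (length & 0x7F):]
    return raw[2:]


def classify_token(header_value: str) -> str:
    """Classify an Authorization header value the way the mod_auth_kerb log does.

    Returns 'ntlm', 'spnego', 'krb5', 'not-negotiate' or 'unknown'.
    """
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except (ValueError, binascii.Error):
        return "unknown"
    # The NTLMSSP signature is what triggers "received token seems to be NTLM".
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    body = _initial_context_body(raw)
    if body.startswith(SPNEGO_OID):
        return "spnego"
    if body.startswith(KRB5_OID):
        return "krb5"
    return "unknown"


if __name__ == "__main__":
    for label, tok in (("ntlm", NTLM_TOKEN), ("spnego", SPNEGO_TOKEN), ("krb5", KRB5_TOKEN)):
        print(label, "->", classify_token("Negotiate " + tok))
```

An 'ntlm' result means the browser never obtained a service ticket for the hostname in the URL, so the fix is on the client or SPN side, not in the vhost configuration.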

2 thoughts on - CentOS 7.5, Apache 2.4, Kerberos

  • Hi, rebecca,

    rebecca coleman wrote:


    This is where I’d start. If you’re using IE (why?!), what’s it looking for for authentication?

    Also, the new version of CentOS and /etc/httpd/conf.d/ssl.conf may have the encryption that you’re currently using disabled, as it’s too weak.

    mark

  • IE will normally only attempt KRB5 auth when the hostname in the URL has no dots, or when the hostname has been specifically added to the “Local intranet” zone.