William Muriithi via FreeIPA-users wrote:
> Evening,
>
> I am attempting to get apache authenticating with IPA but not sure why
> it's rejecting the keytab. I have even recreated the keytab a number of
> times but this isn't making any difference. To make sure the problem
> isn't anywhere else, I briefly used an htpasswd file and it worked fine,
> so I am confident it has to do with the apache IPA integration. Does anybody
> notice anything wrong with the setup below?
>
> [Tue Jul 24 17:13:55.754808 2018] [auth_gssapi:debug] [pid 27797]
> mod_auth_gssapi.c(857): [client 192.168.20.221:46106] URI: /git/, no main, no prev
> [Tue Jul 24 17:13:55.809525 2018] [auth_gssapi:error] [pid 27797]
> [client 192.168.20.221:46106] GSS ERROR
> gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS
> failure. Minor code may provide more information (Keytab
> FILE:/etc/httpd/conf.d/httpd.keytab is nonexistent or empty)]
> [Tue Jul 24 17:13:55.811160 2018] [ssl:debug] [pid 27797]
> ssl_engine_io.c(993): [client 192.168.20.221:46106] AH02001: Connection closed to child 3
> with standard shutdown (server gitolite4.eng.example.com:443)
>
> Full log here:
> https://pastebin.com/v3KKVs6W
>
> However, the keytab looks fine.
>
> Keytab name: FILE:/etc/httpd/conf.d/httpd.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    1 07/23/2018 16:19:22 http/gitolite4.eng.example....@eng.example.com (aes256-cts-hmac-sha1-96)
>    1 07/23/2018 16:19:22 http/gitolite4.eng.example....@eng.example.com (aes128-cts-hmac-sha1-96)
>    1 07/23/2018 16:19:22 http/gitolite4.eng.example....@eng.example.com (des3-cbc-sha1)
>    1 07/23/2018 16:19:22 http/gitolite4.eng.example....@eng.example.com (arcfour-hmac)
> [root@gitolite4 ~]#
>
> Also, I have confirmed this isn't selinux related
>
> [root@gitolite4 ~]# getenforce
> Permissive
>
> This is the version of the apache module that I am using.
> [root@gitolite4 ~]# rpm -qa | grep gssapi
> mod_auth_gssapi-1.5.1-5.el7.x86_64
> python-gssapi-1.2.0-3.el7.x86_64
> cyrus-sasl-gssapi-2.1.26-23.el7.x86_64
> [root@gitolite4 ~]#
>
> This is the configuration that I am using:
> <Location /git>
>     LimitXMLRequestBody 0
>     LimitRequestBody 0
>     AuthType GSSAPI
>     AuthName "Linux Account"
>     GssapiConnectionBound On
>     GssapiBasicAuth On
>     GssapiNegotiateOnce On
>     GssapiLocalName on
>     AuthzSendForbiddenOnFailure On
>     GssapiCredStore keytab:/etc/httpd/conf.d/httpd.keytab
>     GssapiSignalPersistentAuth On
>     GssapiSSLonly On
>     Require expr %{REMOTE_USER} =~ /@eng.example.com$/
> </Location>
The keytab is readable by the apache user?

rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/4Z5L46UBCQSBVSKKAPVL35EMXHNUBOF6/
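A quick way to answer Rob's question before touching the Apache config: klist in the thread was run as root, so it cannot tell whether the httpd worker (the apache user on EL7) can open the file, and mod_auth_gssapi reports an unreadable keytab as "nonexistent or empty". The script below is an added diagnostic, not code from the thread or from mod_auth_gssapi; it evaluates only the classic mode bits (no POSIX ACLs, and no SELinux, which was Permissive here), assumes a POSIX ls and id, and assumes the keytab path contains no whitespace.

```sh
#!/bin/sh
# Added diagnostic: does a keytab exist, is it non-empty, and can the
# given service account (e.g. "apache") read it from its mode bits alone?
# Does not model ACLs or SELinux; assumes the path has no whitespace.

# mode_allows_read MODESTRING OWNER GROUP USER
# MODESTRING is the first field of `ls -l`, e.g. "-rw-r-----".
# Returns 0 if USER can read a file with these bits, 1 otherwise.
mode_allows_read() {
    mode=$1 owner=$2 group=$3 user=$4
    [ "$user" = root ] && return 0            # root bypasses mode bits
    if [ "$user" = "$owner" ]; then
        [ "$(printf '%s' "$mode" | cut -c2)" = r ]; return $?
    fi
    for g in $(id -Gn "$user" 2>/dev/null); do # all groups USER belongs to
        if [ "$g" = "$group" ]; then
            [ "$(printf '%s' "$mode" | cut -c5)" = r ]; return $?
        fi
    done
    [ "$(printf '%s' "$mode" | cut -c8)" = r ]  # fall back to "other" bits
}

# keytab_check PATH USER
# Prints a verdict; returns 1 if missing, 2 if empty, 3 if unreadable.
keytab_check() {
    path=$1 user=$2
    if [ ! -e "$path" ]; then echo "MISSING: $path"; return 1; fi
    if [ ! -s "$path" ]; then echo "EMPTY: $path"; return 2; fi
    set -- $(ls -ld "$path")   # -rw-r----- 1 root apache 1234 Jul 23 16:19 ...
    if mode_allows_read "$1" "$3" "$4" "$user"; then
        echo "OK: $path ($1 $3:$4) is readable by $user"
    else
        echo "UNREADABLE: $path ($1 $3:$4) is not readable by $user"
        echo "  suggested fix: chown root:$user $path && chmod 0640 $path"
        return 3
    fi
}

# Usage: sh keytab_check.sh /etc/httpd/conf.d/httpd.keytab apache
if [ $# -eq 2 ]; then keytab_check "$1" "$2"; fi
```

A keytab that passes this check can still fail on a host in SELinux enforcing mode or with a restrictive ACL, so keep ls -lZ and getfacl in the loop when the mode bits look right.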