Hi!

I am using the latest mod_auth_gssapi with Apache 2.4.46 on Debian 10.8 with krb5 1.17 and can't get gss_localname() to work.

Kerberos environment:

* FreeIPA as default realm
* Additional Active Directory
* Users are on FreeIPA OR Active Directory and should be able to authenticate against the website

Authentication with GssapiLocalName off is working well, but the application is not able to handle realms.

krb5.conf:

    [libdefaults]
    default_realm = WORKSTATION.OFFICE
    dns_lookup_realm = false
    dns_lookup_kdc = false
    rdns = false
    ticket_lifetime = 24h
    forwardable = yes

    [realms]
    WORKSTATION.OFFICE = {
        kdc = ipa.workstation.office:88
        default_domain = workstation.office
    }
    CORPORATE.LOCAL = {
        kdc = int-ad04.corporate.local
        admin_server = int-ad04.corporate.local
        default_domain = corporate.local
        auth_to_local = RULE:[1:$1@$0](.*@CORPORATE\.LOCAL)s/@.*//
    }

    [domain_realm]
    .workstation.office = WORKSTATION.OFFICE
    workstation.office = WORKSTATION.OFFICE
    .corporate.local = CORPORATE.LOCAL
    corporate.local = CORPORATE.LOCAL
    corporate.de = CORPORATE.LOCAL
    .corporate.de = CORPORATE.LOCAL

.htaccess of the affected website:

    <RequireAll>
    AuthType GSSAPI
    AuthName "GSSAPI Login"
    GssapiAllowedMech krb5
    GssapiPublishErrors On
    GssapiLocalName on
    GssapiBasicAuth off
    GssapiCredStore keytab:/home/office/office-ad.keytab
    require valid-user
    AuthBasicProvider ldap
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPGroupAttribute member
    AuthLDAPUrl "ldaps://ldap.office/cn=accounts,dc=workstation,dc=office?uid?sub?(objectClass=inetOrgPerson)" SSL
    ## this is required to get / allow auth eq to require valid-user
    # Require ldap-filter &(objectClass=inetOrgPerson)(|(memberOf=cn=office-ita,cn=groups,cn=accounts,dc=workstation,dc=office)(memberOf=cn=office-cod,cn=groups,cn=accounts,dc=workstation,dc=office))
    require valid-user
    </RequireAll>

The following errors are logged:

    [Tue Jul 06 12:08:41.148773 2021] [auth_gssapi:error] [pid 30765:tid 140024582170368] [client 192.168.212.52:0] GSS ERROR gss_localname() failed: [The operation or option is not available or unsupported (No such file or directory)]
    [Tue Jul 06 12:08:41.211385 2021] [auth_gssapi:error] [pid 30764:tid 140030051854080] [client 192.168.212.52:0] INTERNAL ERROR Mechanism needs continuation but neither GssapiConnectionBound nor GssapiUseSessions are configured

I also wrote a small debug program to call the gss_localname() function directly. Output:

    gss_localname return code: min 2 / maj 1048576 The operation or option is not available or unsupported

Discussion in the mod_auth_gssapi project: https://github.com/gssapi/mod_auth_gssapi/discussions/254

Looking forward to your help!

Thanks,
Tobias

--
Best regards from Dortmund,
Tobias Kritten (EXT), Head of Internal IT
dogado GmbH

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
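For readers working through the same setup: in MIT krb5 the krb5 mechanism's gss_localname() is backed by krb5_aname_to_localname(), which applies the auth_to_local rules of the form used in the krb5.conf above (RULE:[n:string](regexp)s/pattern/replacement/). The example below is an added, offline evaluator for that rule syntax, written for this page; it is not the poster's debug program and not part of MIT krb5 or mod_auth_gssapi. It lets an administrator check which principals a rule maps, and which it silently rejects (wrong component count, wrong realm), before relying on the result for access control. Assumptions: POSIX extended regexps are approximated with Python's re module, the s/// replacement is taken literally (no back-references), and the principal names fed in are constructed samples. One caveat worth checking separately: MIT krb5 looks up auth_to_local under the [realms] stanza of the local default realm (here WORKSTATION.OFFICE), not under the stanza of the client's realm, which is why the evaluator takes a flat rule list rather than a per-realm table.

```python
"""Offline evaluator for MIT-krb5-style auth_to_local rules (added example).

Not the poster's debug program and not MIT krb5 code; a small model of the
RULE:[n:string](regexp)s/pattern/replacement/[g] syntax and of DEFAULT,
so a rule can be tested against sample principals before deployment.
Assumptions: Python re stands in for POSIX extended regexps, and the
s/// replacement is literal (no back-references).
"""
import re
from typing import List, Optional, Tuple

# RULE:[n:string] followed by an optional (regexp) and an optional s/pat/repl/[g]
_RULE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"
    r"(?:\((?P<regex>.*)\))?"
    r"(?:s/(?P<pat>(?:[^/\\]|\\.)*)/(?P<repl>(?:[^/\\]|\\.)*)/(?P<g>g?))?$"
)


def split_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError(f"principal has no realm: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Return the local name produced by one RULE, or None if it does not apply."""
    m = _RULE.match(rule)
    if not m:
        raise ValueError(f"unparseable rule: {rule!r}")
    comps, realm = split_principal(principal)
    # [n:...] only fires for principals with exactly n components.
    if len(comps) != int(m["n"]):
        return None

    def expand(var: "re.Match[str]") -> str:
        i = int(var.group(1))
        return realm if i == 0 else comps[i - 1]

    # Build the selection string: $0 is the realm, $1..$n the components.
    selected = re.sub(r"\$(\d+)", expand, m["fmt"])
    # The optional (regexp) must match the whole selection string.
    if m["regex"] is not None:
        rm = re.match(m["regex"], selected)
        if rm is None or rm.end() != len(selected):
            return None
    # The optional s/pat/repl/ is applied to the selection string, not the principal.
    if m["pat"] is not None:
        pat = m["pat"].replace("\\/", "/")
        repl = m["repl"].replace("\\/", "/")
        selected = re.sub(pat, lambda _m: repl, selected, count=0 if m["g"] else 1)
    return selected


def map_principal(rules: List[str], principal: str, default_realm: str) -> Optional[str]:
    """First rule that yields a name wins; None means 'no local user' (deny)."""
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT: a single-component principal in the default realm maps to
            # that component; everything else is left unmapped.
            comps, realm = split_principal(principal)
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        name = apply_rule(rule, principal)
        if name is not None:
            return name
    return None


# The rule from the krb5.conf in the post, plus DEFAULT for the FreeIPA realm.
POST_RULE = r"RULE:[1:$1@$0](.*@CORPORATE\.LOCAL)s/@.*//"
RULES = [POST_RULE, "DEFAULT"]
DEFAULT_REALM = "WORKSTATION.OFFICE"

# Constructed sample principals (not real accounts).
SAMPLES = [
    "jdoe@CORPORATE.LOCAL",                        # AD user: mapped by POST_RULE
    "host/web01.corporate.local@CORPORATE.LOCAL",  # 2 components: rule skips it
    "alice@WORKSTATION.OFFICE",                    # FreeIPA user: mapped by DEFAULT
    "alice@OTHER.REALM",                           # foreign realm: no mapping
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:45} -> {map_principal(RULES, p, DEFAULT_REALM)}")
```

Running the block prints one line per sample; a None result is the case where the library would report no local name, which is the condition an access-control layer should treat as a denial rather than fall back to the raw principal string.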