Well, I ran my first test and it worked: if I authenticate over LDAP
without Kerberos it works, but when I try to add Kerberos, error messages show up in the log.
Any idea?
apachectl configtest reports no errors.
###############################################
cat /etc/krb5.conf
# Kerberos client configuration for realm REDE.COM.BR, as pasted in this report.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = REDE.COM.BR
dns_lookup_realm = false
# NOTE(review): DNS-based KDC discovery is enabled here while [realms] below
# also names a kdc explicitly; decide which of the two is meant to be authoritative.
dns_lookup_kdc = true
# NOTE(review): duplicate of the dns_lookup_realm line above; one of them can go.
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
# NOTE(review): forwardable tickets can be delegated onward by services that
# receive them; keep this only if delegation is actually required.
forwardable = true
# Do not use reverse DNS when canonicalizing service host names.
rdns = false
# Credential cache is kept in the per-UID kernel keyring (matches the klist
# output in this report: KEYRING:persistent:0:0).
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# NOTE(review): kdc and admin_server are set to the realm name itself, so they
# resolve to whatever DNS returns for that name; presumably the domain
# controllers. Confirm the name resolves only to hosts you trust as KDCs.
REDE.COM.BR = {
kdc = REDE.COM.BR
admin_server = REDE.COM.BR
}
# Host-name-to-realm mappings. NOTE(review): these match DNS names only; a
# request addressed to an IP literal (the error_log in this report shows
# HTTP/10.1.1.75@) is not covered by either entry.
[domain_realm]
.rede.com.br=REDE.COM.BR
rede.com.br=REDE.COM.BR
###############################################
kinit root
Password for root@REDE.COM.BR:
klist
Ticket cache: KEYRING:persistent:0:0
Default principal: root@REDE.COM.BR
Valid starting Expires Service principal
05/09/2017 09:45:36 05/09/2017 19:45:36 krbtgt/REDE.COM.BR@REDE.COM.BR
renew until 05/16/2017 09:45:34
###############################################
cat /etc/httpd/conf.d/proxy.conf
# Reverse proxy on plain HTTP (port 80) in front of the service listening on
# localhost:631; every path is gated by mod_auth_kerb through <Location />.
<VirtualHost *:80>
ProxyPreserveHost Off
ProxyPass / http://localhost:631/
ProxyPassReverse / http://localhost:631/
# Debug level is what produces the auth_kerb:debug / authz_core:debug lines in
# the error_log; lower it again once the problem is solved.
LogLevel debug
<Location />
AuthType Kerberos
KrbMethodNegotiate On
AuthName "REDE.COM.BR Domain Login"
# NOTE(review): with the password fallback enabled the browser sends the
# user's domain password to this server via Basic authentication. On this
# *:80 vhost that happens without TLS; serve the site over HTTPS or set this
# to Off and rely on Negotiate only.
KrbMethodK5Passwd On
KrbAuthRealms REDE.COM.BR
# NOTE(review): the keytab holds the service's long-term key and should be
# readable only by the account httpd runs as. It needs an HTTP/<fqdn>@REDE.COM.BR
# entry matching the host name clients use; the error_log in this report shows
# mod_auth_kerb building "HTTP/10.1.1.75@" because the site was reached by IP
# address, and the KDC answering "Server not found in Kerberos database".
# Verify the entries with `klist -k` on this file and access the site by FQDN.
Krb5KeyTab /etc/httpd/conf.d/httpd.keytab
# Strips the @REALM suffix from the authenticated user name. Safe with the
# single realm configured above; with several realms, names could collide.
KrbLocalUserMapping on
require valid-user
# AuthName "Informe usuario da rede"
# AuthType Basic
# AuthBasicProvider ldap
# NOTE(review): AuthBasicProvider ldap is commented out above and AuthType is
# Kerberos, so the AuthLDAP* settings below are presumably not used for
# authentication in this configuration; confirm, and remove them if unused.
# The AuthLDAPUrl value appears split across two lines in this paste (likely
# mail wrapping); in the real file it must be a single line.
# ldap:// is unencrypted, so the bind password and directory lookups cross the
# network in clear; prefer ldaps:// or the STARTTLS mode of AuthLDAPUrl.
AuthLDAPUrl ldap://
rede.com.br/ou=usuarios,dc=rede,dc=com,dc=br?sAMAccountName
AuthLDAPBindDN cn=users,dc=rede,dc=com,dc=br
# NOTE(review): the bind password is stored in clear in this file; restrict
# the file's permissions, use a bind account with read-only directory rights,
# and consider the exec: form of AuthLDAPBindPassword.
AuthLDAPBindPassword XXXXXX
# Duplicate of the "require valid-user" line above (directive names are
# case-insensitive); the error_log shows both being evaluated.
Require valid-user
LDAPReferrals Off
</Location>
#</Directory>
</VirtualHost>
###############################################
[root@delorean1 conf.d]# tail -f /var/log/httpd/error_log
[Mon May 08 17:48:42.320886 2017] [auth_kerb:error] [pid 19879] [client
10.251.14.140:55636] failed to verify krb5 credentials: Server not found in
Kerberos database, referer: http://10.1.1.75/
[Mon May 08 17:48:42.320898 2017] [auth_kerb:debug] [pid 19879]
src/mod_auth_kerb.c(1127): [client 10.251.14.140:55636]
kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL),
referer: http://10.1.1.75/
[Mon May 08 17:48:55.301656 2017] [authz_core:debug] [pid 19881]
mod_authz_core.c(809): [client 10.251.14.140:55638] AH01626: authorization
result of Require valid-user : denied (no authenticated user yet), referer:
http://10.1.1.75/
[Mon May 08 17:48:55.301702 2017] [authz_core:debug] [pid 19881]
mod_authz_core.c(809): [client 10.251.14.140:55638] AH01626: authorization
result of Require valid-user : denied (no authenticated user yet), referer:
http://10.1.1.75/
[Mon May 08 17:48:55.301710 2017] [authz_core:debug] [pid 19881]
mod_authz_core.c(809): [client 10.251.14.140:55638] AH01626: authorization
result of <RequireAny>: denied (no authenticated user yet), referer:
http://10.1.1.75/
[Mon May 08 17:48:55.301736 2017] [auth_kerb:debug] [pid 19881]
src/mod_auth_kerb.c(1954): [client 10.251.14.140:55638]
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos,
referer: http://10.1.1.75/
[Mon May 08 17:48:55.302037 2017] [auth_kerb:debug] [pid 19881]
src/mod_auth_kerb.c(1048): [client 10.251.14.140:55638] Using
HTTP/10.1.1.75@ as server principal for password verification, referer:
http://10.1.1.75/
[Mon May 08 17:48:55.302062 2017] [auth_kerb:debug] [pid 19881]
src/mod_auth_kerb.c(752): [client 10.251.14.140:55638] Trying to get TGT
for user [email protected], referer: http://10.1.1.75/
[Mon May 08 17:48:55.306313 2017] [auth_kerb:error] [pid 19881] [client
10.251.14.140:55638] krb5_get_init_creds_password() failed: Client not
found in Kerberos database, referer: http://10.1.1.75/
[Mon May 08 17:48:55.306348 2017] [auth_kerb:debug] [pid 19881]
src/mod_auth_kerb.c(1127): [client 10.251.14.140:55638]
kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL),
referer: http://10.1.1.75/
--
<<<<<<<<<<<<<<<<<<<------------------------------------------------------------------->>>>>>>>>>>>>>>>>>>
< Disse-lhe Jesus: Eu sou o caminho, e a verdade e a vida; ninguém vem ao
Pai, senão por mim >
(João 14:6)
Att.
♪ ♫ Luiz Guilherme Nunes
Fernandes ♫ ♪
<<<<<<<<<<<<<<<<<<<------------------------------------------------------------------->>>>>>>>>>>>>>>>>>>