
#1 2008-04-21 10:08:06

malaguna
Member
From: Spain
Registered: 2008-04-21
Posts: 4

SPNEGO authentication problem with Apache, Heimdal and mod_auth_kerb

Hi all,

We have an older server running Fedora 5 that uses Tomcat, the AJP connector and the MIT implementation of Kerberos. Our clients can access the applications by means of SSO using Firefox and Explorer. Now we want to replace the older Fedora 5 server with a new server running Arch Linux, but we are having problems with Kerberos.

I have an Arch Linux server with the following features:

* Apache 2.2.6.-3. I compiled Apache because it has no LDAP support, so I downloaded the PKGBUILDs of apr, apr-utils and apache and added LDAP support. Apache works OK with Tomcat (using AJP), validating against LDAP.
* Heimdal 1.0.1-2. It is correctly configured with our Windows KDC. It validates users and the server principal using the keytab (kinit -k -t).
* mod_auth_kerb-5.3 compiled from source (only with the option --without-krb4).

This is the auth configuration in Apache:

<Location "/prodcientif">
       Order allow,deny
       Allow from all
       AuthType  Kerberos
       AuthName "Authentication"

       # Kerberos directives
       KrbMethodNegotiate on
       KrbMethodK5Passwd off
       KrbAuthoritative on
       KrbAuthRealms OUR.DOMAIN
       KrbVerifyKDC on
       KrbServiceName HTTP
       Krb5Keytab /etc/httpd/keytab/airen.keytab
       KrbSaveCredentials off

       require valid-user
</Location>

This is the error that we get in Apache when a Firefox or Explorer client tries to log in:

[Mon Apr 21 10:59:03 2008] [error] [client 10.36.7.19] gss_display_name() failed:  An invalid name was supplied (unknown mech-code 0 for mech unknown)

Thanks in advance.


Life is what happens while you strive to fulfil your expectations.
Life is what happens to you while you're busy making other plans.


#2 2008-04-23 12:12:09

malaguna
Member
From: Spain
Registered: 2008-04-21
Posts: 4

Re: SPNEGO authentication problem with Apache, Heimdal and mod_auth_kerb

Well, I compiled the MIT Kerberos implementation and uninstalled Heimdal. It works.

I am testing the solution and tuning the software; I will post here and in AUR the PKGBUILDs for MIT Kerberos and mod_auth_kerb.



#3 2008-04-23 16:49:47

malaguna
Member
From: Spain
Registered: 2008-04-21
Posts: 4

Re: SPNEGO authentication problem with Apache, Heimdal and mod_auth_kerb

After some testing I found a problem with Subversion: the python-subversion binding depends on libgssapi, which is provided by the heimdal package. I tried reinstalling heimdal and now everything is working, but I don't like my current configuration at all, so I think the better solution is to get mod_auth_kerb working with Heimdal, but I am not able to do it.

The other choice is creating a PKGBUILD that compiles the MIT implementation with mod_auth_kerb and installs it in such a way that it doesn't disturb Heimdal, but it sounds like a bad solution.

I would like to receive some ideas about this. Is anybody interested?



#4 2008-04-24 16:39:31

zenlord
Member
From: Belgium
Registered: 2006-05-24
Posts: 1,221

Re: SPNEGO authentication problem with Apache, Heimdal and mod_auth_kerb

I'm interested, but my knowledge is practically zero.

I would like to enhance our existing Kerberos system (not set up by me though) with Apache and PostgreSQL in order for my PHP file program (still to be written in my spare time *sigh*) to work with SSO.

I am currently reading up on it and found this thread by accident... THX for your work and sharing it already!

Zl.
