Hi all,
We have an older server running Fedora 5 that uses Tomcat, the AJP connector and the MIT implementation of Kerberos. Our clients can access the applications by means of SSO using Firefox and Explorer. Now we want to replace the older Fedora 5 server with a new server running Arch Linux, but we are having problems with Kerberos.
I have an Arch Linux server with the following features:
* Apache 2.2.6.-3. I compiled Apache because it has no LDAP support, so I downloaded the PKGBUILDs of apr, apr-utils and apache and added LDAP support. Apache works OK with Tomcat (using AJP) validating against LDAP.
* Heimdal 1.0.1-2; it is correctly configured with our Windows KDC. It validates users and the server principal using the keytab (kinit -k -t).
* mod_auth_kerb-5.3 compiled from source. (only with the option --without-krb4)
This is the auth configuration in Apache:
<Location "/prodcientif">
    Order allow,deny
    Allow from all
    AuthType Kerberos
    AuthName "Authentication"
    # Kerberos directives
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbAuthoritative on
    KrbAuthRealms OUR.DOMAIN
    KrbVerifyKDC on
    KrbServiceName HTTP
    Krb5Keytab /etc/httpd/keytab/airen.keytab
    KrbSaveCredentials off
    require valid-user
</Location>
This is the error that we get in Apache when a Firefox or Explorer client tries to log in:
[Mon Apr 21 10:59:03 2008] [error] [client 10.36.7.19] gss_display_name() failed: An invalid name was supplied (unknown mech-code 0 for mech unknown)
Thanks in advance.
Life is what happens while you insist on fulfilling your expectations.
Life is what happens to you while you're busy making other plans
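An added example, not part of the original post and not code from mod_auth_kerb: a small Python check of the `<Location>` block quoted above for mod_auth_kerb settings that weaken a Kerberos SSO setup. The defaults table, the function names and the finding texts are assumptions of this example based on the mod_auth_kerb 5.x documentation; it audits the configuration only and does not diagnose the gss_display_name() error.

```python
import os
import stat

# Constructed sample input: the Kerberos directives from the post above.
SAMPLE = """\
<Location "/prodcientif">
AuthType Kerberos
# Kerberos directives
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbAuthRealms OUR.DOMAIN
KrbVerifyKDC on
Krb5Keytab /etc/httpd/keytab/airen.keytab
KrbSaveCredentials off
require valid-user
</Location>
"""

# Assumed module defaults when a directive is absent (mod_auth_kerb 5.x docs).
DEFAULTS = {"krbmethodk5passwd": "on", "krbverifykdc": "on",
            "krbsavecredentials": "off"}

def parse_directives(text):
    """Map lowercased directive name -> value; skip comments and section tags."""
    found = dict(DEFAULTS)
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith(("#", "<")):
            found[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return found

def audit(text):
    """Return findings for settings that weaken the Kerberos SSO setup."""
    d, findings = parse_directives(text), []
    if d["krbmethodk5passwd"].lower() == "on":
        findings.append("KrbMethodK5Passwd on: password fallback over Basic auth; use TLS or turn it off")
    if d["krbverifykdc"].lower() == "off":
        findings.append("KrbVerifyKDC off: KDC replies are not verified against the keytab")
    if d["krbsavecredentials"].lower() == "on":
        findings.append("KrbSaveCredentials on: user tickets are stored in a cache on the server")
    keytab = d.get("krb5keytab")
    if keytab is None:
        findings.append("Krb5Keytab not set: the system default keytab is used")
    elif os.path.exists(keytab) and stat.S_IMODE(os.stat(keytab).st_mode) & 0o077:
        findings.append("keytab %s is accessible to group/other" % keytab)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["no findings"]:
        print(finding)
```

The keytab permission check only runs when the file exists on the machine where the script is executed, so run it on the web server itself to cover that case.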
Well, I compiled the MIT Kerberos implementation and uninstalled Heimdal. It works.
I am testing the solution and tuning the software; I will post the PKGBUILDs for MIT Kerberos and mod_auth_kerb here and in AUR.
After some testing I found a problem with Subversion: the python-subversion binding depends on libgssapi, which is provided by the heimdal package. I tried to reinstall heimdal and now all is working, but I don't like my current configuration at all, so I think the better solution is to get mod_auth_kerb working with Heimdal, but I am not able to do it.
Another choice is creating a PKGBUILD that compiles the MIT implementation with mod_auth_kerb and installs it in such a way that it doesn't disturb heimdal, but it sounds like a bad solution.
I would like to receive some ideas about this. Is anybody interested?
I'm interested, but my knowledge is practically zero.
I would like to enhance our existing Kerberos system (not set up by me though) with Apache and PostgreSQL in order for my PHP file program (still to be written in my spare time *sigh*) to work with SSO.
I am currently reading up on it and found this thread by accident... THX for your work and sharing it already!
Zl.