[37450] in Kerberos
Apache 2 mod_auth_kerb / mod_auth_gssapi
daemon@ATHENA.MIT.EDU (Andreas Ladanyi)
Thu Mar 24 09:12:22 2016
To: kerberos@mit.edu
From: Andreas Ladanyi <andreas.ladanyi@kit.edu>
Message-ID: <56F3E7A6.4060507@kit.edu>
Date: Thu, 24 Mar 2016 14:12:06 +0100
Hi,
I want to migrate from mod_auth_kerb to mod_auth_gssapi.
config of the old system:
===============
Apache 2 (Linux), mod_auth_kerb, Mantis IT web platform configured with
basic auth in the config.php
Apache config for the directory entry of the Mantis platform:
AuthName bla
AuthType Kerberos
KrbAuthRealms REALM
KrbMethodNegotiate On
KrbServiceName HTTP
KrbLocalUserMapping On
Require valid-user
behavior of the old system:
================
1. Request the web platform (on Firefox and Linux)
2. a user/password window pops up (like on basic auth. It's equal if I am
in the realm with a TGT or outside the realm without a TGT; the popup
appears in both situations) and I enter my username / password from the
Kerberos realm principal. So for my comprehension the basic auth takes
the user/pass from the popup window and validates it against the KDC
(MIT on Linux).
3. login successful on the web platform
config of the new system:
===============
Apache 2.4 (Linux), mod_auth_gssapi, Mantis IT web platform configured
with basic auth in the config.php (same as on the old system)
Apache config for the directory entry of the Mantis platform:
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
GssapiBasicAuth On
GssapiLocalName on
GssapiCredStore keytab:/etc/httpd/http.keytab
Require valid-user
behavior of the new system:
=================
1. Request the web platform (on Firefox and Linux)
2. NO username/password window shows up
3. the web platform tells me that the username is invalid
The login should also (like on the old system) be possible from a client
outside the Kerberos realm, so a username/password popup should appear.
I thought this is possible because the GssapiBasicAuth is On. So how
could I debug/solve this issue? Is the expected behavior possible with
mod_auth_gssapi?
regards,
Andreas
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
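Added example, not part of the original message and not code from the mod_auth_gssapi project: a first check for the debugging question above is which schemes the server's 401 response advertises, because a browser only shows the username/password prompt after it receives a Basic challenge. The function names and the sample responses are constructed for illustration; HOST and PATH are placeholders.

```shell
#!/bin/sh
# Added diagnostic sketch. Feed it the raw response headers of an
# unauthenticated request, for example:
#   curl -sI https://HOST/PATH/ | diagnose     (HOST and PATH are placeholders)

# auth_offer: print "<status> negotiate=<yes|no> basic=<yes|no>".
auth_offer() {
    tr -d '\r' | awk '
        NR == 1 { status = $2; next }          # "HTTP/1.1 401 Unauthorized"
        /^$/    { exit }                       # end of the header block
        tolower($0) ~ /^www-authenticate:/ {   # header names are case-insensitive
            value = substr($0, index($0, ":") + 1)
            n = split(value, parts, ",")       # one header may carry several challenges
            for (i = 1; i <= n; i++) {
                split(parts[i], words, " ")
                scheme = tolower(words[1])
                if (scheme == "negotiate") nego = 1
                if (scheme == "basic")     basic = 1
            }
        }
        END { printf "%s negotiate=%s basic=%s\n", status,
                     (nego ? "yes" : "no"), (basic ? "yes" : "no") }
    '
}

# diagnose: turn the offer into a one-line finding.
diagnose() {
    offer=$(auth_offer)
    case "$offer" in
        "401 negotiate=yes basic=yes") echo "negotiate+basic offered" ;;
        "401 negotiate=yes basic=no")  echo "negotiate only, no basic fallback offered" ;;
        "401 negotiate=no basic=yes")  echo "basic only" ;;
        401*)                          echo "401 without negotiate or basic" ;;
        *)                             echo "not challenged: ${offer%% *}" ;;
    esac
}

# Constructed sample responses (not captured from any real server).
sample_both() {
    printf 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\nWWW-Authenticate: Basic realm="GSSAPI Single Sign On Login"\r\n\r\n'
}
sample_negotiate_only() {
    printf 'HTTP/1.1 401 Unauthorized\r\nwww-authenticate: Negotiate\r\n\r\n'
}
sample_unprotected() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
}

sample_negotiate_only | diagnose
```

A "not challenged" result for an unauthenticated request means the auth directives are not being applied to that URL, which is a different problem from a missing Basic challenge.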