[37465] in Kerberos
Re: Apache 2 mod_auth_kerb / mod_auth_gssapi
daemon@ATHENA.MIT.EDU (Andreas Ladanyi)
Mon Apr 4 08:30:17 2016
To: Simo Sorce <simo@redhat.com>
From: Andreas Ladanyi <andreas.ladanyi@kit.edu>
Message-ID: <57025E45.60108@kit.edu>
Date: Mon, 4 Apr 2016 14:29:57 +0200
MIME-Version: 1.0
In-Reply-To: <1458835130.16994.94.camel@redhat.com>
Cc: kerberos@mit.edu
Content-Type: multipart/mixed; boundary="===============2348582727987749665=="
Errors-To: kerberos-bounces@mit.edu
This is a cryptographically signed message in MIME format.
--===============2348582727987749665==
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
micalg=sha-256; boundary="------------ms050204030707010202030502"
This is a cryptographically signed message in MIME format.
--------------ms050204030707010202030502
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Hi Simo,
> On Thu, 2016-03-24 at 14:12 +0100, Andreas Ladanyi wrote:
>> The login should also (like on the old system) be possible from a clie=
nt
>> outside the kerberos realm, so a username/password popup should appear=
=2E
> If the basic auth header is received the browser will either show a
> popup, or just send credentials if it had them previously cached.
is this the HTTP 401 message from the server to the browser ?
>
>> I thought this is possible because the GssapiBasicAuth is On.
> GssapiBasicAuth On enables Basic Auth fallback indeed, but this option
> is supported only starting with version 1.2.0, what version do you use =
?
i use version 1.3.1
>
>> So how i could debug/solve this issue ?
> Check with developer tools if the browser is receiving a basic auth
> header, if not check the apache error logs after raising debug level to=
> see if mod_auth_gssapi is logging any error.
>
> Keep in mind that browsers will attempt negotiate auth in preference.
i used the Live HTTP header addon for firefox and get this response from
the Apache server:
HTTP/1.1 200 OK
Date: Mon, 04 Apr 2016 09:04:48 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
PHP/5.4.16
X-Powered-By: PHP/5.4.16
Set-Cookie: PHPSESSID=3D1he24b9k0igddspei4vnpt7sd6; path=3D/; HttpOnly
Set-Cookie: MANTIS_secure_session=3D0; path=3D/; httponly
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Mon, 04 Apr 2016 09:04:48 GMT
x-content-type-options: nosniff
Expires: Mon, 04 Apr 2016 09:04:48 GMT
X-Frame-Options: DENY
X-Content-Security-Policy: allow 'self'; options inline-script
eval-script; frame-ancestors 'none'
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 1470
Keep-Alive: timeout=3D5, max=3D100
Connection: Keep-Alive
Content-Type: text/html; charset=3Dutf-8
I cant see a HTTP 401 server message in the firefox log. So the apache
doesnt know (????) that 401 should be send to the browser so the
username/password popup doesnt appear ?
I cant see 401 messages in error_log/access_log from apache.
regards,
Andreas
--------------ms050204030707010202030502
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC
D/owggTVMIIDvaADAgECAghQTsb1PRG0ZDANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJE
RTEcMBoGA1UEChMTRGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0GA1UECxMWVC1UZWxlU2VjIFRy
dXN0IENlbnRlcjEjMCEGA1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBSb290IENBIDIwHhcNMTQw
NzIyMTIwODI2WhcNMTkwNzA5MjM1OTAwWjBaMQswCQYDVQQGEwJERTETMBEGA1UEChMKREZO
LVZlcmVpbjEQMA4GA1UECxMHREZOLVBLSTEkMCIGA1UEAxMbREZOLVZlcmVpbiBQQ0EgR2xv
YmFsIC0gRzAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6ZvDZ4X5Da71jVTD
llA1PWLpbkztlNcAW5UidNQg6zSP1uzAMQQLmYHiphTSUqAoI4SLdIkEXlvg4njBeMsWyyg1
OXstkEXQ7aAAeny/Sg4bAMOG6VwrMRF7DPOCJEOMHDiLamgAmu7cT3ir0sYTm3at7t4m6O8B
r3QPwQmi9mvOvdPNFDBP9eXjpMhim4IaAycwDQJlYE3t0QkjKpY1WCfTdsZxtpAdxO3/NYZ9
bzOz2w/FEcKKg6GUXUFr2NIQ9Uz9ylGs2b3vkoO72uuLFlZWQ8/h1RM9ph8nMM1JVNvJEzSa
cXXFbOqnC5j5IZ0nrz6jOTlIaoytyZn7wxLyvQIDAQABo4IBhjCCAYIwDgYDVR0PAQH/BAQD
AgEGMB0GA1UdDgQWBBRJt8bP6D0ff+pEexMp9/EKcD7eZDAfBgNVHSMEGDAWgBQxw3kbuvVT
1xfgiXotF2wKsyudMzASBgNVHRMBAf8ECDAGAQH/AgECMGIGA1UdIARbMFkwEQYPKwYBBAGB
rSGCLAEBBAICMBEGDysGAQQBga0hgiwBAQQDADARBg8rBgEEAYGtIYIsAQEEAwEwDwYNKwYB
BAGBrSGCLAEBBDANBgsrBgEEAYGtIYIsHjA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vcGtp
MDMzNi50ZWxlc2VjLmRlL3JsL0RUX1JPT1RfQ0FfMi5jcmwweAYIKwYBBQUHAQEEbDBqMCwG
CCsGAQUFBzABhiBodHRwOi8vb2NzcDAzMzYudGVsZXNlYy5kZS9vY3NwcjA6BggrBgEFBQcw
AoYuaHR0cDovL3BraTAzMzYudGVsZXNlYy5kZS9jcnQvRFRfUk9PVF9DQV8yLmNlcjANBgkq
hkiG9w0BAQsFAAOCAQEAYyAo/ZwhhnK+OUZZOTIlvKkBmw3Myn1BnIZtCm4ssxNZdbEzkhth
Jxb/w7LVNYL7hCoBSb1mu2YvssIGXW4/buMBWlvKQ2NclbbhMacf1QdfTeZlgk4y+cN8ekvN
TVx07iHydQLsUj7SyWrTkCNuSWc1vn9NVqTszC/Pt6GXqHI+ybxA1lqkCD3WvILDt7cyjrEs
jmpttzUCGc/1OURYY6ckABCwu/xOr24vOLulV0k/2G5QbyyXltwdRpplic+uzPLl2Z9Tsz6h
L5Kp2AvGhB8Exuse6J99tXulAvEkxSRjETTMWpMgKnmIOiVCkKllO3yG0xIVIyn8LNrMOVtU
FzCCBYUwggRtoAMCAQICBxhtyX6NkEowDQYJKoZIhvcNAQELBQAwgb8xCzAJBgNVBAYTAkRF
MRswGQYDVQQIExJCYWRlbi1XdWVydHRlbWJlcmcxEjAQBgNVBAcTCUthcmxzcnVoZTEqMCgG
A1UEChMhS2FybHNydWhlIEluc3RpdHV0ZSBvZiBUZWNobm9sb2d5MScwJQYDVQQLEx5TdGVp
bmJ1Y2ggQ2VudHJlIGZvciBDb21wdXRpbmcxDzANBgNVBAMTBktJVC1DQTEZMBcGCSqGSIb3
DQEJARYKY2FAa2l0LmVkdTAeFw0xNDEwMjcxMzQzMTBaFw0xNzEwMjYxMzQzMTBaMFMxCzAJ
BgNVBAYTAkRFMSowKAYDVQQKEyFLYXJsc3J1aGUgSW5zdGl0dXRlIG9mIFRlY2hub2xvZ3kx
GDAWBgNVBAMTD0FuZHJlYXMgTGFkYW55aTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBALS9FLhBNDEFmD+TGTrfkgQQ5hh2Q3/fcVM7BcMsbwWqEt0wWQv4bpfMpTbDk6zrzW3S
RTj0wYs6n2EBn/iSMQID6JshuI6JkLzF4Sl3H/6G4X+ZY9ngTdJ6f8C5LTLxb4/hyBAYd/P9
aN2VxEleGjIbzVvVTtdeitH4d/+0xJZLGfeczY++47PyaBDEAfJhsNu4cObvFTiqwxFrs0wb
uDO1YDHcza2IvptwImL9ZtddIuqyeKLW04RkX3BGwx8KnzjX5op4nc8kuGh6Tcju1PfMZp9+
tJvKrKt7JhJ+10RkYFZac7u5TbifALymRj6zODidUYYMaOXp7ktV1cNvSAcCAwEAAaOCAe8w
ggHrMEAGA1UdIAQ5MDcwEQYPKwYBBAGBrSGCLAEBBAMCMBEGDysGAQQBga0hgiwCAQQDATAP
Bg0rBgEEAYGtIYIsAQEEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0GA1UdJQQWMBQGCCsG
AQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQUUgcXFlk6p+3d+XhNLFJVkl3zzoswHwYDVR0j
BBgwFoAUH3Rl9JodevYx6d9hG3MrDW3QM0kwIgYDVR0RBBswGYEXYW5kcmVhcy5sYWRhbnlp
QGtpdC5lZHUwdwYDVR0fBHAwbjA1oDOgMYYvaHR0cDovL2NkcDEucGNhLmRmbi5kZS9raXQt
Y2EvcHViL2NybC9jYWNybC5jcmwwNaAzoDGGL2h0dHA6Ly9jZHAyLnBjYS5kZm4uZGUva2l0
LWNhL3B1Yi9jcmwvY2FjcmwuY3JsMIGSBggrBgEFBQcBAQSBhTCBgjA/BggrBgEFBQcwAoYz
aHR0cDovL2NkcDEucGNhLmRmbi5kZS9raXQtY2EvcHViL2NhY2VydC9jYWNlcnQuY3J0MD8G
CCsGAQUFBzAChjNodHRwOi8vY2RwMi5wY2EuZGZuLmRlL2tpdC1jYS9wdWIvY2FjZXJ0L2Nh
Y2VydC5jcnQwDQYJKoZIhvcNAQELBQADggEBAC5rCfqimLg9U02MWAGHDlHOz8N0gSPj1/eN
c3tZ9nKAHrl2Ni3Xdpa48oq0vHh7jwmYoZm1ZTHv9ulqgcAyzf75OxQuXNGmrYnUM+jKKrli
Vpx0o9V5QfwDr/Wg+LSix1EcO3oxb2N4pqLbf76yya7dlo2Lz2jL8AKGSoE2Nm1xGUI1mJxi
UbYbitThuAhSZUKYURInsLqs4wsQAZwt0ZqOwVsv8hnjBkpDLE4ProTsL/OevCrSRN8+Lk1r
TdcNHU9biNf7ieY67MqKHVIP6t9ZRhoLa5hJQsKxyUpPuh6eigl4pc2PXfzfwkF5B5zS7umg
4HPIF5/WP3C3qUSimb8wggWUMIIEfKADAgECAgcXr/dvIyLpMA0GCSqGSIb3DQEBCwUAMFox
CzAJBgNVBAYTAkRFMRMwEQYDVQQKEwpERk4tVmVyZWluMRAwDgYDVQQLEwdERk4tUEtJMSQw
IgYDVQQDExtERk4tVmVyZWluIFBDQSBHbG9iYWwgLSBHMDEwHhcNMTQwNjA1MTQwODMxWhcN
MTkwNzA5MjM1OTAwWjCBvzELMAkGA1UEBhMCREUxGzAZBgNVBAgTEkJhZGVuLVd1ZXJ0dGVt
YmVyZzESMBAGA1UEBxMJS2FybHNydWhlMSowKAYDVQQKEyFLYXJsc3J1aGUgSW5zdGl0dXRl
IG9mIFRlY2hub2xvZ3kxJzAlBgNVBAsTHlN0ZWluYnVjaCBDZW50cmUgZm9yIENvbXB1dGlu
ZzEPMA0GA1UEAxMGS0lULUNBMRkwFwYJKoZIhvcNAQkBFgpjYUBraXQuZWR1MIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzLKoiomigEFRKS9tHTwdCHo00T62o0Su5sMF6aga
PwDzTfCD7XG9eqSE7W+cEAGnlT77vGAPm4uVNw5v8XhQWskEHL1AKdOHMJv56ob73gjDqbwu
NaoIqiv2UrA0JSK3u/M0A4J3SvSI0JhXb/Fwry0dIfDeYZeC/B9jQX2PXidQSD2d3mQ+rQDD
2JAcO5ic7PcDw1VOlelMLOJBMJklBgRMOwL6fKdA3ay8CYBXdXUclF78APqJ3L/oc3QS0Ag4
+UTWnHXg0VLhJmpST8Xi8PynFLP9hTBsIYrggfftX1txtCYDw000oG0UupfX2i+5CffaVHBJ
b8LPceP7NJE/cwIDAQABo4IB9zCCAfMwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8E
BAMCAQYwEQYDVR0gBAowCDAGBgRVHSAAMB0GA1UdDgQWBBQfdGX0mh169jHp32EbcysNbdAz
STAfBgNVHSMEGDAWgBRJt8bP6D0ff+pEexMp9/EKcD7eZDAVBgNVHREEDjAMgQpjYUBraXQu
ZWR1MIGIBgNVHR8EgYAwfjA9oDugOYY3aHR0cDovL2NkcDEucGNhLmRmbi5kZS9nbG9iYWwt
cm9vdC1jYS9wdWIvY3JsL2NhY3JsLmNybDA9oDugOYY3aHR0cDovL2NkcDIucGNhLmRmbi5k
ZS9nbG9iYWwtcm9vdC1jYS9wdWIvY3JsL2NhY3JsLmNybDCB1wYIKwYBBQUHAQEEgcowgccw
MwYIKwYBBQUHMAGGJ2h0dHA6Ly9vY3NwLnBjYS5kZm4uZGUvT0NTUC1TZXJ2ZXIvT0NTUDBH
BggrBgEFBQcwAoY7aHR0cDovL2NkcDEucGNhLmRmbi5kZS9nbG9iYWwtcm9vdC1jYS9wdWIv
Y2FjZXJ0L2NhY2VydC5jcnQwRwYIKwYBBQUHMAKGO2h0dHA6Ly9jZHAyLnBjYS5kZm4uZGUv
Z2xvYmFsLXJvb3QtY2EvcHViL2NhY2VydC9jYWNlcnQuY3J0MA0GCSqGSIb3DQEBCwUAA4IB
AQA6Fib/1FcgfZ37KMpvcSqfGu7Di2uF0j1P8ayheA6d1HZSncwytib8ws4hedEoh+eGbim7
ClGumF8B4lhzu7bFFtvq+nJ23+hRnL8pcnjrXrULKCrwdmzIRBtH59QePvZOSLlyaXEEh4im
YUWv5ajVjveYSh74bVDvHZU2LZU2khJr+kQHH8NiXGCogdhgve4d2KcIpgwtebH88GHZ4U3U
lxeeAlT4MBzy/OXEf2COypULY7yOss9eJpmu332Delu1AQzz3P+XpomCIMW8BARWeaK35Lz7
X3iVLk9xSO0QZhPJj5f23rXn3Wc6hdRd+e3pq6bhh/YGWyaffEoK7kKoMYIEkjCCBI4CAQEw
gcswgb8xCzAJBgNVBAYTAkRFMRswGQYDVQQIExJCYWRlbi1XdWVydHRlbWJlcmcxEjAQBgNV
BAcTCUthcmxzcnVoZTEqMCgGA1UEChMhS2FybHNydWhlIEluc3RpdHV0ZSBvZiBUZWNobm9s
b2d5MScwJQYDVQQLEx5TdGVpbmJ1Y2ggQ2VudHJlIGZvciBDb21wdXRpbmcxDzANBgNVBAMT
BktJVC1DQTEZMBcGCSqGSIb3DQEJARYKY2FAa2l0LmVkdQIHGG3Jfo2QSjANBglghkgBZQME
AgEFAKCCApcwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTYw
NDA0MTIyOTU3WjAvBgkqhkiG9w0BCQQxIgQgXMs6JokZIOf0qk7wJ0kqQXCSgOGv/wFNkCQM
3bnvSBIwbAYJKoZIhvcNAQkPMV8wXTALBglghkgBZQMEASowCwYJYIZIAWUDBAECMAoGCCqG
SIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG
9w0DAgIBKDCB3AYJKwYBBAGCNxAEMYHOMIHLMIG/MQswCQYDVQQGEwJERTEbMBkGA1UECBMS
QmFkZW4tV3VlcnR0ZW1iZXJnMRIwEAYDVQQHEwlLYXJsc3J1aGUxKjAoBgNVBAoTIUthcmxz
cnVoZSBJbnN0aXR1dGUgb2YgVGVjaG5vbG9neTEnMCUGA1UECxMeU3RlaW5idWNoIENlbnRy
ZSBmb3IgQ29tcHV0aW5nMQ8wDQYDVQQDEwZLSVQtQ0ExGTAXBgkqhkiG9w0BCQEWCmNhQGtp
dC5lZHUCBxhtyX6NkEowgd4GCyqGSIb3DQEJEAILMYHOoIHLMIG/MQswCQYDVQQGEwJERTEb
MBkGA1UECBMSQmFkZW4tV3VlcnR0ZW1iZXJnMRIwEAYDVQQHEwlLYXJsc3J1aGUxKjAoBgNV
BAoTIUthcmxzcnVoZSBJbnN0aXR1dGUgb2YgVGVjaG5vbG9neTEnMCUGA1UECxMeU3RlaW5i
dWNoIENlbnRyZSBmb3IgQ29tcHV0aW5nMQ8wDQYDVQQDEwZLSVQtQ0ExGTAXBgkqhkiG9w0B
CQEWCmNhQGtpdC5lZHUCBxhtyX6NkEowDQYJKoZIhvcNAQEBBQAEggEAZIaESfHfDbyGrFdO
o/+oMN+QwiXG2wcpN6sXyFCPwfo8BEkbGVVoYCs2Ay9p3JzYZPU+GCyO+dhld3j+AvIlXpcP
GT5/u2tWTDXDmflrt2yhWXAMvxJXr5Lg3GtHxenS0lUIvA52hxEXdbBMDBhVlqMGNP49pgAO
FHBdcPwRBK417iYRQl6u5e4EwLMzeWleR17Yl5Q6z+HTh03H7PJ/tfmOt1FPW99E4FCHTrGA
mZ0s1lTWI8D/WnJD/dz2jcG2uVAaZw1lcKwfQxIWy7xRLbcWAH7lH/DLGY/xQ51Nsf9F1A9d
VOFPOGGMeupl0qG6vZSo/SpPa+BNf/OHU0A2WQAAAAAAAA==
--------------ms050204030707010202030502--
--===============2348582727987749665==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
--===============2348582727987749665==--
