[38282] in Kerberos
Re: Kerberos and Apache reverse proxy
daemon@ATHENA.MIT.EDU (Jaap Winius)
Fri Jul 13 20:25:24 2018
Date: Sat, 14 Jul 2018 00:25:00 +0000
Message-ID: <20180714002500.Horde.T3p15c57gZ-gNFpcDLYeMuh@bhr1.umrk.nl>
From: Jaap Winius <jwinius@umrk.nl>
To: Dmitri Pal <dpal@redhat.com>
In-Reply-To: <CAOPuEqXJJ_-9_0Oxwn5ynVnUsbOoTpa4-qMPx2C8xvZYs+21Kg@mail.gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Quoting Dmitri Pal <dpal@redhat.com>:
> It should not. The Kerberos authenticated users should just map to existing
> users.
> See mod_auth_gssapi for more details.
> https://github.com/modauthgssapi/mod_auth_gssapi/blob/master/README
It's great to hear that a solution like this exists, but as my luck
would have it, mod_auth_gssapi, which is included in the Debian
package libapache2-mod-auth-gssapi, is not available for Debian
wheezy, and this is the OS that my MediaWiki server is still running
on. So currently, if I access the MediaWiki server directly, all is
fine. But if I attempt to access it through the proxy, the proxy's
Apache error.log says:
[Sat Jul 14 00:44:41.794483 2018] [access_compat:error] [pid 25847]
[client 72.85.26.20:39214] \
AH01797: client denied by server configuration:
proxy:http://192.168.20.22/mediawiki
While over on the backend MediaWiki server, the Apache error.log says:
[Sat Jul 14 01:44:41 2018] [error] [client 185.57.111.47]
gss_accept_sec_context() failed: \
Unspecified GSS failure. Minor code may provide more information (, )
It looks like this is where I could really use mod_auth_gssapi on the
backend, but alas. Might anyone know of a workaround, or another
package that I could use instead?
Thanks,
Jaap
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
