[38285] in Kerberos
Re: Kerberos and Apache reverse proxy
daemon@ATHENA.MIT.EDU (Dmitri Pal)
Fri Jul 13 21:33:33 2018
In-Reply-To: <20180714002500.Horde.T3p15c57gZ-gNFpcDLYeMuh@bhr1.umrk.nl>
From: Dmitri Pal <dpal@redhat.com>
Date: Fri, 13 Jul 2018 21:00:05 -0400
Message-ID: <CAOPuEqWE24yH9m=EYZEnQtmSbX08uzkZ4b5H72vYw=NzvncHAA@mail.gmail.com>
To: Jaap Winius <jwinius@umrk.nl>
Cc: kerberos <kerberos@mit.edu>
Hello,
You can use an older package called mod_auth_kerb.
It is not recommended, as mod_auth_gssapi is much better, but if your distro does
not have it you might not have a choice.
Thanks
Dmitri
On Fri, Jul 13, 2018 at 8:25 PM, Jaap Winius <jwinius@umrk.nl> wrote:
>
> Quoting Dmitri Pal <dpal@redhat.com>:
>
>> It should not. The Kerberos authenticated users should just map to existing
>> users.
>> See mod_auth_gssapi for more details.
>> https://github.com/modauthgssapi/mod_auth_gssapi/blob/master/README
>>
>
> It's great to hear that a solution like this exists, but as my luck would
> have it, mod_auth_gssapi, which is included in the Debian package
> libapache2-mod-auth-gssapi, is not available for Debian wheezy, and this is
> the OS that my MediaWiki server is still running on. So currently, if I
> access the MediaWiki server directly, all is fine. But if I attempt to
> access it through the proxy, the proxy's Apache error.log says:
>
> [Sat Jul 14 00:44:41.794483 2018] [access_compat:error] [pid 25847]
> [client 72.85.26.20:39214] \
> AH01797: client denied by server configuration: proxy:
> http://192.168.20.22/mediawiki
>
> While over on the backend MediaWiki server, the Apache error.log says:
>
> [Sat Jul 14 01:44:41 2018] [error] [client 185.57.111.47]
> gss_accept_sec_context() failed: \
> Unspecified GSS failure. Minor code may provide more information (, )
>
> It looks like this is where I could really use mod_auth_gssapi on the
> backend, but alas. Might anyone know of a workaround, or another package
> that I could use instead?
>
> Thanks,
>
> Jaap
>
>
--
Thank you,
Dmitri Pal
Engineering Director, Identity Management and Platform Security
Red Hat, Inc.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos