Roman Kulakovich, 2017-09-07 05:17:07
Apache HTTP Server

Apache + PAM + sssd + sso pass-through authentication?

I want to do pass-through authentication with an AD account.
What I have:
Debian 9 server, joined to the AD domain with SSSD/realmd and configured for Kerberos;
an account has been created and a keytab file generated; SPN records have been added;
web server: Apache2 (2.4.25-3+deb9u2);
Icinga2, for which all of this was started;
keytab output:

Keytab name: FILE:/etc/apache2/Apache-Krb.keytab
KVNO Timestamp           Principal
---- ------------------- --------------------------------------------------
   4 01/01/1970 07:00:00 HTTP/[email protected] (des-cbc-crc)
   4 01/01/1970 07:00:00 HTTP/[email protected] (des-cbc-md5)
   4 01/01/1970 07:00:00 HTTP/[email protected] (arcfour-hmac)
   4 01/01/1970 07:00:00 HTTP/Apache-Krb [email protected] (aes256-cts-hmac-sha1-96)
   4 01/01/1970 07:00:00 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
   4 01/01/1970 07:00:00 HTTP/[email protected] (des-cbc-crc)
   4 01/01/1970 07:00:00 HTTP/[email protected] (des-cbc-md5)
   4 01/01/1970 07:00:00 HTTP/[email protected] CORP.DOMAIN.RU (arcfour-hmac)
   4 01/01/1970 07:00:00 HTTP/[email protected] (aes256-cts-hmac-sha1-96)
   4 01/01/1970 07:00:00 HTTP/[email protected] (aes128-cts-hmac-sha1-96)

The rows are duplicated because there are several SPN records.
Apache config:
Alias /icingaweb2 "/usr/share/icingaweb2/public"
AuthType Kerberos
AuthName "PAM authentication"
Krb5Keytab /etc/apache2/Apache-Krb.keytab
KrbAuthRealms CORP.DOMAIN.RU
KrbMethodK5Passwd on
Require pam-account apache2-icingaweb2
Options SymLinksIfOwnerMatch
SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"
RewriteEngine on
RewriteBase /icingaweb2/
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ index.php [NC,L]
DirectoryIndex error_norewrite.html
ErrorDocument 404 /error_norewrite.html

I go to 192.168.0.1/icingaweb2 or corp.domain.ru/icingaweb2 and get the Apache login prompt. I can't get past the prompt and get a 401 error. When I log in to the server itself with the domain account [email protected], there are no problems logging in.
Tell me which way to dig: where I messed up, what I'm doing wrong.
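The checks a practitioner would run on a 401 like this, as an added example that is not part of the original post: a browser only obtains a Negotiate ticket for HTTP/<hostname in the URL>@REALM, never for an IP literal, so the script derives that SPN from the URL and tests whether a keytab listing contains it. The realm CORP.DOMAIN.RU, the keytab path, the www-data user and the sample listing are assumptions taken from or modelled on the question; the live checks (keytab readable by Apache, kinit from the keytab, curl with Negotiate) run only with --live.

```shell
#!/bin/sh
# Added diagnostic helper, not from the original post. Assumptions: realm
# CORP.DOMAIN.RU, the keytab path from the question, Apache running as
# www-data (Debian default); the sample listing below is constructed.
KEYTAB=/etc/apache2/Apache-Krb.keytab
REALM=CORP.DOMAIN.RU

# The SPN a browser requests from the KDC is HTTP/<host part of the URL>.
# An IP literal never yields a Negotiate token; the user then only gets the
# KrbMethodK5Passwd password prompt, so test with a hostname, not an IP.
spn_for_url() {
    host=$(printf '%s' "$1" | sed -e 's|^[A-Za-z]*://||' -e 's|[/:].*$||')
    case "$host" in
        *[!0-9.]*) printf 'HTTP/%s@%s' "$host" "$REALM" ;;
        *)         printf 'NONE' ;;
    esac
}

# Does a `klist -k` listing (passed as text) contain the principal exactly?
keytab_has_spn() {
    printf '%s\n' "$1" | grep -Fq "$2"
}

# Offline check against a constructed listing shaped like the one in the
# question: the keytab holds HTTP/Apache-Krb, but a browser visiting
# corp.domain.ru asks the KDC for HTTP/corp.domain.ru. Returns 0 on a match.
SAMPLE_LISTING='   4 01/01/1970 07:00:00 HTTP/Apache-Krb@CORP.DOMAIN.RU (aes256-cts-hmac-sha1-96)'
sample_matches() {
    keytab_has_spn "$SAMPLE_LISTING" "$(spn_for_url "$1")"
}

# Live checks; run as: sh check-krb.sh --live http://corp.domain.ru/icingaweb2
diagnose() {
    url="$1"; spn=$(spn_for_url "$url")
    if [ "$spn" = NONE ]; then echo "URL uses an IP; Negotiate cannot work"; return 1; fi
    keytab_has_spn "$(klist -k "$KEYTAB")" "$spn" || echo "keytab lacks $spn"
    sudo -u www-data test -r "$KEYTAB" || echo "www-data cannot read $KEYTAB"
    # A TGT obtained from the keytab proves it is valid against the KDC (KVNO, enctypes).
    KRB5CCNAME=/tmp/krb5cc_check kinit -kt "$KEYTAB" "$spn" || echo "kinit with keytab failed"
    # Replay the browser's Negotiate round trip; 200 means SSO works end to end.
    curl -sS -o /dev/null -w '%{http_code}\n' --negotiate -u : "$url"
}

if [ "${1:-}" = --live ]; then diagnose "$2"; fi
```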
