Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
R
R
Roman Kulakovich2017-09-07 05:17:07
Apache HTTP Server
Roman Kulakovich, 2017-09-07 05:17:07

Apache + PAM + sssd + sso pass-through authentication?

I want to do pass-through authentication using an AD account.
Available:
Debian 9 server, AD domain joined with SSSD/realmd, configured with Kerberos;
An account has been created and a keytab file has been generated. Added SPN records;
Web server: Apache2 (2.4.25-3+deb9u2);
Icinga2 for which everything started;
keytab output:

Keytab name: FILE:/etc/apache2/Apache-Krb.keytab
KVNO Timestamp Principal
---- ------------------- --------- --------------------------------------------------
4 01.01.1970 07 :00:00 HTTP/[email protected] (des-cbc-crc)
4 01/01/1970 07:00:00 HTTP/[email protected] (des-cbc-md5)
4 01/01/1970 07:00:00 HTTP/[email protected] (arcfour-hmac)
4 01/01/1970 07:00:00 HTTP/Apache-Krb [email protected] (aes256-cts-hmac-sha1-96)
4 01/01/1970 07:00:00 HTTP/[email protected] (aes128-cts- hmac-sha1-96)
4 01/01/1970 07:00:00 HTTP/[email protected] (des-cbc-crc)
4 01/01/1970 07:00:00 HTTP/[email protected] (des-cbc-md5)
4 01/01/1970 07:00:00 HTTP/[email protected] CORP.DOMAIN.RU (arcfour-hmac)
4 01/01/1970 07:00:00 HTTP/[email protected] (aes256-cts-hmac-sha1-96)
4 01/01/1970 07 :00:00 HTTP/[email protected] (aes128-cts-hmac-sha1-96)

Rows duplicated due to multiple SPN records
Apache config:
Alias ​​/icingaweb2 "/usr/share/icingaweb2/public"
AuthType Kerberos
AuthName "PAM authentication"
Krb5Keytab /etc/apache2/Apache-Krb.keytab
KrbAuthRealms CORP.DOMAIN.RU
KrbMethodK5Passwd on
Require pam-account apache2-icingaweb2
Options
SymLinksIfOverrideMatch
SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"
RewriteEngine on
RewriteBase /icingaweb2/
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC, L]
RewriteRule ^.*$ index.php [NC,L]
DirectoryIndex error_norewrite.html
ErrorDocument 404 /error_norewrite.html

I go to the page 192.168.0.1/icingaweb2, or corp.domain.ru/icingaweb2 and get the Apache authorization window. I can’t go further than the authorization window and I get a 401 error. I go to the server itself under the domain account [email protected] and there are no problems with authorization.
Tell me which way to drip, where I messed up, what I'm doing wrong.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

0 answer(s)
Similar questions
G
Gleb2017-10-26 12:58:44
How to organize multi-threaded access to third-party APIs? 2Reply
V
Valery Petrov2017-10-30 12:59:56
Yii2. Error after moving to hosting.? 1Reply
O
OneOlOf2020-03-17 03:23:55
How to redirect to a 404 error page? 1Reply
S
seredaes2017-11-08 00:52:17
How to setup apache access in ubuntu? 2Reply
V
Viktor Yanyshev2017-11-09 17:48:50
What could be wrong with the rights? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question