ubuntu
Viktor Yanyshev, 2016-12-21 16:09:58

Transparent authorization on the site, only by Log+Pass but not without Log+Pass?

There was a need to set up authorization on the company's internal website without entering a login and password. Apache 2.4 on Ubuntu 16.04 has been joined to the domain. The Kerberos module for Apache was installed. Everything seems to be working: when going to the address of the corporate site, it asks for a login and password (several different users from AD with different groups of rights were entered) and the login to the site is successful. But if you turn off the login and password request, then there are only 401 errors on the page.
Kerberos:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = LOCAL.DOMAIN.RU
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
 default_keytab_name = /etc/krb5.keytab

[realms]
 LOCAL.DOMAIN.RU = {
  kdc = name.local.domain.ru:88
  kdc = name.local.domain.ru:88
  admin_server = name.local.domain.ru:749
  default_domain = local.domain.ru
 }

[domain_realm]
 .local.domain.ru = LOCAL.DOMAIN.RU
 local.domain.ru = LOCAL.DOMAIN.RU

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

.htaccess:
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms LOCAL.DOMAIN.RU
KrbServiceName HTTP/[email protected]
Krb5Keytab /etc/krb5.keytab
KrbMethodNegotiate On
KrbSaveCredentials On
KrbMethodK5Passwd Off
KrbLocalUserMapping On
KrbVerifyKDC Off
Require valid-user

Apache error log:
[Wed Dec 21 15:54:28.289060 2016] [authz_core:debug] [pid 14524] mod_authz_core.c(809): [client 127.0.0.1:54494] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: http://*********.dev/
[Wed Dec 21 15:54:28.289146 2016] [authz_core:debug] [pid 14524] mod_authz_core.c(809): [client 127.0.0.1:54494] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: http://*********.dev/
[Wed Dec 21 15:54:28.289157 2016] [auth_kerb:debug] [pid 14524] src/mod_auth_kerb.c(1971): [client 127.0.0.1:54494] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://********.dev/
[Wed Dec 21 15:54:28.632077 2016] [authz_core:debug] [pid 14524] mod_authz_core.c(809): [client 127.0.0.1:54494] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: http://********.dev/sprav
[Wed Dec 21 15:54:28.632119 2016] [authz_core:debug] [pid 14524] mod_authz_core.c(809): [client 127.0.0.1:54494] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: http://**********.dev/sprav
[Wed Dec 21 15:54:28.632134 2016] [auth_kerb:debug] [pid 14524] src/mod_auth_kerb.c(1971): [client 127.0.0.1:54494] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://*********.dev/sprav
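
An added example, not part of the original post: with KrbMethodNegotiate On and KrbMethodK5Passwd Off, the only credential the server can accept is a Kerberos token in an "Authorization: Negotiate" header, so it helps to classify what the client actually sends. The helper names (classify_authorization, _spnego_init, _hdr) are hypothetical and the sample headers are constructed, not captured traffic.

```python
import base64

# DER-encoded OIDs found at the start of GSS-API / SPNEGO tokens.
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),             # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"),             # 1.2.840.48018.1.2.2 (Microsoft)
)
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLM_MAGIC = b"NTLMSSP\x00"

def classify_authorization(header):
    """Classify an HTTP Authorization header value (hypothetical helper)."""
    if not header:
        return "none"                # no credentials offered at all
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "negotiate":  # Basic is the KrbMethodK5Passwd path
        return "basic" if scheme.lower() == "basic" else "other"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:               # binascii.Error is a ValueError
        return "negotiate-malformed"
    if token.startswith(NTLM_MAGIC):
        return "negotiate-ntlm"      # raw NTLMSSP message, not a Kerberos ticket
    head = token[:64] if token[:1] == b"\x60" else b""  # mech OIDs sit up front
    if any(oid in head for oid in KRB5_OIDS):
        return "negotiate-kerberos"  # the token type KrbMethodNegotiate verifies
    if NTLMSSP_OID in head:
        return "negotiate-ntlm"      # SPNEGO wrapper offering only NTLM
    return "negotiate-unknown"

def _spnego_init(mech_oid):
    """Constructed minimal SPNEGO NegTokenInit: one mechType, no mechToken."""
    body = mech_oid
    for tag in (0x30, 0xA0, 0x30, 0xA0):
        body = bytes([tag, len(body)]) + body
    body = SPNEGO_OID + body
    return bytes([0x60, len(body)]) + body

def _hdr(scheme, raw):
    return scheme + " " + base64.b64encode(raw).decode()

# Constructed sample headers, not captured traffic.
SAMPLES = {
    "kerberos": _hdr("Negotiate", _spnego_init(KRB5_OIDS[0])),
    "ntlm_spnego": _hdr("Negotiate", _spnego_init(NTLMSSP_OID)),
    "ntlm_raw": _hdr("Negotiate", NTLM_MAGIC + b"\x01\x00\x00\x00"),
    "basic": _hdr("Basic", b"user:password"),
}
```

Feed it the Authorization value of a request that ended in 401, taken from the browser's network tab or a server-side header log.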

1 answer(s)
srdp, 2019-10-22
@srdp

kerberos_mgmt_account_delegation.png
