Kerberos working on the command line, not via apache

         

bbbaldie

1:38 pm on Jun 4, 2010 (gmt 0)

10+ Year Member



On a private intranet, I have Kerberos authentication working flawlessly at the command line of a CentOS4 server. However, apache2 seems totally unaware of it. Here's a snip from httpd.conf:

LoadModule auth_kerb_module modules/mod_auth_kerb.so


and here's an .htaccess file on a protected directory:

AuthName "Kerberos Login"
AuthType KerberosV5
Krb5Keytab /var/www/auth_kerb.keytab
KrbAuthRealm MYDOMAIN.COM
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbSaveCredentials off
KrbVerifyKDC off
Require user MYDOMAIN\myusername


I get served up a 401 page, never a challenge for a username/password.

No error log notes, this from access.log:

10.30.150.60 - - [04/Jun/2010:08:08:04 -0500] "GET /test HTTP/1.1" 401 472 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 GTB7.0"


It appears to me that apache is unaware of kerberos, even though the module successfully loads.

Any idea what to try next?

lammert

7:07 am on Jun 5, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



AuthType KerberosV5

This tag has been superseded by Kerberos now. KerberosV5 should still be possible due to backwards compatibility code, but you may want to change the AuthType to see if that solves the problem.

Furthermore, is the /var/www/auth_kerb.keytab file readable by the user under which the apache process runs effectively?

Require user MYDOMAIN\myusername

You may try require user myusername@MYDOMAIN.COM or require valid-user instead.
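
The three checks suggested in the reply above, collected into one shell function as an added example (not part of the original thread and not code from mod_auth_kerb). The function name `check_kerb_htaccess` and the sample file are constructed for illustration, and the world-readable test goes one step beyond the reply, since a keytab holds the service's long-term key. Run it as the account Apache runs under, because the readability test applies to whoever executes it.

```shell
#!/bin/sh
# Added example: lint a mod_auth_kerb .htaccess for the points raised in the reply.
# Prints one finding per line; prints nothing when all checks pass.
check_kerb_htaccess() {
    htaccess=$1

    # Apache directive names are case-insensitive, so compare them in lower case.
    authtype=$(awk 'tolower($1) == "authtype" { print $2 }' "$htaccess")
    if [ "$authtype" != "Kerberos" ]; then
        printf '%s\n' "authtype: '$authtype' found; the reply suggests 'Kerberos'"
    fi

    # A backslash in "Require user" means the DOMAIN\user form is in use.
    if awk 'tolower($1) == "require" && tolower($2) == "user"' "$htaccess" |
        grep -q '\\'; then
        printf '%s\n' "require: backslash form found; try user@REALM or valid-user"
    fi

    # The keytab must be readable by the Apache user, and by nobody else.
    keytab=$(awk 'tolower($1) == "krb5keytab" { print $2 }' "$htaccess")
    if [ -z "$keytab" ]; then
        printf '%s\n' "keytab: no Krb5Keytab directive"
    elif [ ! -r "$keytab" ]; then
        printf '%s\n' "keytab: $keytab is not readable by the current user"
    elif [ -n "$(find "$keytab" -perm -004)" ]; then
        printf '%s\n' "keytab: $keytab is world-readable; restrict it to the Apache user"
    fi
    return 0
}

# Constructed sample: the directives from the question, with the keytab path
# pointed at a temporary empty file so the demo runs on any machine.
demo=$(mktemp -d)
: > "$demo/auth_kerb.keytab"
cat > "$demo/.htaccess" <<EOF
AuthName "Kerberos Login"
AuthType KerberosV5
Krb5Keytab $demo/auth_kerb.keytab
KrbAuthRealm MYDOMAIN.COM
Require user MYDOMAIN\myusername
EOF
check_kerb_htaccess "$demo/.htaccess"
rm -rf "$demo"
```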

bbbaldie

5:01 pm on Jun 7, 2010 (gmt 0)

10+ Year Member



Thanks for the reply, lammert.

Tried both suggestions, no go. Same result in the access log.

Any more ideas?

bbbaldie

2:59 pm on Jun 8, 2010 (gmt 0)

10+ Year Member



I'm loading mod_auth_ntlm_winbind.so, could that cause problems with using Kerberos?