如何解决Apache Kerberos身份验证-TGT未转发
我正在尝试使用SSO。我有Windows 10客户端向Windows Server Active Directory进行身份验证。我使用带有mod_auth_kerb.so(5.4-我认为)的Apache(2.4.6)的Linux服务器。答:我在Linux上没有root特权,因此我将主目录下的所有内容都设置到kerberos子目录中。我也有一个Oracle 12.2服务器,我想从cgi连接到数据库。
我可以在Linux上设置httpd以便在8080端口上监听http,在8443端口上监听https。我可以使用HTTP主体从Windows客户端请求cgi-script(在cgi-scripts的环境中将REMOTE_USER正确设置为我的AD帐户),而无需进一步的身份验证。我可以在Linux服务器上发出kinit(要求输入密码)并获得TGT并通过Oracle服务器的身份验证,而无需再次输入密码。但是我无法将TGT从Windows转发到Linux服务器。
我检查了httpd日志文件,并在error_log中发现了以下内容:
[time] [authz_core:debug] [pid] mod_authz_core.c(809): [client <IP>] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[time] [authz_core:debug] [pid] mod_authz_core.c(809): [client <IP>] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[time] [auth_kerb:debug] [pid] src/mod_auth_kerb.c(1954): [client <IP>] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[time] [authz_core:debug] [pid] mod_authz_core.c(809): [client <IP>] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[time] [authz_core:debug] [pid] mod_authz_core.c(809): [client <IP>] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[time] [auth_kerb:debug] [pid] src/mod_auth_kerb.c(1954): [client <IP>] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[time] [auth_kerb:debug] [pid] src/mod_auth_kerb.c(1708): [client <IP>] Verifying client data using KRB5 GSS-API
[time] [auth_kerb:debug] [pid] src/mod_auth_kerb.c(1724): [client <IP>] Client didn't delegate us their credential
[time] [auth_kerb:debug] [pid] src/mod_auth_kerb.c(1743): [client <IP>] GSS-API token of length 181 bytes will be sent back
[time] [authz_core:debug] [pid] mod_authz_core.c(809): [client <IP>] AH01626: authorization result of Require valid-user : granted
[time] [authz_core:debug] [pid] mod_authz_core.c(809): [client <IP>] AH01626: authorization result of <RequireAny>: granted
因此,似乎已授予了授权,但是客户端无法使用GSS-API委派TGT。但是我找不到原因。我在Windows客户端上进行了检查,AD发布的TGT是可转发的。
这是我来自conf.d的kerberos.conf
<Directory /cgi-bin>
Options +Indexes +FollowSymLinks
AllowOverride None
Order Allow,Deny
Allow from All
AuthType Kerberos
AuthName "Kerberos Login"
Require valid-user
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms EXAMPLE.ORG
Krb5KeyTab /home/myuser/kerberos/conf/http_linux_server.keytab
KrbSaveCredentials On
KrbVerifyKDC On
KrbServiceName Any
</Directory>
SetEnvIf Authorization "(.+)" HTTP_AUTHORIZATION=$1
PassEnv KRB5CCNAME KRB5_CONFIG
然后启动了httpd
export KRB5_CONFIG=/home/myuser/kerberos/conf/krb5.conf
export KRB5CACHE=/home/myuser/kerberos
export KRB5CCNAME=FILE:/home/myuser/kerberos/krb5cc_httpd.ccache
httpd -d . -X
krb5.conf看起来像这样:
[logging]
default = FILE:/home/myuser/kerberos/logs/krb5libs.log
kdc = FILE:/home/myuser/kerberos/logs/krb5kdc.log
admin_server = FILE:/home/myuser/kerberos/logs/kadmind.log
[libdefaults]
default_realm = EXAMPLE.ORG
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_ccache_name = FILE:/home/myuser/kerberos/krb5cc_httpd.ccache
[realms]
EXAMPLE.ORG = {
kdc = example.org
admin_server = example.org
}
[domain_realm]
.example.org = EXAMPLE.ORG
example.org = EXAMPLE.ORG
[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
任何想法都受到高度赞赏!
更新
已下载mod_auth_gssapi 1.6软件包(它适用于Apache> = 2.4)。我将.so文件复制到modules/目录中,将conf.d/kerberos.conf重命名为conf.d/kerberos.conf.dontuse,并将conf.d/gssapi.conf添加为
<Directory /cgi-bin>
Options +Indexes +FollowSymLinks
AllowOverride None
Order Allow,Deny
Allow from All
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
GssapiCredStore keytab:/home/myuser/kerberos/conf/http_dnv21.keytab
GSSapiImpersonate On
GssapiDelegCcacheDir /home/myuser/kerberos
GssapiPublishErrors On
Require valid-user
</Directory>
SetEnvIf Authorization "(.+)" HTTP_AUTHORIZATION=$1
PassEnv KRB5CCNAME KRB5_CONFIG
我将conf.modules.d/02-kerb.conf重命名为conf.modules.d/02-kerb.conf.dontuse,并将conf.modules.d/02-gssapi.conf添加为
# This file configures the GSSAPI module:
LoadModule auth_gssapi_module modules/mod_auth_gssapi.so
重新启动httpd之后,一切都按预期工作。除了未转发TGT ... :(我在调用cgi脚本时看到了另外两个环境变量:GSS_NAME(与REMOTE_USER相同)和{{1 }}(这似乎是UNIX时间)。
我检查了logs / error_log文件(记录设置为调试)。蚂蚁的结局是这样的:
GSS_SESSION_EXPIRATION恕我直言,这看起来不错。第一个[time] [authz_core:debug] [pid] mod_authz_core.c(809): [client <IP>] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[time] [authz_core:debug] [pid] mod_authz_core.c(809): [client <IP>] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[time] [auth_gssapi:debug] [pid] mod_auth_gssapi.c(870): [client <IP>] URI: /cgi-bin/kerberos.pl,no main,no prev
[time] [auth_gssapi:info] [pid] [client <IP>] NO AUTH DATA Client did not send any authentication headers
[time] [authz_core:debug] [pid] mod_authz_core.c(809): [client <IP>] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[time] [authz_core:debug] [pid] mod_authz_core.c(809): [client <IP>] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[time] [auth_gssapi:debug] [pid] mod_auth_gssapi.c(870): [client <IP>] URI: /cgi-bin/kerberos.pl,no prev
[time] [authz_core:debug] [pid] mod_authz_core.c(809): [client <IP>] AH01626: authorization result of Require valid-user : granted
[time] [authz_core:debug] [pid] mod_authz_core.c(809): [client <IP>] AH01626: authorization result of <RequireAny>: granted
被拒绝(401),但是第二个request。
我在granted上检查了我的用户和技术用户,该用户创建了HTTP服务主密码,并为他们设置了委派:
Active Directory还有其他想法吗?也许Active Directory中缺少某些配置?我想念什么?
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
