好的...
我的 Apache 服务器已经运行,并且已将 Kerberos 配置为与我们的主域控制器(Windows 2003)集成。
但是,当我尝试访问我的页面时,我收到登录提示...我不应该收到此提示,因为这应该是 SSO...
当我手动输入我的凭据时,它会工作并带我进入页面。但是,我希望使用集成 Windows 身份验证。
我曾经用过这个,但现在不行了... :S
这是我的配置文件。
/etc/apache/apache2.conf
LockFile ${APACHE_LOCK_DIR}/accept.lock
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
<IfModule mpm_prefork_module>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 150
MaxRequestsPerChild 0
</IfModule>
<IfModule mpm_worker_module>
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxClients 150
MaxRequestsPerChild 0
</IfModule>
<IfModule mpm_event_module>
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxClients 150
MaxRequestsPerChild 0
</IfModule>
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy all
</Files>
DefaultType text/plain
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
Include mods-enabled/*.load
Include mods-enabled/*.conf
Include httpd.conf
Include ports.conf
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
Include conf.d/
Include sites-enabled/
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_kerb_module modules/mod_auth_kerb.so
LoadModule auth_pam_module modules/mod_auth_pam.so
/etc/apache2/sites-enabled/000-默认
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /usr/local/nagios/share/vshell
<Directory />
Options FollowSymLinks
AllowOverride None
AuthType Kerberos
AuthName "Kerberos Auth"
KrbVerifyKDC off
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms COMPANY.COM
Krb5KeyTab /etc/krb5.keytab
KrbSaveCredentials on
require valid-user
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/local/nagios/sbin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
/etc/krb5.conf
[libdefaults]
default_realm = COMPANY.COM
default_tgs_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
default_tkt_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
default_keytab_name = FILE:/etc/krb5.keytab
dns_lookup_realm = true
dns_lookup_kdc = true
passwd_check_s_address = false
udp_preference_limit = 1
ccache_type = 3
kdc_timesync = 0
[domain_realm]
pdc-2.company2.com = COMPANY2.COM
.company.com = COMPANY.COM
pdc-1.company.com = COMPANY.COM
company.com = COMPANY.COM
sdc-1.company.com = COMPANY.COM
srv-monitor.company.com = COMPANY.COM
[realms]
COMPANY2.COM = {
kdc = pdc-2.company2.com:88
master_kdc = pdc-2.company2.com:88
kpasswd = pdc-2.company2.com:464
kpasswd_server = pdc-2.company2.com:464
}
COMPANY.COM = {
kdc = pdc-1.company.com:88
master_kdc = pdc-1.company.com:88
kpasswd = pdc-1.company.com:464
kpasswd_server = pdc-1.company.com:464
kdc = sdc-1.company.com:88
master_kdc = sdc-1.company.com:88
kpasswd = sdc-1.company.com:464
kpasswd_server = sdc-1.company.com:464
}
ktutil、rkt /etc/krb5.keytab、l 的输出
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 3 HTTP/[email protected]
2 3 HTTP/[email protected]
3 3 HTTP/[email protected]
4 3 HTTP/[email protected]
5 3 HTTP/[email protected]
6 3 HTTP/[email protected]
我错过了什么!!!我离成功只有一步之遥,我能感觉到!我所需要的只是让登录提示消失,并自动传递凭证。
谢谢你的时间。