Apache 的 Kerberos SSO - 部分有效

tag-icon tag-icon apache2 single-sign-on kerberos
Apache 的 Kerberos SSO - 部分有效

好的...

我的 Apache 服务器已经运行,并且已将 Kerberos 配置为与我们的主域控制器(Windows 2003)集成。

但是,当我尝试访问我的页面时,我收到登录提示...我不应该收到此提示,因为这应该是 SSO...

当我手动输入我的凭据时,它会工作并带我进入页面。但是,我希望使用集成 Windows 身份验证。

我曾经用过这个,但现在不行了... :S

这是我的配置文件。

/etc/apache/apache2.conf

LockFile ${APACHE_LOCK_DIR}/accept.lock
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5


<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>

<IfModule mpm_worker_module>
    StartServers          2
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadLimit          64
    ThreadsPerChild      25
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>

<IfModule mpm_event_module>
    StartServers          2
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadLimit          64
    ThreadsPerChild      25
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>

User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

AccessFileName .htaccess

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy all
</Files>

DefaultType text/plain
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
Include mods-enabled/*.load
Include mods-enabled/*.conf
Include httpd.conf
Include ports.conf
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
Include conf.d/
Include sites-enabled/
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_kerb_module modules/mod_auth_kerb.so
LoadModule auth_pam_module modules/mod_auth_pam.so

/etc/apache2/sites-enabled/000-默认

<VirtualHost *:80>
        ServerAdmin webmaster@localhost

        DocumentRoot /usr/local/nagios/share/vshell
        <Directory />
                Options FollowSymLinks
                AllowOverride None


AuthType Kerberos
AuthName "Kerberos Auth"
KrbVerifyKDC off
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms COMPANY.COM
Krb5KeyTab /etc/krb5.keytab
KrbSaveCredentials on
require valid-user

        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/local/nagios/sbin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

/etc/krb5.conf

[libdefaults]
 default_realm = COMPANY.COM
 default_tgs_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
 default_tkt_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
 permitted_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
default_keytab_name = FILE:/etc/krb5.keytab
 dns_lookup_realm = true
 dns_lookup_kdc = true
 passwd_check_s_address = false
udp_preference_limit = 1
 ccache_type = 3
 kdc_timesync = 0
[domain_realm]
 pdc-2.company2.com = COMPANY2.COM
 .company.com = COMPANY.COM
 pdc-1.company.com = COMPANY.COM
 company.com = COMPANY.COM
 sdc-1.company.com = COMPANY.COM
 srv-monitor.company.com = COMPANY.COM
[realms]
COMPANY2.COM = {
 kdc = pdc-2.company2.com:88
 master_kdc = pdc-2.company2.com:88
 kpasswd = pdc-2.company2.com:464
 kpasswd_server = pdc-2.company2.com:464
}
COMPANY.COM = {
 kdc = pdc-1.company.com:88
 master_kdc = pdc-1.company.com:88
 kpasswd = pdc-1.company.com:464
 kpasswd_server = pdc-1.company.com:464
 kdc = sdc-1.company.com:88
 master_kdc = sdc-1.company.com:88
 kpasswd = sdc-1.company.com:464
 kpasswd_server = sdc-1.company.com:464
}

ktutil、rkt /etc/krb5.keytab、l 的输出

slot KVNO Principal
---- ---- ---------------------------------------------------------------------
ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 HTTP/[email protected]
   2    3 HTTP/[email protected]
   3    3 HTTP/[email protected]
   4    3             HTTP/[email protected]
   5    3             HTTP/[email protected]
   6    3             HTTP/[email protected]

我错过了什么!!!我离成功只有一步之遥,我能感觉到!我所需要的只是让登录提示消失,并自动传递凭证。

谢谢你的时间。

相关内容