我完全不知道为什么它就停止工作了,以下是我检查的结果:
httpd-错误日志:
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1758): [client 10.105.5.131] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1758): [client 10.105.5.131] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1264): [client 10.105.5.131] Acquiring creds for HTTP/<FQDN>@<LOCAL.DOMAIN>
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1411): [client 10.105.5.131] Verifying client data using KRB5 GSS-API
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1427): [client 10.105.5.131] Client didn't delegate us their credential
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1446): [client 10.105.5.131] GSS-API token of length 22 bytes will be sent back
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1758): [client 10.105.5.131] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1264): [client 10.105.5.131] Acquiring creds for HTTP/<FQDN>@<LOCAL.DOMAIN>
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1411): [client 10.105.5.131] Verifying client data using KRB5 GSS-API
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1427): [client 10.105.5.131] Client didn't delegate us their credential
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1125): [client 10.105.5.131] GSS-API major_status:00090000, minor_status:00000000
-
sudo kinit -t /etc/krb5.keytab HTTP/<FQDN>
运行良好,无错误
sudo klist:
Credentials cache: FILE:/tmp/krb5cc_0
Principal: HTTP/<FQDN>@<LOCAL.DOMAIN>
Issued Expires Principal
Jun 11 17:21:58 2015 Jun 12 00:01:57 2015 krbtgt/<LOCAL.DOMAIN>@<LOCAL.DOMAIN>
krb5配置文件
[libdefaults]
ticket_lifetime = 24000
default_realm = <LOCAL.DOMAIN>
dns_lookup_realm = false
dns_lookup_kdc = false
default_keytab_name = /etc/krb5.keytab
rdns = false
[realms]
KC.KPLUS = {
kdc = <dc.ip>:88
admin_server = <dc.ip>:88
default_domain = <LOCAL.DOMAIN>
}
[domain_realm]
.<local.domain> = <LOCAL.DOMAIN>
<local.domain> = <LOCAL.DOMAIN>
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
.htaccess
AddHandler cgi-script .cgi .pl
Options +ExecCGI
DirectoryIndex index.pl
AuthName "<LOCAL.DOMAIN>"
AuthType Kerberos
Krb5Keytab /etc/krb5.keytab
KrbAuthRealm <LOCAL.DOMAIN>
KrbMethodNegotiate on
KrbServiceName HTTP/<FQDN>@<LOCAL.DOMAIN>
KrbMethodK5Passwd off
KrbSaveCredentials on
KrbVerifyKDC off
Require valid-user
检查了客户端的流量,显然它启动了协商,同意了 KRB5 机制并发送了票证。结果收到 401。
我不知道这里出了什么问题,任何想法都将不胜感激。
答案1
当密钥表中列出的 SPN 与客户端(浏览器)提供的主体名称不匹配时,就会发生这种情况。
这可能取决于所使用的浏览器(某些浏览器从 URL 中获取名称,另一些浏览器则对其连接的 IP 地址进行反向查找)。
对此的常见解决方案是将 KrbServiceName 设置为 Any:
KrbServiceName Any
这将放宽检查,允许使用服务器密钥表中的任何密钥。
答案2
如果您使用的是 Debian,您最近是否从 wheezy 更新到了 jessie?我遇到了类似的问题,apache 2.2 (wheezy) 模块的一些 ldap 指令 (AuthzLDAPAuthoritative) 在 apache 2.4 (jessie) 模块中被删除了 (从 2.2 升级到 2.4)也许同样的事情也发生在 Kerberos 上。