Apache 中的 Kerberos 不起作用

tag-icon tag-icon apache-2.4 kerberos
Apache 中的 Kerberos 不起作用

我目前正在尝试在我们的 Apache 上配置 Kerberos,但不幸的是我无法继续。Apache 上的网站 (Typo3) 可通过 sub.domain.com 进行内部和外部访问,本地域为 intern.local

我创建了这样的 keytab 文件:

ktpass -princ HTTP/[email protected] -mapuser [email protected] -pass P@55w0rd -crypto ALL -ptype KRB5_NT_PRINCIPAL -out C:\temp\kerbkey.keytab

krb5.conf 文件如下所示:

[libdefaults]
        default_realm = INTERN.LOCAL

        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        INTERN.LOCAL = {
                kdc = dc01.intern.local
                admin_server = dc01.intern.local
                default_domain = intern.local
        }

[domain_realm]
        .sub.domain.com = INTERN.LOCAL
        sub.domain.com = INTERN.LOCAL
        intern.local = INTERN.LOCAL
        .intern.local = INTERN.LOCAL

Apache vhost 如下所示:

<VirtualHost *:443>
    ServerName sub.domain.com
    ServerAdmin [email protected]
    DocumentRoot /var/www/page

    <Directory /var/www/page>
     AllowOverride All
    </Directory>

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/wildcart-zert.crt
    SSLCertificateKeyFile /etc/apache2/ssl/wildcart-key.key

<IfModule !mod_auth_gssapi.c>
    LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_gssapi.so
</IfModule>

LimitRequestFieldSize 32768
  <Location "/">
 AuthName [email protected]
 AuthType GSSAPI
 GssapiBasicAuth On
 GssapiCredStore keytab:/etc/apache2/krb5/kerbkey.keytab
 Require valid-user
  </Location>

    ErrorLog ${APACHE_LOG_DIR}/page-ssl_error.log
    CustomLog ${APACHE_LOG_DIR}/page-ssl_access.log combined
</VirtualHost>

现在的问题是,如果我像这样激活 vhost 配置,那么当我调用页面时https://sub.domain.com,我总是会弹出浏览器窗口要求输入用户名和密码。无论我在这里输入什么,我都无法进入网页,只会收到错误:

Unauthorized
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

Apache/2.4.41 (Ubuntu) Server at sub.domain.com Port 443

apache 错误日志显示以下条目:

[auth_gssapi:error] [pid 1632875] [client x.x.x.x:65394] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported mechanism was requested (Unknown error)]

答案1

apache 错误日志显示以下条目:

错误的登录凭证:

[auth_gssapi:error] [pid 945597] [client x.x.x.x:60415] GSS ERROR In Basic Auth: gss_acquire_cred_with_password() failed: [Unspecified GSS failure.  Minor code may provide more information (Preauthentication failed)]

正确的登录凭证:

[auth_gssapi:error] [pid 945593] [client x.x.x.x:63197] GSS ERROR gss_init_sec_context(): [Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)]

答案2

Chrome 浏览器需要将 URL 放在本地互联网列表中:控制面板->互联网选项->安全->本地互联网->站点。

由于你没有提到浏览器,希望它能帮助你

相关内容