RHEL8 和 GSSAPI Kerberos 通过 Apache 进行身份验证的问题

RHEL8 和 GSSAPI Kerberos 通过 Apache 进行身份验证的问题

我正在尝试在当前正在运行的计算机上运行 apache 虚拟主机Red Hat Enterprise Linux release 8.5 (Ootpa),并使用新的 GSSAPI 模块(mod_auth_kerb 的替代品)进行 Kerberos 身份验证。

我还配置了 LDAP 指令,以便通过 LDAP 对我的用户进行身份验证mod_ldap

我的krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MY.DOMAIN
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 MY.DOMAIN = {
  kdc = ADserver.my.domain
  a_server = ADserver.my.domain
  default_domain = my.domain
 }

[domain_realm]
 .kerberos.server = MY.DOMAIN
 .my.domain = MY.DOMAIN

[appdefaults]
 pam = {
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false
 }

我创建了一个用户,并为其分配了一个密钥表。我的用户名是usersso

SPN 信息:

C:\Users\me>setspn -L usersso
Registered ServicePrincipalNames for CN=UserSso,OU=Users,DC=MY,DC=DOMAIN:
        HTTP/myserver.my.domain

C:\Users\me>setspn -Q HTTP/myserver.my.domain
Checking domain DC=MY,DC=DOMAIN
CN=UserSso,OU=Users,DC=MY,DC=DOMAIN
        HTTP/myserver.my.domain

Existing SPN found!

我将密钥表发送到我的 Apache 服务器:

[root@myserver conf.d]# klist -ek /etc/httpd/usersso.keytab
Keytab name: FILE:/etc/httpd/usersso.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 HTTP/[email protected] (aes256-cts-hmac-sha1-96)

Keytab 测试:

[root@myserver httpd]# kinit -V -kt /etc/httpd/usersso.keytab -p HTTP/[email protected]
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/[email protected]
Using keytab: /etc/httpd/usersso.keytab
Authenticated to Kerberos v5

[root@myserver httpd]# klist -Af
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/[email protected]

Valid starting       Expires              Service principal
16/06/2022 13:03:23  16/06/2022 23:03:23  krbtgt/[email protected]
        renew until 17/06/2022 13:03:23, Flags: FPRIA

Keytab 看起来还不错。

然后现在我的虚拟主机配置:

<VirtualHost 192.168.168.168:80>
    ServerName              myserver.my.domain

    ErrorLog             /var/log/httpd/myserver.my.domain_error.log
    TransferLog          /var/log/httpd/myserver.my.domain_access.log
    LogLevel             debug

    <Location />
      AuthType GSSAPI
      AuthName "GSSAPI Single Sign On Login"
      GssapiBasicAuth On
      GssapiBasicAuthMech krb5
      GssapiAllowedMech krb5
      GssapiCredStore keytab:/etc/httpd/usersso.keytab
      GssapiLocalName On
      BrowserMatch Windows gssapi-no-negotiate

      AuthLDAPURL ldap://ldapserver:10400/ou=users,o=enterprise,dc=city,dc=fr?uid?sub?(objectclass=person)
      AuthLDAPGroupAttribute member
      AuthLDAPBindDN "cn=apache,ou=users,o=enterprise,dc=city,dc=fr"
      AuthLDAPBindPassword "XXXX"
      AuthzSendForbiddenOnFailure On

      Require ldap-group cn=group_to_authenticate_users,ou=Groupe,ou=Profil,o=enterprise,dc=city,dc=fr
    </Location>

# tag::TLSClient[]
    SSLProxyEngine on
    SSLProxyProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLProxyCipherSuite HIGH:!aNULL:!MD5
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    SSLProxyVerifyDepth 10
    SSLOCSPEnable off
# end::TLSClient[]

    ProxyPass               / https://anotherserver:443/
    ProxyPassReverse        / https://anotherserver:443/

</VirtualHost>

当我尝试访问我的虚拟主机时,我并没有被直接发送到anotherserver,但我的 Google Chrome 浏览器上出现了一个身份验证窗口提示(这意味着 Kerberos 身份验证无法正常工作)

Access_log 说:

10.10.10.10(me) - - [16/Jun/2022:11:53:21 +0200] "GET / HTTP/1.1" 401 381

错误日志显示:

[Thu Jun 16 12:49:42.867213 2022] [authz_core:debug] [pid 8154:tid 139726585538304] mod_authz_core.c(820): [client 10.10.10.10:62252] AH01626: authorization result of Require ldap-group cn=group_to_authenticate_users,ou=Groupe,ou=Profil,o=enterprise,dc=city,dc=fr: denied (no authenticated user yet)
[Thu Jun 16 12:49:42.867231 2022] [authz_core:debug] [pid 8154:tid 139726585538304] mod_authz_core.c(820): [client 10.10.10.10:62252] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Jun 16 12:49:42.867256 2022] [auth_gssapi:debug] [pid 8154:tid 139726585538304] mod_auth_gssapi.c(901): [client 10.10.10.10:62252] URI: /, no main, no prev
[Thu Jun 16 12:49:42.867273 2022] [auth_gssapi:info] [pid 8154:tid 139726585538304] [client 10.10.10.10:62252] NO AUTH DATA Client did not send any authentication headers

最后,如果我通过提示凭据 chrome 浏览器输入我的凭据,我将成功通过 LDAP 组的身份验证,并且可以访问我的,anotherserver但由于 Kerberos GSSAPI 的 SSO 不起作用,我仍然必须手动输入我的凭据.. :(

curL result :WWW-authenticate : Negotiate响应标头存在:

curl -k -L http://myserver.my.domain/ -v
*   Trying 192.168.168.168:80...
* TCP_NODELAY set
* Connected to myserver.my.domain (192.168.168.168) port 80 (#0)
> GET / HTTP/1.1
> Host: myserver.my.domain
> User-Agent: curl/7.65.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Date: Thu, 16 Jun 2022 10:57:31 GMT
< Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k mod_auth_gssapi/1.6.1
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="GSSAPI Single Sign On Login"
< Content-Length: 381
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
* Connection #0 to host myserver.my.domain left intact

有人能帮我解决这个问题吗?

谢谢 !

编辑 :

我终于找到了解决方案!

  • BrowserMatch Windows gssapi-no-negotiate从 Apache conf 中删除了“”,
  • 并停止+禁用该gssproxy服务,因为我仍然无法在 RHEL8.6 中使用
  • 然后不要忘记将Environment=GSS_USE_PROXY其改为 0,以避免"gss_localname() input error"在 apache 错误日志中出现。

相关内容