Re: Error with Kerberos in Apache (Apache Users)

Help-me,

My new erros, i dont have any idea now. What is problem.

Erros:

[Wed May 10 16:44:38.642059 2017] [auth_kerb:error] [pid 13249] [client 10.251.14.140:47141] failed to verify krb5 credentials: Server not found in Kerberos database, referer: http://10.1.1.76/

#######################################################

/etc/krb5.conf

[libdefaults]

default_realm = REDE.COM.BR

dns_lookup_realm = false

dns_lookup_kdc = true

ticket_lifetime = 24h

renew_lifetime = 7d

forwardable = true

rdns = false

default_ccache_name = KEYRING:persistent:%{uid}

[realms]

REDE.COM.BR = {

kdc = REDE.COM.BR

admin_server = REDE.COM.BR

}

[domain_realm]

.rede.com.br=REDE.COM.BR

rede.com.br=REDE.COM.BR

######################################################

klist -k /etc/httpd/conf.d/krb5.keytab

Keytab name: FILE:/etc/httpd/conf.d/krb5.keytab

KVNO Principal

---- --------------------------------------------------------------------------

14 host/delorean2.rede.com.br@xxxxxxxxxxx

14 host/delorean2.rrede.com.br@xxxxxxxxxxx

14 host/DELOREAN2@xxxxxxxxxxx

14 DELOREAN2$@REDE.COM.BR

########################################################

cat /etc/httpd/conf.d/proxy.conf

ProxyPreserveHost Off

ProxyPass / http://localhost:631/

ProxyPassReverse / http://localhost:631/

AuthName "Login"

AuthType Kerberos

KrbMethodNegotiate on

KrbMethodK5Passwd on

KrbAuthRealms REDE.COM.BR

Krb5Keytab /etc/httpd/conf.d/krb5.keytab

KrbLocalUserMapping on

Require valid-user

AuthLDAPUrl ldap://rede.com.br/ou=usuarios,dc=rede,dc=com,dc=br?sAMAccountName

AuthLDAPBindDN cn=UsrLDAP,cn=Users,dc=rede,dc=com,dc=br

AuthLDAPBindPassword XXXXXX

LDAPReferrals Off

</Location>

2017-05-09 9:53 GMT-03:00 Luiz Guilherme Nunes Fernandes <narutospinal@xxxxxxxxx>:

Well, i try my first test and work, if i authentic with Ldap protocols without kerberos work, but i try add kerberos, show erros messages in log. Any idea?

No errors in apachectl configtest

###############################################
cat /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = REDE.COM.BR
dns_lookup_realm = false
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
REDE.COM.BR = {
kdc = REDE.COM.BR
admin_server = REDE.COM.BR
}

[domain_realm]
.rede.com.br=REDE.COM.BR
rede.com.br=REDE.COM.BR

###############################################

kinit root
Password for root@xxxxxxxxxxx:

klist
Ticket cache: KEYRING:persistent:0:0
Default principal: root@xxxxxxxxxxx

Valid starting Expires Service principal
05/09/2017 09:45:36 05/09/2017 19:45:36 krbtgt/REDE.COM.BR@xxxxxxxx.BR
renew until 05/16/2017 09:45:34

###############################################
cat /etc/httpd/conf.d/proxy.conf
<VirtualHost *:80>
ProxyPreserveHost Off
ProxyPass / http://localhost:631/
ProxyPassReverse / http://localhost:631/

LogLevel debug

<Location />

AuthType Kerberos
KrbMethodNegotiate On
AuthName "REDE.COM.BR Domain Login"
KrbMethodK5Passwd On
KrbAuthRealms REDE.COM.BR
Krb5KeyTab /etc/httpd/conf.d/httpd.keytab
KrbLocalUserMapping on
require valid-user

# AuthName "Informe usuario da rede"
# AuthType Basic
# AuthBasicProvider ldap
AuthLDAPUrl ldap://rede.com.br/ou=usuarios,dc=rede,dc=com,dc=br?sAMAccountName
AuthLDAPBindDN cn=users,dc=rede,dc=com,dc=br
AuthLDAPBindPassword XXXXXX
Require valid-user
LDAPReferrals Off
</Location>
#</Directory>

</VirtualHost>

###############################################

[root@delorean1 conf.d]# tail -f /var/log/httpd/error_log
[Mon May 08 17:48:42.320886 2017] [auth_kerb:error] [pid 19879] [client 10.251.14.140:55636] failed to verify krb5 credentials: Server not found in Kerberos database, referer: http://10.1.1.75/
[Mon May 08 17:48:42.320898 2017] [auth_kerb:debug] [pid 19879] src/mod_auth_kerb.c(1127): [client 10.251.14.140:55636] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL), referer: http://10.1.1.75/
[Mon May 08 17:48:55.301656 2017] [authz_core:debug] [pid 19881] mod_authz_core.c(809): [client 10.251.14.140:55638] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: http://10.1.1.75/
[Mon May 08 17:48:55.301702 2017] [authz_core:debug] [pid 19881] mod_authz_core.c(809): [client 10.251.14.140:55638] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: http://10.1.1.75/
[Mon May 08 17:48:55.301710 2017] [authz_core:debug] [pid 19881] mod_authz_core.c(809): [client 10.251.14.140:55638] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: http://10.1.1.75/
[Mon May 08 17:48:55.301736 2017] [auth_kerb:debug] [pid 19881] src/mod_auth_kerb.c(1954): [client 10.251.14.140:55638] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://10.1.1.75/
[Mon May 08 17:48:55.302037 2017] [auth_kerb:debug] [pid 19881] src/mod_auth_kerb.c(1048): [client 10.251.14.140:55638] Using HTTP/10.1.1.75@ as server principal for password verification, referer: http://10.1.1.75/
[Mon May 08 17:48:55.302062 2017] [auth_kerb:debug] [pid 19881] src/mod_auth_kerb.c(752): [client 10.251.14.140:55638] Trying to get TGT for user REDE.COM.BRroot@xxxxxxxxxxx, referer: http://10.1.1.75/
[Mon May 08 17:48:55.306313 2017] [auth_kerb:error] [pid 19881] [client 10.251.14.140:55638] krb5_get_init_creds_password() failed: Client not found in Kerberos database, referer: http://10.1.1.75/
[Mon May 08 17:48:55.306348 2017] [auth_kerb:debug] [pid 19881] src/mod_auth_kerb.c(1127): [client 10.251.14.140:55638] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL), referer: http://10.1.1.75/
--
<<<<<<<<<<<<<<<<<<<------------------------------------------------------------------->>>>>>>>>>>>>>>>>>>

< Disse-lhe Jesus: Eu sou o caminho, e a verdade e a vida; ninguém vem ao Pai, senão por mim >
(João 14:6)

Att.
♪ ♫ Luiz Guilherme Nunes Fernandes ♫ ♪

<<<<<<<<<<<<<<<<<<<------------------------------------------------------------------->>>>>>>>>>>>>>>>>>>

<<<<<<<<<<<<<<<<<<<------------------------------------------------------------------->>>>>>>>>>>>>>>>>>>

< Disse-lhe Jesus: Eu sou o caminho, e a verdade e a vida; ninguém vem ao Pai, senão por mim >

(João 14:6)

Att.
♪ ♫ Luiz Guilherme Nunes Fernandes ♫ ♪

<<<<<<<<<<<<<<<<<<<------------------------------------------------------------------->>>>>>>>>>>>>>>>>>>