Matthew Devine wrote:
So I'm trying to build an Environment for Apache that will authenticate with mod_auth_kerb. Basically I have a Windows 2003 Active Directory server acting as my KDC and Apache running in a Windows machine that's part of the domain. When I try to connect to the site, it appears like it does all the correct authentication but Apache is giving me an access error and I haven't been able to track down why yet. I posted this in the mod_auth_kerb mailing list but I wasn't sure if this was actually a mod_auth_kerb error as I'm not getting an error message from the module but a general error from Apache itself. Any help would be greatly appreciated. Apache Error Log [Thu Oct 23 15:36:27 2008] [debug] mod_auth_kerb.c(1322): [client 192.168.1.140] Verifying client data using KRB5 GSS-API [Thu Oct 23 15:36:27 2008] [debug] mod_auth_kerb.c(1338): [client 192.168.1.140] Verification returned code 0 [Thu Oct 23 15:36:27 2008] [debug] mod_auth_kerb.c(1356): [client 192.168.1.140] GSS-API token of length 161 bytes will be sent back [Thu Oct 23 15:36:27 2008] [error] [client 192.168.1.140] access to /private failed, reason: require directives present and no Authoritative handler. Matt
Just a shot in the dark really, but going from the message above : Are you not missing an authz handler ?The "require" directive (like "require valid-user") is related to the Authorization phase, which normally follows the Authentication phase. If you have a "require" without an authorization handler, the message above would be logical.
Maybe more painstakingly detailed :The Authentication that you do with Kerberos works fine, and it delivers a validated user-id. That's nice to have. Now by saying "require blabla", you are *also* (in addition) putting a "security constraint" on the access to that Directory/Location. That should be verified by an Authorization handler, which checks if that user-id you got before is there, or if it is one of a list, or if that user is member of a group, etc.. But you don't have such a handler configured maybe, so Apache complains that you say "require" without anything to verify it.
--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|