RE: Authorization Failed: require directives present and no Authoritative handler

Seems like you were right, while looking through my conf file I didn't have
mod_authz_user uncommented.  Put that in and got rid of that error.  Granted
now I'm getting another error but that's on the mod_auth_kerb side.  Thanks
Andre.

Matt
-----Original Message-----
From: André Warnier [mailto:aw@xxxxxxxxxx] 
Sent: Friday, October 24, 2008 2:38 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Re:  Authorization Failed: require directives present
and no Authoritative handler

Matthew Devine wrote:
> So I'm trying to build an Environment for Apache that will authenticate with
> mod_auth_kerb.  Basically I have a Windows 2003 Active Directory server
> acting as my KDC and Apache running in a Windows machine that's part of the
> domain.  When I try to connect to the site, it appears like it does all the
> correct authentication but Apache is giving me an access error and I haven't
> been able to track down why yet.
> 
> I posted this in the mod_auth_kerb mailing list but I wasn't sure if this
> was actually a mod_auth_kerb error as I'm not getting an error message from
> the module but a general error from Apache itself.  Any help would be
> greatly appreciated.
> 
> Apache Error Log
> [Thu Oct 23 15:36:27 2008] [debug] mod_auth_kerb.c(1322): [client 192.168.1.140] Verifying client data using KRB5 GSS-API
> [Thu Oct 23 15:36:27 2008] [debug] mod_auth_kerb.c(1338): [client 192.168.1.140] Verification returned code 0
> [Thu Oct 23 15:36:27 2008] [debug] mod_auth_kerb.c(1356): [client 192.168.1.140] GSS-API token of length 161 bytes will be sent back
> [Thu Oct 23 15:36:27 2008] [error] [client 192.168.1.140] access to /private failed, reason: require directives present and no Authoritative handler.
> 
> Matt
> 
Just a shot in the dark really, but going from the message above:
Are you not missing an authz handler?
The "require" directive (like "require valid-user") is related to the 
Authorization phase, which normally follows the Authentication phase.
If you have a "require" without an authorization handler, the message 
above would be logical.

Maybe more painstakingly detailed:
The Authentication that you do with Kerberos works fine, and it delivers 
a validated user-id.  That's nice to have.
Now by saying "require blabla", you are *also* (in addition) putting a 
"security constraint" on the access to that Directory/Location.  That 
should be verified by an Authorization handler, which checks if that 
user-id you got before is there, or if it is one of a list, or if that 
user is a member of a group, etc.
But you don't have such a handler configured maybe, so Apache complains 
that you say "require" without anything to verify it.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
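
The failure discussed in this thread, as an added example that is not part of the original messages: a small check that flags `Require` lines whose authorization module is not loaded. The configuration text is constructed, the function name is hypothetical, and the mapping covers only the stock Apache 2.2 `valid-user`, `user` and `group` requirements, assuming modules are loaded with `LoadModule` rather than compiled in.

```python
import re

# Apache 2.2 requirement types and the stock module that answers each one.
# Other requirement types (third-party authz modules) are ignored here.
AUTHZ_PROVIDERS = {
    "valid-user": "authz_user_module",
    "user": "authz_user_module",
    "group": "authz_groupfile_module",
}


def missing_authz_modules(conf_text):
    """Return {module: [Require lines]} for requirements no loaded module handles."""
    loaded, wanted = set(), {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out LoadModule does not load anything
        m = re.match(r"(?i)LoadModule\s+(\S+)", line)
        if m:
            loaded.add(m.group(1).lower())
            continue
        m = re.match(r"(?i)Require\s+(\S+)", line)
        if m:
            module = AUTHZ_PROVIDERS.get(m.group(1).lower())
            if module:
                wanted.setdefault(module, []).append(line)
    return {mod: reqs for mod, reqs in wanted.items() if mod not in loaded}


# Constructed sample: Kerberos authentication is configured, but the module
# that evaluates "Require valid-user" is still commented out.
BROKEN_CONF = """\
LoadModule auth_kerb_module modules/mod_auth_kerb.so
#LoadModule authz_user_module modules/mod_authz_user.so
<Location /private>
    AuthType Kerberos
    Require valid-user
</Location>
"""
# Same file with the authorization module uncommented.
FIXED_CONF = BROKEN_CONF.replace("#LoadModule authz_user", "LoadModule authz_user")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, missing_authz_modules(conf) or "every Require has a handler")
```
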


