
I'm attempting to get Apache on Ubuntu 12.04 to authenticate users via Kerberos SSO to a Windows 2008 Active Directory server. Here are a few things that make my situation different:

  1. I don't have administrative access to the Windows Server (nor will I ever have access). I also cannot have any changes to the server made on my behalf.

  2. I've joined Ubuntu server to the Active Directory using PBIS open.

  3. Users can log into the Ubuntu server using their AD credentials. kinit also works fine for each user.

  4. Since I can't change AD (except for adding new machines and SPNs), I cannot add a service account for Apache on Ubuntu.

  5. Since I can't add a service account, I have to use the machine keytab (/etc/krb5.keytab), or at least use the machine password in another keytab. Right now I'm using the machine keytab and giving Apache read-only access (bad idea, I know).

  6. I've already added the SPN using net ads keytab add HTTP -U

  7. Since I'm using Ubuntu 12.04, the only encoding types that get added during "net ads keytab add" are arcfour-hmac, des-cbc-crc, and des-cbc-md5. PBIS adds the AES encoding types to the host and cifs principals when it joins the domain, but I have yet to get "net ads keytab add" to do this.

  8. ktpass and setspn are out of the question because of #1 above.

  9. I've configured (for Kerberos SSO) and tested both IE 8 and Firefox.

  10. I'm using the following configuration in my Apache site config:

    <Location /secured>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms DOMAIN.COM
    Krb5KeyTab /etc/krb5.keytab
    KrbLocalUserMapping On
    require valid-user
    </Location>
    

When Firefox tries to connect, I get the following in Apache's error.log (LogLevel debug):

[Wed Oct 23 13:48:31 2013] [debug] src/mod_auth_kerb.c(1628): [client 192.168.0.2] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 23 13:48:31 2013] [debug] mod_deflate.c(615): [client 192.168.0.2] Zlib: Compressed 477 to 322 : URL /secured
[Wed Oct 23 13:48:37 2013] [debug] src/mod_auth_kerb.c(1628): [client 192.168.0.2] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 23 13:48:37 2013] [debug] src/mod_auth_kerb.c(994): [client 192.168.0.2] Using HTTP/apache_server.DOMAIN.com@DOMAIN.COM as server principal for password verification
[Wed Oct 23 13:48:37 2013] [debug] src/mod_auth_kerb.c(698): [client 192.168.0.2] Trying to get TGT for user username@DOMAIN.COM
[Wed Oct 23 13:48:37 2013] [debug] src/mod_auth_kerb.c(609): [client 192.168.0.2] Trying to verify authenticity of KDC using principal HTTP/apache_server.DOMAIN.com@DOMAIN.COM
[Wed Oct 23 13:48:37 2013] [debug] src/mod_auth_kerb.c(652): [client 192.168.0.2] krb5_rd_req() failed when verifying KDC
[Wed Oct 23 13:48:37 2013] [error] [client 192.168.0.2] failed to verify krb5 credentials: Decrypt integrity check failed
[Wed Oct 23 13:48:37 2013] [debug] src/mod_auth_kerb.c(1073): [client 192.168.0.2] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL)
[Wed Oct 23 13:48:37 2013] [debug] mod_deflate.c(615): [client 192.168.0.2] Zlib: Compressed 477 to 322 : URL /secured

When IE 8 tries to connect I get:

[Wed Oct 23 14:03:30 2013] [debug] src/mod_auth_kerb.c(1628): [client 192.168.0.2] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 23 14:03:30 2013] [debug] mod_deflate.c(615): [client 192.168.0.2] Zlib: Compressed 477 to 322 : URL /secured
[Wed Oct 23 14:03:30 2013] [debug] src/mod_auth_kerb.c(1628): [client 192.168.0.2] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 23 14:03:30 2013] [debug] src/mod_auth_kerb.c(1240): [client 192.168.0.2] Acquiring creds for HTTP@apache_server
[Wed Oct 23 14:03:30 2013] [debug] src/mod_auth_kerb.c(1385): [client 192.168.0.2] Verifying client data using KRB5 GSS-API
[Wed Oct 23 14:03:30 2013] [debug] src/mod_auth_kerb.c(1401): [client 192.168.0.2] Client didn't delegate us their credential
[Wed Oct 23 14:03:30 2013] [debug] src/mod_auth_kerb.c(1420): [client 192.168.0.2] GSS-API token of length 9 bytes will be sent back
[Wed Oct 23 14:03:30 2013] [debug] src/mod_auth_kerb.c(1101): [client 192.168.0.2] GSS-API major_status:000d0000, minor_status:000186a5
[Wed Oct 23 14:03:30 2013] [error] [client 192.168.0.2] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, )
[Wed Oct 23 14:03:30 2013] [debug] mod_deflate.c(615): [client 192.168.0.2] Zlib: Compressed 477 to 322 : URL /secured

Let me know if you'd like additional log and config files--the initial question is getting long enough.

watkipet

2 Answers

I don't have extended experience setting up Kerberos delegation in Apache, but I'm pretty sure the service name defined in Apache needs to match the service name in the keytab file.

Set the service name explicitly like this:

<Location /secured>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms DOMAIN.COM
Krb5KeyTab /etc/krb5.keytab
KrbLocalUserMapping On
KrbServiceName HTTP/apache_server.DOMAIN.com
require valid-user
</Location>

The machine's account in AD will need to have the HTTP/apache_server.DOMAIN.com SPN set, but it sounds like you already have this in place.

Mathias R. Jessen

The answer above is right as far as it goes, but unfortunately you have to use the service name that is in the keytab:

    sudo ktutil list 

AD SPNs, as far as I understand them, are aliases such that when the client asks for HTTP/apache_server.com, it actually gets the Kerberos service ticket for host/apache_server.com.

Kerberos on the Unix side knows nothing about these aliases, so you have to say explicitly what is in the keytab.

One thing that might help is getting the latest version of mod_auth_kerb that supports the use of the Any keyword:

KrbServiceName Any

This means the module will search the keytab and try all the keys it finds until one of them works.
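Both answers come down to what is actually inside the keytab: the principal names Apache can use and the enctypes stored for each (the question's point 7 notes that only arcfour/des keys were added for HTTP). The following added example (not code from either answer) parses a version 0x0502 keytab, the format `klist -ke` reads, and lists every principal with its kvno and enctype; the keytab bytes are constructed inline with dummy keys to mirror the situation described in the question.

```python
import struct

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757)
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def parse_keytab(data):
    """Return (principal, kvno, enctype) for each live entry in a 0x0502 keytab.
    Slots with a negative size are deleted entries and are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                      # deleted slot: skip its body
            pos += -size
            continue
        body, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", body[:2]); off = 2
        parts = []
        for _ in range(ncomp + 1):        # realm first, then name components
            (n,) = struct.unpack(">H", body[off:off + 2]); off += 2
            parts.append(body[off:off + n].decode()); off += n
        realm, comps = parts[0], parts[1:]
        off += 8                          # name_type (uint32) + timestamp (uint32)
        vno8 = body[off]; off += 1
        enctype, klen = struct.unpack(">HH", body[off:off + 4]); off += 4 + klen
        # a trailing uint32 kvno, when present, overrides the one-byte value
        vno = struct.unpack(">I", body[off:off + 4])[0] if len(body) - off >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm, vno, ENCTYPES.get(enctype, str(enctype))))
    return entries

def keys_for(entries, service_name):
    """Enctypes the keytab holds for one principal, e.g. HTTP/host@REALM."""
    return sorted({e for p, _, e in entries if p == service_name})

def build_entry(principal, vno, enctype, key):
    """Encode one keytab entry (name_type 1, timestamp 0); used only to construct the sample."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, vno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab (dummy keys): RC4/DES keys for HTTP as "net ads keytab add"
# left them on 12.04, and an AES key for the host principal that PBIS added at join time.
SAMPLE = b"\x05\x02" + b"".join(
    build_entry("HTTP/apache_server.DOMAIN.com@DOMAIN.COM", 2, et, b"\x11" * (16 if et == 23 else 8))
    for et in (23, 1, 3)) + build_entry("host/apache_server.DOMAIN.com@DOMAIN.COM", 2, 18, b"\x22" * 32)

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE)
    for p, v, e in ents:
        print(f"kvno {v} {p} ({e})")
    print("HTTP enctypes:", keys_for(ents, "HTTP/apache_server.DOMAIN.com@DOMAIN.COM"))
```

Point it at a copy of /etc/krb5.keytab to see exactly which HTTP/... principal and enctypes mod_auth_kerb can pick from; if the HTTP entries carry only arcfour/des keys while the client negotiates AES, the mismatch shows up here before it shows up as a GSS-API failure in error.log.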