Evening,
I am attempting to get Apache authenticating with IPA but am not sure why
it's rejecting the keytab. I have even recreated the keytab a number of
times, but this isn't making any difference. To make sure the problem
isn't anywhere else, I briefly used an htpasswd file and it worked fine,
so I'm confident it has to do with the Apache/IPA integration. Does anybody
notice anything wrong with the setup below?
[Tue Jul 24 17:13:55.754808 2018] [auth_gssapi:debug] [pid 27797] mod_auth_gssapi.c(857): [client 192.168.20.221:46106] URI: /git/, no main, no prev
[Tue Jul 24 17:13:55.809525 2018] [auth_gssapi:error] [pid 27797] [client 192.168.20.221:46106] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information (Keytab FILE:/etc/httpd/conf.d/httpd.keytab is nonexistent or empty)]
[Tue Jul 24 17:13:55.811160 2018] [ssl:debug] [pid 27797] ssl_engine_io.c(993): [client 192.168.20.221:46106] AH02001: Connection closed to child 3 with standard shutdown (server gitolite4.eng.example.com:443)
Full log here:
https://pastebin.com/v3KKVs6W
However, the keytab looks fine.
Keytab name: FILE:/etc/httpd/conf.d/httpd.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 07/23/2018 16:19:22 http/gitolite4.eng.example.com@ENG.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 07/23/2018 16:19:22 http/gitolite4.eng.example.com@ENG.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 07/23/2018 16:19:22 http/gitolite4.eng.example.com@ENG.EXAMPLE.COM (des3-cbc-sha1)
   1 07/23/2018 16:19:22 http/gitolite4.eng.example.com@ENG.EXAMPLE.COM (arcfour-hmac)
[root@gitolite4 ~]#
Also, I have confirmed this isn't SELinux-related:
[root@gitolite4 ~]# getenforce
Permissive
This is the version of the Apache module that I am using:
[root@gitolite4 ~]# rpm -qa | grep gssapi
mod_auth_gssapi-1.5.1-5.el7.x86_64
python-gssapi-1.2.0-3.el7.x86_64
cyrus-sasl-gssapi-2.1.26-23.el7.x86_64
[root@gitolite4 ~]#
This is the configuration that I am using:
<Location /git>
LimitXMLRequestBody 0
LimitRequestBody 0
AuthType GSSAPI
AuthName "Linux Account"
GssapiConnectionBound On
GssapiBasicAuth On
GssapiNegotiateOnce On
GssapiLocalName on
AuthzSendForbiddenOnFailure On
GssapiCredStore keytab:/etc/httpd/conf.d/httpd.keytab
GssapiSignalPersistentAuth On
GssapiSSLonly On
Require expr %{REMOTE_USER} =~ /@eng.example.com$/
</Location>
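An added check, not from the original post or from mod_auth_gssapi itself, covering the two things the log and the klist listing above bear on: whether the httpd process can open the keytab at all (the "nonexistent or empty" text is what krb5 reports when it cannot), and whether the keytab holds the exact principal the module will ask for, since Kerberos principal names are case-sensitive. It assumes klist/kinit are installed and that httpd runs as the apache user.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks an Apache keytab the way
# mod_auth_gssapi needs it: readable by the httpd user, exact principal present,
# and usable against the KDC. Assumes krb5-workstation (klist/kinit) and that
# httpd runs as "apache" (both assumptions; adjust for your system).

# Constructed sample modelled on the klist -kte output in the post above.
SAMPLE_KLIST='Keytab name: FILE:/etc/httpd/conf.d/httpd.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 07/23/2018 16:19:22 http/gitolite4.eng.example.com@ENG.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 07/23/2018 16:19:22 http/gitolite4.eng.example.com@ENG.EXAMPLE.COM (aes128-cts-hmac-sha1-96)'

# Returns 0 if klist output ($1) lists principal $2 exactly. Principal names
# are case-sensitive, so http/host@REALM does not satisfy HTTP/host@REALM.
keytab_lists_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ && $4 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Prints principals that match $2 only when case is ignored: a sign the keytab
# was created for the wrong service name (e.g. http/ instead of HTTP/).
keytab_case_mismatches() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ && $4 != want && tolower($4) == tolower(want) { print $4 }' | sort -u
}

# Live check. Usage: check_httpd_keytab /etc/httpd/conf.d/httpd.keytab HTTP/host@REALM [user]
check_httpd_keytab() {
    keytab="$1"; want="$2"; httpd_user="${3:-apache}"
    [ -s "$keytab" ] || { echo "FAIL: $keytab is missing or empty"; return 1; }
    # "nonexistent or empty" in the httpd log is what krb5 reports when the
    # httpd process cannot open the file, so test readability as that user.
    su -s /bin/sh -c "test -r '$keytab'" "$httpd_user" \
        || { echo "FAIL: $keytab is not readable by $httpd_user (check owner/mode)"; return 1; }
    out=$(klist -kte "$keytab") || return 1
    if ! keytab_lists_principal "$out" "$want"; then
        echo "FAIL: $want not in $keytab"
        keytab_case_mismatches "$out" "$want" | sed 's/^/  case-only match: /'
        return 1
    fi
    # Prove the key is current on the KDC without leaving a ticket on disk.
    KRB5CCNAME=MEMORY:keytab-check kinit -kt "$keytab" "$want" \
        || { echo "FAIL: kinit with $keytab failed (stale KVNO or wrong key?)"; return 1; }
    echo "OK: $want in $keytab is readable by $httpd_user and accepted by the KDC"
}
```

Run as root on the web server, e.g. `check_httpd_keytab /etc/httpd/conf.d/httpd.keytab HTTP/gitolite4.eng.example.com@ENG.EXAMPLE.COM`; the two parsing helpers can be exercised offline against SAMPLE_KLIST.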