I got FreeIPA up and running but am having trouble getting it working with Apache. I tried both mod_auth_mellon and mod_auth_gssapi. My goal is to have something that 1) attempts Kerberos and 2) falls back to user/pass auth.
For mod_auth_gssapi, I am able to get SSO working with my local Firefox, but the fallback HTTP Basic auth fails. Opening a private Firefox window (to break Kerberos) and entering my username/pass, I get the following Apache log error:

    GSS ERROR gss_init_sec_context(): [Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)
Apache config is:

    <Location />
        AuthType GSSAPI
        AuthName "Kerberos Login"
        GssapiCredStore keytab:/etc/httpd/http.keytab
        GssapiBasicAuth On
        GssapiBasicAuthMech krb5
        Require valid-user
    </Location>
Okay, so I moved to mod_auth_mellon (SAML auth via Keycloak via FreeIPA). With this one I got username/pass auth working, but Kerberos does not work. I followed the instructions here: https://jdennis.fedorapeople.org/doc/mellon-install/mellon-install-guide.htm...
Keycloak reports the below message when I *require* Kerberos auth (over username/passwd):

    Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - AES256 CTS mode with HMAC SHA1-96)
So I think something might be wrong with my keytab file. Lots of posts around the internet are about Windows AD and say to enable AES encryption for that service, but I do not see such an option in FreeIPA.
So am I missing something with the encryption settings?
Here is my keytab creation command:

    ipa-getkeytab -s freeipa.example.com -p HTTP/keycloak.example.com -k /tmp/client1.keytab
And here is the result:

    [root@freeipa ~]# klist -e -k /tmp/client1.keytab
    Keytab name: FILE:/tmp/client1.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       1 HTTP/keycloak.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
       1 HTTP/keycloak.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
freeipa-users@lists.fedorahosted.org
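Added example, not part of the post above and not code from FreeIPA, Keycloak or mod_auth_gssapi: a small Python checker that parses the text output of `klist -e -k` (the format pasted in the post) and confirms that the service principal has a key of the encryption type named in a "Cannot find key of appropriate type to decrypt AP-REQ - ..." error. The embedded listing is a constructed sample shaped like the post's output, the default principal name is taken from the post, and the table mapping Java's prose enctype names to krb5's short names is an assumption that covers only the two AES types seen here.

```python
"""keytab_check.py: does this keytab hold the key an AP-REQ needs?

Added example, not code from the original post or from FreeIPA, Keycloak
or mod_auth_gssapi. It parses the text output of `klist -e -k <keytab>`
and checks that a service principal has a key whose encryption type
matches the one named in a Java GSSException "Cannot find key of
appropriate type to decrypt AP-REQ - <enctype>" message.
"""
import re
import sys
from collections import defaultdict

# Constructed sample listing, same shape as the klist output in the post.
SAMPLE_KLIST = """\
Keytab name: FILE:/tmp/client1.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/keycloak.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 HTTP/keycloak.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""

# Java's GSS layer names enctypes in prose; klist prints krb5's short names.
# Assumption: this table only covers the two AES types that appear here.
JAVA_ENCTYPE_NAMES = {
    "AES256 CTS mode with HMAC SHA1-96": "aes256-cts-hmac-sha1-96",
    "AES128 CTS mode with HMAC SHA1-96": "aes128-cts-hmac-sha1-96",
}

# One keytab entry line: "<kvno> <principal> (<enctype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")


def parse_klist(text):
    """Return {principal: [(kvno, enctype), ...]} from `klist -e -k` output."""
    keys = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            keys[m.group(2)].append((int(m.group(1)), m.group(3)))
    return dict(keys)


def enctype_from_java_error(message):
    """Map the enctype named in a Java GSSException message to its krb5 name."""
    for java_name, krb5_name in JAVA_ENCTYPE_NAMES.items():
        if java_name in message:
            return krb5_name
    return None


def check_principal(keys, principal, required_enctype):
    """Return (ok, findings); ok is True only when a key of the required type exists."""
    entries = keys.get(principal, [])
    if not entries:
        return False, [f"no entry for {principal} in this keytab"]
    kvnos = sorted({kvno for kvno, _ in entries})
    enctypes = {enctype for _, enctype in entries}
    findings = [f"KVNOs in keytab: {kvnos}"]
    if required_enctype in enctypes:
        findings.append(f"{required_enctype} key present")
        return True, findings
    findings.append(f"missing {required_enctype}; keytab has {sorted(enctypes)}")
    return False, findings


def main(argv):
    # argv[1]: service principal, argv[2]: the error text; stdin: klist output.
    principal = argv[1] if len(argv) > 1 else "HTTP/keycloak.example.com@EXAMPLE.COM"
    error_text = argv[2] if len(argv) > 2 else (
        "Cannot find key of appropriate type to decrypt AP-REQ - "
        "AES256 CTS mode with HMAC SHA1-96")
    listing = sys.stdin.read() if not sys.stdin.isatty() else ""
    listing = listing or SAMPLE_KLIST  # fall back to the constructed sample
    wanted = enctype_from_java_error(error_text)
    if wanted is None:
        print("could not recognise an enctype in the error text")
        return 2
    ok, findings = check_principal(parse_klist(listing), principal, wanted)
    for line in findings:
        print(line)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real keytab with `klist -e -k /etc/httpd/http.keytab | python3 keytab_check.py 'HTTP/host@REALM' "<error text>"`. The KVNO line is there for a second check worth making by hand: `ipa-getkeytab` without `-r` generates a fresh key and raises the principal's KVNO on the server, so a keytab fetched earlier for the same principal (on any host) stops matching the tickets the KDC issues even when its enctypes look right; `kvno HTTP/host@REALM` after a fresh `kinit` shows the number the KDC currently uses.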