1
我真的很想解決這個問題,所以我希望你能幫助我。我GOOGLE了幾個小時,但似乎無法得到正確的配置。CentOS 7 Apache HTTPD Kerberos Windows AD問題
我在CentOS 7上使用Kerberos身份驗證設置Apache,以便我可以在Windows AD環境中實現SSO。根據我的理解,這是可能的,我應該能夠通過Internet Explorer訪問時實現真正的SSO。目前我有以下配置,當通過Internet Explorer訪問網站時會生成500內部服務器錯誤,但在使用Firefox時奇怪地起作用(儘管我必須在提示中輸入憑據)。
我首先生成一個服務主體並使用以下命令在Windows中導出keytab。
ktpass -princ HTTP/[email protected] -mapuser EXAMPLE\http-user -crypto ALL -ptype KRB5_NT_PRINCIPAL -mapop set -pass password -out D:\krb5.keytab
在將keytab複製到/etc/httpd/conf/krb5.keytab下的CentOS服務器之後,我配置了以下虛擬主機。
<VirtualHost *:80>
ServerName server.shc.local
DocumentRoot /var/www/html/test
LogLevel debug
ErrorLog /var/log/httpd/test-error.log
CustomLog /var/log/httpd/test-custom.log combined
<Location />
Options Indexes
AuthType Kerberos
KrbServiceName "HTTP/[email protected]"
AuthName "Welcome to the KRB5 Test"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbVerifyKDC off
KrbAuthRealms SHC.LOCAL
Krb5KeyTab /etc/httpd/conf/krb5.keytab
require valid-user
</Location>
</VirtualHost>
當我通過互聯網瀏覽器訪問該網站,我得到一個500內部服務器錯誤和日誌看起來是這樣的:
[Mon Jun 27 19:14:07.552584 2016] [authz_core:debug] [pid 2832] mod_authz_core.c(809): [client 192.168.214.202:21545] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jun 27 19:14:07.552637 2016] [authz_core:debug] [pid 2832] mod_authz_core.c(809): [client 192.168.214.202:21545] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jun 27 19:14:07.552690 2016] [auth_kerb:debug] [pid 2832] src/mod_auth_kerb.c(1954): [client 192.168.214.202:21545] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jun 27 19:14:07.552747 2016] [auth_kerb:debug] [pid 2832] src/mod_auth_kerb.c(1295): [client 192.168.214.202:21545] Acquiring creds for HTTP/[email protected]
[Mon Jun 27 19:14:07.555237 2016] [auth_kerb:debug] [pid 2832] src/mod_auth_kerb.c(1155): [client 192.168.214.202:21545] GSS-API major_status:000d0000, minor_status:0000000d
[Mon Jun 27 19:14:07.555250 2016] [auth_kerb:error] [pid 2832] [client 192.168.214.202:21545] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Permission denied)
,然後當我通過Firefox瀏覽正常訪問的網站,我得到提示進入憑據,但後來我成功通過身份驗證。日誌是這樣的:
[Mon Jun 27 19:16:49.936807 2016] [authz_core:debug] [pid 2828] mod_authz_core.c(809): [client 192.168.214.202:21577] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jun 27 19:16:49.936849 2016] [authz_core:debug] [pid 2828] mod_authz_core.c(809): [client 192.168.214.202:21577] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jun 27 19:16:49.936888 2016] [auth_kerb:debug] [pid 2828] src/mod_auth_kerb.c(1954): [client 192.168.214.202:21577] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jun 27 19:16:50.042925 2016] [authz_core:debug] [pid 2829] mod_authz_core.c(809): [client 192.168.214.202:21578] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jun 27 19:16:50.042960 2016] [authz_core:debug] [pid 2829] mod_authz_core.c(809): [client 192.168.214.202:21578] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jun 27 19:16:50.042982 2016] [auth_kerb:debug] [pid 2829] src/mod_auth_kerb.c(1954): [client 192.168.214.202:21578] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
沒有人有任何的想法是什麼,我需要做的就是無縫訪問SSO通過Internet Explorer網站時工作。
嗨。您是否真的嘗試過winbind(samba的一部分),配置和開展工作可能會更容易,特別是如果您有權訪問AD環境。它是什麼窗口設置?您還需要確保兩臺機器時鐘同步,否則krb auth會給您帶來問題。 – user3788685