Apache2 with Kerberos SSO login

laza86
Posts: 36
Registered: 28.12.2010 13:06:06

Apache2 with Kerberos SSO login

Post by laza86 » 19.04.2017 11:36:41

Hi all,

I'm currently going mad configuring my Apache server for Kerberos SSO.

On the Debian server, the AD integration and authentication via kinit/klist work flawlessly.

Code:

kinit -k -t /etc/http.keytab HTTP/DOMAIN.LOCAL
klist

My Apache conf looks as follows:

Code:

<Directory "/var/www/html/test/">
    Options Indexes FollowSymLinks
    AllowOverride None

    AuthType Kerberos
    AuthName "Kerberos authenticated intranet"
    KrbAuthRealms DOMAIN.LOCAL
    KrbServiceName HTTP/server.domain.local
    Krb5Keytab /etc/http.keytab
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    Require valid-user
</Directory>


The Apache server's ErrorLog shows the following:

Code:

[Wed Apr 19 11:00:24.524622 2017] [so:warn] [pid 1331] AH01574: module auth_kerb_module is already loaded, skipping
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_curl.dll' - /usr/lib/php/20151012/php_curl.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php5/20131226/ssh2.soo' - /usr/lib/php5/20131226/ssh2.soo: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_soap.dll' - /usr/lib/php/20151012/php_soap.dll: cannot open shared object file: No such file or directory in Unknown on line 0
[Wed Apr 19 11:00:24.592470 2017] [mpm_prefork:notice] [pid 1332] AH00163: Apache/2.4.10 (Debian) mod_auth_kerb/5.4 SVN/1.8.10 OpenSSL/1.0.1t configured -- resuming normal operations
[Wed Apr 19 11:00:24.592517 2017] [core:notice] [pid 1332] AH00094: Command line: '/usr/sbin/apache2'
[Wed Apr 19 11:00:27.504178 2017] [core:trace5] [pid 1335] protocol.c(647): [client IP:64387] Request received from client: GET /test/ HTTP/1.1
[Wed Apr 19 11:00:27.504347 2017] [mod_shib:debug] [pid 1335] mod_shib.cpp(320): [client IP:64387] get_request_config created per-request structure
[Wed Apr 19 11:00:27.504541 2017] [http:trace4] [pid 1335] http_request.c(301): [client IP:64387] Headers received from client:
[Wed Apr 19 11:00:27.504558 2017] [http:trace4] [pid 1335] http_request.c(305): [client IP:64387]   Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
[Wed Apr 19 11:00:27.504566 2017] [http:trace4] [pid 1335] http_request.c(305): [client IP:64387]   Accept-Language: de-DE
[Wed Apr 19 11:00:27.504572 2017] [http:trace4] [pid 1335] http_request.c(305): [client IP:64387]   User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; Touch; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Tablet PC 2.0; InfoPath.3)
[Wed Apr 19 11:00:27.504579 2017] [http:trace4] [pid 1335] http_request.c(305): [client IP:64387]   Accept-Encoding: gzip, deflate
[Wed Apr 19 11:00:27.504585 2017] [http:trace4] [pid 1335] http_request.c(305): [client IP:64387]   Host: server.domain.local
[Wed Apr 19 11:00:27.504591 2017] [http:trace4] [pid 1335] http_request.c(305): [client IP:64387]   Connection: Keep-Alive
[Wed Apr 19 11:00:27.506345 2017] [mod_shib:debug] [pid 1335] mod_shib.cpp(1584): [client IP:64387] shib_base_check_authz found uninitialized request object
[Wed Apr 19 11:00:27.506371 2017] [authz_core:debug] [pid 1335] mod_authz_core.c(809): [client IP:64387] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Apr 19 11:00:27.506379 2017] [authz_core:debug] [pid 1335] mod_authz_core.c(809): [client IP:64387] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Apr 19 11:00:27.506427 2017] [auth_kerb:debug] [pid 1335] src/mod_auth_kerb.c(1971): [client IP:64387] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Apr 19 11:00:27.506445 2017] [core:trace3] [pid 1335] request.c(119): [client IP:64387] auth phase 'check user' gave status 401: /test/
[Wed Apr 19 11:00:27.506521 2017] [http:trace3] [pid 1335] http_filters.c(1087): [client IP:64387] Response sent with status 401, headers:
[Wed Apr 19 11:00:27.506532 2017] [http:trace5] [pid 1335] http_filters.c(1094): [client IP:64387]   Date: Wed, 19 Apr 2017 09:00:27 GMT
[Wed Apr 19 11:00:27.506538 2017] [http:trace5] [pid 1335] http_filters.c(1097): [client IP:64387]   Server: Apache/2.4.10 (Debian)
[Wed Apr 19 11:00:27.506546 2017] [http:trace4] [pid 1335] http_filters.c(916): [client IP:64387]   WWW-Authenticate: Negotiate
[Wed Apr 19 11:00:27.506574 2017] [http:trace4] [pid 1335] http_filters.c(916): [client IP:64387]   WWW-Authenticate: Basic realm=\\"Kerberos authenticated intranet\\"
[Wed Apr 19 11:00:27.506582 2017] [http:trace4] [pid 1335] http_filters.c(916): [client IP:64387]   Content-Length: 476
[Wed Apr 19 11:00:27.506588 2017] [http:trace4] [pid 1335] http_filters.c(916): [client IP:64387]   Keep-Alive: timeout=5, max=100
[Wed Apr 19 11:00:27.506594 2017] [http:trace4] [pid 1335] http_filters.c(916): [client IP:64387]   Connection: Keep-Alive
[Wed Apr 19 11:00:27.506600 2017] [http:trace4] [pid 1335] http_filters.c(916): [client IP:64387]   Content-Type: text/html; charset=iso-8859-1
[Wed Apr 19 11:00:27.506635 2017] [core:trace6] [pid 1335] core_filters.c(527): [client IP:64387] core_output_filter: flushing because of FLUSH bucket
[Wed Apr 19 11:00:27.509152 2017] [core:trace5] [pid 1335] protocol.c(647): [client IP:64387] Request received from client: GET /test/ HTTP/1.1
[Wed Apr 19 11:00:27.509211 2017] [mod_shib:debug] [pid 1335] mod_shib.cpp(320): [client IP:64387] get_request_config created per-request structure
[Wed Apr 19 11:00:27.509242 2017] [http:trace4] [pid 1335] http_request.c(301): [client IP:64387] Headers received from client:
[Wed Apr 19 11:00:27.509250 2017] [http:trace4] [pid 1335] http_request.c(305): [client IP:64387]   Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
[Wed Apr 19 11:00:27.509258 2017] [http:trace4] [pid 1335] http_request.c(305): [client IP:64387]   Accept-Language: de-DE
[Wed Apr 19 11:00:27.509264 2017] [http:trace4] [pid 1335] http_request.c(305): [client IP:64387]   User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; Touch; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Tablet PC 2.0; InfoPath.3)
[Wed Apr 19 11:00:27.509271 2017] [http:trace4] [pid 1335] http_request.c(305): [client IP:64387]   Accept-Encoding: gzip, deflate
[Wed Apr 19 11:00:27.509277 2017] [http:trace4] [pid 1335] http_request.c(305): [client IP:64387]   Host: server.domain.local
[Wed Apr 19 11:00:27.509283 2017] [http:trace4] [pid 1335] http_request.c(305): [client IP:64387]   Connection: Keep-Alive
[Wed Apr 19 11:00:27.509295 2017] [http:trace4] [pid 1335] http_request.c(305): [client IP:64387]   Authorization: Negotiate ...
[Wed Apr 19 11:00:27.510507 2017] [mod_shib:debug] [pid 1335] mod_shib.cpp(1584): [client IP:64387] shib_base_check_authz found uninitialized request object
[Wed Apr 19 11:00:27.510530 2017] [authz_core:debug] [pid 1335] mod_authz_core.c(809): [client IP:64387] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Apr 19 11:00:27.510538 2017] [authz_core:debug] [pid 1335] mod_authz_core.c(809): [client IP:64387] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Apr 19 11:00:27.510553 2017] [auth_kerb:debug] [pid 1335] src/mod_auth_kerb.c(1971): [client IP:64387] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Apr 19 11:00:27.510596 2017] [auth_kerb:debug] [pid 1335] src/mod_auth_kerb.c(1299): [client IP:64387] Acquiring creds for HTTP/server.domain.local
[Wed Apr 19 11:00:27.516789 2017] [auth_kerb:debug] [pid 1335] src/mod_auth_kerb.c(1722): [client IP:64387] Verifying client data using KRB5 GSS-API 
[Wed Apr 19 11:00:27.518711 2017] [auth_kerb:debug] [pid 1335] src/mod_auth_kerb.c(1738): [client IP:64387] Client didn't delegate us their credential
[Wed Apr 19 11:00:27.518740 2017] [auth_kerb:debug] [pid 1335] src/mod_auth_kerb.c(1757): [client IP:64387] GSS-API token of length 181 bytes will be sent back
[Wed Apr 19 11:00:27.519670 2017] [mod_shib:debug] [pid 1335] mod_shib.cpp(867): [client IP:64387] shib_auth_checker entered in pid (1335)
[Wed Apr 19 11:00:27.519832 2017] [mod_shib:debug] [pid 1335] mod_shib.cpp(437): [client IP:64387] htaccess: denying shib-access/valid-user rule, no active session
[Wed Apr 19 11:00:27.519851 2017] [authz_core:debug] [pid 1335] mod_authz_core.c(809): [client IP:64387] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Apr 19 11:00:27.519859 2017] [authz_core:debug] [pid 1335] mod_authz_core.c(809): [client IP:64387] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Apr 19 11:00:27.519866 2017] [authz_core:error] [pid 1335] [client IP:64387] AH01629: authorization failure (no authenticated user): /test/
[Wed Apr 19 11:00:27.519874 2017] [core:trace3] [pid 1335] request.c(119): [client IP:64387] auth phase 'check authorization' gave status 401: /test/
[Wed Apr 19 11:00:27.519921 2017] [http:trace3] [pid 1335] http_filters.c(1087): [client IP:64387] Response sent with status 401, headers:
[Wed Apr 19 11:00:27.519943 2017] [http:trace5] [pid 1335] http_filters.c(1094): [client IP:64387]   Date: Wed, 19 Apr 2017 09:00:27 GMT
[Wed Apr 19 11:00:27.519950 2017] [http:trace5] [pid 1335] http_filters.c(1097): [client IP:64387]   Server: Apache/2.4.10 (Debian)
[Wed Apr 19 11:00:27.519965 2017] [http:trace4] [pid 1335] http_filters.c(916): [client IP:64387]   WWW-Authenticate: Negotiate oYGyMIGvoAMKAQChCwYJKoZIhvcSAQICooGaBIGXYIGUBgkqhkiG9xIBAgICAG+BhDCBgaADAgEFoQMCAQ+idTBzoAMCAReibARqtl7TYeCmPnhfMQAfk8wK1ERy+5v6jJzUAohq0+CyGqQsm+FVMEm+aS+M53D5oWbITqToSiWpGehAdBq3B74Iuu2T+qYVXMQsfLHpMev18unK+wzQj/q4zU8LYp2FJRkumE63QsNRVEkiZw==
[Wed Apr 19 11:00:27.519974 2017] [http:trace4] [pid 1335] http_filters.c(916): [client IP:64387]   Content-Length: 476
[Wed Apr 19 11:00:27.519980 2017] [http:trace4] [pid 1335] http_filters.c(916): [client IP:64387]   Keep-Alive: timeout=5, max=99
[Wed Apr 19 11:00:27.519986 2017] [http:trace4] [pid 1335] http_filters.c(916): [client IP:64387]   Connection: Keep-Alive
[Wed Apr 19 11:00:27.519991 2017] [http:trace4] [pid 1335] http_filters.c(916): [client IP:64387]   Content-Type: text/html; charset=iso-8859-1
[Wed Apr 19 11:00:27.520017 2017] [core:trace6] [pid 1335] core_filters.c(527): [client IP:64387] core_output_filter: flushing because of FLUSH bucket
[Wed Apr 19 11:00:27.538728 2017] [core:trace6] [pid 1335] core_filters.c(527): [client IP:64387] core_output_filter: flushing because of FLUSH bucket


I think authentication fails here:

Code:

[Wed Apr 19 11:00:27.506345 2017] [mod_shib:debug] [pid 1335] mod_shib.cpp(1584): [client IP:64387] shib_base_check_authz found uninitialized request object
[Wed Apr 19 11:00:27.506371 2017] [authz_core:debug] [pid 1335] mod_authz_core.c(809): [client IP:64387] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Apr 19 11:00:27.506379 2017] [authz_core:debug] [pid 1335] mod_authz_core.c(809): [client IP:64387] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Apr 19 11:00:27.506427 2017] [auth_kerb:debug] [pid 1335] src/mod_auth_kerb.c(1971): [client IP:64387] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos


I've tried many variants of the Apache conf, unfortunately without success..
I'm really at my wits' end... Does anyone have an idea?

Thanks,

Regards
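
What the trace above actually says can be checked mechanically. The following is an added example for this thread, not code from the post. It walks constructed log lines (abbreviated copies of the ones above; the client's own Negotiate token is not preserved on the page, so a placeholder stands in for it) and classifies each 401 by the Apache auth phase that produced it, then DER-decodes the server's NegTokenResp, copied verbatim from the WWW-Authenticate header of the second 401, to see how the Kerberos side of the exchange ended. The line matching is specific to Apache 2.4 trace output with mod_auth_kerb and mod_shib as shown above; the SPNEGO and Kerberos token layout follows RFC 4178 and RFC 4121.

```python
"""Diagnose a failed HTTP Negotiate (SPNEGO) login from Apache trace logs. Added example
for this thread, not code from the post: it classifies each 401 (opening challenge vs. an
authenticated user rejected by an authz module) and decodes the server's NegTokenResp."""
import base64
import re

# The server's Negotiate response token, copied verbatim from the thread's log above.
SERVER_TOKEN = ("oYGyMIGvoAMKAQChCwYJKoZIhvcSAQICooGaBIGXYIGUBgkqhkiG9xIBAgICAG+BhDCBgaADAgEF"
                "oQMCAQ+idTBzoAMCAReibARqtl7TYeCmPnhfMQAfk8wK1ERy+5v6jJzUAohq0+CyGqQsm+FVMEm+"
                "aS+M53D5oWbITqToSiWpGehAdBq3B74Iuu2T+qYVXMQsfLHpMev18unK+wzQj/q4zU8LYp2FJRku"
                "mE63QsNRVEkiZw==")
# Well-known SPNEGO mechanism OIDs in DER value form (no tag/length bytes).
MECHS = {bytes.fromhex("2a864886f712010202"): "1.2.840.113554.1.2.2 (Kerberos V5)",
         bytes.fromhex("2a864882f712010202"): "1.2.840.48018.1.2.2 (MS KRB5)",
         bytes.fromhex("2b060104018237020a"): "1.3.6.1.4.1.311.2.2.10 (NTLMSSP)"}

# Constructed sample: abbreviated copies of the thread's log lines; the client's own
# token was not preserved on the page, so a placeholder stands in for it.
SAMPLE_LOG = f"""\
[core:trace5] Request received from client: GET /test/ HTTP/1.1
[core:trace3] auth phase 'check user' gave status 401: /test/
[http:trace4]   WWW-Authenticate: Negotiate
[http:trace4]   WWW-Authenticate: Basic realm="Kerberos authenticated intranet"
[core:trace5] Request received from client: GET /test/ HTTP/1.1
[http:trace4]   Authorization: Negotiate <client-token-not-on-page>
[auth_kerb:debug] GSS-API token of length 181 bytes will be sent back
[mod_shib:debug] htaccess: denying shib-access/valid-user rule, no active session
[core:trace3] auth phase 'check authorization' gave status 401: /test/
[http:trace4]   WWW-Authenticate: Negotiate {SERVER_TOKEN}
"""

PHASE_RE = re.compile(r"auth phase '([^']+)' gave status 401")
DENY_RE = re.compile(r"\[(\w+):(?:debug|error)\] .*(?:denying|authorization failure)")
TOKEN_RE = re.compile(r"WWW-Authenticate: Negotiate (\S+)")

def analyse_exchange(log_text):
    """One record per request. A 401 from 'check user' with no client token is the normal
    opening challenge; a 401 from 'check authorization' means a user WAS authenticated."""
    records, cur = [], None
    for line in log_text.splitlines():
        if "Request received from client" in line:
            cur = {"phase": None, "client_token": False, "denied_by": None,
                   "offers_basic": False, "server_token": None}
            records.append(cur)
        if cur is None:
            continue
        cur["client_token"] |= "Authorization: Negotiate" in line
        cur["offers_basic"] |= "WWW-Authenticate: Basic" in line   # password fallback advertised
        if m := PHASE_RE.search(line):
            cur["phase"] = m.group(1)
        # authz_core only logs the aggregate result; record the module that actually denied
        if (m := DENY_RE.search(line)) and m.group(1) != "authz_core":
            cur["denied_by"] = m.group(1)
        if m := TOKEN_RE.search(line):
            cur["server_token"] = m.group(1)
    return records

def der_tlv(buf, pos=0):
    """(tag, value, next_pos) of the DER element at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_neg_token_resp(token_b64):
    """Decode a SPNEGO NegTokenResp (RFC 4178 s4.2.2) as carried in WWW-Authenticate."""
    states = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
    tag, body, _ = der_tlv(base64.b64decode(token_b64))     # [1] NegTokenResp
    out, pos, seq = {}, 0, der_tlv(body)[1]                  # SEQUENCE of tagged fields
    while pos < len(seq):
        tag, val, pos = der_tlv(seq, pos)
        inner = der_tlv(val)[1]                              # strip the [n] context tag
        if tag == 0xA0:
            out["negState"] = states.get(inner[0], str(inner[0]))
        elif tag == 0xA1:
            out["supportedMech"] = MECHS.get(inner, inner.hex())
        elif tag == 0xA2:
            out["responseToken"] = inner
    return out

def describe_krb_token(tok):
    """Inner Kerberos GSS token type (RFC 4121 s4.1); for an AP-REP also its enc-part enctype."""
    tag, body, _ = der_tlv(tok)                              # [APPLICATION 0] InitialContextToken
    if tag != 0x60:
        return {"type": "not-a-gss-token"}
    _, oid, pos = der_tlv(body)
    kinds = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}
    info = {"mech": MECHS.get(oid, oid.hex()), "type": kinds.get(body[pos:pos + 2], "unknown")}
    if info["type"] == "AP-REP":
        seq = der_tlv(der_tlv(body, pos + 2)[1])[1]          # [APPLICATION 15] AP-REP ::= SEQUENCE
        p = der_tlv(seq, der_tlv(seq)[2])[2]                 # skip [0] pvno and [1] msg-type
        enc = der_tlv(der_tlv(seq, p)[1])[1]                 # [2] enc-part EncryptedData
        info["etype"] = int.from_bytes(der_tlv(der_tlv(enc)[1])[1], "big")   # [0] etype
    return info

if __name__ == "__main__":
    for rec in analyse_exchange(SAMPLE_LOG):
        resp = parse_neg_token_resp(rec["server_token"]) if rec["server_token"] else None
        print(rec["phase"], rec["denied_by"], resp and (resp["negState"], describe_krb_token(resp["responseToken"])))
```

Run as is, it reports two requests. The first 401 comes from 'check user' with no client token: the normal opening challenge. It also advertises Basic, so a client that cannot do Negotiate (or a user who clicks through a prompt) is invited to send the domain password, which travels in the clear unless the site is served over TLS. The second 401 comes from 'check authorization' and the module that said no is mod_shib, while the decoded NegTokenResp from the same response is negState accept-completed carrying a Kerberos V5 AP-REP. In other words the Kerberos exchange succeeded and the already-authenticated user was rejected afterwards by the Shibboleth module's handling of Require valid-user, which is what disabling shib2 later in the thread fixed. One more thing the decode exposes: the AP-REP enc-part uses etype 23 (RC4-HMAC), so the session key issued for this service was RC4; on Active Directory that usually means the account holding the HTTP/ SPN has no AES types set in msDS-SupportedEncryptionTypes, which is worth correcting independently of the SSO problem.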

laza86

Re: Apache2 with Kerberos SSO login

Post by laza86 » 20.04.2017 07:13:09

Does nobody have an idea what this authentication problem could be due to?

Grateful for any tip!

Regards

laza86

Re: Apache2 with Kerberos SSO login

Post by laza86 » 20.04.2017 09:09:07

Yes, I'm one step further.

I disabled shib2 and now the data is passed on correctly...

Code:

a2dismod shib2

Let's see whether the rest works now too.
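
Since the thread ends with shib2 disabled, here is the poster's <Directory> block tightened up, as an added example rather than configuration from the post. It keeps the realm, SPN and keytab path from above and assumes the mod_auth_kerb 5.4 that the log shows; every directive used is one of mod_auth_kerb's own. The changes follow from what the trace revealed: the server was advertising Basic next to Negotiate, and the directory had listings enabled.

```apache
# Added example, not the poster's final configuration. Same server name, realm
# and keytab as in the thread; mod_auth_kerb 5.4 directives.
<Directory "/var/www/html/test/">
    # "Indexes" publishes a directory listing to every authenticated user; drop it
    # unless a listing is actually wanted.
    Options FollowSymLinks
    AllowOverride None

    AuthType Kerberos
    AuthName "Kerberos authenticated intranet"
    KrbAuthRealms DOMAIN.LOCAL
    # Must match the SPN in the keytab and the name the browser sends in Host:
    KrbServiceName HTTP/server.domain.local
    # Keytab readable by the Apache user and nobody else (e.g. root:www-data 0640).
    Krb5Keytab /etc/http.keytab
    KrbMethodNegotiate On
    # Off: stop sending "WWW-Authenticate: Basic" alongside Negotiate. With it On,
    # as in the thread, a client that cannot do Negotiate is asked for the domain
    # password, which plain HTTP carries in the clear. Only turn it back on for a
    # TLS-only site that really needs a password fallback.
    KrbMethodK5Passwd Off
    # Only matters if K5Passwd is ever re-enabled: the obtained TGT is verified
    # against the keytab, so a spoofed KDC cannot "authenticate" a user.
    KrbVerifyKDC On
    # Do not write delegated credentials to disk unless a backend needs them.
    KrbSaveCredentials Off
    Require valid-user
</Directory>
```

Two further notes. If Shibboleth is still needed for other paths on the same server, a2dismod shib2 is the blunt fix; Shibboleth SP's Apache documentation describes how the module treats Require valid-user on Apache 2.4 (the ShibCompatValidUser directive), but whether that alone keeps it out of a Kerberos-protected directory depends on the SP version installed, so check the documentation for that version rather than assuming. And mod_auth_kerb itself has not been maintained for years; on current Debian releases the maintained replacement is mod_auth_gssapi, whose directive names differ from the ones above.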
