RHEL8 y GSSAPI Kerberos se autentican a través de un problema de Apache

tag-icon tag-icon linux apache-2.4 kerberos rhel8 gssapi
RHEL8 y GSSAPI Kerberos se autentican a través de un problema de Apache

Estoy intentando ejecutar un host virtual Apache, en una máquina que actualmente ejecuta Red Hat Enterprise Linux release 8.5 (Ootpa), con autenticación Kerberos usando el nuevo módulo GSSAPI (reemplazo de mod_auth_kerb).

También configuré directivas LDAP para autenticar a mis usuarios a través de un LDAP gracias a mod_ldap.

Mi krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MY.DOMAIN
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 MY.DOMAIN = {
  kdc = ADserver.my.domain
  a_server = ADserver.my.domain
  default_domain = my.domain
 }

[domain_realm]
 .kerberos.server = MY.DOMAIN
 .my.domain = MY.DOMAIN

[appdefaults]
 pam = {
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false
 }

Creé un usuario al que se le asigna una tabla de claves. Mi usuario se llama " usersso"

Información SPN:

C:\Users\me>setspn -L usersso
Registered ServicePrincipalNames for CN=UserSso,OU=Users,DC=MY,DC=DOMAIN:
        HTTP/myserver.my.domain

C:\Users\me>setspn -Q HTTP/myserver.my.domain
Checking domain DC=MY,DC=DOMAIN
CN=UserSso,OU=Users,DC=MY,DC=DOMAIN
        HTTP/myserver.my.domain

Existing SPN found!

Envié mi tabla de claves a mi servidor Apache:

[root@myserver conf.d]# klist -ek /etc/httpd/usersso.keytab
Keytab name: FILE:/etc/httpd/usersso.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 HTTP/[email protected] (aes256-cts-hmac-sha1-96)

Pruebas de tabla de claves:

[root@myserver httpd]# kinit -V -kt /etc/httpd/usersso.keytab -p HTTP/[email protected]
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/[email protected]
Using keytab: /etc/httpd/usersso.keytab
Authenticated to Kerberos v5

[root@myserver httpd]# klist -Af
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/[email protected]

Valid starting       Expires              Service principal
16/06/2022 13:03:23  16/06/2022 23:03:23  krbtgt/[email protected]
        renew until 17/06/2022 13:03:23, Flags: FPRIA

Keytab parece estar bien.

Entonces ahora mi configuración de virtualhost:

<VirtualHost 192.168.168.168:80>
    ServerName              myserver.my.domain

    ErrorLog             /var/log/httpd/myserver.my.domain_error.log
    TransferLog          /var/log/httpd/myserver.my.domain_access.log
    LogLevel             debug

    <Location />
      AuthType GSSAPI
      AuthName "GSSAPI Single Sign On Login"
      GssapiBasicAuth On
      GssapiBasicAuthMech krb5
      GssapiAllowedMech krb5
      GssapiCredStore keytab:/etc/httpd/usersso.keytab
      GssapiLocalName On
      BrowserMatch Windows gssapi-no-negotiate

      AuthLDAPURL ldap://ldapserver:10400/ou=users,o=enterprise,dc=city,dc=fr?uid?sub?(objectclass=person)
      AuthLDAPGroupAttribute member
      AuthLDAPBindDN "cn=apache,ou=users,o=enterprise,dc=city,dc=fr"
      AuthLDAPBindPassword "XXXX"
      AuthzSendForbiddenOnFailure On

      Require ldap-group cn=group_to_authenticate_users,ou=Groupe,ou=Profil,o=enterprise,dc=city,dc=fr
    </Location>

# tag::TLSClient[]
    SSLProxyEngine on
    SSLProxyProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLProxyCipherSuite HIGH:!aNULL:!MD5
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    SSLProxyVerifyDepth 10
    SSLOCSPEnable off
# end::TLSClient[]

    ProxyPass               / https://anotherserver:443/
    ProxyPassReverse        / https://anotherserver:443/

</VirtualHost>

Cuando intento acceder a mi host virtual, no se me envía directamente, anotherserverpero aparece una ventana de autenticación que aparece en mi navegador Google Chrome (lo que significa que la autenticación Kerberos no funciona correctamente)

Access_log dice:

10.10.10.10(me) - - [16/Jun/2022:11:53:21 +0200] "GET / HTTP/1.1" 401 381

El registro de errores dice:

[Thu Jun 16 12:49:42.867213 2022] [authz_core:debug] [pid 8154:tid 139726585538304] mod_authz_core.c(820): [client 10.10.10.10:62252] AH01626: authorization result of Require ldap-group cn=group_to_authenticate_users,ou=Groupe,ou=Profil,o=enterprise,dc=city,dc=fr: denied (no authenticated user yet)
[Thu Jun 16 12:49:42.867231 2022] [authz_core:debug] [pid 8154:tid 139726585538304] mod_authz_core.c(820): [client 10.10.10.10:62252] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Jun 16 12:49:42.867256 2022] [auth_gssapi:debug] [pid 8154:tid 139726585538304] mod_auth_gssapi.c(901): [client 10.10.10.10:62252] URI: /, no main, no prev
[Thu Jun 16 12:49:42.867273 2022] [auth_gssapi:info] [pid 8154:tid 139726585538304] [client 10.10.10.10:62252] NO AUTH DATA Client did not send any authentication headers

Y finalmente, si ingreso mis credenciales a través del navegador Chrome de credenciales, me autentico exitosamente con mi grupo LDAP y puedo acceder a mi, anotherserverpero el SSO gracias a Kerberos GSSAPI no funciona, todavía tengo que ingresar mis credenciales manualmente. .. :(

Resultado curL: el WWW-authenticate : Negotiateencabezado de respuesta está presente:

curl -k -L http://myserver.my.domain/ -v
*   Trying 192.168.168.168:80...
* TCP_NODELAY set
* Connected to myserver.my.domain (192.168.168.168) port 80 (#0)
> GET / HTTP/1.1
> Host: myserver.my.domain
> User-Agent: curl/7.65.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Date: Thu, 16 Jun 2022 10:57:31 GMT
< Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k mod_auth_gssapi/1.6.1
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="GSSAPI Single Sign On Login"
< Content-Length: 381
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
* Connection #0 to host myserver.my.domain left intact

¿Alguien puede ayudarme con este problema?

Gracias !

EDITAR :

¡Finalmente encontré la solución!

  • Eliminé " BrowserMatch Windows gssapi-no-negotiate" de mi configuración de Apache,
  • Y detener+deshabilitar el gssproxyservicio porque todavía no puedo trabajar con RHEL8.6
  • Y luego no olvide cambiar Environment=GSS_USE_PROXYa 0 para evitar "gss_localname() input error"los registros de errores de Apache.

información relacionada