kerberos 5.0 and apache 1.3.34 - Kerberos

This is a discussion on kerberos 5.0 and apache 1.3.34 - Kerberos ; Hello, I have apache 1.3.34 running on a ubuntu linux box. I want my webserver to authenticate users through kerberos. my kerberos, i think is correctly set up. I can use kinit and klist. my questions are: 1) What exactly ...

+ Reply to Thread
Results 1 to 7 of 7

Thread: kerberos 5.0 and apache 1.3.34

  1. kerberos 5.0 and apache 1.3.34

    Hello,
    I have apache 1.3.34 running on a ubuntu linux box. I want my webserver
    to authenticate users through kerberos.

    my kerberos, i think is correctly set up. I can use kinit and klist.

    my questions are:

    1) What exactly do i need to change in the httpd.conf file?
    my website resides under /var/www and i want all the contents under
    /var/www to be protected.

    2) I got the libapache_mod_auth_kerb package through synaptics(ubuntu)
    and apache loads it just fine. BUT, when go on a different machine and
    try to access the website, i can see the dialog box with user name and
    password open, but when i enter my credentials, the box just keeps on
    popping up and does not seem to authenticate.

    what am i doing wrong?

    your help will be appreciated. thanks


  2. Re: kerberos 5.0 and apache 1.3.34

    >>>>> "AA" == abbas attarwala writes:

    AA> Hello, I have apache 1.3.34 running on a ubuntu linux box. I want
    AA> my webserver to authenticate users through kerberos.

    AA> my kerberos, i think is correctly set up. I can use kinit and
    AA> klist.

    AA> my questions are:

    AA> 1) What exactly do i need to change in the httpd.conf file? my
    AA> website resides under /var/www and i want all the contents under
    AA> /var/www to be protected.

    AA> 2) I got the libapache_mod_auth_kerb package through
    AA> synaptics(ubuntu) and apache loads it just fine. BUT, when go on a
    AA> different machine and try to access the website, i can see the
    AA> dialog box with user name and password open, but when i enter my
    AA> credentials, the box just keeps on popping up and does not seem to
    AA> authenticate.

    AA> what am i doing wrong?

    Since you haven't debugged enough to find out why it's doing that, there
    are too many possiblities to cover. Look at the KDC log, the Apache error
    log, the DNS and HTTP traffic. Find out what it's doing before trying to
    fix it.

    At least, you must have an HTTP/@REALM principal and its key in the
    keytab referenced below, and that file readable by the Apache process.


    AuthType Kerberos
    AuthName "Our Secure Space"
    KrbMethodNegotiate on
    KrbServiceName HTTP
    Krb5Keytab /path/to/my/keytab
    require valid-user


    --
    Richard Silverman
    res@qoxp.net


  3. Re: kerberos 5.0 and apache 1.3.34

    Thanks richard,

    My kerberos authentication i think is working now

    i say 'i think' because when i check my http header response this is
    what i am getting:

    WWW-Authenticate: Basic realm="Kerberos Login"

    It is saying Basic, when I have configured my httpd.conf file for
    kerberos authentication!

    why is this???

    thanks again


    Richard E. Silverman wrote:
    > >>>>> "AA" == abbas attarwala writes:

    >
    > AA> Hello, I have apache 1.3.34 running on a ubuntu linux box. I want
    > AA> my webserver to authenticate users through kerberos.
    >
    > AA> my kerberos, i think is correctly set up. I can use kinit and
    > AA> klist.
    >
    > AA> my questions are:
    >
    > AA> 1) What exactly do i need to change in the httpd.conf file? my
    > AA> website resides under /var/www and i want all the contents under
    > AA> /var/www to be protected.
    >
    > AA> 2) I got the libapache_mod_auth_kerb package through
    > AA> synaptics(ubuntu) and apache loads it just fine. BUT, when go on a
    > AA> different machine and try to access the website, i can see the
    > AA> dialog box with user name and password open, but when i enter my
    > AA> credentials, the box just keeps on popping up and does not seem to
    > AA> authenticate.
    >
    > AA> what am i doing wrong?
    >
    > Since you haven't debugged enough to find out why it's doing that, there
    > are too many possiblities to cover. Look at the KDC log, the Apache error
    > log, the DNS and HTTP traffic. Find out what it's doing before trying to
    > fix it.
    >
    > At least, you must have an HTTP/@REALM principal and its key in the
    > keytab referenced below, and that file readable by the Apache process.
    >
    >
    > AuthType Kerberos
    > AuthName "Our Secure Space"
    > KrbMethodNegotiate on
    > KrbServiceName HTTP
    > Krb5Keytab /path/to/my/keytab
    > require valid-user
    >

    >
    > --
    > Richard Silverman
    > res@qoxp.net



  4. Re: kerberos 5.0 and apache 1.3.34

    On Friday 17 March 2006 22:18, abbas.attarwala@gmail.com wrote:
    > Thanks richard,
    >
    > My kerberos authentication i think is working now
    >
    > i say 'i think' because when i check my http header response this is
    > what i am getting:
    >
    > WWW-Authenticate: Basic realm="Kerberos Login"
    >
    > It is saying Basic, when I have configured my httpd.conf file for
    > kerberos authentication!


    If you are using mod_auth_kerb -

    You have set

    KrbMethodK5Passwd off

    as described in


    ?


    Achim

    BTW: the mod_auth_kerb mailinglist is
    modauthkerb-help@lists.sourceforge.net
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  5. Re: kerberos 5.0 and apache 1.3.34

    at the moment, i have't set (KrbMethodK5Passwd) it to anything, and the
    default any way is ON.

    So am i suppose to set it OFF or keep it ON??

    thanks


    Achim Grolms wrote:
    > On Friday 17 March 2006 22:18, abbas.attarwala@gmail.com wrote:
    > > Thanks richard,
    > >
    > > My kerberos authentication i think is working now
    > >
    > > i say 'i think' because when i check my http header response this is
    > > what i am getting:
    > >
    > > WWW-Authenticate: Basic realm="Kerberos Login"
    > >
    > > It is saying Basic, when I have configured my httpd.conf file for
    > > kerberos authentication!

    >
    > If you are using mod_auth_kerb -
    >
    > You have set
    >
    > KrbMethodK5Passwd off
    >
    > as described in
    >
    >
    > ?
    >
    >
    > Achim
    >
    > BTW: the mod_auth_kerb mailinglist is
    > modauthkerb-help@lists.sourceforge.net
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos



  6. Re: kerberos 5.0 and apache 1.3.34

    this is my httpd.conf file.


    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate off
    KrbAuthoritative on
    KrbVerifyKDC off
    KrbAuthRealm MYDOMAIN.COM
    Krb5Keytab /etc/apache/apache.keypad
    KrbSaveCredentials off
    require valid-user



  7. Re: kerberos 5.0 and apache 1.3.34

    I really need SPNEGO Kerberos authentication with mod_auth_kerb.

    I have followed the excellent tutorial on how to set this at
    http://www.grolmsnet.de/kerbtut/

    but still, the HTTP header file has

    WWW-Authenticate negotiate
    WWW-Authenticate Basic realm="Kerberos Login"

    and asks the user to enter his username and password.

    my httpd.conf file is:

    LoadModule auth_kerb_module /usr/lib/apache/1.3/mod_auth_kerb.so

    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate off
    KrbAuthoritative on
    KrbVerifyKDC off
    KrbAuthRealm MYDOMAIN.COM
    Krb5Keytab /etc/apache/apache.keypad
    KrbSaveCredentials off
    require valid-user


    I believe I need to set:
    KrbMethodNegotiate on
    KrbMethodK5Passwd off

    and place my webserver in the intranet zone in IE.

    Please let me know, so that when i go to work tomorrow i can implement
    these changes.
    thanks.


+ Reply to Thread