Hello.
I am trying to set up Kerberos authentication for Apache on Centaurus.
User operator1 logs in directly on the server and authenticates via Kerberos.
Then, in Firefox, they try to open
http://server01.scantronic/tsd
When the protected directory is requested, the browser gets a 500 error.
The httpd2 error_log says: [crit] [client 10.0.1.201] configuration error: couldn't check access. Check your 'Require' directive: /tsd
.htaccess for the /tsd directory:
AuthName "Kerberos Login"
AuthType Kerberos
Krb5Keytab /etc/krb5.keytab
KrbAuthRealms SCANTRONIC
KrbMethodNegotiate on
KrbDelegateBasic on
KrbMethodK5Passwd off
KrbSaveCredentials on
Require valid-user
krb5.conf:
[logging]
kdc = FILE:/var/log/krb5kdc.log
[libdefaults]
default_realm = SCANTRONIC
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable=true
forward=true
[domain_realm]
.scantronic = SCANTRONIC
scantronic = SCANTRONIC
[dbdefaults]
ldap_kerberos_container_dn = "cn=kerberos,ou=kdcroot,dc=scantronic"
[dbmodules]
scantronic = {
db_library = kldap
ldap_kdc_dn = cn=kdc,ou=kdcroot,dc=scantronic
ldap_kadmind_dn = cn=kadmin,ou=kdcroot,dc=scantronic
ldap_service_password_file = /var/lib/kerberos/krb5kdc/scantronic.ldapkey
ldap_servers = ldap://localhost/
ldap_conns_per_server = 5
}
[realms]
SCANTRONIC = {
database_module = scantronic
}
mod_auth_kerb is installed and loaded.
In the Kerberos log:
May 17 00:31:01 server01.scantronic krb5kdc[25618](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.201: ISSUE: authtime 1337200261, etypes {rep=23 tkt=23 ses=16}, operator1@SCANTRONIC for krbtgt/SCANTRONIC@SCANTRONIC
May 17 00:31:01 server01.scantronic krb5kdc[25618](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.201: ISSUE: authtime 1337200261, etypes {rep=23 tkt=23 ses=16}, operator1@SCANTRONIC for krbtgt/SCANTRONIC@SCANTRONIC
May 17 00:31:31 server01.scantronic krb5kdc[25618](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.201: ISSUE: authtime 1337200261, etypes {rep=16 tkt=23 ses=23}, operator1@SCANTRONIC for HTTP/server01.scantronic@SCANTRONIC
May 17 00:31:31 server01.scantronic krb5kdc[25618](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.201: ISSUE: authtime 1337200261, etypes {rep=16 tkt=23 ses=23}, operator1@SCANTRONIC for HTTP/server01.scantronic@SCANTRONIC
May 17 00:31:31 server01.scantronic krb5kdc[25618](info): TGS_REQ (1 etypes {23}) 10.0.1.201: ISSUE: authtime 1337200261, etypes {rep=16 tkt=23 ses=23}, operator1@SCANTRONIC for krbtgt/SCANTRONIC@SCANTRONIC
May 17 00:31:31 server01.scantronic krb5kdc[25618](info): TGS_REQ (1 etypes {23}) 10.0.1.201: ISSUE: authtime 1337200261, etypes {rep=16 tkt=23 ses=23}, operator1@SCANTRONIC for krbtgt/SCANTRONIC@SCANTRONIC
In the Firefox log:
2000300256[7f646b713040]: using REQ_DELEGATE
2000300256[7f646b713040]: service = server01.scantronic
2000300256[7f646b713040]: using negotiate-gss
2000300256[7f646b713040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
2000300256[7f646b713040]: entering nsAuthGSSAPI::Init()
2000300256[7f646b713040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
2000300256[7f646b713040]: entering nsAuthGSSAPI::GetNextToken()
2000300256[7f646b713040]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
2000300256[7f646b713040]: Sending a token of length 1145
In the httpd2 error_log:
[Wed May 16 23:57:44 2012] [notice] Apache/2.2.21 (Unix) mod_auth_kerb/5.3 PHP5/5.3.10 with Suhosin-Patch mod_ssl/2.2.21 OpenSSL/1.0.0e configured -- resuming normal operations
[Wed May 16 23:57:44 2012] [info] Server built: Sep 20 2011 17:08:00
[Wed May 16 23:57:44 2012] [debug] prefork.c(1023): AcceptMutex: sysvsem (default: sysvsem)
[Wed May 16 23:58:37 2012] [crit] [client 10.0.1.201] configuration error: couldn't check access. Check your 'Require' directive: /tsd
[Thu May 17 00:31:31 2012] [crit] [client 10.0.1.201] configuration error: couldn't check access. Check your 'Require' directive: /tsd/index.php
klist for operator1 shows:
Valid starting Expires Service principal
05/17/12 00:15:41 05/18/12 00:15:41 krbtgt/SCANTRONIC@SCANTRONIC
05/17/12 00:15:48 05/18/12 00:15:41 HTTP/server01.scantronic@SCANTRONIC
Regards, Денис Ельцов
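An added check, not part of Денис's post. The evidence in the post (a TGS_REQ ISSUE for HTTP/server01.scantronic in the KDC log, the same service ticket in klist, Firefox sending a Negotiate token, and no Kerberos error from mod_auth_kerb) says the authentication phase is fine. In Apache 2.2, "configuration error: couldn't check access. Check your 'Require' directive" is logged by the core when no authorization module claims the Require directive; mod_auth_kerb only authenticates, and "Require valid-user" is handled by mod_authz_user. The script below lists the authz modules that the Require lines in a set of .htaccess files need but that no uncommented LoadModule line in httpd.conf enables. It is example code, assumes a 2.2-style httpd.conf with LoadModule lines, only knows the user/valid-user/group entities, and the httpd.conf and .htaccess it runs against are constructed for the demo.

```shell
# Added example (not from the original post): find authz modules that the
# Require directives need but httpd.conf never loads. In Apache 2.2 the
# authn module (mod_auth_kerb here) does not handle "Require"; a separate
# authz module must, or the core logs "couldn't check access".

# Map the entity after "Require" to the Apache 2.2 module that handles it.
# Assumption: only the standard user/valid-user/group entities are covered.
authz_module_for() {
    case "$1" in
        valid-user|user) echo "authz_user_module" ;;
        group)           echo "authz_groupfile_module" ;;
        *)               echo "" ;;   # ldap-*, dbm groups, etc. are out of scope here
    esac
}

# Usage: missing_authz_modules HTTPD_CONF HTACCESS [HTACCESS...]
# Prints, one per line, every module some Require line needs but no
# uncommented LoadModule line in HTTPD_CONF enables.
missing_authz_modules() {
    conf="$1"; shift
    sed -n 's/^[[:space:]]*Require[[:space:]][[:space:]]*\([^[:space:]][^[:space:]]*\).*/\1/p' "$@" \
    | sort -u \
    | while read -r entity; do
        mod=$(authz_module_for "$entity")
        [ -n "$mod" ] || continue
        if ! grep -Eq "^[[:space:]]*LoadModule[[:space:]]+$mod[[:space:]]" "$conf"; then
            echo "$mod"
        fi
    done
}

# Constructed sample: an httpd.conf that loads mod_auth_kerb but has the
# authz_user module commented out, plus a Kerberos-protected .htaccess.
demo_dir=$(mktemp -d)
cat > "$demo_dir/httpd.conf" <<'EOF'
LoadModule auth_kerb_module modules/mod_auth_kerb.so
#LoadModule authz_user_module modules/mod_authz_user.so
EOF
cat > "$demo_dir/htaccess" <<'EOF'
AuthName "Kerberos Login"
AuthType Kerberos
Krb5Keytab /etc/krb5.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd off
Require valid-user
EOF

# Same httpd.conf with the authz module actually loaded, for comparison.
cat > "$demo_dir/httpd-fixed.conf" <<'EOF'
LoadModule auth_kerb_module modules/mod_auth_kerb.so
LoadModule authz_user_module modules/mod_authz_user.so
EOF

# With the broken sample this reports authz_user_module; with the fixed
# sample it reports nothing.
run_demo()       { missing_authz_modules "$demo_dir/httpd.conf" "$demo_dir/htaccess"; }
run_demo_fixed() { missing_authz_modules "$demo_dir/httpd-fixed.conf" "$demo_dir/htaccess"; }
run_demo
run_demo_fixed
```

Point it at the real httpd.conf (and any conf.d includes, concatenated) and the .htaccess of /tsd; whatever it prints is the LoadModule line to add before looking further at the Kerberos side.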