linux - CentOS 7 Apache HTTPD Kerberos Windows AD 问题

Question

我真的很想为这个问题发疯，所以我希望你能帮助我。我在谷歌上搜索了几个小时，但似乎无法获得正确的配置。

我正在使用 Kerberos 身份验证在 CentOS 7 上设置 Apache，以便我可以在 Windows AD 环境中实现 SSO。根据我的理解，这是可能的，并且在通过 Internet Explorer 访问时我应该能够实现真正的 SSO。目前我有以下配置，当通过 Internet Explorer 访问该站点时会生成 500 内部服务器错误，但在使用 Firefox 时会奇怪地工作(尽管我必须在提示中输入凭据)。

我首先生成一个服务主体并使用以下命令在 Windows 中导出 key 表。

ktpass -princ HTTP/server.example.local@EXAMPLE.LOCAL -mapuser EXAMPLE\http-user -crypto ALL -ptype KRB5_NT_PRINCIPAL -mapop set -pass password -out D:\krb5.keytab

将 key 表复制到 /etc/httpd/conf/krb5.keytab 下的 CentOS 服务器 后，我配置了以下虚拟主机。

<VirtualHost *:80>
    ServerName server.shc.local
    DocumentRoot /var/www/html/test

    LogLevel debug
    ErrorLog /var/log/httpd/test-error.log
    CustomLog /var/log/httpd/test-custom.log combined

<Location />
    Options Indexes
    AuthType Kerberos
    KrbServiceName "HTTP/server.example.local@EXAMPLE.LOCAL"
    AuthName "Welcome to the KRB5 Test"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbVerifyKDC off
    KrbAuthRealms SHC.LOCAL
    Krb5KeyTab /etc/httpd/conf/krb5.keytab
    require valid-user
</Location>

</VirtualHost>

当我通过 Internet Explorer 访问网站时，我收到 500 Internal Server Error 并且日志如下所示:

[Mon Jun 27 19:14:07.552584 2016] [authz_core:debug] [pid 2832] mod_authz_core.c(809): [client 192.168.214.202:21545] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jun 27 19:14:07.552637 2016] [authz_core:debug] [pid 2832] mod_authz_core.c(809): [client 192.168.214.202:21545] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jun 27 19:14:07.552690 2016] [auth_kerb:debug] [pid 2832] src/mod_auth_kerb.c(1954): [client 192.168.214.202:21545] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jun 27 19:14:07.552747 2016] [auth_kerb:debug] [pid 2832] src/mod_auth_kerb.c(1295): [client 192.168.214.202:21545] Acquiring creds for HTTP/server.example.local@EXAMPLE.LOCAL
[Mon Jun 27 19:14:07.555237 2016] [auth_kerb:debug] [pid 2832] src/mod_auth_kerb.c(1155): [client 192.168.214.202:21545] GSS-API major_status:000d0000, minor_status:0000000d
[Mon Jun 27 19:14:07.555250 2016] [auth_kerb:error] [pid 2832] [client 192.168.214.202:21545] gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, Permission denied)

然后，当我通过 Firefox 访问该站点时，系统提示我输入凭据，但随后我成功通过了身份验证。日志如下所示:

[Mon Jun 27 19:16:49.936807 2016] [authz_core:debug] [pid 2828] mod_authz_core.c(809): [client 192.168.214.202:21577] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jun 27 19:16:49.936849 2016] [authz_core:debug] [pid 2828] mod_authz_core.c(809): [client 192.168.214.202:21577] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jun 27 19:16:49.936888 2016] [auth_kerb:debug] [pid 2828] src/mod_auth_kerb.c(1954): [client 192.168.214.202:21577] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jun 27 19:16:50.042925 2016] [authz_core:debug] [pid 2829] mod_authz_core.c(809): [client 192.168.214.202:21578] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jun 27 19:16:50.042960 2016] [authz_core:debug] [pid 2829] mod_authz_core.c(809): [client 192.168.214.202:21578] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jun 27 19:16:50.042982 2016] [auth_kerb:debug] [pid 2829] src/mod_auth_kerb.c(1954): [client 192.168.214.202:21578] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos

有谁知道我需要做什么才能在通过 Internet Explorer 访问网站时实现无缝 SSO 工作。

Answer 1

好的，我终于解决了这个问题。我不得不禁用 SELinux!我不敢相信这么简单，但我所做的只是禁用 SElinux，重新启动服务器，然后身份验证开始工作。我希望这可以让其他人摆脱我一直以来的头痛!