Appliance 1.7.0 Kerberos ERROR

MathiasG · April 25, 2024, 7:00am

CMK version: 2.2.0p25
OS version: Appliance 1.7.0

Error message: Apache can not load Kerberos library
Hello,

with firmware 1.7 the Kerberos Apache Module is no longer included. What is necessary for SSO via Kerbos as described by you

Is there a replacement?

OMD [SITENAME]: ~$ omd start
Temporary filesystem already mounted
Starting agent-receiver...OK
Starting mkeventd (builtin: syslog-udp,syslog-tcp,smptrap) ...OK
Starting liveproxyd...oK
Starting mknotifyd...oK
Starting rrdcached...OK
Starting cmc...OK
Starting apache...apache2: Syntax error on line 236 of /omd/sites/SITENAME/ete/ apache/apache.conf: Syntax error on line 5 of /omd/sites/SITENAME/ete/apache/co nf.d/auth.conf: Cannot load /usr/lib/apache2/modules/mod_auth_kerb.so into serve
1: /ust/lib/apache2/modules/mod_auth_kerb.so: cannot open shared object file: No such file or directory
......... ERROR
Starting ded...OK
Starting redis...OK
Starting xinetd...oK
Initializing Crontab... OK

Greetings
Mathias

chauhan_sudhir · April 25, 2024, 8:24am

Atleast libapache2-mod-auth-kerb shows up in the package list: https://download.checkmk.com/appliance/1.7.0/ChangedPackages
Did you also reinstalled the existing Checkmk version with the Debian 12 compatible version?

Will it be possible that you can open a ticket with us?

MathiasG · April 25, 2024, 8:37am

Hi,

yes it show under Removed Packages

We are still considering whether we still need Kerberos or whether we should take a different route. If we still need it, we will open a ticket.

Question will the checkmk company support Kerberos in the future or is it discontinued.

Cheers,
Mathias

chauhan_sudhir · April 25, 2024, 3:36pm

We are checking this internally and will keep you posted.

robin.gierse · April 26, 2024, 1:59pm

The Debian project dropped libapache2-mod-auth-kerb starting with Debian 11. For instructions how to replace libapache2-mod-auth-kerb with mod-auth-libapache2-mod-auth-gssapi see this short article: Replace Deprecated Apache Kerberos Module with GSSAPI on Debian 11 (Bullseye). libapache2-mod-auth-gssapi is present in the appliance, so you should be all set.

Please note though, that none of this is supported, and if the package ever were dropped from the appliance for whatever reason, there would be nothing you could do about it.
We suggest everyone look into the built-in SAML support in Checkmk itself.

chauhan_sudhir · April 26, 2024, 5:05pm

Just to add to my colleagues comment, you can use the SAML configuraion in the Checkmk Web UI.