Hello!
I understand there is documentation for SSO/Kerberos authentication and Check MK 1.6 using libapache-mod-auth-kerb, however that module has been deprecated in CentOS 8. The replacement module seems to be mod_auth_gssapi.
I have used mod_auth_gssapi successfully in a test location on the Apache server also handling CheckMK, but I cannot seem to make the module work with CheckMK 1.6.0p22. Any advice would be greatly appreciated.
The error I see in the Apache debug logs is:
[Wed Mar 31 01:41:09.427210 2021] [auth_gssapi:debug] [pid 104903:tid 139701075248896] mod_auth_gssapi.c(727): [client 10.10.10.10:2583] GSSapiImpersonate not On, skipping impersonation.
Here’s the config snippet I am using for auth.conf:
Define SITE SiteA

<IfModule !mod_auth_gssapi.c>
    LoadModule auth_gssapi_module /usr/lib64/httpd/modules/mod_auth_gssapi.so
</IfModule>

<Location /${SITE}>
    Order allow,deny
    Allow from all
    AuthType GSSAPI
    AuthName "{CMK} GSSAPI Login"
    GssapiCredStore keytab:/omd/sites/${SITE}/etc/apache/conf.d/check_mk.keytab
    GssapiCredStore client_keytab:/omd/sites/${SITE}/etc/apache/conf.d/check_mk.keytab
    GSSapiImpersonate On
    GssapiDelegCcacheDir /var/run/httpd/clientcaches
    # Use Kerberos auth only in case there is no Check_MK authentication
    # cookie provided by the user
    Require expr %{HTTP_COOKIE} =~ /auth_/
    Require expr %{REQUEST_URI} = "/${SITE}/check_mk/register_agent.py"
    Require expr %{QUERY_STRING} =~ /(_secret=|auth_|register_agent)/
    Require valid-user
    # When Kerberos auth fails, show the login page to the user
    ErrorDocument 401 /${SITE}/check_mk/login.py
</Location>

# These files are accessible unauthenticated (login page and needed resources)
<LocationMatch /${SITE}/(omd/|check_mk/(images/.*\.png|login\.py|.*\.(css|js)))>
    Order allow,deny
    Allow from all
    Satisfy any
</LocationMatch>