Kerberos SSO does not work

2.0.0p6
Ubuntu 20.04.4 LTS

Hi everyone,

unfortunately I can't find a fix in older posts.

Following the guide "Single sign-on with Kerberos", I tried to set up web SSO via Kerberos.

Unfortunately that doesn't work. My /COE/etc/apache/conf.d/auth.conf looks like this:

Define SITE COE
Define REALM DOMAIN.IT

<IfModule !mod_auth_kerb.c>
  LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so
</IfModule>

<Location /COE>
  Order allow,deny
  Allow from all

  AuthType Kerberos
  AuthName "Checkmk Kerberos Login"
  KrbServiceName HTTP
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbLocalUserMapping on
  KrbSaveCredentials on

  # Use Kerberos auth only in case there is no Check_MK authentication
  # cookie provided by the user
  Require expr %{HTTP_COOKIE} =~ /auth_/
  Require expr %{REQUEST_URI} = "/${SITE}/check_mk/register_agent.py"
  Require expr %{QUERY_STRING} =~ /(_secret=|auth_|register_agent)/
  Require valid-user

  # Environment specific: Path to the keytab and the realm
  Krb5Keytab /etc/sssd/key.keytab
  KrbAuthRealm ${REALM}

  # When Kerberos auth fails, show the login page to the user
  ErrorDocument 401 /${SITE}/check_mk/login.py
</Location>

# These files are accessible unauthenticated (login page and needed resources)
<LocationMatch /${SITE}/(omd/|check_mk/(images/.*\.png|login\.py|.*\.(css|js)))>
  Order allow,deny
  Allow from all
  Satisfy any
</LocationMatch>

Do I still need to change anything on the client in the Windows AD for SSO to work? :confused:

Unfortunately I don't get around to familiarizing myself with Linux properly. Thanks for your answers. :slight_smile:
Regards, Jan

First of all: to be able to use the Apache auth providers, the site must be accessed via HTTPS. Has that already been done? Because two Apaches are used (the exposed one works as a reverse proxy for the site Apache), there are a few subtleties to consider: Securing the web interface with HTTPS

Furthermore: the Kerberos module is already somewhat older, which means that not every constellation will work. At least it offers usable logging for debugging, so please turn up the log level and post relevant lines from the Apache log files here in the thread.

If this yields relevant insights for the article in the manual, we will gladly add them. In any case I will ping the colleague who last revised the article.

Best regards, Mattias (KNW team at tribe29)

Hi mschlenker,

yes, access goes through HTTPS. Via htaccess everything is also always redirected to HTTPS.

I have set the Apache log to debug.

/var/log/apache2/access.log

172.22.112.9 - - [06/May/2022:11:02:22 +0200] "GET /COE/_auth/ HTTP/1.1" 301 579 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36"
172.22.112.9 - - [06/May/2022:11:03:14 +0200] "-" 408 0 "-" "-"

OMD Site var/log/apache/access_log

172.22.112.9 - - [06/May/2022:11:17:31 +0200] "GET /COE/_auth/themes/modern-dark/images/favicon.ico HTTP/1.1" 200 1801 "https://sg-mone-11/COE/_auth/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0"

      • [06/May/2022:11:18:01 +0200] "GET /COE/check_mk/run_cron.py HTTP/1.1" 200 3 "-" "curl/7.68.0"
      • [06/May/2022:11:19:01 +0200] "GET /COE/check_mk/run_cron.py HTTP/1.1" 200 3 "-" "curl/7.68.0"

grep -ni kerb var/log/apache/error_log

should provide the better information here.

Okay, thank you.
For the site:

grep -ni kerb var/log/apache/error_log
7:[Mon May 09 00:00:02.123675 2022] [mpm_prefork:notice] [pid 169551] AH00163: Apache/2.4.41 (Ubuntu) mod_wsgi/4.7.0 Python/3.8 mod_fcgid/2.3.9 mod_auth_kerb/5.4 configured -- resuming normal operations

Global

22:[Mon May 09 00:03:37.155534 2022] [mpm_event:notice] [pid 3634387:tid 140707948694592] AH00489: Apache/2.4.41 (Ubuntu) mod_auth_kerb/5.4 OpenSSL/1.1.1f configured -- resuming normal operations

Hello,
I'm not getting anywhere with SSO either (my log looks just as "empty" as @triejan112's). In which file do you have to turn up the debugging?
On a normal Apache test page on the system, SSO works perfectly for me, for example, just not with CheckMK.

Hello,

It has been a few years since I dealt with this topic, but I also remember that nothing usable about Kerberos could be found in the Apache logs. To get reasonable debug messages, I started Apache in the foreground back then.

Regards

Michael

so, I managed to get the log extended accordingly.

  • omd su [sitename]
  • nano etc/apache/conf.d/site.conf
  • add LogLevel trace8
  • save file
  • omd restart
  • tail -f var/log/apache/error.log

after that you can see much more in the error_log, but nothing that indicates the existence of Kerberos or what is not working here.



[Mon May 09 14:33:58.176183 2022] [rewrite:trace2] [pid 108292] mod_rewrite.c(483): [client 127.0.0.1:50100] 127.0.0.1 - - [127.0.0.1/sid#7f45c42d44a0][rid#7f45c3e3d0a0/initial] init rewrite engine with requested uri /checkmk/check_mk/login.py, referer: http://checkmk.test.lab/checkmk
[Mon May 09 14:33:58.176245 2022] [rewrite:trace3] [pid 108292] mod_rewrite.c(483): [client 127.0.0.1:50100] 127.0.0.1 - - [127.0.0.1/sid#7f45c42d44a0][rid#7f45c3e3d0a0/initial] applying pattern '^/checkmk(/?|/check_mk)$' to uri '/checkmk/check_mk/login.py', referer: http://checkmk.test.lab/checkmk
[Mon May 09 14:33:58.176282 2022] [rewrite:trace3] [pid 108292] mod_rewrite.c(483): [client 127.0.0.1:50100] 127.0.0.1 - - [127.0.0.1/sid#7f45c42d44a0][rid#7f45c3e3d0a0/initial] applying pattern '^/checkmk(/?|/check_mk)$' to uri '/checkmk/check_mk/login.py', referer: http://checkmk.test.lab/checkmk
[Mon May 09 14:33:58.176294 2022] [rewrite:trace3] [pid 108292] mod_rewrite.c(483): [client 127.0.0.1:50100] 127.0.0.1 - - [127.0.0.1/sid#7f45c42d44a0][rid#7f45c3e3d0a0/initial] applying pattern '^/checkmk(/?|/check_mk)$' to uri '/checkmk/check_mk/login.py', referer: http://checkmk.test.lab/checkmk
[Mon May 09 14:33:58.176305 2022] [rewrite:trace1] [pid 108292] mod_rewrite.c(483): [client 127.0.0.1:50100] 127.0.0.1 - - [127.0.0.1/sid#7f45c42d44a0][rid#7f45c3e3d0a0/initial] pass through /checkmk/check_mk/login.py, referer: http://checkmk.test.lab/checkmk
[Mon May 09 14:33:58.176381 2022] [core:trace3] [pid 108292] request.c(320): [client 127.0.0.1:50100] request authorized without authentication by access_checker hook and 'Satisfy any': /checkmk/check_mk/login.py, referer: http://checkmk.test.lab/checkmk
[Mon May 09 14:33:58.193021 2022] [http:trace3] [pid 108292] http_filters.c(1125): [client 127.0.0.1:50100] Response sent with status 200, headers:, referer: http://checkmk.test.lab/checkmk
[Mon May 09 14:33:58.193049 2022] [http:trace5] [pid 108292] http_filters.c(1134): [client 127.0.0.1:50100]   Date: Mon, 09 May 2022 12:33:58 GMT, referer: http://checkmk.test.lab/checkmk
[Mon May 09 14:33:58.193055 2022] [http:trace5] [pid 108292] http_filters.c(1137): [client 127.0.0.1:50100]   Server: Apache, referer: http://checkmk.test.lab/checkmk
[Mon May 09 14:33:58.193059 2022] [http:trace4] [pid 108292] http_filters.c(955): [client 127.0.0.1:50100]   Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' ssh: rdp:; img-src 'self' data: https://*.tile.openstreetmap.org/ ; connect-src 'self' https://crash.checkmk.com/ https://license.checkmk.com/api/upload ; frame-ancestors 'self' ; base-uri 'self'; form-action 'self' javascript: 'unsafe-inline'; object-src 'self'; worker-src 'self' blob:, referer: http://checkmk.test.lab/checkmk
[Mon May 09 14:33:58.193064 2022] [http:trace4] [pid 108292] http_filters.c(955): [client 127.0.0.1:50100]   X-Content-Type-Options: nosniff, referer: http://checkmk.test.lab/checkmk
[Mon May 09 14:33:58.193068 2022] [http:trace4] [pid 108292] http_filters.c(955): [client 127.0.0.1:50100]   Cache-Control: no-cache, referer: http://checkmk.test.lab/checkmk
[Mon May 09 14:33:58.193071 2022] [http:trace4] [pid 108292] http_filters.c(955): [client 127.0.0.1:50100]   Content-Length: 1959, referer: http://checkmk.test.lab/checkmk
[Mon May 09 14:33:58.193075 2022] [http:trace4] [pid 108292] http_filters.c(955): [client 127.0.0.1:50100]   Connection: close, referer: http://checkmk.test.lab/checkmk
[Mon May 09 14:33:58.193078 2022] [http:trace4] [pid 108292] http_filters.c(955): [client 127.0.0.1:50100]   Content-Type: text/html; charset=utf-8, referer: http://checkmk.test.lab/checkmk
[Mon May 09 14:34:01.482222 2022] [rewrite:trace2] [pid 108173] mod_rewrite.c(483): [client 127.0.0.1:50102] 127.0.0.1 - - [127.0.0.1/sid#7f45c42d44a0][rid#7f45c40060a0/initial] init rewrite engine with requested uri /checkmk/check_mk/run_cron.py
[Mon May 09 14:34:01.482255 2022] [rewrite:trace3] [pid 108173] mod_rewrite.c(483): [client 127.0.0.1:50102] 127.0.0.1 - - [127.0.0.1/sid#7f45c42d44a0][rid#7f45c40060a0/initial] applying pattern '^/checkmk(/?|/check_mk)$' to uri '/checkmk/check_mk/run_cron.py'
[Mon May 09 14:34:01.482266 2022] [rewrite:trace3] [pid 108173] mod_rewrite.c(483): [client 127.0.0.1:50102] 127.0.0.1 - - [127.0.0.1/sid#7f45c42d44a0][rid#7f45c40060a0/initial] applying pattern '^/checkmk(/?|/check_mk)$' to uri '/checkmk/check_mk/run_cron.py'
[Mon May 09 14:34:01.482271 2022] [rewrite:trace3] [pid 108173] mod_rewrite.c(483): [client 127.0.0.1:50102] 127.0.0.1 - - [127.0.0.1/sid#7f45c42d44a0][rid#7f45c40060a0/initial] applying pattern '^/checkmk(/?|/check_mk)$' to uri '/checkmk/check_mk/run_cron.py'
[Mon May 09 14:34:01.482286 2022] [rewrite:trace1] [pid 108173] mod_rewrite.c(483): [client 127.0.0.1:50102] 127.0.0.1 - - [127.0.0.1/sid#7f45c42d44a0][rid#7f45c40060a0/initial] pass through /checkmk/check_mk/run_cron.py
[Mon May 09 14:34:01.482321 2022] [core:trace3] [pid 108173] request.c(320): [client 127.0.0.1:50102] request authorized without authentication by access_checker hook and 'Satisfy any': /checkmk/check_mk/run_cron.py
[Mon May 09 14:34:01.594297 2022] [http:trace3] [pid 108173] http_filters.c(1125): [client 127.0.0.1:50102] Response sent with status 200, headers:
[Mon May 09 14:34:01.595607 2022] [http:trace5] [pid 108173] http_filters.c(1134): [client 127.0.0.1:50102]   Date: Mon, 09 May 2022 12:34:01 GMT
[Mon May 09 14:34:01.595667 2022] [http:trace5] [pid 108173] http_filters.c(1137): [client 127.0.0.1:50102]   Server: Apache
[Mon May 09 14:34:01.595691 2022] [http:trace4] [pid 108173] http_filters.c(955): [client 127.0.0.1:50102]   Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' ssh: rdp:; img-src 'self' data: https://*.tile.openstreetmap.org/ ; connect-src 'self' https://crash.checkmk.com/ https://license.checkmk.com/api/upload ; frame-ancestors 'self' ; base-uri 'self'; form-action 'self' javascript: 'unsafe-inline'; object-src 'self'; worker-src 'self' blob:
[Mon May 09 14:34:01.595711 2022] [http:trace4] [pid 108173] http_filters.c(955): [client 127.0.0.1:50102]   X-Content-Type-Options: nosniff
[Mon May 09 14:34:01.595726 2022] [http:trace4] [pid 108173] http_filters.c(955): [client 127.0.0.1:50102]   Cache-Control: no-cache
[Mon May 09 14:34:01.595742 2022] [http:trace4] [pid 108173] http_filters.c(955): [client 127.0.0.1:50102]   Content-Length: 3
[Mon May 09 14:34:01.595766 2022] [http:trace4] [pid 108173] http_filters.c(955): [client 127.0.0.1:50102]   Content-Type: text/html; charset=utf-8

Does anyone have an idea?


Hello Michael,

for me as a Linux noob: what do you mean by starting Apache in the foreground?

Thanks & regards

grep -ni kerb var/log/apache/error_log
7:[Wed May 11 00:00:04.225752 2022] [mpm_prefork:notice] [pid 3051] AH00163: Apache/2.4.41 (Ubuntu) mod_wsgi/4.7.0 Python/3.8 mod_fcgid/2.3.9 mod_auth_kerb/5.4 configured -- resuming normal operations
7171:[Wed May 11 08:02:37.142048 2022] [auth_kerb:debug] [pid 2469760] src/mod_auth_kerb.c(1963): [client 127.0.0.1:45542] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
7183:[Wed May 11 08:02:37.156603 2022] [http:trace4] [pid 2469760] http_filters.c(955): [client 127.0.0.1:45542]   WWW-Authenticate: Basic realm=\\"Checkmk Kerberos Login\\"
7201:[Wed May 11 08:02:37.168596 2022] [auth_kerb:debug] [pid 2517634] src/mod_auth_kerb.c(1963): [client 127.0.0.1:45546] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/_auth/
7220:[Wed May 11 08:02:37.173603 2022] [auth_kerb:debug] [pid 2469760] src/mod_auth_kerb.c(1963): [client 127.0.0.1:45548] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/_auth/
7232:[Wed May 11 08:02:37.182047 2022] [http:trace4] [pid 2517634] http_filters.c(955): [client 127.0.0.1:45546]   WWW-Authenticate: Basic realm=\\"Checkmk Kerberos Login\\", referer: https://sg-mone-11/COE/_auth/
7243:[Wed May 11 08:02:37.186334 2022] [http:trace4] [pid 2469760] http_filters.c(955): [client 127.0.0.1:45548]   WWW-Authenticate: Basic realm=\\"Checkmk Kerberos Login\\", referer: https://sg-mone-11/COE/_auth/
7261:[Wed May 11 08:02:37.191863 2022] [auth_kerb:debug] [pid 2517634] src/mod_auth_kerb.c(1963): [client 127.0.0.1:45556] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/_auth/
7273:[Wed May 11 08:02:37.204864 2022] [http:trace4] [pid 2517634] http_filters.c(955): [client 127.0.0.1:45556]   WWW-Authenticate: Basic realm=\\"Checkmk Kerberos Login\\", referer: https://sg-mone-11/COE/_auth/
7291:[Wed May 11 08:02:37.211668 2022] [auth_kerb:debug] [pid 2469760] src/mod_auth_kerb.c(1963): [client 127.0.0.1:45560] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/_auth/
7303:[Wed May 11 08:02:37.224887 2022] [http:trace4] [pid 2469760] http_filters.c(955): [client 127.0.0.1:45560]   WWW-Authenticate: Basic realm=\\"Checkmk Kerberos Login\\", referer: https://sg-mone-11/COE/_auth/
8861:[Wed May 11 08:42:30.491197 2022] [mpm_prefork:notice] [pid 3233252] AH00163: Apache/2.4.41 (Ubuntu) mod_wsgi/4.7.0 Python/3.8 mod_fcgid/2.3.9 mod_auth_kerb/5.4 configured -- resuming normal operations
9063:[Wed May 11 08:42:39.491199 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:44284] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
9094:[Wed May 11 08:42:39.522775 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:44294] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/_auth/
9115:[Wed May 11 08:42:39.533243 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:44302] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/_auth/
9157:[Wed May 11 08:42:39.559299 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:44308] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/_auth/
9202:[Wed May 11 08:43:03.445219 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:48486] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
9233:[Wed May 11 08:43:03.481376 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:48510] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/
9254:[Wed May 11 08:43:03.488819 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:48516] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/
9295:[Wed May 11 08:43:03.511884 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:48534] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/
9326:[Wed May 11 08:43:16.705453 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:52964] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
9357:[Wed May 11 08:43:16.746383 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:52974] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
9378:[Wed May 11 08:43:16.759036 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:52978] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
9419:[Wed May 11 08:43:16.788151 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:52986] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
9450:[Wed May 11 08:43:18.382215 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:53444] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
9481:[Wed May 11 08:43:18.426460 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:53494] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
9502:[Wed May 11 08:43:18.431707 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:53498] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
9543:[Wed May 11 08:43:18.455338 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:53520] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
9574:[Wed May 11 08:43:18.622189 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:53638] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
9605:[Wed May 11 08:43:18.647398 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:53642] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
9626:[Wed May 11 08:43:18.653023 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:53644] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
9667:[Wed May 11 08:43:18.680404 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:53646] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
9698:[Wed May 11 08:43:18.860394 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:53662] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
9729:[Wed May 11 08:43:18.888257 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:53664] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
9750:[Wed May 11 08:43:18.894101 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:53666] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
9791:[Wed May 11 08:43:18.921479 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:53670] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
9822:[Wed May 11 08:43:19.077074 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:53796] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
9853:[Wed May 11 08:43:19.106487 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:53828] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
9874:[Wed May 11 08:43:19.113141 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:53844] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
9916:[Wed May 11 08:43:19.140313 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:53866] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
9947:[Wed May 11 08:43:19.278198 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54018] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
9978:[Wed May 11 08:43:19.307894 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54048] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
9999:[Wed May 11 08:43:19.313924 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54052] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10040:[Wed May 11 08:43:19.336144 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54090] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10071:[Wed May 11 08:43:19.489700 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54176] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
10102:[Wed May 11 08:43:19.514292 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54178] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10123:[Wed May 11 08:43:19.520859 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54180] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10164:[Wed May 11 08:43:19.543268 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54190] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10195:[Wed May 11 08:43:19.688274 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54292] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
10226:[Wed May 11 08:43:19.722705 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54328] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10247:[Wed May 11 08:43:19.728208 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54338] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10288:[Wed May 11 08:43:19.749767 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54364] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10319:[Wed May 11 08:43:19.877898 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54498] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
10350:[Wed May 11 08:43:19.915406 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54552] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10371:[Wed May 11 08:43:19.925750 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54562] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10412:[Wed May 11 08:43:19.954002 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54592] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10443:[Wed May 11 08:43:20.071933 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54700] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
10474:[Wed May 11 08:43:20.107015 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54736] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10495:[Wed May 11 08:43:20.114457 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54750] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10536:[Wed May 11 08:43:20.139279 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54774] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10567:[Wed May 11 08:43:20.272909 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54906] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
10598:[Wed May 11 08:43:20.298208 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54932] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10619:[Wed May 11 08:43:20.310678 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54942] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10660:[Wed May 11 08:43:20.332452 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:54966] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10691:[Wed May 11 08:43:20.487546 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:55096] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
10722:[Wed May 11 08:43:20.513847 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:55110] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10743:[Wed May 11 08:43:20.519344 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:55120] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10784:[Wed May 11 08:43:20.546897 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:55160] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10816:[Wed May 11 08:43:20.754353 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:55374] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
10847:[Wed May 11 08:43:20.784455 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:55388] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10868:[Wed May 11 08:43:20.792318 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:55410] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10909:[Wed May 11 08:43:20.814488 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:55422] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10940:[Wed May 11 08:43:21.279525 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:55868] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
10971:[Wed May 11 08:43:21.309061 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:55898] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
10992:[Wed May 11 08:43:21.316682 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:55910] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
11033:[Wed May 11 08:43:21.341553 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:55936] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
11064:[Wed May 11 08:43:21.363584 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:55956] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
11095:[Wed May 11 08:43:22.000255 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:56524] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
11126:[Wed May 11 08:43:22.025104 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:56534] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
11147:[Wed May 11 08:43:22.031627 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:56536] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
11188:[Wed May 11 08:43:22.052572 2022] [auth_kerb:debug] [pid 3233256] src/mod_auth_kerb.c(1963): [client 127.0.0.1:56540] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/auth_/register_agent
11219:[Wed May 11 08:43:25.045408 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:56780] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
9326:[Wed May 11 08:43:16.705453 2022] [auth_kerb:debug] [pid 3234469] src/mod_auth_kerb.c(1963): [client 127.0.0.1:52964] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos

So the handover of the username is not working, for a start. Are the permissions of /etc/sss/key.keytab correct (site user may read)? Is the domain/realm correct?
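For triaging an error_log like the one posted above, this added example (not part of any post in this thread) parses Apache 2.4 error_log lines, groups them by client connection and lists which WWW-Authenticate schemes the server offered. The sample reuses lines from the thread plus one constructed `WWW-Authenticate: Negotiate` line; it also shows that `grep -i kerb` keeps the Basic challenge only because the AuthName contains "Kerberos", while a Negotiate challenge line would be filtered out.

```python
import re
from collections import defaultdict

# Apache 2.4 error_log entry; an optional "NNN:" prefix from `grep -n` is tolerated.
LINE_RE = re.compile(
    r"^(?:\d+:)?\[(?P<ts>[^\]]+)\] \[(?P<module>[\w-]+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\] "
    r"(?:\S+\(\d+\): )?"                      # source file and line, e.g. http_filters.c(955):
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
CHALLENGE_RE = re.compile(r"^WWW-Authenticate:\s*([A-Za-z]+)", re.IGNORECASE)
ENTERED = "kerb_authenticate_user entered"

# Sample input. Lines 1, 3, 4 and 5 are taken from the thread (grep -n prefix removed);
# line 2 is CONSTRUCTED for this example, modelled on the format of line 3.
SAMPLE = r'''
[Wed May 11 08:02:37.142048 2022] [auth_kerb:debug] [pid 2469760] src/mod_auth_kerb.c(1963): [client 127.0.0.1:45542] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed May 11 08:02:37.156600 2022] [http:trace4] [pid 2469760] http_filters.c(955): [client 127.0.0.1:45542]   WWW-Authenticate: Negotiate
[Wed May 11 08:02:37.156603 2022] [http:trace4] [pid 2469760] http_filters.c(955): [client 127.0.0.1:45542]   WWW-Authenticate: Basic realm=\\"Checkmk Kerberos Login\\"
[Wed May 11 08:02:37.168596 2022] [auth_kerb:debug] [pid 2517634] src/mod_auth_kerb.c(1963): [client 127.0.0.1:45546] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://sg-mone-11/COE/_auth/
[Wed May 11 08:02:37.182047 2022] [http:trace4] [pid 2517634] http_filters.c(955): [client 127.0.0.1:45546]   WWW-Authenticate: Basic realm=\\"Checkmk Kerberos Login\\", referer: https://sg-mone-11/COE/_auth/
'''.strip().splitlines()


def parse(lines):
    """Yield (module, client, message) for each line that is an error_log entry."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["module"], m["client"], m["msg"].strip()


def grep_kerb(lines):
    """Same selection as `grep -i kerb`: keep lines containing 'kerb' in any case."""
    return [line for line in lines if "kerb" in line.lower()]


def challenges_offered(lines):
    """Set of authentication schemes found in logged WWW-Authenticate response headers."""
    found = set()
    for module, _client, msg in parse(lines):
        m = CHALLENGE_RE.match(msg)
        if module == "http" and m:
            found.add(m.group(1))
    return found


def summarize(lines):
    """Per client connection: handler entries, other auth_kerb messages, challenges sent."""
    per_client = defaultdict(lambda: {"entered": 0, "other_kerb": 0, "challenges": set()})
    for module, client, msg in parse(lines):
        if client is None:          # startup notices and similar have no client
            continue
        rec = per_client[client]
        if module == "auth_kerb":
            if msg.startswith(ENTERED):
                rec["entered"] += 1
            else:                   # anything the module logged after entering the handler
                rec["other_kerb"] += 1
        elif module == "http":
            m = CHALLENGE_RE.match(msg)
            if m:
                rec["challenges"].add(m.group(1))
    return dict(per_client)


if __name__ == "__main__":
    print("full log      :", sorted(challenges_offered(SAMPLE)))
    print("grep -i kerb  :", sorted(challenges_offered(grep_kerb(SAMPLE))))
    for client, rec in summarize(SAMPLE).items():
        print(client, rec["entered"], rec["other_kerb"], sorted(rec["challenges"]))
```

Run it against the unfiltered error_log rather than grep output, so that challenge headers without "kerb" in them are not lost.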

Hi mschlenker,

The permissions on the key file are 640, so the user should be able to read it?
Under Define REALM in auth.conf I entered the correct domain in capital letters.

[libdefaults]
default_realm = DOMAIN.IT
rdns = no
dns_lookup_kdc = true
dns_lookup_realm = true
dns_canonicalize_hostname = true

[realms]
DOMAIN.IT = {
    kdc = SG-DC-01.DOMAIN.IT
    master_kdc = SG-DC-01.DOMAIN.IT
    admin_server = SG-DC-01.DOMAIN.IT
    default_domain = DOMAIN.IT
}

[domain_realm]
.DOMAIN.IT = DOMAIN.IT
DOMAIN.IT = DOMAIN.IT

[login]
krb4_convert = true
krb4_get_tickets = false

Stop the Apache process on the system and start it as root on the command line with the options -X -f and probably -d.

See the man page:

 -X     Run apache2 in debug mode. Only one worker will be started and the server will not detach from the console.

-f config
              Uses  the  directives  in  the  file  config  on  startup.  If  config  does  not  begin  with  a  /,  then  it  is taken to be a path relative to the ServerRoot. The default is
              /etc/apache2/apache2.conf.

 -d serverroot
              Set the initial value for the ServerRoot directive to serverroot. This can be overridden by the ServerRoot directive in the configuration file.

-e level
              Sets the LogLevel to level during server startup. This is useful for temporarily increasing the verbosity of the error messages to find problems during startup.

We solved the login like this; maybe it helps.

[OMDHOST]# cat /opt/omd/sites/SITENAME/etc/apache/conf.d/site.conf
# General configuration for this site
#
LoadModule auth_gssapi_module            /usr/lib64/httpd/modules/mod_auth_gssapi.so
LoadModule session_module                /usr/lib64/httpd/modules/mod_session.so
LoadModule session_cookie_module         /usr/lib64/httpd/modules/mod_session_cookie.so

<Location "/SITENAME">
  # put your extra site configs here

        LogLevel Warn
#       LogLevel Warn auth_gssapi_module:trace6 authz_core:trace6 session_module:trace6 session_cookie_module:trace6

## ---BEGIN--- KERBEROS - Authentication via mod_auth_gssapi
        AuthType GSSAPI
        AuthName "SITENAME SSO"
        GssapiBasicAuth On
        GssapiAllowedMech krb5
#       GssapiAllowedMech ntlmssp
        GssapiBasicAuthMech krb5
#       GssapiNegotiateOnce On
#       GssapiImpersonate Off

        GssapiCredStore keytab:/etc/httpd/ssl/SPNSITE.keytab
        GssapiCredStore client_keytab:/etc/httpd/ssl/SPNSITE.keytab
#       Constraint Delegation
        GssapiUseS4U2Proxy On
        GssapiDelegCcacheDir /opt/omd/sites/SITENAME/var/tmp/
        GssapiDelegCcacheUnique On

# disabled because plain HTTP is spoken to the local backend on 127.0.0.1 and authentication only happens there
        GssapiSSLonly Off
        GssapiLocalName On
        GssapiConnectionBound On
        GssapiSignalPersistentAuth On

#       use cookies with mod_session to avoid constant and costly re-authentication attempts
        GssapiUseSessions On
        Session On
        SessionCookieName gssapi_session path=/;httponly;secure;
#       SessionMaxAge 1800
        #echo -n "Das ist irgendein kurzer Text."  | openssl enc -e -a
        GssapiSessionKey key:RGFzIGlzdCBpcmdlbmRlaW4ga3VyemVyIFRleHQu
## ---END----- KERBEROS - Authentication

        Require valid-user
</Location>
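A check for the session settings in a configuration like the one above, as an added example that is not part of the post: it decodes the `GssapiSessionKey key:` value, compares it with the 32 raw bytes the mod_auth_gssapi documentation specifies for that scheme, flags keys that are readable text, and checks the cookie flags and the Basic-auth/SSL-only combination. The finding names and the helper `new_session_key()` are assumptions of this example.

```python
import base64
import binascii
import secrets

# Active directives copied from the posted site.conf; comment lines are ignored below.
POSTED_KEY = "key:RGFzIGlzdCBpcmdlbmRlaW4ga3VyemVyIFRleHQu"
POSTED = f"""
AuthType GSSAPI
GssapiBasicAuth On
GssapiAllowedMech krb5
GssapiSSLonly Off
GssapiUseSessions On
Session On
SessionCookieName gssapi_session path=/;httponly;secure;
#       SessionMaxAge 1800
GssapiSessionKey {POSTED_KEY}
Require valid-user
"""


def directives(conf):
    """Map lower-cased directive name -> list of argument strings (comments/sections skipped)."""
    out = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        out.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return out


def is_on(d, name):
    vals = d.get(name.lower(), [])
    return bool(vals) and vals[-1].strip().lower() == "on"


def check_session_key(value):
    """Findings for one GssapiSessionKey argument; only the key: scheme is inspected."""
    if not value.startswith("key:"):
        return []
    try:
        raw = base64.b64decode(value[4:], validate=True)
    except (binascii.Error, ValueError):
        return ["session-key-not-base64"]
    findings = []
    if len(raw) != 32:                       # documented size of the raw key
        findings.append(f"session-key-length-{len(raw)}")
    if raw.isascii() and raw.decode("ascii").isprintable():
        findings.append("session-key-printable-text")   # a phrase, not random bytes
    return findings


def lint(conf):
    d = directives(conf)
    findings = []
    if is_on(d, "GssapiUseSessions"):
        for value in d.get("gssapisessionkey", []):
            findings += check_session_key(value)
        cookie = (d.get("sessioncookiename") or [""])[-1].lower().split(None, 1)
        attrs = {a.strip() for a in cookie[1].split(";")} if len(cookie) > 1 else set()
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie-missing-{flag}")
    # Basic auth carries the Kerberos password; with GssapiSSLonly Off the module accepts
    # it over plain HTTP, so the listener must be reachable only via the TLS proxy.
    if is_on(d, "GssapiBasicAuth") and not is_on(d, "GssapiSSLonly"):
        findings.append("basic-auth-without-sslonly")
    return findings


def new_session_key():
    """A key: value built from 32 bytes of the OS CSPRNG instead of a typed phrase."""
    return "key:" + base64.b64encode(secrets.token_bytes(32)).decode("ascii")


if __name__ == "__main__":
    print("posted :", lint(POSTED))
    print("rekeyed:", lint(POSTED.replace(POSTED_KEY, new_session_key())))
```

The `basic-auth-without-sslonly` finding remains after rekeying; with the setup described in the post's comment it is a prompt to confirm that the site Apache listens on 127.0.0.1 only.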