Rest-API with Kerberos

a_checker · April 19, 2022, 10:05am

CMK version: 2.0.0p20
OS version: Centos 7

Is somebody using the REST-API with Kerberos? I am not getting access the the API.

Error message: Unauthorized

curl --insecure -v -X 'GET' --header "Authorization: Bearer username password" 'https://kerberos-user:kerberos-password@demucvm-checkmk-test1.interhyp-infralinuxdmz.de/test/check_mk/api/1.0/domain-types/host_config/collections/all'
* About to connect() to demucvm-checkmk-test1.interhyp-infralinuxdmz.de port 443 (#0)
*   Trying 10.13.2.13...
* Connected to demucvm-checkmk-test1.interhyp-infralinuxdmz.de (10.13.2.13) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=demucvm-checkmk-test1.interhyp-infralinuxdmz.de,OU=Digital Products & Technology,O=Interhyp AG,postalCode=80807,STREET=DomagkstraÃŸe 34,L=Munich,C=DE
*       start date: Apr 17 01:00:34 2022 GMT
*       expire date: Jul 16 01:01:02 2022 GMT
*       common name: demucvm-checkmk-test1.interhyp-infralinuxdmz.de
*       issuer: CN=InterhypVaultCA01,OU=Digital Products & Technology,L=Munich,C=DE
> GET /test/check_mk/api/1.0/domain-types/host_config/collections/all HTTP/1.1
> User-Agent: curl/7.29.0
> Host: demucvm-checkmk-test1.interhyp-infralinuxdmz.de
> Accept: */*
> Authorization: Bearer checkmk_techuser_ds JOJFCTYYIFPMRAJXRAMM
> 
< HTTP/1.1 401 Unauthorized
< Date: Tue, 19 Apr 2022 10:00:40 GMT
< Server: Apache
< Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' ssh: rdp:; img-src 'self' data: https://*.tile.openstreetmap.org/ ; connect-src 'self' https://crash.checkmk.com/ https://license.checkmk.com/api/upload ; frame-ancestors 'self' ; base-uri 'self'; form-action 'self' javascript: 'unsafe-inline'; object-src 'self'; worker-src 'self' blob:
< X-Content-Type-Options: nosniff
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Kerberos Login"
< Content-Length: 381
< Content-Type: text/html; charset=iso-8859-1
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
* Connection #0 to host demucvm-checkmk-test1.interhyp-infralinuxdmz.de left intact

a_checker · April 21, 2022, 7:55am

I could solve it:
etc/apache/conf.d/auth.conf
<Location “//check_mk/api”>
Order Deny,Allow
Allow from all
Satisfy any

system · April 21, 2023, 7:56am

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.