Hi List,
My goal in sending this email is to get some direction on where to start looking to solve my problem. Thank you all in advance for reading through this and providing any guidance!
I'm working on moving to new servers, upgrading from CentOS 6.7 to CentOS 7.5. In this move, we are also upgrading from Apache/2.2.15 to Apache/2.4.33. Our servers are all sitting behind a load balancer endpoint.
====System specifics====
CentOS Linux release 7.5.1804 (Core)
Server version: Apache/2.4.33 (Unix)
Server built: Jul 3 2018 11:33:42
On all of our CentOS 6.7 machines, Kerberos works. On all of our 7.5 machines, it fails.
I am looking, at this point, for direction on where to start looking. Here is some relevant information:
====Output from apache error log====
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require all granted: granted
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of <RequireAny>: granted
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require all granted: granted
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of <RequireAny>: granted
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[auth_kerb:debug] src/mod_auth_kerb.c(1643): kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[headers:debug] mod_headers.c(900): AH01503: headers: ap_headers_error_filter()
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[auth_kerb:debug] src/mod_auth_kerb.c(1643): kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[auth_kerb:debug] src/mod_auth_kerb.c(1400): Verifying client data using KRB5 GSS-API
[auth_kerb:debug] src/mod_auth_kerb.c(1416): Client didn't delegate us their credential
[auth_kerb:debug] src/mod_auth_kerb.c(1444): Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[auth_kerb:debug] src/mod_auth_kerb.c(1116): GSS-API major_status:00010000, minor_status:00000000
[auth_kerb:error] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
[headers:debug] mod_headers.c(900): AH01503: headers: ap_headers_error_filter()
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require all granted: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of <RequireAny>: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require all granted: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of <RequireAny>: granted, referer: https://six.***********.com/sso
[headers:debug] mod_headers.c(900): AH01503: headers: ap_headers_error_filter()
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require all granted: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of <RequireAny>: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require all granted: granted, referer: https://six.***********.com/sso
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of <RequireAny>: granted, referer: https://six.***********.com/sso
====apache vhost files====
==site specific==
<VirtualHost *:80>
    Define vhost_name siteName
    Define vhost_home /path/to/site/home
    Include conf/vhosts.d/template.inc
</VirtualHost>
==conf/vhosts.d/template.inc contains==
<Directory "${vhost_home}/sso">
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbAuthoritative off
    KrbAuthRealms [list of realms removed for security]
    Krb5Keytab "/etc/krb5.keytab"
    KrbServiceName Any
    require valid-user
    # inner quotes must be backslash-escaped, otherwise Apache splits the
    # string into several arguments and refuses the ErrorDocument line
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/login/anonlogin.php\"></html>"
</Directory>
====And some output from kinit and klist====
$ sudo kinit -V -t /etc/krb5.keytab HTTP/six.***********.com@EXT.**********.COM
keytab specified, forcing -k
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/six.***********.com@EXT.**********.COM
Using keytab: /etc/krb5.keytab
kinit: Client 'HTTP/six.***********.com@EXT.**********.COM Kerberos database while getting initial credentials
$ sudo klist -etk
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 09/27/2018 10:22:17 HTTP/one.***********.com@aaa.**********.COM (arcfour-hmac)
   3 09/27/2018 10:22:17 HTTP/two.***********.com@aaa.**********.COM (arcfour-hmac)
   3 09/27/2018 10:22:17 HTTP/three.***********.com@aaa.**********.COM (arcfour-hmac)
   3 09/27/2018 10:22:17 HTTP/four.***********.com@aaa.**********.COM (arcfour-hmac)
   3 09/27/2018 10:22:17 HTTP/five.***********.com@aaa.**********.COM (arcfour-hmac)
   3 09/27/2018 10:22:17 HTTP/six.***********.com@aaa.**********.COM (arcfour-hmac)
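Added example, not part of the original post and not mod_auth_kerb's own code: a small Python diagnostic that decodes an Authorization: Negotiate header captured from a client and reports whether it carries an NTLMSSP message (the case behind the mod_auth_kerb.c(1444) warning and the "unsupported mechanism" GSS error above) or a proper GSS-API token whose mechanism OID is SPNEGO or Kerberos 5. The mechanism OIDs are the standard ones from RFC 4178 and RFC 4121; the sample headers are constructed here, not captured from a real browser.

```python
import base64
import re

# DER-encoded mechanism OIDs as they appear right after the 0x60 tag and
# length of an RFC 2743 InitialContextToken.
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # 1.3.6.1.5.5.2 (RFC 4178)
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # 1.2.840.113554.1.2.2 (RFC 4121)
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                   # prefix of every NTLM message
_NEGOTIATE_RE = re.compile(r"^\s*Negotiate\s+([A-Za-z0-9+/]+=*)\s*$")


def classify_negotiate_token(header_value):
    """Return 'ntlm', 'spnego', 'krb5', 'unknown' or 'malformed' for an
    'Authorization: Negotiate <base64>' value.  'ntlm' is the case that
    mod_auth_kerb logs as "received token seems to be NTLM"."""
    match = _NEGOTIATE_RE.match(header_value)
    if not match:
        return "malformed"
    try:
        token = base64.b64decode(match.group(1), validate=True)
    except ValueError:
        return "malformed"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if len(token) < 2 or token[0] != 0x60:
        return "unknown"
    # Skip the DER length after the APPLICATION 0 tag: one byte in short
    # form, or 0x8N followed by N length bytes in long form.
    pos = 2
    if token[1] & 0x80:
        pos += token[1] & 0x7F
    body = token[pos:]
    if body.startswith(SPNEGO_OID):
        return "spnego"
    if body.startswith(KRB5_OID):
        return "krb5"
    return "unknown"


def _header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed sample headers (not captured from a real client): an NTLM Type 1
# message prefix, a minimal SPNEGO NegTokenInit shell with a short-form length,
# and a raw Kerberos token shell using a long-form length.
SAMPLE_HEADERS = {
    "ntlm": _header(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2"),
    "spnego": _header(b"\x60" + bytes([len(SPNEGO_OID) + 2]) + SPNEGO_OID + b"\xa0\x00"),
    "krb5": _header(b"\x60\x82\x01\x00" + KRB5_OID + b"\x01\x00"),
}
```

Run it against the header value a failing client actually sends (from a packet capture or a LogFormat that records %{Authorization}i on the 401 retry); an 'ntlm' result means the browser never negotiated Kerberos, so the keytab and KDC side are not where the failure starts.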