Hello all.
We have a CentOS 7 system integrated with Active Directory. Achieved using
realmd, SSSD and krb5-workstation together with a ktpass-generated keytab.
Apache's mod_auth_kerb allows users to authenticate via their AD accounts, and
authorise with "require user" directive. But so far we fail to authorise via
AD group membership. i.e. adding AuthLDAPUrl and "require ldap-group"
directives to httpd.conf results in access being denied. Using ldapsearch
with GSSAPI (or password entry) works as expected.
After looking at debug logs and tcpdump output, I (possibly incorrectly) put
the issue down to being unsure how to get krb5_aname_to_localname to function
appropriately with the KrbLocalUserMapping directive of apache's
mod_auth_kerb.
It does do some transformation, converting to lowercase. However the realm
part is not stripped off. Example output from apache error_log:
[Thu Jan 25 11:53:33.969841 2018] [auth_kerb:debug] [pid 2176]
src/mod_auth_kerb.c(1855): [client 192.168.254.170:65016]
kerb_authenticate_a_name_to_local_name Test12 at X.Y.Z -> test12 at x.y.z
(All other examples I found have output of format:
... Test12 at X.Y.Z -> Test12 )
I have tried experimenting with auth_to_local tags in the [realms] sections of
/etc/krb5.conf, but could see no evidence of the rules being invoked. i.e.
Same output in the apache error log regardless.
This then appears to get passed on for use in subsequent ldap authorisations
(apache mod_authnz_ldap). This does not work for us as we need to authorise
against stripped user names (Active Directory sAMAccount or similar; our
userPrincipalName is a different format: Test12 at Q.Y.Z, so can't workaround
using that).
I previously posted a similar messages to kerberos at mit.edu but got no
feedback. Hopefully this list might be more appropriate.
Grateful for any advice,
Ewae.