GSSAPI and multiple domains in the same forest #246

@nestle2377

Description

I have Apache 2.4 on Red Hat with the GSSAPI module.

The Active Directory has multiple domains in the same forest and I have problems authenticating. I would like to know if it is possible to use GSSAPI in this scenario.

I have 3 domains in the same forest; the keytab file is made on the PRIMO domain, as can be seen with ktutil:

ktutil:  read_kt server.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
3 HTTP/server1.intranet.servizi@PRIMO.GROUP

This is my krb5.conf (I haven't configured it myself, I got it from the AD group):

[libdefaults]
default_realm = PRIMO.GROUP
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
default_tgs_enctypes = aes256-cts rc4-hmac
default_tkt_enctypes = aes256-cts rc4-hmac
permitted_enctypes = aes256-cts rc4-hmac
udp_preference_limit = 1
kdc_timeout = 3000
 
[realms]
PRIMO.GROUP = {
kdc = sisvrdc01.PRIMO.group
admin_server = sisvrdc01.primo.group
kdc = sisvrdc02.primo.group
kdc = sisnodc01.primo.group
kdc = sisnodc02.primo.group
}
 
[domain_realm]
[capaths]
SECONDO.GROUP = {
PRIMO.GROUP = KRONOS.GROUP
}

This is my config inside Apache:

AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
AuthzSendForbiddenOnFailure On
GssapiBasicAuth On
GssapiBasicAuthMech krb5
#GssapiAllowedMech krb5
GssapiUseSessions On
GssapiNegotiateOnce On
GssapiLocalName On
GssapiSessionKey key:<RANDOM>
Session On
SessionCookieName gssapi_session path=/dominio;domain=red.it;httponly;secure;
GssapiCredStore keytab:/var/www/html/rf002/conf/server.keytab

Require valid-user

When the user logs in to the domain with Windows, it uses the SECONDO.GROUP domain.
So the keytab is made on PRIMO.GROUP but the user is on SECONDO.GROUP; the two domains are inside the same forest.

The authentication doesn't work, and even with Basic auth I get this error:
[Fri Feb 26 11:50:22.892191 2021] [auth_gssapi:error] [pid 84426:tid 140162875389696] [client 10.211.30.219:63189] GSS ERROR In Basic Auth: gss_acquire_cred_with_password() failed: [Unspecified GSS failure. Minor code may provide more information (Client 'ES06326@PRIMO.GROUP' not found in Kerberos database)]

Is there a way to use GSSAPI with multiple domains in the same forest, with the keytab generated on a domain that is not the domain where the user is present?

Thanks.
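As an added example (not code from the issue or from mod_auth_gssapi), a small Python linter that parses the krb5.conf posted above, embedded as a constructed string trimmed to the relevant sections, and flags the points that matter when a service in one realm authenticates users from another: an empty `[domain_realm]`, realms on a `[capaths]` route that have neither a `[realms]` entry nor DNS KDC lookup, and the rc4-hmac enctype the file still permits. The `WEAK_ENCTYPES` set and the finding texts are the example's own.

```python
import re

# Constructed string: the krb5.conf posted in the issue, trimmed to the sections the linter inspects.
KRB5_CONF = """\
[libdefaults]
dns_lookup_kdc = true
permitted_enctypes = aes256-cts rc4-hmac
[realms]
PRIMO.GROUP = {
kdc = sisvrdc01.PRIMO.group
kdc = sisvrdc02.primo.group
}
[domain_realm]
[capaths]
SECONDO.GROUP = {
PRIMO.GROUP = KRONOS.GROUP
}
"""
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "des3-cbc-sha1", "des-cbc-crc", "des-cbc-md5"}  # RFC 6649 / RFC 8429

def parse_krb5_conf(text):
    """Parse into {section: {key: value | {subkey: [values]}}}; braced blocks keep repeated keys."""
    conf, section, block = {}, None, None
    # strip comments and padding, skip blank lines
    for line in filter(None, (l.split("#", 1)[0].strip() for l in text.splitlines())):
        if m := re.fullmatch(r"\[(\w+)\]", line):  # [section] header
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":  # end of a realm/capath block
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})  # start of a braced block
            elif block is not None:
                block.setdefault(key, []).append(value)  # e.g. several kdc lines
            else:
                section[key] = value
    return conf

def lint(conf):
    findings, libdefaults, realms = [], conf.get("libdefaults", {}), set(conf.get("realms", {}))
    if not conf.get("domain_realm"):
        findings.append("[domain_realm] is empty: host names cannot be mapped to a realm")
    for client_realm, hops in conf.get("capaths", {}).items():  # every realm on a path needs KDCs
        for realm in {client_realm, *hops, *(r for vs in hops.values() for r in vs)}:
            if realm not in realms and libdefaults.get("dns_lookup_kdc") != "true":
                findings.append(f"{realm} is on a capath but has no [realms] entry and dns_lookup_kdc is off")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        if weak := WEAK_ENCTYPES & set(libdefaults.get(key, "").split()):
            findings.append(f"{key} allows weak enctypes: {', '.join(sorted(weak))}")
    return findings
```

With the posted file the linter reports the empty `[domain_realm]` and the rc4-hmac enctype; the capaths check only fires once `dns_lookup_kdc` is turned off, since SECONDO.GROUP and KRONOS.GROUP have no `[realms]` entries.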
