Basic login works only first time #248

Open
nestle2377 opened this issue Mar 11, 2021 · 0 comments

Hi, I'm implementing mod_auth_gssapi and it works fine. I have a strange behaviour with Chrome and basic login (when the client is not on the domain).
When the pop-up appears, if I insert the correct credentials the first time, I'm successfully logged in. If I type wrong credentials, the pop-up appears again, but now even if I insert the correct credentials I can't enter.

In the logs, when this happens, I have this entry:

    [Thu Mar 11 10:09:29.699735 2021] [auth_gssapi:debug] [pid 79110:tid 140125019256576] mod_auth_gssapi.c(870): [client 10.211.30.219:56612] URI: /dominio/sigma/app/, no main, no prev
    [Thu Mar 11 10:09:29.815996 2021] [auth_gssapi:error] [pid 79110:tid 140125019256576] [client 10.211.30.219:56612] GSS ERROR gss_init_sec_context(): [Unspecified GSS failure.  Minor code may provide more information (KDC has no support for encryption type)]

It is strange that it says it has no support for the encryption type, since it works on the first attempt.

This is my configuration:

    AuthType GSSAPI
    AuthName "GSSAPI Single Sign On Login"
    GssapiBasicAuth On
    KrbServiceName Any
    GssapiUseSessions On
    GssapiSessionKey key:<RANDOM>
    Session On
    SessionCookieName gssapi_session path=/dominio;domain=intranet.servizi;httponly;secure;
    GssapiCredStore keytab:/var/www/html/rf002/conf/sa_RF002-KRB-Svil.keytab
    Require valid-user

My krb5.conf:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = SISTEMI.GROUP
     dns_lookup_kdc = true
     dns_lookup_realm = false
     ticket_lifetime = 86400
     renew_lifetime = 604800
     forwardable = true
     proxiable = true
     default_ccache_name = KEYRING:persistent:%{uid}
     default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
     default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
     permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
     udp_preference_limit = 1
     kdc_timeout = 3000

    [realms]
    SISTEMI.GROUP = {
     kdc = sisvrdc01.sistemi.group
     admin_server = sisvrdc01.sistemi.group
     kdc = sisvrdc02.sistemi.group
     kdc = sisnodc01.sistemi.group
     kdc = sisnodc02.sistemi.group
    }

    [domain_realm]

    [capaths]
    SEDI-DIREZIONI.GROUP = {
     SISTEMI.GROUP = KRONOS.GROUP
    }

And my keytab:

    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    3 HTTP/rf002svil.intranet.servizi@SISTEMI.GROUP (aes256-cts-hmac-sha1-96)

Any idea?

Thanks!
