I am trying to set up a simple shared file directory on my Apache that is kerberized to handle KDC tickets.
When I try to access the shared files through Chrome on my workstation, I get these errors in the Apache error log:
```
[Fri Dec 08 16:59:50.390610 2017] [auth_kerb:debug] [pid 8140] src/mod_auth_kerb.c(1598): [client 192.168.2.136:58703] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Dec 08 16:59:50.390657 2017] [auth_kerb:debug] [pid 8140] src/mod_auth_kerb.c(1230): [client 192.168.2.136:58703] Acquiring creds for HTTP/web01.CORP.local@CORP.LOCAL
[Fri Dec 08 16:59:50.392259 2017] [auth_kerb:debug] [pid 8140] src/mod_auth_kerb.c(1352): [client 192.168.2.136:58703] Verifying client data using KRB5 GSS-API
[Fri Dec 08 16:59:50.392296 2017] [auth_kerb:debug] [pid 8140] src/mod_auth_kerb.c(1368): [client 192.168.2.136:58703] Client didn't delegate us their credential
[Fri Dec 08 16:59:50.392305 2017] [auth_kerb:debug] [pid 8140] src/mod_auth_kerb.c(1396): [client 192.168.2.136:58703] **Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.**
[Fri Dec 08 16:59:50.392312 2017] [auth_kerb:debug] [pid 8140] src/mod_auth_kerb.c(1091): [client 192.168.2.136:58703] GSS-API **major_status:00070000, minor_status:00000000**
[Fri Dec 08 16:59:50.392328 2017] [auth_kerb:error] [pid 8140] [client 192.168.2.136:58703] gss_accept_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible (, Unknown error)
```
----------
I have a Windows 10 workstation on my company AD; my Apache is on CentOS 7, httpd-2.4.10.
I created a service account for my Apache server with msktutil and copied the generated keytab to the Apache server under `/etc/httpd/`.
Tested so far:

1. tested basic connectivity from the Apache server to the domain,

```
[root@web01 /etc/httpd]# kinit first.last
Password for first.last@CORP.LOCAL:
[root@web01 /etc/httpd]#
```

2. checked that the service account named 'web01.httpd' was created on AD and is there, also checked it with klist,

```
[root@web01 /etc/httpd]# klist -kte /etc/httpd/httpd.keytab
Keytab name: FILE:/etc/httpd/httpd.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 12/08/17 10:16:28 web01.httpd@CORP.LOCAL (arcfour-hmac)
   2 12/08/17 10:16:28 web01.httpd@CORP.LOCAL (aes128-cts-hmac-sha1-96)
   2 12/08/17 10:16:28 web01.httpd@CORP.LOCAL (aes256-cts-hmac-sha1-96)
   2 12/08/17 10:16:28 HTTP/web01.CORP.local@CORP.LOCAL (arcfour-hmac)
   2 12/08/17 10:16:28 HTTP/web01.CORP.local@CORP.LOCAL (aes128-cts-hmac-sha1-96)
   2 12/08/17 10:16:28 HTTP/web01.CORP.local@CORP.LOCAL (aes256-cts-hmac-sha1-96)
```

3. checked that kvno shows a number,

```
[root@web01 /etc/httpd]# kvno HTTP/web01.CORP.local
HTTP/web01.corp.local@CORP.LOCAL: kvno = 2
```
4. checked my Apache config,

```apache
LoadModule auth_kerb_module /usr/lib64/httpd/modules/mod_auth_kerb.so

# Container directives below are assumed: the <VirtualHost> and <Directory>
# lines of the posted config did not survive extraction and were restored
# from the grouping of the directives.
<VirtualHost *:80>
    ServerName webfiles
    ServerAlias webfiles.corp.local
    DocumentRoot /opt/webfiles
    LogLevel Debug
    # plain HTTP is redirected to HTTPS
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

<VirtualHost *:443>
    ServerName webfiles
    ServerAlias webfiles.corp.local
    DocumentRoot /opt/webfiles
    LogLevel Debug
    ErrorLog /var/log/httpd/webfiles_error
    CustomLog /var/log/httpd/webfiles_access common
    SSLEngine On
    SSLCertificateKeyFile /etc/pki/tls/private/web01.CORP.local.pem
    SSLCertificateFile /etc/pki/tls/certs/web01.CORP.local.pem
    SSLCertificateChainFile /etc/pki/ca-trust/source/anchors/CORP_intermediate_ca.crt

    <Directory /opt/webfiles>
        AuthzSendForbiddenOnFailure On
        Options +Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
        AuthName "kerb access"
        AuthType Kerberos
        KrbAuthRealms CORP.LOCAL
        KrbServiceName HTTP/web01.corp.local@CORP.LOCAL
        Krb5KeyTab /etc/httpd/httpd.keytab
        KrbMethodK5Passwd off
        KrbLocalUserMapping on
        KrbSaveCredentials on
        SSLRequireSSL
        #AuthGroupFile /etc/httpd/conf/httpd-access-groups
        Require valid-user
    </Directory>
</VirtualHost>
```
5. checked /etc/krb5.conf for proper domain info, it looks good,

```ini
[libdefaults]
  default_realm = CORP.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 10h
  renew_lifetime = 7d
  forwardable = true
  kdc_timesync = true
  ccache_type = 4
  proxiable = true
  fcc-mit-ticketflags = true
  default_keytab_name = FILE:/etc/krb5.keytab
  verify_ap_req_nofail = true

[realms]
  CORP.LOCAL = {
    kdc = CORP.local
    admin_server = dom01.corp.local
  }

[domain_realm]
  CORP.local = CORP.LOCAL
  .CORP.local = CORP.LOCAL
  .dr.CORP.local = CORP.LOCAL
  .test.local = CORP.LOCAL
  .dmz.local = CORP.LOCAL
  .prod.local = CORP.LOCAL
```
Not sure where to look. My workstation's Internet Options - Local intranet - sites are configured to authenticate to my domain,
and I still get the NTLM error message.
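The warning in the log above is mod_auth_kerb noticing that the token the browser sent was NTLM rather than Kerberos. As an added example (not part of the question, and not mod_auth_kerb's own code), the Python below decodes the value of a captured `Authorization: Negotiate` header and reports whether the client sent raw NTLM, a SPNEGO token whose preferred mechanism is NTLM (what Windows falls back to when it could not obtain a ticket for the HTTP/ SPN), or a Kerberos token. The DER walker and the sample-token builders are the example's own assumptions, and the sample tokens are constructed rather than captured.

```python
import base64
NTLMSSP = b"NTLMSSP\x00"  # raw NTLM signature; mod_auth_kerb rejects a token starting with it
OIDS = {  # DER-encoded OID contents -> mechanism name
    bytes.fromhex("2b0601050502"): "spnego", bytes.fromhex("2a864886f712010202"): "kerberos",
    bytes.fromhex("2a864882f712010202"): "ms-kerberos", bytes.fromhex("2b060104018237020a"): "ntlm"}

def _tlv(buf, pos):  # one DER tag-length-value at pos -> (tag, value, end); definite lengths only
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _oids(buf):  # yield every OID in buf, descending into constructed types but not OCTET STRINGs
    pos = 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        if tag == 0x06:
            yield val
        elif tag & 0x20:
            yield from _oids(val)

def classify_negotiate_token(header_value):
    """Classify an 'Authorization: Negotiate <base64>' value as mod_auth_kerb would see it."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        token = base64.b64decode(b64, validate=True)  # raises binascii.Error (a ValueError)
        mechs = [OIDS.get(o, "other") for o in _oids(token)] if token[:1] == b"\x60" else []
    except (ValueError, IndexError):
        return "malformed"
    if token.startswith(NTLMSSP):
        return "ntlm"  # raw NTLMSSP: the case the error log above reports
    if mechs[:1] != ["spnego"]:  # bare GSS token (e.g. raw Kerberos AP-REQ) or not GSS at all
        return "kerberos" if mechs and mechs[0].endswith("kerberos") else "unknown"
    preferred = (mechs[1:2] or ["other"])[0]  # the mechToken belongs to the first mechType
    return "spnego-kerberos" if preferred.endswith("kerberos") else "spnego-" + preferred

def der(tag, *parts):  # short-form DER TLV (< 128 bytes); only builds the sample tokens
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def spnego_init(mech_names, mech_token):  # constructed NegTokenInit sample, not a real capture
    oid_of = {name: oid for oid, name in OIDS.items()}
    mech_types = der(0x30, *(der(0x06, oid_of[m]) for m in mech_names))
    neg = der(0x30, der(0xA0, mech_types), der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, oid_of["spnego"]), der(0xA0, neg))
def negotiate_header(token):  # as the browser sends it: "Authorization: Negotiate <base64>"
    return "Negotiate " + base64.b64encode(token).decode()
```

A result of `ntlm` or `spnego-ntlm` for a request from a domain-joined workstation means the client never got a Kerberos ticket for the SPN the server is using, which points at the SPN, the site zone, or the realm mapping rather than at the keytab.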