I've installed mod_auth_kerb on Apache 2.4, but it doesn't seem to be working... the Apache error log is showing a 401 status code, but is still returning the page! If anyone can point me in the right direction, I would be very grateful.
Here is my mod_auth_kerb Apache config:
<Location />
AuthType Kerberos
AuthName "Kerberos Login"
Krb5KeyTab /etc/opt/quest/vas/HTTP.keytab
KrbAuthRealms UEA.AC.UK
Require valid-user
</Location>
Here are the commands and output of the mod_auth_kerb build process:
# in mod-auth-kerb/src
patch ./mod_auth_kerb.c ../../mod_auth_kerb-5.4-apache24.patch
patching file ./mod_auth_kerb.c
[root@ueacisr6test:mod_auth_kerb-5.4] ./configure --with-krb5=/usr --with-krb4=no --with-apache=/usr/local/apache
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether make sets $(MAKE)... yes
checking for main in -lresolv... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking limits.h usability... yes
checking limits.h presence... yes
checking for limits.h... yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking stddef.h usability... yes
checking stddef.h presence... yes
checking for stddef.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking for unistd.h... (cached) yes
checking for size_t... yes
checking whether struct tm is in sys/time.h or time.h... time.h
checking gssapi.h usability... yes
checking gssapi.h presence... yes
checking for gssapi.h... yes
checking for krb5_init_context in -lkrb5... yes
checking for krb5_cc_new_unique in -lkrb5... yes
checking whether we are using Heimdal... no
checking whether the GSSAPI libraries support SPNEGO... yes
checking for apxs... /usr/local/apache/bin/apxs
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
[root@ueacisr6test:mod_auth_kerb-5.4] make
./apxs.sh "-I. -Ispnegokrb5 -I/usr/include " "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" "" "/usr/local/apache/bin/apxs" "-c" "src/mod_auth_kerb.c"
/usr/local/apache/build/libtool --silent --mode=compile gcc -std=gnu99 -prefer-pic -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -g -O2 -pthread -I/usr/local/apache/include -I/usr/local/apache/include -I/usr/local/apache/include -I. -Ispnegokrb5 -I/usr/include -c -o src/mod_auth_kerb.lo src/mod_auth_kerb.c && touch src/mod_auth_kerb.slo
src/mod_auth_kerb.c: In function 'authenticate_user_krb5pwd':
src/mod_auth_kerb.c:1040: warning: passing argument 8 of 'verify_krb5_user' discards qualifiers from pointer target type
src/mod_auth_kerb.c:688: note: expected 'char *' but argument is of type 'const char *'
src/mod_auth_kerb.c: In function 'have_rcache_type':
src/mod_auth_kerb.c:1747: warning: implicit declaration of function 'krb5_rc_resolve_full'
src/mod_auth_kerb.c:1751: warning: implicit declaration of function 'krb5_rc_destroy'
/usr/local/apache/build/libtool --silent --mode=link gcc -std=gnu99 -o src/mod_auth_kerb.la -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv -rpath /usr/local/apache/modules -module -avoid-version src/mod_auth_kerb.lo
[root@ueacisr6test:mod_auth_kerb-5.4] make install
./apxs.sh "-I. -Ispnegokrb5 -I/usr/include " "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" "" "/usr/local/apache/bin/apxs" "-c -i" "src/mod_auth_kerb.c"
/usr/local/apache/build/libtool --silent --mode=compile gcc -std=gnu99 -prefer-pic -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -g -O2 -pthread -I/usr/local/apache/include -I/usr/local/apache/include -I/usr/local/apache/include -I. -Ispnegokrb5 -I/usr/include -c -o src/mod_auth_kerb.lo src/mod_auth_kerb.c && touch src/mod_auth_kerb.slo
src/mod_auth_kerb.c: In function 'authenticate_user_krb5pwd':
src/mod_auth_kerb.c:1040: warning: passing argument 8 of 'verify_krb5_user' discards qualifiers from pointer target type
src/mod_auth_kerb.c:688: note: expected 'char *' but argument is of type 'const char *'
src/mod_auth_kerb.c: In function 'have_rcache_type':
src/mod_auth_kerb.c:1747: warning: implicit declaration of function 'krb5_rc_resolve_full'
src/mod_auth_kerb.c:1751: warning: implicit declaration of function 'krb5_rc_destroy'
/usr/local/apache/build/libtool --silent --mode=link gcc -std=gnu99 -o src/mod_auth_kerb.la -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv -rpath /usr/local/apache/modules -module -avoid-version src/mod_auth_kerb.lo
/usr/local/apache/build/instdso.sh SH_LIBTOOL='/usr/local/apache/build/libtool' src/mod_auth_kerb.la /usr/local/apache/modules
/usr/local/apache/build/libtool --mode=install install src/mod_auth_kerb.la /usr/local/apache/modules/
libtool: install: install src/.libs/mod_auth_kerb.so /usr/local/apache/modules/mod_auth_kerb.so
libtool: install: install src/.libs/mod_auth_kerb.lai /usr/local/apache/modules/mod_auth_kerb.la
libtool: install: install src/.libs/mod_auth_kerb.a /usr/local/apache/modules/mod_auth_kerb.a
libtool: install: chmod 644 /usr/local/apache/modules/mod_auth_kerb.a
libtool: install: ranlib /usr/local/apache/modules/mod_auth_kerb.a
libtool: finish: PATH="/sbin:/bin:/usr/sbin:/usr/bin:/opt/quest/bin:/sbin" ldconfig -n /usr/local/apache/modules
----------------------------------------------------------------------
Libraries have been installed in:
/usr/local/apache/modules
If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the `LD_RUN_PATH' environment variable
during linking
- use the `-Wl,-rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to `/etc/ld.so.conf'
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
chmod 755 /usr/local/apache/modules/mod_auth_kerb.so
Investigating this a bit further, if I disable negotiation (so only the popup authentication box is used), then I think things work correctly. However, if negotiation is used, the results seem odd and slightly unpredictable:
1) For an authorised user in a browser (Chrome) which should manage to SSO in using a Kerberos ticket, I see a 401 status logged in the access log, but the page is returned.
2) For an authenticated but unauthorized user in Chrome, they get a 500 Server Error rather than an authorization denied message.
3) For an unauthorized user (not sure if authentication occurred) in Internet Explorer, they get a blank page.
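
With HTTP Negotiate the browser's first, unauthenticated request is answered with 401 and the retry that carries the ticket with 200, so a successful single sign-on also leaves a 401 in the access log. The following is an added example, not part of the original post: it labels each 401 in an access log as a handshake round trip, a 401 whose body is as large as the page itself, or a plain rejection. The log lines are constructed, common log format is assumed, and comparing the 401 body size with the size seen on a 200 for the same path is a heuristic chosen for this example.

```python
import re

# Constructed sample lines in Apache common log format (not from the post).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 401 381
10.0.0.5 - alice@UEA.AC.UK [12/Mar/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2014:10:02:10 +0000] "GET /index.html HTTP/1.1" 401 5120
10.0.0.7 - - [12/Mar/2014:10:03:00 +0000] "GET /index.html HTTP/1.1" 401 381
"""

# host, ident, user, [time], "METHOD path proto", status, bytes
LINE = re.compile(r'(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')


def parse(log):
    """Yield (host, user, path, status, size) for every parsable line."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            host, user, _method, path, status, size = m.groups()
            yield host, user, path, int(status), 0 if size == "-" else int(size)


def classify_401s(log):
    """Label each 401 as 'handshake', 'content-with-401' or 'rejected'."""
    entries = list(parse(log))
    # Body size each path has when served with 200, learned from the log itself.
    ok_size = {path: size for _, _, path, status, size in entries if status == 200}
    results = []
    for i, (host, _user, path, status, size) in enumerate(entries):
        if status != 401:
            continue
        # Next request from the same client for the same path, if any.
        nxt = next((e for e in entries[i + 1:] if e[0] == host and e[2] == path), None)
        if path in ok_size and size == ok_size[path]:
            label = "content-with-401"   # full page body sent with a 401 status
        elif nxt and nxt[3] == 200 and nxt[1] != "-":
            label = "handshake"          # 401 challenge, then authenticated 200
        else:
            label = "rejected"           # challenge never followed by success
        results.append((host, path, label))
    return results


if __name__ == "__main__":
    for row in classify_401s(SAMPLE_LOG):
        print(*row)
```

Only the `content-with-401` rows indicate protected content leaving the server without successful authentication; `handshake` rows are the expected first leg of the exchange.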