No key table entry found matching #308

lyrixx · 2024-06-25T16:57:50Z

lyrixx
Jun 25, 2024

Hello,

I'm migration a legacy system from mod_kerberos to this module.

And when I try to authenticate, it fails from time to time:

>/home/gregoire clear ; for i in `seq 0 40` ; do curl -su 'gpineau:foobar'  http://foobar:8080/build/2.4956d9f2.js -I | grep HTTP ; done

HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 200 OK
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 200 OK
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 200 OK
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 200 OK
HTTP/1.1 401 Unauthorized

In the log, I can read, only when it fails:

[Tue Jun 25 18:51:17.496746 2024] [auth_gssapi:error] [pid 103358] [client 127.0.0.1:40726] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [No credentials were supplied, or the credentials were unavailable or inaccessible (No key table entry found matching HTTP/prod-01-isy.prod.com@)]

When it success, there are nothing useful.

Apache Conf

<VirtualHost *:80>
   DocumentRoot /home/foobar/htdocs/isyapp.foobar.fr/current/public
   ServerName isyapp.foobar.fr

   <Directory "/home/foobar/htdocs/isyapp.foobar.fr/current/public">
      <If "%{THE_REQUEST} =~ m# /apiex/?#i">
         AuthType None
         AllowOverride None
         Order Allow,deny
         Allow from All
      </If>
      <Else>
         Options Indexes FollowSymLinks MultiViews

         # Help:
         # * https://docs.active-directory-wp.com/Networking/Single_Sign_On/Kerberos_SSO_with_Apache_on_Linux.html
         # * https://github.com/gssapi/mod_auth_gssapi

         AuthType GSSAPI
         AuthName "Kerberos authenticated intranet"
         GssapiCredStore keytab:/etc/kerberos.keytab

         # Only allow krb5 and ignore ntlmssp and iakerb
         GssapiAllowedMech krb5

         # We want to fallback to Basic Auth (linux user)
         GssapiBasicAuth On

         # Resolve remote's user into REMOTE_USER variable. Proper setting of [realms].auth_to_local in /etc/krb5.conf is required
         GssapiLocalName On
         GssapiNegotiateOnce On

         GssapiAcceptorName HTTP@isyapp.foobar.fr

         GssapiUseSessions On
         Session On
         SessionCookieName gssapi_session path=/;httponly;

         Require valid-user
      </Else>

      <IfModule mod_rewrite.c>
         Options -MultiViews
         RewriteEngine On
         RewriteCond %{REQUEST_FILENAME} !-f
         RewriteRule ^(.*)$ index.php [QSA,L]
      </IfModule>
   </Directory>

   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
   CustomLog ${APACHE_LOG_DIR}/isyapp.foobar.fr.access.log combined
   ErrorLog  ${APACHE_LOG_DIR}/isyapp.foobar.fr.error.log
</VirtualHost>

/etc/krb5.conf

[libdefaults]
    default_realm = CER02.INTRA

    # The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

/etc/kerberos.keytab

root@p-02-webisy:/etc/apache2# ktutil
ktutil:  r
read_kt  read_st  rkt      rst
ktutil:  read_kt /etc/kerberos.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3        HTTP/isy.foobar.fr@CER02.INTRA
   2    4     HTTP/isyapp.foobar.fr@CER02.INTRA

To be honest, I really don't know kerberos or GSS API, but I tried many things...

I'm not sure, if it's the root issue, but I was not able to migrate the following config option

   KrbAuthRealms CER02.INTRA

Answered by simo5

Jun 25, 2024

Your configuration says the server name is:

ServerName isyapp.foobar.fr
...
GssapiAcceptorName HTTP@isyapp.foobar.fr

And yet some client is trying to access it as HTTP/prod-01-isy.prod.com@

In your keytab you have no entry for that last name, yet if it is a krb principal alias in the KDC it could be made to work by adding the ignore_acceptor_hostname option in krb5.conf, see: man krb5.conf for details

If prod-01-isy.prod.com is not a principal alias in your KDC, then you have to fix your clients to not do canonicalization (which is insecure anyway).
Modern Linux clients set canonicalization off by default, I do not know what other OSs do exactly but I think both Windows and Mac should av…

View full answer

simo5 · 2024-06-25T18:00:04Z

simo5
Jun 25, 2024
Maintainer

Your configuration says the server name is:

ServerName isyapp.foobar.fr
...
GssapiAcceptorName HTTP@isyapp.foobar.fr

And yet some client is trying to access it as HTTP/prod-01-isy.prod.com@

In your keytab you have no entry for that last name, yet if it is a krb principal alias in the KDC it could be made to work by adding the ignore_acceptor_hostname option in krb5.conf, see: man krb5.conf for details

If prod-01-isy.prod.com is not a principal alias in your KDC, then you have to fix your clients to not do canonicalization (which is insecure anyway).
Modern Linux clients set canonicalization off by default, I do not know what other OSs do exactly but I think both Windows and Mac should avoid it by default.
See the option dns_canonicalize_hostname in krb5.conf (https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html) <- this needs to be done on the clients not the server.

There isn't a direct replacement for KrbAuthRealms, if you have Realm Trusts and you want to allow users only from one specific realm I guess the only good option is to use GssapiLocalName to require user mapping and then trust those users, see the docs for the implications of using that option.
You already set this option, so I think you can just ignore that old setting from mod_auth_kerb.

1 reply

hecht-a Jun 27, 2024

Hello,

thanks, this solution worked 🎊

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

No key table entry found matching #308

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

No key table entry found matching #308

Uh oh!

lyrixx Jun 25, 2024

Replies: 1 comment · 1 reply

Uh oh!

Uh oh!

simo5 Jun 25, 2024 Maintainer

Uh oh!

hecht-a Jun 27, 2024

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

lyrixx
Jun 25, 2024

Replies: 1 comment 1 reply

simo5
Jun 25, 2024
Maintainer