I got FreeIPA up and running but am having trouble getting it working with 
Apache; I tried both mod_auth_mellon and mod_auth_gssapi. My goal is to have 
something that 1) attempts Kerberos and 2) falls back to user/pass auth.

For mod_auth_gssapi, I am able to get SSO working with my local Firefox, 
but the fallback HTTP Basic auth fails. Opening a private Firefox window (to 
break Kerberos) and entering my username/pass, I get the following Apache log 
error:
GSS ERROR gss_init_sec_context(): [Unspecified GSS failure.  Minor code may provide more information (KDC has no support for encryption type)

Apache config is:
<Location />
  AuthType GSSAPI
  AuthName "Kerberos Login"
  GssapiCredStore keytab:/etc/httpd/http.keytab
  GssapiBasicAuth On
  GssapiBasicAuthMech krb5

  Require valid-user
</Location>


Okay, so I moved to mod_auth_mellon (SAML auth via Keycloak via FreeIPA). With 
this one I got username/pass auth working, but Kerberos does not work. I 
followed the instructions here: 
https://jdennis.fedorapeople.org/doc/mellon-install/mellon-install-guide.html

Keycloak reports the below message when I *require* Kerberos auth (over 
username/passwd):
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - AES256 CTS mode with HMAC SHA1-96)

So I think something might be wrong with my keytab file. Lots of posts around 
the internet are about Windows AD and say to enable AES encryption for that 
service, but I do not see such an option in FreeIPA.


So am I missing something with the encryption settings?


Here is my keytab creation command:
ipa-getkeytab -s freeipa.example.com -p HTTP/keycloak.example.com -k /tmp/client1.keytab

And here is the result:

[root@freeipa ~]# klist -e -k /tmp/client1.keytab
Keytab name: FILE:/tmp/client1.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/[email protected] (aes256-cts-hmac-sha1-96)
   1 HTTP/[email protected] (aes128-cts-hmac-sha1-96)



_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
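The post suspects the keytab itself, and the `klist -e -k` output only shows principal, KVNO and enctype name. As an added example (not code from the original poster or from FreeIPA, mod_auth_gssapi or Keycloak), the following Python parses a keytab in the MIT 0x0502 file format directly and reports, per principal, which key versions and encryption types it holds and which expected enctypes are missing. It builds a constructed in-memory keytab for the two entries shown in the post (realm `EXAMPLE.COM`, all-zero dummy key material and a second `HTTP/old.example.com` principal are assumptions for the sample); on a real host you would read `/tmp/client1.keytab` or `/etc/httpd/http.keytab` with `open(path, "rb").read()` and pass those bytes to `check_keytab`.

```python
"""Parse an MIT-format keytab and report per-principal enctypes and KVNOs.

Added example for the thread above; it is not code from the original post.
The sample keytab at the bottom is constructed here, with a made-up realm
and dummy (all-zero) keys, so the script runs offline.
"""
import struct

# Enctype numbers from RFC 3961 / RFC 3962 as used by MIT krb5 and FreeIPA
ENCTYPE_NAMES = {
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
KRB5_NT_PRINCIPAL = 1


def _counted(b):
    """16-bit big-endian length prefix followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples as a 0x0502 keytab."""
    out = b"\x05\x02"
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name type, timestamp (0 for the sample), 8-bit kvno
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)          # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """Return a list of dicts, one per keytab entry, in file order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version (expected 0x0502)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                         # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:                   # 32-bit kvno, if present and non-zero, wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
            "key_len": len(key),
        })
        pos = end
    return entries


def check_keytab(data, wanted=(18, 17)):
    """Group entries by principal and flag expected enctypes that are absent.

    The default expects the AES enctypes FreeIPA issues (18 = aes256, 17 = aes128).
    """
    report = {}
    for e in parse_keytab(data):
        r = report.setdefault(e["principal"], {"kvnos": set(), "enctypes": set()})
        r["kvnos"].add(e["kvno"])
        r["enctypes"].add(e["enctype"])
    for r in report.values():
        r["missing"] = set(wanted) - r["enctypes"]
    return report


# Constructed sample: the two entries klist showed in the post (with a made-up
# realm and zero-filled dummy keys), plus one stale RC4-only principal.
SAMPLE = build_keytab([
    ("HTTP/keycloak.example.com", "EXAMPLE.COM", 1, 18, bytes(32)),
    ("HTTP/keycloak.example.com", "EXAMPLE.COM", 1, 17, bytes(16)),
    ("HTTP/old.example.com", "EXAMPLE.COM", 3, 23, bytes(16)),
])

if __name__ == "__main__":
    for principal, r in check_keytab(SAMPLE).items():
        names = sorted(ENCTYPE_NAMES.get(t, str(t)) for t in r["enctypes"])
        print(principal, "kvno", sorted(r["kvnos"]), names,
              "missing:", sorted(r["missing"]) or "none")
```

The report answers two questions the `klist` listing leaves implicit: whether the principal the service actually uses has keys for the enctypes the KDC is issuing, and whether every key for that principal shares one KVNO (a keytab that was re-extracted with `ipa-getkeytab` gets a new key version on the KDC side, so an older copy elsewhere stops decrypting tickets even though its enctypes look right).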