On Mon, 2016-04-04 at 14:29 +0200, Andreas Ladanyi wrote: > Hi Simo, > > On Thu, 2016-03-24 at 14:12 +0100, Andreas Ladanyi wrote: > >> The login should also (like on the old system) be possible from a client > >> outside the kerberos realm, so a username/password popup should appear. > > If the basic auth header is received the browser will either show a > > popup, or just send credentials if it had them previously cached. > is this the HTTP 401 message from the server to the browser ? > > > >> I thought this is possible because the GssapiBasicAuth is On. > > GssapiBasicAuth On enables Basic Auth fallback indeed, but this option > > is supported only starting with version 1.2.0, what version do you use ? > i use version 1.3.1 > > > >> So how i could debug/solve this issue ? > > Check with developer tools if the browser is receiving a basic auth > > header, if not check the apache error logs after raising debug level to > > see if mod_auth_gssapi is logging any error. > > > > Keep in mind that browsers will attempt negotiate auth in preference. > > i used the Live HTTP header addon for firefox and get this response from > the Apache server: > > HTTP/1.1 200 OK > Date: Mon, 04 Apr 2016 09:04:48 GMT > Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1 > PHP/5.4.16 > X-Powered-By: PHP/5.4.16 > Set-Cookie: PHPSESSID=1he24b9k0igddspei4vnpt7sd6; path=/; HttpOnly > Set-Cookie: MANTIS_secure_session=0; path=/; httponly > Cache-Control: no-store, no-cache, must-revalidate > Last-Modified: Mon, 04 Apr 2016 09:04:48 GMT > x-content-type-options: nosniff > Expires: Mon, 04 Apr 2016 09:04:48 GMT > X-Frame-Options: DENY > X-Content-Security-Policy: allow 'self'; options inline-script > eval-script; frame-ancestors 'none' > Content-Encoding: gzip > Vary: Accept-Encoding > Content-Length: 1470 > Keep-Alive: timeout=5, max=100 > Connection: Keep-Alive > Content-Type: text/html; charset=utf-8 > > > I cant see a HTTP 401 server message in the firefox log. So the apache > doesnt know (????) that 401 should be send to the browser so the > username/password popup doesnt appear ? > > > I cant see 401 messages in error_log/access_log from apache.
Sound like your Apache server is not configured to apply authentication modules to the location you are asking for ? A 200 OK message means either that authentication was successful, or was not needed. Simo. -- Simo Sorce * Red Hat, Inc * New York ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
