[users@httpd] Error with Kerberos in Apache

2017-05-09 Thread Luiz Guilherme Nunes Fernandes
Well, I tried my first test and it worked: if I authenticate with the LDAP protocol
without Kerberos it works, but when I try to add Kerberos, error messages show up in the log.
Any idea?

No errors in apachectl configtest


###
cat /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = REDE.COM.BR
 dns_lookup_realm = false
 dns_lookup_kdc = true
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 REDE.COM.BR = {
 kdc = REDE.COM.BR
 admin_server = REDE.COM.BR
 }

[domain_realm]
 .rede.com.br=REDE.COM.BR
 rede.com.br=REDE.COM.BR

###

kinit root
Password for r...@rede.com.br:

klist
Ticket cache: KEYRING:persistent:0:0
Default principal: r...@rede.com.br

Valid starting   Expires  Service principal
05/09/2017 09:45:36  05/09/2017 19:45:36  krbtgt/rede.com...@rede.com.br
renew until 05/16/2017 09:45:34

###
 cat /etc/httpd/conf.d/proxy.conf

ProxyPreserveHost Off
ProxyPass / http://localhost:631/
ProxyPassReverse / http://localhost:631/


LogLevel debug



 AuthType Kerberos
 KrbMethodNegotiate On
 AuthName "REDE.COM.BR Domain Login"
 KrbMethodK5Passwd On
 KrbAuthRealms REDE.COM.BR
 Krb5KeyTab /etc/httpd/conf.d/httpd.keytab
 KrbLocalUserMapping on
 require valid-user

#   AuthName "Informe usuario da rede"
#   AuthType Basic
#   AuthBasicProvider ldap
   AuthLDAPUrl ldap://rede.com.br/ou=usuarios,dc=rede,dc=com,dc=br?sAMAccountName
   AuthLDAPBindDN cn=users,dc=rede,dc=com,dc=br
   AuthLDAPBindPassword XX
   Require valid-user
   LDAPReferrals Off
   
#




###

[root@delorean1 conf.d]# tail -f /var/log/httpd/error_log
[Mon May 08 17:48:42.320886 2017] [auth_kerb:error] [pid 19879] [client
10.251.14.140:55636] failed to verify krb5 credentials: Server not found in
Kerberos database, referer: http://10.1.1.75/
[Mon May 08 17:48:42.320898 2017] [auth_kerb:debug] [pid 19879]
src/mod_auth_kerb.c(1127): [client 10.251.14.140:55636]
kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL),
referer: http://10.1.1.75/
[Mon May 08 17:48:55.301656 2017] [authz_core:debug] [pid 19881]
mod_authz_core.c(809): [client 10.251.14.140:55638] AH01626: authorization
result of Require valid-user : denied (no authenticated user yet), referer:
http://10.1.1.75/
[Mon May 08 17:48:55.301702 2017] [authz_core:debug] [pid 19881]
mod_authz_core.c(809): [client 10.251.14.140:55638] AH01626: authorization
result of Require valid-user : denied (no authenticated user yet), referer:
http://10.1.1.75/
[Mon May 08 17:48:55.301710 2017] [authz_core:debug] [pid 19881]
mod_authz_core.c(809): [client 10.251.14.140:55638] AH01626: authorization
result of : denied (no authenticated user yet), referer:
http://10.1.1.75/
[Mon May 08 17:48:55.301736 2017] [auth_kerb:debug] [pid 19881]
src/mod_auth_kerb.c(1954): [client 10.251.14.140:55638]
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos,
referer: http://10.1.1.75/
[Mon May 08 17:48:55.302037 2017] [auth_kerb:debug] [pid 19881]
src/mod_auth_kerb.c(1048): [client 10.251.14.140:55638] Using
HTTP/10.1.1.75@ as server principal for password verification, referer:
http://10.1.1.75/
[Mon May 08 17:48:55.302062 2017] [auth_kerb:debug] [pid 19881]
src/mod_auth_kerb.c(752): [client 10.251.14.140:55638] Trying to get TGT
for user rede.com.brr...@rede.com.br, referer: http://10.1.1.75/
[Mon May 08 17:48:55.306313 2017] [auth_kerb:error] [pid 19881] [client
10.251.14.140:55638] krb5_get_init_creds_password() failed: Client not
found in Kerberos database, referer: http://10.1.1.75/
[Mon May 08 17:48:55.306348 2017] [auth_kerb:debug] [pid 19881]
src/mod_auth_kerb.c(1127): [client 10.251.14.140:55638]
kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL),
referer: http://10.1.1.75/
-- 
<<<--->>>

< Jesus said to him: I am the way, the truth and the life; no one comes to
the Father except through me >
 (John 14:6)

Regards,
♪ ♫  Luiz Guilherme Nunes
Fernandes  ♫ ♪

<<<--->>>
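An added example, not from the post or from mod_auth_kerb: a small Python checker that pulls the service principal, the client principal tried and the krb5 error texts out of auth_kerb lines like those quoted above, and reports two things visible in the logged service principal `HTTP/10.1.1.75@` (no realm in the log entry; the host part is an IP literal rather than a hostname). The sample lines are constructed from the post's output, joined back onto single lines, and the user name "alice" is made up.

```python
import ipaddress
import re

# Constructed sample modelled on the auth_kerb lines quoted in the post
# (each entry joined back onto one line; the user name "alice" is made up).
SAMPLE_LOG = """\
[Mon May 08 17:48:42.320886 2017] [auth_kerb:error] [pid 19879] [client 10.251.14.140:55636] failed to verify krb5 credentials: Server not found in Kerberos database, referer: http://10.1.1.75/
[Mon May 08 17:48:55.302037 2017] [auth_kerb:debug] [pid 19881] src/mod_auth_kerb.c(1048): [client 10.251.14.140:55638] Using HTTP/10.1.1.75@ as server principal for password verification, referer: http://10.1.1.75/
[Mon May 08 17:48:55.302062 2017] [auth_kerb:debug] [pid 19881] src/mod_auth_kerb.c(752): [client 10.251.14.140:55638] Trying to get TGT for user rede.com.bralice@rede.com.br, referer: http://10.1.1.75/
[Mon May 08 17:48:55.306313 2017] [auth_kerb:error] [pid 19881] [client 10.251.14.140:55638] krb5_get_init_creds_password() failed: Client not found in Kerberos database, referer: http://10.1.1.75/
"""

SERVER_RE = re.compile(r"Using (\S+) as server principal")
USER_RE = re.compile(r"Trying to get TGT for user (\S+?),")
ERROR_RE = re.compile(r"\[auth_kerb:error\] .*?(?:failed|credentials): ([^,]+)")

def parse_auth_kerb(text):
    """Service principal(s), client principal(s) and krb5 error texts found
    in mod_auth_kerb debug/error lines."""
    servers, clients, errors = [], [], []
    for line in text.splitlines():
        if m := SERVER_RE.search(line):
            servers.append(m.group(1))
        elif m := USER_RE.search(line):
            clients.append(m.group(1))
        elif m := ERROR_RE.search(line):
            errors.append(m.group(1).strip())
    return servers, clients, errors

def check_service_principal(principal):
    """Observations about a logged service principal: the realm is empty in
    the log line (krb5 fills it from krb5.conf at lookup time), and the host
    part is an IP literal, which is not how a KDC keys HTTP/ principals."""
    findings = []
    name, _, realm = principal.partition("@")
    if not realm:
        findings.append("realm empty in log")
    try:
        ipaddress.ip_address(name.partition("/")[2])
        findings.append("host part is an IP literal")
    except ValueError:
        pass
    return findings

if __name__ == "__main__":
    servers, clients, errors = parse_auth_kerb(SAMPLE_LOG)
    for s in servers:
        print("service principal", s, "->", check_service_principal(s))
    print("client principals tried:", clients, "| krb5 errors:", errors)
```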


Re: [users@httpd] Problem running cgi-bin scripts

2017-05-09 Thread Mike Brown
On Tue, May 09, 2017 at 04:58:41AM -0500, Mike Brown wrote:
> On Tue, May 09, 2017 at 10:30:09AM +0100, Nick Kew wrote:
> > On Tue, 9 May 2017 03:30:25 -0500
> > Mike Brown  wrote:
> > 
> > 
> > > [Mon May 08 21:17:30.683456 2017] [cgi:error] [pid 23578] [client
> > > 192.168.1.1:55099] AH01215: (2)No such file or directory: exec of
> > > '/home/httpd/cgi-bin/dvbpass.cgi'
> > 
> > At a guess, the script itself won't run.  Do you need to update
> > a path in a shebang line, for instance?
> 
> Doh!  I totally forgot that perl is in an off-the-wall place under Solaris.
> I was so busy wrapping my head around the wp-login issue that the path
> totally slipped my mind.  I thought that it was causing my script not to run.
> I was chasing the wrong error first.
> 
> > > 2017] [:error] [pid 23782] [client 192.36.27.6:16800] script
> > > '/WebDisk/http/htdocs/vidiot/wp-login.php' not found or unable to stat
> > 
> > 192.36.* is not conventionally local NAT!
> > Could it be some random probe?
> 
> The above error was showing up at the same time that the cgi-bin script
> would not run.  Now that the script is running, that error is gone.
> Something in the httpd code?
> 
> Thanks for pointing me in the right direction.  As they say, a fresh set of
> eyes.

The wp-login.php error is no longer there, even with the bad path.  Really
weird.

All is well now.

MB
-- 
e-mail: vid...@vidiot.com | vid...@vidiot.net/~\ The ASCII
6082066...@email.uscc.net (140 char limit)   \ / Ribbon Campaign
Visit - URL: http://vidiot.com/   X  Against
 http://vidiot.net/  / \ HTML Email
"You're Sherlock Holmes, wear the damn hat!" - Watson to Sherlock
Sherlock - The Abominable Bride - 1/01/16

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] Problem running cgi-bin scripts

2017-05-09 Thread Mike Brown
On Tue, May 09, 2017 at 10:30:09AM +0100, Nick Kew wrote:
> On Tue, 9 May 2017 03:30:25 -0500
> Mike Brown  wrote:
> 
> 
> > [Mon May 08 21:17:30.683456 2017] [cgi:error] [pid 23578] [client
> > 192.168.1.1:55099] AH01215: (2)No such file or directory: exec of
> > '/home/httpd/cgi-bin/dvbpass.cgi'
> 
> At a guess, the script itself won't run.  Do you need to update
> a path in a shebang line, for instance?

Doh!  I totally forgot that perl is in an off-the-wall place under Solaris.
I was so busy wrapping my head around the wp-login issue that the path
totally slipped my mind.  I thought that it was causing my script not to run.
I was chasing the wrong error first.

> > 2017] [:error] [pid 23782] [client 192.36.27.6:16800] script
> > '/WebDisk/http/htdocs/vidiot/wp-login.php' not found or unable to stat
> 
> 192.36.* is not conventionally local NAT!
> Could it be some random probe?

The above error was showing up at the same time that the cgi-bin script
would not run.  Now that the script is running, that error is gone.
Something in the httpd code?

Thanks for pointing me in the right direction.  As they say, a fresh set of
eyes.

MB




Re: [users@httpd] apache 2.4 includes vi .swp files

2017-05-09 Thread Nick Kew
On Tue, 9 May 2017 10:19:06 +0200
Hajo Locke  wrote:

> Include /etc/apache2/conf.d/

Is this usage suggested or documented anywhere?

If it is then I would be inclined to agree, that's a gotcha
that should be noted in the docs.


> A quick fix could be to include only *.conf files:
> 
> Include /etc/apache2/conf.d/*.conf

As far as I can see, this is precisely what our docs suggest.

> But I wonder if Apache should basically try to include a file 
> "beginning with dot"/"ending with swp", which generally indicates a 
> temporary/hidden file.

Once you start excluding files by convention (which may be
entirely different and inappropriate on another platform),
it's a minefield.

-- 
Nick Kew




Re: [users@httpd] Problem running cgi-bin scripts

2017-05-09 Thread Nick Kew
On Tue, 9 May 2017 03:30:25 -0500
Mike Brown  wrote:


> [Mon May 08 21:17:30.683456 2017] [cgi:error] [pid 23578] [client
> 192.168.1.1:55099] AH01215: (2)No such file or directory: exec of
> '/home/httpd/cgi-bin/dvbpass.cgi'

At a guess, the script itself won't run.  Do you need to update
a path in a shebang line, for instance?


> 2017] [:error] [pid 23782] [client 192.36.27.6:16800] script
> '/WebDisk/http/htdocs/vidiot/wp-login.php' not found or unable to stat

192.36.* is not conventionally local NAT!
Could it be some random probe?

Clearly you have some non-standard paths, including that one,
somewhere in your configuration.

-- 
Nick Kew




Re: [users@httpd] AuthLDAPInitialBindAsUser etc.

2017-05-09 Thread Dirk van Deun
> 
> On Mon, May 8, 2017 at 10:37 AM, Dirk van Deun  
> wrote:
> >>
> >> Are you able to recompile?
> >>
> >> untested: http://people.apache.org/~covener/patches/2.4.x-bindpw_empty.diff
> >>
> >> you would not specify the directive in your case
> >>
> >
> > That fixes it.  If there is no other way around this, it would indeed
> > seem to be a bug.
> 
> 
> I can't really think of any feasible workaround to intercept that and
> replace the password.
> 
> If you're able, can you confirm s/AUTH_USER_NOT_FOUND/AUTH_DENIED/
> works too?  Probably more appropriate.
> 

That is okay: no visible difference for the user.

By the way, do you think there is actually a good use case for
AuthLDAPInitialBindAsUserAllowEmptyPassword ?  It amounts to allowing
users to implement their own passwordless bind, presumably for
servers that are secured not to allow anonymous bind, or else you
would use anonymous bind in the first place...

Dirk van Deun
-- 
Ceterum censeo Redmond delendum




Re: [users@httpd] ProxyPass with Location in 2.4.25

2017-05-09 Thread Nick Kew
On Tue, 9 May 2017 10:08:36 +0200
Michael Haas  wrote:


> With 2.4.25 all requests are routed through the last ProxyPass, the
> Location directive is ignored so the rewrite from the context is not
> happening.
> If I put the last ProxyPass in a Location directive like  "^/(?!service)"> it's again working.
> 
> Is this an intended change?

Interesting.  No, an upgrade between different 2.4.x versions
shouldn't have broken your configuration, unless a security fix
had made it unavoidable (which isn't the case here).  And that
should've been clearly documented as an upgrade note!

Are you sure nothing else changed at the same time as your upgrade?
Did you build from source or install a packaged or third-party version?

-- 
Nick Kew




[users@httpd] Problem running cgi-bin scripts

2017-05-09 Thread Mike Brown
I've been using Apache 2.2 on an old Solaris box for ages.  I'm finally
bringing up a new Linux server and have the latest 2.4 version up and running.
Sort of.

When I try and run any of the cgi-bin scripts that I have (there is really
only one that I use), I get the following error logged:

[Mon May 08 21:17:30.683456 2017] [cgi:error] [pid 23578] [client 
192.168.1.1:55099] AH01215: (2)No such file or directory: exec of 
'/home/httpd/cgi-bin/dvbpass.cgi' failed: /home/httpd/cgi-bin/dvbpass.cgi
[Mon May 08 21:17:30.685328 2017] [cgi:error] [pid 23578] [client 
192.168.1.1:55099] End of script output before headers: dvbpass.cgi
[Mon May 08 21:52:06.458293 2017] [:error] [pid 23782] [client 
192.36.27.6:16800] script '/WebDisk/http/htdocs/vidiot/wp-login.php' not found 
or unable to stat

Here are the lines in the config file dealing with cgi-bin:

ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/"
ScriptAlias /mailman/ "/usr/local/mailman/cgi-bin/"



#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#

AllowOverride None
Options None
Require all granted



AllowOverride None
Options None
Require all granted


I do not have the mail server up and running yet, nor do I have mailman up,
so I do not know if the mailman cgi-bin stuff will also fail.

The wordpress and mariadb packages are not installed.  I even tried looking
for wp-login.php in /etc, /usr and /var, just to make sure that it wasn't
somewhere on the system.

So, I am confused as to why apache is trying to use wp-login.php.  Or,
by chance is this another selinux thing (which I've used before).

Any tips will be appreciated.

Thanks.

MB

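An added example (my own Python, not from the thread): a pre-flight check for the failure behind the `(2)No such file or directory: exec of ... failed` line above, where exec() returns ENOENT because the interpreter named on the script's `#!` line does not exist at that path. It builds a constructed cgi-bin with one script whose shebang points at the interpreter running the check and one pointing at a non-existent path; the script names are made up.

```python
import os
import shlex
import sys
import tempfile

def shebang_interpreter(script_path):
    """Interpreter path named on the script's #! line, or None if there is none.
    (For "#!/usr/bin/env perl" this is /usr/bin/env; env then looks up perl.)"""
    with open(script_path, "rb") as f:
        first = f.readline()
    if not first.startswith(b"#!"):
        return None
    parts = shlex.split(first[2:].decode("utf-8", "replace").strip())
    return parts[0] if parts else None

def check_cgi_script(script_path):
    """Explain an exec() failure before httpd reports it as
    '(2)No such file or directory: exec of ... failed'."""
    if not os.path.isfile(script_path):
        return "script missing"
    interp = shebang_interpreter(script_path)
    if interp is None:
        return "no #! line"
    if not os.path.isfile(interp):
        return f"interpreter not found: {interp}"
    if not os.access(script_path, os.X_OK):
        return "script not executable"
    return "ok"

def build_sample_cgi_dir():
    """Constructed cgi-bin: one script whose #! names the interpreter running
    this code, one naming a path that does not exist (the Solaris-style
    mismatch from the post). Returns {name: path}."""
    d = tempfile.mkdtemp(prefix="cgi-bin-")
    scripts = {
        "dvbpass_ok.cgi": f"#!{sys.executable}\nprint('Content-Type: text/plain\\n\\nok')\n",
        "dvbpass.cgi": "#!/opt/nonexistent/bin/perl\nprint \"Content-Type: text/plain\\n\\nok\";\n",
    }
    paths = {}
    for name, body in scripts.items():
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write(body)
        os.chmod(p, 0o755)
        paths[name] = p
    return paths

if __name__ == "__main__":
    for name, path in build_sample_cgi_dir().items():
        print(f"{name}: {check_cgi_script(path)}")
```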



[users@httpd] apache 2.4 includes vi .swp files

2017-05-09 Thread Hajo Locke

Hello,

I found an interesting difference between the include behaviour of Apache 2.2 
and 2.4.


Have an include in apache2.conf:

Include /etc/apache2/conf.d/

When editing a conf file in this folder with vi, vi creates a new swp file.
Let's say I edit a file logging.conf; vi then creates a file .logging.conf.swp.

When running "apachectl configtest" at this particular time, apache 2.4 
tries to include the .logging.conf.swp which fails, because 
.logging.conf.swp is binary and invalid.

This prevents Apache 2.4 from starting successfully and leads to downtime.

Apache 2.2 does not try to include this .swp file and restarts 
successfully. The Include is the same as above. (Include /etc/apache2/conf.d/)


A quick fix could be to include only *.conf files:

Include /etc/apache2/conf.d/*.conf

But I wonder if Apache should basically try to include a file 
"beginning with dot"/"ending with swp", which generally indicates a 
temporary/hidden file.

In my opinion the include behaviour of Apache 2.2 was more practice-oriented.

Thanks,
Hajo

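An added pre-flight check (my own Python, not from the thread or from httpd) for the gotcha described above and in Nick Kew's reply: it lists what a bare `Include /etc/apache2/conf.d/` would read versus the `Include /etc/apache2/conf.d/*.conf` form, on a constructed temporary conf.d holding one real file, a vi swap file and an editor backup copy. It looks at the top level only; httpd's directory form of Include also descends into subdirectories.

```python
import fnmatch
import os
import tempfile

def include_candidates(conf_dir, pattern=None):
    """Regular files that an Include of conf_dir would read (top level only).
    With pattern, e.g. "*.conf", keep only matching names, like the glob form
    of Include. Sorted by name, which is the order httpd reads them in."""
    names = sorted(n for n in os.listdir(conf_dir)
                   if os.path.isfile(os.path.join(conf_dir, n)))
    if pattern:
        names = [n for n in names if fnmatch.fnmatchcase(n, pattern)]
    return names

def stray_files(conf_dir):
    """Names a directory-wide Include would load that "*.conf" would not:
    editor swap files, backups, hidden files. Run before apachectl configtest."""
    wanted = set(include_candidates(conf_dir, "*.conf"))
    return [n for n in include_candidates(conf_dir) if n not in wanted]

def build_sample_conf_dir():
    """Constructed sample conf.d: one real file, the vi swap file from the
    post, and an editor backup copy."""
    d = tempfile.mkdtemp(prefix="conf.d-")
    with open(os.path.join(d, "logging.conf"), "w") as f:
        f.write("LogLevel warn\n")
    with open(os.path.join(d, ".logging.conf.swp"), "wb") as f:
        f.write(b"b0VIM 8.0\x00\x00 binary swap contents")
    with open(os.path.join(d, "ssl.conf~"), "w") as f:
        f.write("# editor backup copy\n")
    return d

if __name__ == "__main__":
    d = build_sample_conf_dir()
    print("Include dir/        ->", include_candidates(d))
    print("Include dir/*.conf  ->", include_candidates(d, "*.conf"))
    print("remove before restart:", stray_files(d))
```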



[users@httpd] ProxyPass with Location in 2.4.25

2017-05-09 Thread Michael Haas
Hello, we upgraded from 2.4.18 to 2.4.25 and now our configuration
isn't working anymore.

   ProxyPreserveHost On

   
  BalancerMember http://xxx.xx.xx.xx:8080 route=vm_0 ping=5
  BalancerMember http://xxx.xx.xx.xx:8080 route=vm_1 ping=5
   

   
 ProxyPass balancer://ppp/system
stickysession=JSESSIONID|jsessionid scolonpathdelim=On
 ProxyPassReverse balancer://ppp/system
 ProxyPassReverse http://ppp.local/system
 ProxyPassReverse https://ppp.local/system
 ProxyPassReverseCookiePath /system /service
   

   ProxyPass /error !
   ProxyPass /manager !
   ProxyPass / balancer://ppp/ stickysession=JSESSIONID|jsessionid
scolonpathdelim=On
   ProxyPassReverse / balancer://ppp/

With 2.4.25 all requests are routed through the last ProxyPass, the
Location directive is ignored so the rewrite from the context is not
happening.
If I put the last ProxyPass in a Location directive like  it's again working.

Is this an intended change?

Thanks in Advance
Michael