[users@httpd] Error with Kerberos in Apache
Well, I tried my first test and it works: if I authenticate with the LDAP provider without Kerberos it works, but when I try to add Kerberos, error messages show up in the log. Any idea? No errors in apachectl configtest.

### cat /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = REDE.COM.BR
 dns_lookup_realm = false
 dns_lookup_kdc = true
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 REDE.COM.BR = {
  kdc = REDE.COM.BR
  admin_server = REDE.COM.BR
 }

[domain_realm]
 .rede.com.br=REDE.COM.BR
 rede.com.br=REDE.COM.BR

### kinit root
Password for r...@rede.com.br:

klist
Ticket cache: KEYRING:persistent:0:0
Default principal: r...@rede.com.br

Valid starting       Expires              Service principal
05/09/2017 09:45:36  05/09/2017 19:45:36  krbtgt/rede.com...@rede.com.br
        renew until 05/16/2017 09:45:34

### cat /etc/httpd/conf.d/proxy.conf

ProxyPreserveHost Off
ProxyPass / http://localhost:631/
ProxyPassReverse / http://localhost:631/
LogLevel debug

AuthType Kerberos
KrbMethodNegotiate On
AuthName "REDE.COM.BR Domain Login"
KrbMethodK5Passwd On
KrbAuthRealms REDE.COM.BR
Krb5KeyTab /etc/httpd/conf.d/httpd.keytab
KrbLocalUserMapping on
require valid-user

# AuthName "Informe usuario da rede"
# AuthType Basic
# AuthBasicProvider ldap
AuthLDAPUrl ldap://rede.com.br/ou=usuarios,dc=rede,dc=com,dc=br?sAMAccountName
AuthLDAPBindDN cn=users,dc=rede,dc=com,dc=br
AuthLDAPBindPassword XX
Require valid-user
LDAPReferrals Off
#

### [root@delorean1 conf.d]# tail -f /var/log/httpd/error_log

[Mon May 08 17:48:42.320886 2017] [auth_kerb:error] [pid 19879] [client 10.251.14.140:55636] failed to verify krb5 credentials: Server not found in Kerberos database, referer: http://10.1.1.75/
[Mon May 08 17:48:42.320898 2017] [auth_kerb:debug] [pid 19879] src/mod_auth_kerb.c(1127): [client 10.251.14.140:55636] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL), referer: http://10.1.1.75/
[Mon May 08 17:48:55.301656 2017] [authz_core:debug] [pid 19881] mod_authz_core.c(809): [client 10.251.14.140:55638] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: http://10.1.1.75/
[Mon May 08 17:48:55.301702 2017] [authz_core:debug] [pid 19881] mod_authz_core.c(809): [client 10.251.14.140:55638] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: http://10.1.1.75/
[Mon May 08 17:48:55.301710 2017] [authz_core:debug] [pid 19881] mod_authz_core.c(809): [client 10.251.14.140:55638] AH01626: authorization result of : denied (no authenticated user yet), referer: http://10.1.1.75/
[Mon May 08 17:48:55.301736 2017] [auth_kerb:debug] [pid 19881] src/mod_auth_kerb.c(1954): [client 10.251.14.140:55638] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://10.1.1.75/
[Mon May 08 17:48:55.302037 2017] [auth_kerb:debug] [pid 19881] src/mod_auth_kerb.c(1048): [client 10.251.14.140:55638] Using HTTP/10.1.1.75@ as server principal for password verification, referer: http://10.1.1.75/
[Mon May 08 17:48:55.302062 2017] [auth_kerb:debug] [pid 19881] src/mod_auth_kerb.c(752): [client 10.251.14.140:55638] Trying to get TGT for user rede.com.brr...@rede.com.br, referer: http://10.1.1.75/
[Mon May 08 17:48:55.306313 2017] [auth_kerb:error] [pid 19881] [client 10.251.14.140:55638] krb5_get_init_creds_password() failed: Client not found in Kerberos database, referer: http://10.1.1.75/
[Mon May 08 17:48:55.306348 2017] [auth_kerb:debug] [pid 19881] src/mod_auth_kerb.c(1127): [client 10.251.14.140:55638] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL), referer: http://10.1.1.75/

--
<<<--->>>
< Jesus said to him: I am the way, the truth and the life; no one comes to the Father except through me > (John 14:6)
Regards,
♪ ♫ Luiz Guilherme Nunes Fernandes ♫ ♪
<<<--->>>
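An added diagnostic, not part of the post or of mod_auth_kerb: the two auth_kerb errors above involve two different principal names, a server principal built from the IP address the browser used (HTTP/10.1.1.75 with an empty realm) and a user principal with the domain name glued onto the user part. This script maps such error_log lines to findings; the sample lines and the user name in them are constructed, and the reading that an IP-host, no-realm service principal cannot match a keytab entry for the FQDN is my interpretation of the log, not something the thread states.

```python
import ipaddress
import re

# Constructed sample lines modelled on the auth_kerb messages quoted above
# (user name is a placeholder; nothing here is copied from the page).
SAMPLE_LOG = """\
[auth_kerb:debug] [client 10.251.14.140:55638] Using HTTP/10.1.1.75@ as server principal for password verification
[auth_kerb:debug] [client 10.251.14.140:55638] Trying to get TGT for user rede.com.brjdoe@REDE.COM.BR
[auth_kerb:error] [client 10.251.14.140:55638] krb5_get_init_creds_password() failed: Client not found in Kerberos database
[auth_kerb:error] [client 10.251.14.140:55636] failed to verify krb5 credentials: Server not found in Kerberos database
"""

SERVER_PRINCIPAL = re.compile(r"Using (?P<svc>[^/\s]+)/(?P<host>[^@\s]+)@(?P<realm>\S*) as server principal")
CLIENT_PRINCIPAL = re.compile(r"Trying to get TGT for user (?P<user>[^@\s]+)@(?P<realm>\S+)")


def is_ip_literal(host):
    """True when the host part of a principal is an IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def diagnose(log_text):
    """Return (code, explanation) findings for an auth_kerb error_log excerpt, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = SERVER_PRINCIPAL.search(line)
        if m and (is_ip_literal(m["host"]) or not m["realm"]):
            findings.append(("SPN_HOST_IS_IP_OR_NO_REALM",
                             f"service principal {m['svc']}/{m['host']}@{m['realm']}: IP host or empty realm, "
                             "so no keytab entry for the FQDN can match; put the FQDN in ServerName and the URL"))
        m = CLIENT_PRINCIPAL.search(line)
        if m and m["realm"].lower() in m["user"].lower():
            findings.append(("USER_HAS_DOMAIN_PREFIX",
                             f"client principal {m['user']}@{m['realm']}: realm name glued to the user part, "
                             "so a domain-qualified login was probably typed; use the bare user name"))
        if "Server not found in Kerberos database" in line:
            findings.append(("KDC_SERVER_NOT_FOUND",
                             "KDC has no principal matching the one httpd presented; compare klist -kt <keytab> "
                             "with the host name clients use"))
        if "Client not found in Kerberos database" in line:
            findings.append(("KDC_CLIENT_NOT_FOUND",
                             "the user principal sent to the KDC does not exist; check the user name format"))
    return findings
```

Run `diagnose(open("/var/log/httpd/error_log").read())` on a real excerpt; an empty list means none of the four patterns matched.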
Re: [users@httpd] Problem running cgi-bin scripts
On Tue, May 09, 2017 at 04:58:41AM -0500, Mike Brown wrote:
> On Tue, May 09, 2017 at 10:30:09AM +0100, Nick Kew wrote:
> > On Tue, 9 May 2017 03:30:25 -0500
> > Mike Brown wrote:
> >
> > > [Mon May 08 21:17:30.683456 2017] [cgi:error] [pid 23578] [client
> > > 192.168.1.1:55099] AH01215: (2)No such file or directory: exec of
> > > '/home/httpd/cgi-bin/dvbpass.cgi'
> >
> > At a guess, the script itself won't run. Do you need to update
> > a path in a shebang line, for instance?
>
> Doh! I totally forgot that perl is in an off-the-wall place under Solaris.
> I was busy wrapping my head around the wp-login issue, that the path
> totally slipped my mind. I thought that it was causing my script not to run.
> I was chasing the wrong error first.
>
> > > 2017] [:error] [pid 23782] [client 192.36.27.6:16800] script
> > > '/WebDisk/http/htdocs/vidiot/wp-login.php' not found or unable to stat
> >
> > 192.36.* is not conventionally local NAT!
> > Could it be some random probe?
>
> The above error was showing up at the same time that the cgi-bin script
> would not run. Now that the script is running, that error is gone.
> Something in the httpd code?
>
> Thanks for pointing me in the right direction. As they say, a fresh set of
> eyes.

The wp-login.php error is no longer there, even with the bad path. Really weird.

All is well now.

MB
--
e-mail: vid...@vidiot.com | vid...@vidiot.net          /~\ The ASCII
6082066...@email.uscc.net (140 char limit)             \ / Ribbon Campaign
Visit - URL: http://vidiot.com/                          X  Against
             http://vidiot.net/                         / \ HTML Email
"You're Sherlock Holmes, wear the damn hat!" - Watson to Sherlock
Sherlock - The Abominable Bride - 1/01/16

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Problem running cgi-bin scripts
On Tue, May 09, 2017 at 10:30:09AM +0100, Nick Kew wrote:
> On Tue, 9 May 2017 03:30:25 -0500
> Mike Brown wrote:
>
> > [Mon May 08 21:17:30.683456 2017] [cgi:error] [pid 23578] [client
> > 192.168.1.1:55099] AH01215: (2)No such file or directory: exec of
> > '/home/httpd/cgi-bin/dvbpass.cgi'
>
> At a guess, the script itself won't run. Do you need to update
> a path in a shebang line, for instance?

Doh! I totally forgot that perl is in an off-the-wall place under Solaris. I was busy wrapping my head around the wp-login issue, that the path totally slipped my mind. I thought that it was causing my script not to run. I was chasing the wrong error first.

> > 2017] [:error] [pid 23782] [client 192.36.27.6:16800] script
> > '/WebDisk/http/htdocs/vidiot/wp-login.php' not found or unable to stat
>
> 192.36.* is not conventionally local NAT!
> Could it be some random probe?

The above error was showing up at the same time that the cgi-bin script would not run. Now that the script is running, that error is gone. Something in the httpd code?

Thanks for pointing me in the right direction. As they say, a fresh set of eyes.

MB
--
e-mail: vid...@vidiot.com | vid...@vidiot.net          /~\ The ASCII
6082066...@email.uscc.net (140 char limit)             \ / Ribbon Campaign
Visit - URL: http://vidiot.com/                          X  Against
             http://vidiot.net/                         / \ HTML Email
"You're Sherlock Holmes, wear the damn hat!" - Watson to Sherlock
Sherlock - The Abominable Bride - 1/01/16
Re: [users@httpd] apache 2.4 includes vi .swp files
On Tue, 9 May 2017 10:19:06 +0200
Hajo Locke wrote:

> Include /etc/apache2/conf.d/

Is this usage suggested or documented anywhere? If it is then I would be inclined to agree, that's a gotcha that should be noted in the docs.

> A quick fix could be to include only *.conf files:
>
> Include /etc/apache2/conf.d/*.conf

As far as I can see, this is precisely what our docs suggest.

> But I wonder if Apache should basically try to include a file
> "beginning with dot"/"ending with swp" which generally indicates a
> temporary/hidden file.

Once you start excluding files by convention (which may be entirely different and inappropriate on another platform), it's a minefield.

--
Nick Kew
Re: [users@httpd] Problem running cgi-bin scripts
On Tue, 9 May 2017 03:30:25 -0500
Mike Brown wrote:

> [Mon May 08 21:17:30.683456 2017] [cgi:error] [pid 23578] [client
> 192.168.1.1:55099] AH01215: (2)No such file or directory: exec of
> '/home/httpd/cgi-bin/dvbpass.cgi'

At a guess, the script itself won't run. Do you need to update a path in a shebang line, for instance?

> 2017] [:error] [pid 23782] [client 192.36.27.6:16800] script
> '/WebDisk/http/htdocs/vidiot/wp-login.php' not found or unable to stat

192.36.* is not conventionally local NAT! Could it be some random probe?

Clearly you have some non-standard paths, including that one, somewhere in your configuration.

--
Nick Kew
Re: [users@httpd] AuthLDAPInitialBindAsUser etc.
> > On Mon, May 8, 2017 at 10:37 AM, Dirk van Deun wrote:
> >>
> >> Are you able to recompile?
> >>
> >> untested: http://people.apache.org/~covener/patches/2.4.x-bindpw_empty.diff
> >>
> >> you would not specify the directive in your case
> >>
> >
> > That fixes it. If there is no other way around this, it would indeed
> > seem to be a bug.
> >
> I can't really think of any feasible workaround to intercept that and
> replace the password.
>
> If you're able, can you confirm s/AUTH_USER_NOT_FOUND/AUTH_DENIED/
> works too? Probably more appropriate.
>

That is okay: no visible difference for the user.

By the way, do you think there is actually a good use case for AuthLDAPInitialBindAsUserAllowEmptyPassword? It amounts to allowing users to implement their own passwordless bind, presumably for servers that are secured not to allow anonymous bind, or else you would use anonymous bind in the first place...

Dirk van Deun
--
Ceterum censeo Redmond delendum
Re: [users@httpd] ProxyPass with Location in 2.4.25
On Tue, 9 May 2017 10:08:36 +0200
Michael Haas wrote:

> With 2.4.25 all requests are routed through the last ProxyPass, the
> Location directive is ignored so the rewrite from the context is not
> happening.
> If I put the last ProxyPass in a Location directive like "^/(?!service)"> it's again working.
>
> Is this an intended change?

Interesting. No, an upgrade between different 2.4.x versions shouldn't have broken your configuration, unless a security fix had made it unavoidable (which isn't the case here). And that should've been clearly documented as an upgrade note!

Are you sure nothing else changed at the same time as your upgrade? Did you build from source or install a packaged or third-party version?

--
Nick Kew
[users@httpd] Problem running cgi-bin scripts
I've been using Apache 2.2 on an old Solaris box for ages. I'm finally bringing up a new Linux server and have the latest 2.4 version up and running. Sort of.

When I try and run any of the cgi-bin scripts that I have (there is really only one that I use), I get the following error logged:

[Mon May 08 21:17:30.683456 2017] [cgi:error] [pid 23578] [client 192.168.1.1:55099] AH01215: (2)No such file or directory: exec of '/home/httpd/cgi-bin/dvbpass.cgi' failed: /home/httpd/cgi-bin/dvbpass.cgi
[Mon May 08 21:17:30.685328 2017] [cgi:error] [pid 23578] [client 192.168.1.1:55099] End of script output before headers: dvbpass.cgi
[Mon May 08 21:52:06.458293 2017] [:error] [pid 23782] [client 192.36.27.6:16800] script '/WebDisk/http/htdocs/vidiot/wp-login.php' not found or unable to stat

Here are the lines in the config file dealing with cgi-bin:

ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/"
ScriptAlias /mailman/ "/usr/local/mailman/cgi-bin/"

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
    AllowOverride None
    Options None
    Require all granted

    AllowOverride None
    Options None
    Require all granted

I do not have the mail server up and running yet, nor do I have mailman up, so I do not know if the mailman cgi-bin stuff will also fail.

The WordPress and MariaDB packages are not installed. I even tried looking for wp-login.php in /etc, /usr and /var, just to make sure that it wasn't somewhere on the system. So, I am confused as to why Apache is trying to use wp-login.php. Or, by chance, is this another SELinux thing (which I've used before)?

Any tips will be appreciated. Thanks.

MB
--
e-mail: vid...@vidiot.com | vid...@vidiot.net          /~\ The ASCII
6082066...@email.uscc.net (140 char limit)             \ / Ribbon Campaign
Visit - URL: http://vidiot.com/                          X  Against
             http://vidiot.net/                         / \ HTML Email
"You're Sherlock Holmes, wear the damn hat!" - Watson to Sherlock
Sherlock - The Abominable Bride - 1/01/16
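An added pre-flight check for the AH01215 failure discussed in this thread (the script's `#!` line pointing at an interpreter path from the old Solaris box), written for this page and not part of httpd or the poster's setup: it walks a ScriptAlias directory and reports scripts whose interpreter does not exist or is not executable, which is exactly the case in which execve() fails with ENOENT and httpd logs "(2)No such file or directory: exec of ...". The directory contents in `demo()` are constructed, and the Solaris-style path /opt/csw/bin/perl is assumed not to exist on the machine running this.

```python
import os
import tempfile


def shebang_interpreter(script_path):
    """Return the interpreter named on the script's #! line, or None if there is none."""
    with open(script_path, "rb") as f:
        first = f.readline()
    if not first.startswith(b"#!"):
        return None
    parts = first[2:].split()
    return parts[0].decode() if parts else None


def check_cgi_dir(cgi_dir):
    """Map each file in a ScriptAlias directory to a problem string; '' means exec should work."""
    report = {}
    for name in sorted(os.listdir(cgi_dir)):
        path = os.path.join(cgi_dir, name)
        if not os.path.isfile(path):
            continue
        interp = shebang_interpreter(path)
        if not os.access(path, os.X_OK):
            report[name] = "script is not executable"
        elif interp is None:
            report[name] = "no #! line: fine only for a native binary"
        elif not (os.path.isfile(interp) and os.access(interp, os.X_OK)):
            # execve() of a script whose interpreter is absent fails with ENOENT,
            # which httpd logs as "(2)No such file or directory: exec of ..." (AH01215).
            report[name] = f"interpreter {interp} not found"
        else:
            report[name] = ""
    return report


def demo():
    """Constructed cgi-bin: one script with a Solaris-style perl path that does not exist here."""
    scripts = {
        "ok.cgi": b"#!/bin/sh\necho 'Content-Type: text/plain'\necho\necho hello\n",
        "dvbpass.cgi": b"#!/opt/csw/bin/perl\nprint \"Content-Type: text/plain\\n\\nhello\\n\";\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in scripts.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(body)
            os.chmod(path, 0o755)
        return check_cgi_dir(d)
```

Point `check_cgi_dir()` at the real ScriptAlias target (here /home/httpd/cgi-bin) before reloading httpd; entries with a non-empty string are the scripts that will fail before producing any headers.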
[users@httpd] apache 2.4 includes vi .swp files
Hello,

found an interesting difference between the include behaviour of Apache 2.2 and 2.4.

Have an include in apache2.conf:

Include /etc/apache2/conf.d/

When editing a conf file in this folder with vi, vi creates a new swp file. Let's say I edit a file logging.conf, so vi creates a file .logging.conf.swp.

When running "apachectl configtest" at this particular time, Apache 2.4 tries to include the .logging.conf.swp, which fails, because .logging.conf.swp is binary and invalid. This prevents Apache 2.4 from starting successfully and leads to downtime.

Apache 2.2 does not try to include this .swp file and restarts successfully. Include is the same as above. (Include /etc/apache2/conf.d/)

A quick fix could be to include only *.conf files:

Include /etc/apache2/conf.d/*.conf

But I wonder if Apache should basically try to include a file "beginning with dot"/"ending with swp", which generally indicates a temporary/hidden file.
In my opinion the include behaviour of Apache 2.2 was more practice-oriented.

Thanks,
Hajo
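An added audit for the gotcha in this post and in Nick Kew's reply above (a bare directory Include pulling in a vi swap file), written for this page and not part of httpd: `bare_directory_includes()` finds Include lines that name a whole directory instead of a `*.conf` glob, and `stray_includes()` lists what such an Include would parse that the glob would skip. The apache2.conf fragment and the conf.d contents in `demo()` are constructed; the behaviour assumed (directory form parses every regular file, glob form only matching names) is what the thread reports for 2.4.

```python
import fnmatch
import os
import re
import tempfile

# Assumption taken from the thread: a bare "Include <dir>/" parses every regular file
# in the directory, while "Include <dir>/*.conf" parses only names matching the glob.
INCLUDE_RE = re.compile(r"^\s*Include(?:Optional)?\s+(\S+)", re.IGNORECASE)


def bare_directory_includes(config_text):
    """Include arguments that name a whole directory (trailing slash or an existing dir)."""
    hits = []
    for line in config_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m and (m.group(1).endswith("/") or os.path.isdir(m.group(1))):
            hits.append(m.group(1))
    return hits


def stray_includes(conf_dir, keep_glob="*.conf"):
    """Files a directory Include would parse but the *.conf glob would skip
    (editor swap files, backups, hidden files)."""
    return [n for n in sorted(os.listdir(conf_dir))
            if os.path.isfile(os.path.join(conf_dir, n)) and not fnmatch.fnmatch(n, keep_glob)]


def demo():
    """Constructed apache2.conf fragment and conf.d mirroring the post: an open vi swap file."""
    config = ("Include /etc/apache2/ports.conf\n"
              "Include /etc/apache2/conf.d/\n"
              "IncludeOptional /etc/apache2/sites-enabled/*.conf\n")
    with tempfile.TemporaryDirectory() as d:
        for name in ("logging.conf", ".logging.conf.swp", "ssl.conf", "security.conf~"):
            payload = b"\x00vim swap\x00" if name.endswith(".swp") else b"# valid httpd config\n"
            with open(os.path.join(d, name), "wb") as f:
                f.write(payload)
        return bare_directory_includes(config), stray_includes(d)
```

Running `stray_includes("/etc/apache2/conf.d")` just before `apachectl configtest` shows whether a swap or backup file is about to be parsed; a non-empty result is the downtime case described in the post.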
[users@httpd] ProxyPass with Location in 2.4.25
Hello,

we upgraded from 2.4.18 to 2.4.25 and now our configuration isn't working anymore.

ProxyPreserveHost On

    BalancerMember http://xxx.xx.xx.xx:8080 route=vm_0 ping=5
    BalancerMember http://xxx.xx.xx.xx:8080 route=vm_1 ping=5

    ProxyPass balancer://ppp/system stickysession=JSESSIONID|jsessionid scolonpathdelim=On
    ProxyPassReverse balancer://ppp/system
    ProxyPassReverse http://ppp.local/system
    ProxyPassReverse https://ppp.local/system
    ProxyPassReverseCookiePath /system /service

ProxyPass /error !
ProxyPass /manager !
ProxyPass / balancer://ppp/ stickysession=JSESSIONID|jsessionid scolonpathdelim=On
ProxyPassReverse / balancer://ppp/

With 2.4.25 all requests are routed through the last ProxyPass, the Location directive is ignored so the rewrite from the context is not happening.
If I put the last ProxyPass in a Location directive like it's again working.

Is this an intended change?

Thanks in advance
Michael