gssapi / mod_auth_gssapi

GSSAPI Negotiate module for Apache

Issue with Amazon Linux 2023 #286

Open Lud3rik opened 1 year ago

Lud3rik commented 1 year ago

Hello,

I recently migrated from mod_auth_kerb to mod_auth_gssapi. Indeed, AWS recently decided to remove mod_auth_gssapi from their package manager for Amazon Linux 2023. So I decided to build the module myself to implement it with the master branch from the sources here.

After 3 days of debugging, my SSO was still broken. I got the same message NO AUTH DATA Client did not send any authentication headers...

So I decided to try another tag like v1.5.0 for my SSO, and then the issue was solved.

So here is the information about the image I used: al2023-ami-2023.0.20230517.1-kernel-6.1-arm64

[ec2-user@instance]$ cat /etc/amazon-linux-release
Amazon Linux release 2023 (Amazon Linux)
[ec2-user@instance]$ uname -r
6.1.27-43.48.amzn2023.aarch64
[ec2-user@instance]$ httpd -V
Server version: Apache/2.4.56 (Amazon Linux)
Server built:   Mar 15 2023 00:00:00
Server's Module Magic Number: 20120211:126
Server loaded:  APR 1.7.2, APR-UTIL 1.6.3, PCRE 10.40 2022-04-14
Compiled using: APR 1.7.2, APR-UTIL 1.6.3, PCRE 10.40 2022-04-14
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
  forked:       yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_PROC_PTHREAD_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="run/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

I think this issue deserves to be reported.

simo5 commented 1 year ago

Do you have any debug log from the failures?

Lud3rik commented 1 year ago

I just made a fresh compilation with origin/master to reproduce the issue. I don't see any errors, even with GssapiPublishErrors On.

The only logs I see are info:

[Wed Jun 07 17:15:19.580356 2023] [auth_gssapi:info] [pid 199524:tid 199586] [client 10.xx.xx.xx:15524] NO AUTH DATA Client did not send any authentication headers
[Wed Jun 07 17:17:48.262748 2023] [auth_gssapi:info] [pid 200218:tid 200345] [client 10.xx.xx.xx:29362] NO AUTH DATA Client did not send any authentication headers
[Wed Jun 07 17:17:49.934162 2023] [auth_gssapi:info] [pid 200218:tid 200348] [client 10.xx.xx.xx:29362] NO AUTH DATA Client did not send any authentication headers

Tested with the vhost below:

<VirtualHost *:80>

    ServerName app.domain.com
    ServerAlias app.domain-priv.com
    ServerAdmin webmaster@localhost

    ErrorLog /var/log/httpd/logs/app/error.log
    CustomLog /etc/httpd/logs/app/access.log combined
    LogLevel debug

    RewriteEngine On
    RewriteRule "^/$" /somewhere/ [R]
    ProxyPass /somewhere/ ajp://localhost:8009/somewhere/
    ProxyPassReverse /somewhere/ ajp://localhost:8009/somewhere/

        <Location /somewhere/home.fl>
            AuthType GSSAPI
            AuthName "SSO APP"

            BrowserMatch Windows gssapi-no-negotiate
            Require valid-user

            GssapiCredStore keytab:/etc/httpd/conf/httpd-app.keytab
            GssapiNegotiateOnce On
            GSSapiImpersonate On
            GssapiSessionKey file:/var/cache/httpd/session.key
            GssapiUseSessions On
            GssapiPublishErrors On

            Session On
            SessionCookieName gssapi_session path=/private;httponly;secure;

        </Location>

</VirtualHost>

What I see in my browser

Unauthorized
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

Works fine with v1.5.0 but not with origin/master.
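As an added debugging aid (not part of this issue or of the mod_auth_gssapi code): the log lines above say the client sent no authentication header at all, so the first thing to confirm is that the server's 401 response actually carries a WWW-Authenticate: Negotiate challenge, because a browser only sends a ticket after seeing that. This Python script parses auth_gssapi error_log lines of the shape quoted in the thread, counts NO AUTH DATA events per client, and checks a response's headers for the Negotiate scheme; the sample log lines and addresses are constructed.

```python
import re
import urllib.error
import urllib.request

# Matches the auth_gssapi error_log lines quoted in the report; other modules' lines are skipped.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_gssapi:(?P<level>\w+)\] \[pid \d+:tid \d+\] "
    r"\[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)

def parse_gssapi_log(lines):
    """Return one dict per auth_gssapi line (ts, level, client as 'ip:port', msg)."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]

def no_auth_data_by_client(entries):
    """Count 'NO AUTH DATA' events per client IP, port stripped."""
    counts = {}
    for e in entries:
        if e["msg"].startswith("NO AUTH DATA"):
            ip = e["client"].rsplit(":", 1)[0]
            counts[ip] = counts.get(ip, 0) + 1
    return counts

def negotiate_offered(status, headers):
    """True if a 401 response advertises the Negotiate scheme in WWW-Authenticate.
    Without that challenge the browser never sends a ticket and the module keeps
    logging NO AUTH DATA, so check this before suspecting the client."""
    if status != 401:
        return False
    schemes = [v.split()[0].lower() for k, v in headers
               if k.lower() == "www-authenticate" and v.strip()]
    return "negotiate" in schemes

def probe_negotiate(url):
    """Unauthenticated GET against a live server (needs network); True if Negotiate is offered."""
    try:
        urllib.request.urlopen(urllib.request.Request(url))
        return False  # 200 with no challenge: the path is not protected at all
    except urllib.error.HTTPError as err:
        return negotiate_offered(err.code, list(err.headers.items()))

# Constructed sample log, same shape as the lines in the report (addresses are made up).
SAMPLE_LOG = [
    "[Wed Jun 07 17:15:19.580356 2023] [auth_gssapi:info] [pid 199524:tid 199586] [client 10.0.0.5:15524] NO AUTH DATA Client did not send any authentication headers",
    "[Wed Jun 07 17:17:48.262748 2023] [auth_gssapi:info] [pid 200218:tid 200345] [client 10.0.0.5:29362] NO AUTH DATA Client did not send any authentication headers",
    "[Wed Jun 07 17:17:49.934162 2023] [core:debug] [pid 200218:tid 200348] [client 10.0.0.7:4000] AH00128: File does not exist: /var/www/html/favicon.ico",
    "[Wed Jun 07 17:18:01.000000 2023] [auth_gssapi:info] [pid 200218:tid 200348] [client 10.0.0.7:4001] NO AUTH DATA Client did not send any authentication headers",
]
```

Run probe_negotiate("http://app.domain.com/somewhere/home.fl") from a host that can reach the vhost; False from that call means the protected location is not issuing the Negotiate challenge, which is a server-side configuration or module problem rather than a browser one.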

Lud3rik commented 1 year ago

Any news about this strange behaviour?