HPE Community
Operating System - HP-UX
1820116 Members
3293 Online
109619 Solutions
New Discussion юеВ

Re: CIFS, Apache and Active Directory

 
Jim Gallagher
Occasional Advisor

тАО01-13-2010 11:40 PM

тАО01-13-2010 11:40 PM

CIFS, Apache and Active Directory

I am trying to get Apache to authenticate users against Active Directory. The server in question already has CIFS installed, and the server has been joined to the domain. CIFS works fine, and the security setting in smb.conf is ADS.

I am attempting to use the CIFS Server Administrator's Guide, Chapter 8 (Kerberos Support), Section 3 (HP-UX Kerberos Application Co-existence) as a guide to get both CIFS and Apache to both authenticate against AD. Both Apache and CIFS are the HP supplied packages. Software versions are:

HP-UX 11.23
hpuxwsApache B.2.0.58.00 HP-UX Apache-based Web Server
B8725AA A.02.03 HP CIFS Server
PHSS_34991 1.0 KRB5-Client Version 1.0 Cumulative patch
PHSS_31756 1.0 GSS-API Version 1.0 Cumulative patch
KRB5CLIENT D.1.3.5.07 Kerberos V5 Client Version 1.3.5.07


Here is my /etc/krb5.conf:

[libdefaults]
default_realm = MYREALM.COMPANY.COM
default_tkt_enctypes = DES-CBC-MD5
default_tgs_enctypes = DES-CBC-MD5
ccache_type = 2
###default_keytab_name = "WRFILE:/etc/krb5.keytab"

[realms]
MYREALM.COMPANY.COM = {
kdc = dc03.myrealm.company.com:88
admin_server = dc03.myrealm.company.com
}
[domain_realm]
.company.com = MYREALM.COMPANY.COM


[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log


Here are the applicable parts of httpd.conf:
LoadModule auth_kerb_module modules/mod_auth_kerb.so


AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbVerifyKDC off
KrbServiceName cifs
Krb5Keytab /etc/krb5.keytab
KrbSaveCredentials off

require valid-user





Apache starts without an error. From an XP client with IE 6, logged into the same AD domain as the CIFS/Apache server belongs to, I make a request for http://myserver.company.com/test. The browser presents me with a login dialog, and I enter my AD credentials. The server returns a page that says:

Bad Request
Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.

Authorization: Negotiate YIId3AYGKwYBBQUCoIId0DCCHcygJDAiBgkqhkiC9xIBAgIG

Apache/2.0.58 HP-UX_Apache-based_Web_Server (Unix) DAV/2 mod_auth_kerb/5.0-rc6 Server at myserver.company.com Port 80


The Apache error_log has this entry:
[Wed Jan 13 23:26:32 2010] [error] [client 192.168.1.50] request failed: error reading the headers


Any help appreciated!

Thanks,
Jim Gallagher
0 Kudos
Reply
4 REPLIES 4
Horia Chirculescu
Honored Contributor

тАО01-14-2010 12:14 AM

тАО01-14-2010 12:14 AM

Re: CIFS, Apache and Active Directory

As usual, in order to understand what it is going on, you must increase the logging level.

Apache uses a directive called LogLevel.

http://httpd.apache.org/docs/2.0/mod/core.html#loglevel

Best regards,
Horia.
Best regards from Romania,
Horia.
0 Kudos
Reply
Jim Gallagher
Occasional Advisor

тАО01-14-2010 07:42 AM

тАО01-14-2010 07:42 AM

Re: CIFS, Apache and Active Directory

I did as you suggested, setting LogLevel to debug, but I did not see any additional output to the log files. Also, there are no logs in /var/log, and nothing related in the syslog.
0 Kudos
Reply
Jim Gallagher
Occasional Advisor

тАО01-14-2010 07:54 AM

тАО01-14-2010 07:54 AM

Re: CIFS, Apache and Active Directory

There was an additional LogLevel directive overriding my debug setting. Once I got that out, here are the new messages:

[Thu Jan 14 07:49:29 2010] [info] Digest: generating secret for digest authentication ...
[Thu Jan 14 07:49:29 2010] [info] Digest: done
[Thu Jan 14 07:49:29 2010] [info] LDAP: Built with OpenLDAP LDAP SDK
[Thu Jan 14 07:49:29 2010] [info] LDAP: SSL support unavailable
[Thu Jan 14 07:49:29 2010] [notice] Apache/2.0.58 HP-UX_Apache-based_Web_Server (Unix) DAV/2 mod_auth_kerb/5.0-rc6 configured -- resuming normal operations
[Thu Jan 14 07:49:29 2010] [info] Server built: Aug 1 2006 19:51:28
[Thu Jan 14 07:49:29 2010] [debug] worker.c(1761): AcceptMutex: sysvsem (default: sysvsem)
[Thu Jan 14 07:49:30 2010] [debug] util_ldap.c(1697): Initialisation of global mutex /opt/hpws/apache/ in child process 24056 successful.
[Thu Jan 14 07:49:42 2010] [debug] src/mod_auth_kerb.c(1322): [client 192.168.1.50] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jan 14 07:49:43 2010] [debug] util_ldap.c(1697): Initialisation of global mutex /opt/hpws/apache/ in child process 24057 successful.
[Thu Jan 14 07:49:48 2010] [error] [client 192.48.21.43] request failed: error reading the headers
0 Kudos
Reply
Horia Chirculescu
Honored Contributor

тАО01-20-2010 05:33 AM

тАО01-20-2010 05:33 AM

Re: CIFS, Apache and Active Directory

I found this on IBM:

http://www-01.ibm.com/support/docview.wss?rs=1083&uid=swg21376396

Maybe there is something wrong with the cookies sent from apache to IE.

Horia.

Best regards from Romania,
Horia.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.