Linux: SSO not working on RHEL Apache 2.2.15 with the auth_kerb module + MS AD Win 2012


Good afternoon. SSO is not working (clients: IE 9, Firefox 38).

error.httpd.log

[Sun Feb 15 10:06:02 2015] [debug] src/mod_auth_kerb.c(1944): [client 172.20.204.231] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sun Feb 15 10:06:02 2015] [debug] src/mod_auth_kerb.c(1944): [client 172.20.204.231] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sun Feb 15 10:06:02 2015] [debug] src/mod_auth_kerb.c(1279): [client 172.20.204.231] Acquiring creds for HTTP/itsm-dev@TEST.DOMAIN.COM.UA
[Sun Feb 15 10:06:02 2015] [debug] src/mod_auth_kerb.c(1698): [client 172.20.204.231] Verifying client data using KRB5 GSS-API
[Sun Feb 15 10:06:02 2015] [debug] src/mod_auth_kerb.c(1714): [client 172.20.204.231] Client didn't delegate us their credential
[Sun Feb 15 10:06:02 2015] [debug] src/mod_auth_kerb.c(1742): [client 172.20.204.231] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Sun Feb 15 10:06:02 2015] [debug] src/mod_auth_kerb.c(1139): [client 172.20.204.231] GSS-API major_status:00070000, minor_status:00000000
[Sun Feb 15 10:06:02 2015] [error] [client 172.20.204.231] gss_accept_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible (, Unknown error)

export KRB5_TRACE=/dev/stdout
 kinit -V -k -t /etc/krb5.keytab -p HTTP/itsmproxy.test.domain.com.ua@test.domain.com.ua
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/itsmproxy.test.domain.com.ua@test.domain.com.ua
Using keytab: /etc/krb5.keytab
[16729] 1424007693.340272: Getting initial credentials for HTTP/itsmproxy.test.domain.com.ua@test.domain.com.ua
[16729] 1424007693.342682: Looked up etypes in keytab: (empty
[16729] 1424007693.342729: Getting initial credentials for HTTP/itsmproxy.test.domain.com.ua@test.domain.com.ua
[16729] 1424007693.342780: Looked up etypes in keytab: (empty
kinit: Keytab contains no suitable keys for HTTP/itsmproxy.test.domain.com.ua@test.domain.com.ua while getting initial credentials

klist -kte /etc/krb5.keytab2
Keytab name: FILE:/etc/krb5.keytab2

KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------

5 01/01/70 03:00:00 HTTP/itsm-dev@TEST.DOMAIN.COM.UA (arcfour-hmac)

Where is the problem?

On the Linux side you are using mod_auth_kerb, which supports Kerberos authentication, but your client is sending NTLMSSP. That is not supported.


If you want NTLMSSP to work, you are better off using the mod_auth_gssapi and gssapi NTLMSSP modules.
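The answer's diagnosis, that the client is sending NTLMSSP rather than a Kerberos ticket, can be checked from a captured `Authorization: Negotiate` header value. The following is an added example, not part of the original thread; the function names and sample tokens are constructed for illustration, and the SPNEGO check is a byte-level heuristic rather than a full ASN.1 parse.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"                           # start of every NTLM message
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
KRB_OIDS = (bytes.fromhex("06092a864886f712010202"),   # 1.2.840.113554.1.2.2
            bytes.fromhex("06092a864882f712010202"))   # 1.2.840.48018.1.2.2 (MS)

def classify_negotiate(header_value):
    """Classify the value of an 'Authorization: Negotiate <base64>' header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                      # binascii.Error subclasses ValueError
        return "invalid-base64"
    if token.startswith(NTLMSSP_SIG):       # bare NTLM, no GSS-API framing
        return "ntlm"
    if len(token) < 2 or token[0] != 0x60:  # 0x60 = GSS-API initial token tag
        return "unknown"
    # Skip the DER length: short form is 1 byte, long form is 0x80|n plus n bytes.
    body = token[2 + (token[1] & 0x7F if token[1] & 0x80 else 0):]
    if body.startswith(KRB_OIDS):
        return "kerberos"
    if body.startswith(OID_SPNEGO):
        rest = body[len(OID_SPNEGO):]
        has_krb = any(oid in rest for oid in KRB_OIDS)
        # Heuristic, not a full ASN.1 parse: an embedded NTLMSSP message means
        # the token actually carried inside SPNEGO is NTLM.
        if NTLMSSP_SIG in rest or (OID_NTLM in rest and not has_krb):
            return "spnego-ntlm"
        if has_krb:
            return "spnego-kerberos"
    return "unknown"

def tlv(tag, value):      # short-form DER TLV, enough for the small samples below
    return bytes([tag, len(value)]) + value

def hdr(raw):             # build a header value from raw token bytes
    return "Negotiate " + base64.b64encode(raw).decode("ascii")

def neg_init(mech_oid, mech_token):   # SPNEGO NegTokenInit with one mechType
    seq = tlv(0x30, tlv(0xA0, tlv(0x30, mech_oid)) + tlv(0xA2, tlv(0x04, mech_token)))
    return tlv(0x60, OID_SPNEGO + tlv(0xA0, seq))

# Constructed samples: only the leading bytes are realistic.
NTLM_TYPE1 = NTLMSSP_SIG + b"\x01\x00\x00\x00" + bytes(20)
SPNEGO_NTLM = hdr(neg_init(OID_NTLM, NTLM_TYPE1))
SPNEGO_KRB = hdr(neg_init(KRB_OIDS[0], tlv(0x60, KRB_OIDS[0] + b"\x01\x00")))
```

A result of `ntlm` or `spnego-ntlm` corresponds to the "received token seems to be NTLM" warning in the question's log.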

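You need to be clear about what you are trying to do and what the problem is. At the moment your question is just a big chunk of log text, not a question.

SSO does not work. I don't know why. The log entry that worries me: Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration. Although kvno says everything is fine: kvno HTTP/itsm-dev@TEST.DOMAIN.COM.UA HTTP/itsm-dev@TEST.DOMAIN.COM.UA: kvno = 5

This module requires a newer httpd and krb5, which are not in the RHEL 6.4 repository.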