mod_auth_gssapi can offer NTLM as a mechanism if the gssntlmssp package is installed. This has the annoying side effect that some browsers will pop up a username/password request dialog if no Krb5 credentials are available. Given we do not configure any NTLM backend explicitly, better to restrict the mechanisms available to just krb5 for now. This will also remove support for IAkerb, which sometimes causes issues with browsers as well.
Action is to add the following to the apache conf: `GssapiAllowedMech krb5`
mod_auth_gssapi has another option that solves the issue of basic auth for ntlmssp:
### GssapiBasicAuthMech

List of mechanisms against which Basic Auth is attempted. This is useful to restrict the mechanisms that can be used to attempt password auth. By default no mechanism is set, this means all locally available mechanisms are allowed, unless GssapiAllowedMech is set, in which case those are used. GssapiBasicAuthMech always takes precedence over GssapiAllowedMech. The recognized mechanism names are: krb5, iakerb, ntlmssp

Example: `GssapiBasicAuthMech krb5`
GssapiAllowedMech and GssapiBasicAuthMech have been introduced in mod_auth_gssapi 1.3.0 but F22 has only mod_auth_gssapi 1.1.0:
```
# systemctl status httpd.service -l
* httpd.service - The Apache HTTP Server
   Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2015-07-17 11:09:59 UTC; 4min 37s ago
  Process: 5687 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=1/FAILURE)
  Process: 5723 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
  Process: 5722 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
 Main PID: 5723 (code=exited, status=1/FAILURE)

Jul 17 11:09:58 ipatest.freeipa.local systemd[1]: Starting The Apache HTTP Server...
Jul 17 11:09:58 ipatest.freeipa.local ipa-httpd-kdcproxy[5722]: ipa : INFO KDC proxy enabled
Jul 17 11:09:58 ipatest.freeipa.local httpd[5723]: AH00526: Syntax error on line 69 of /etc/httpd/conf.d/ipa.conf:
Jul 17 11:09:58 ipatest.freeipa.local httpd[5723]: Invalid command 'GssapiAllowedMech', perhaps misspelled or defined by a module not included in the server configuration
Jul 17 11:09:59 ipatest.freeipa.local systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Jul 17 11:09:59 ipatest.freeipa.local systemd[1]: Failed to start The Apache HTTP Server.
Jul 17 11:09:59 ipatest.freeipa.local systemd[1]: Unit httpd.service entered failed state.
Jul 17 11:09:59 ipatest.freeipa.local systemd[1]: httpd.service failed.

# rpm -q mod_auth_gssapi
mod_auth_gssapi-1.1.0-3.fc22.x86_64
```
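The version gap above is exactly the kind of thing an installer should guard against: on a host with mod_auth_gssapi older than 1.3.0 the directives are rejected and httpd refuses to start, while on a newer build they are the fix. The script below is an added example, not code from FreeIPA or mod_auth_gssapi. It parses an `rpm -q mod_auth_gssapi` style string, compares the version against the 1.3.0 minimum named in the thread, and emits the Krb5-only configuration with the two mechanism restrictions only when the installed module will accept them. The keytab path and the AuthName are placeholders.

```shell
#!/bin/sh
# Added example (not FreeIPA's or mod_auth_gssapi's own code): emit a Krb5-only
# mod_auth_gssapi configuration, adding GssapiAllowedMech/GssapiBasicAuthMech
# only when the installed module is new enough to understand them.

# GssapiAllowedMech and GssapiBasicAuthMech were introduced in 1.3.0.
MIN_VERSION="1.3.0"

# version_ge A B: succeed when dotted version A >= B (relies on sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# rpm_version STR: extract the upstream version from an rpm -q style string,
# e.g. "mod_auth_gssapi-1.1.0-3.fc22.x86_64" -> "1.1.0". Prints nothing on no match.
rpm_version() {
    printf '%s\n' "$1" | sed -n 's/^mod_auth_gssapi-\([0-9][0-9.]*\)-.*$/\1/p'
}

# mag_supports_mech_restrict STR: succeed when the package described by STR
# accepts the mechanism-restriction directives.
mag_supports_mech_restrict() {
    ver=$(rpm_version "$1")
    [ -n "$ver" ] && version_ge "$ver" "$MIN_VERSION"
}

# gssapi_config STR: print the directives for a <Location> block. The keytab
# path and AuthName below are placeholders, not FreeIPA's real values.
gssapi_config() {
    cat <<'EOF'
  AuthType GSSAPI
  AuthName "Kerberos Login"
  # placeholder keytab path
  GssapiCredStore keytab:/path/to/http.keytab
EOF
    if mag_supports_mech_restrict "$1"; then
        # Restrict both the negotiated mechanisms and the ones Basic Auth may
        # try, so neither NTLM nor IAkerb is ever offered to the browser.
        printf '  GssapiAllowedMech krb5\n'
        printf '  GssapiBasicAuthMech krb5\n'
    fi
}

# Usage: gssapi_config "$(rpm -q mod_auth_gssapi)"
```

Run the output through `apachectl configtest` (or `httpd -t`) before reloading; the AH00526 "Invalid command" error in the status output above is what a missing guard produces on the older package.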
mod_auth_gssapi 1.3.0 has landed in Fedora 22.
FreeIPA 4.2.1 was released, moving to 4.2.x.
master:
Metadata Update from @simo:
- Issue assigned to cheimes
- Issue set to the milestone: FreeIPA 4.3