
spnego-http-auth-nginx-module's People

Contributors

aroth-arsoft, bmocm, itglob, lbpdt, lparkes, mclap, medinski94, mike503, muhgatus, neirbowj, oxpa, ppaeps, pyhalov, rbarrois, roguelazer, solj, stnoonan, tkdchen, vjt


spnego-http-auth-nginx-module's Issues

Browsers fail to use Basic auth fallback with SPDY enabled

This is the configuration I'm using. Note that SPDY is enabled. I'm using nginx 1.8.0

  server {
    listen      443 ssl spdy;
    location / {
      auth_gss on;
      auth_gss_keytab /etc/krb5.keytab;
      auth_gss_realm MYDOMAIN.LOCAL;
    }
  }

In Firefox 35 and Chrome 43, basic authentication fails if they are not configured to use kerberos. Using various network inspector addons for Firefox, they all seem to agree that Firefox 35 only sees the "Negotiate" header in the output.

I can work around this bug by putting in my configuration the following directive:

more_set_headers -s 401 "WWW-Authenticate: Basic realm=\"MYDOMAIN.LOCAL\"";

Once I add this the browsers work.

Curiously, curl -kv https://mysite.mydomain.local/ shows the same headers in both configurations, and even running 'diff' against both configurations' outputs shows only the Date header being different. Since my curl isn't compiled with SPDY support, I think this is a SPDY-only bug.

I tried various edits to the header outputting code to try to put both the Basic and Negotiate auth headers on one line, but no browsers actually accepted this output, so it was ultimately useless. I am not sure what is actually wrong as a result. I would suspect an off-by-one error or something that only presents itself when using SPDY.

nginx -V

$ nginx -V
nginx version: nginx/1.8.0
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_secure_link_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --add-module=/home/aaronopfer/nginx-1.8.0/debian/modules/headers-more-nginx-module --add-module=/home/aaronopfer/nginx-1.8.0/debian/modules/nginx-auth-pam --add-module=/home/aaronopfer/nginx-1.8.0/debian/modules/nginx-cache-purge --add-module=/home/aaronopfer/nginx-1.8.0/debian/modules/nginx-dav-ext-module --add-module=/home/aaronopfer/nginx-1.8.0/debian/modules/nginx-development-kit --add-module=/home/aaronopfer/nginx-1.8.0/debian/modules/nginx-echo --add-module=/home/aaronopfer/nginx-1.8.0/debian/modules/ngx-fancyindex --add-module=/home/aaronopfer/nginx-1.8.0/debian/modules/nginx-http-push --add-module=/home/aaronopfer/nginx-1.8.0/debian/modules/nginx-lua --add-module=/home/aaronopfer/nginx-1.8.0/debian/modules/nginx-upload-progress --add-module=/home/aaronopfer/nginx-1.8.0/debian/modules/nginx-upstream-fair --add-module=/home/aaronopfer/nginx-1.8.0/debian/modules/ngx_http_substitutions_filter_module --add-module=/home/aaronopfer/nginx-1.8.0/debian/modules/spnego-http-auth-nginx-module

When kerberos negotiation fails, falls back to a fake basic auth

When I try to access my site with a kerberos-enabled browser and an active kerberos ticket, all works well (transparent authentication).

When I connect from a kerberos-unaware browser, I receive an authentication prompt (looks like auth_basic). I can enter any login/pass and get through.

Here is the relevant part of my nginx.conf:

    server {
        listen *;
        server_name localhost;

        access_log /var/log/nginx/localhost.access_log main;
        error_log /var/log/nginx/localhost.error_log info;

        root /var/www/localhost/htdocs;

        location / {
            auth_gss on;
            auth_gss_realm AUTH.XELNOR.NET;
            auth_gss_keytab /etc/nginx/krb5.keytab;
            auth_gss_service_name HTTP;
        }
    }

Working only in select browsers

Evening gents.
I have been trying to use this module for auth from a kerberos server.
It only seems to be working on select browsers, having some real trouble on Windows clients (various from Win7-Win8-Server2008).

Working:

  • OSX (All, Chrome, Firefox, Safari)
  • Windows (One, Firefox - Not IE or Chrome)
  • Ubuntu (All, Firefox and Chrome - well not Opera, but I blame Opera)

In the working setups, the browser correctly shows the "KERBEROS.COMPANY.ORG" basic auth prompt, and in the non-working ones it will show "hostname.company.org".

kinit using normal user with password and service principal using keytab works fine on the http-server. Any suggestions to how I correct this? I would be grateful for any suggestions.

PS: Relevant debug log entry for failed attempts, I do not see any NTLM errors as I would expect as the errors occur on Windows.

Begin auth
Detect basic auth
Detect SPNEGO token
Token decoded: LEFT OUT (edited)
Client sent a reasonable Negotiate header
GSSAPI authorizing
Use keytab /etc/nginx/nginxhttpandhost.keytab
Using service principal: HTTP/[email protected]
my_gss_name HTTP/[email protected]
gss_accept_sec_context() failed: Unknown error:
GSSAPI failed
http finalize request: 403, "/?" a:1, c:1
http special response: 403, "/?"
http set discard body
HTTP/1.1 403 Forbidden

How can this plugin hand off the Kerberos name to the backend app

Hi, I am using this plugin to feed our Node.js project. When a user logs in to the project, the original proxy (Apache) could hand over the Kerberos name to the backend app. Now that I have switched to nginx, I found that only the current plugin supports the Kerberos SPNEGO mechanism. But during usage, users report that sometimes the plugin can't pass the Kerberos name to the end user, which is very painful for end users. Could you please share some hints on it? Thanks a lot.

How to use it

Hi, could you give me a detailed example for it? Because I am a newcomer, I can't get it to work by following the readme. I need a more detailed manual.

SSO authentication fallback

Hello All,

I need to setup nginx to handle following scenario:

  1. when the user opens the page, SSO handshake is attempted, on success, $remote_user variable is relayed to php application
  2. if the SSO fails for whatever reason, the PHP page still opens (but then the auth is handled by the PHP app)

I need it for a reason of giving access to intranet website from outside of AD domain.

Is it possible to do it with nginx? If so, could you please show me example nginx.conf how it should look like?

Cheers

Purpose of ngx_http_auth_spnego_set_bogus_authorization

Does calling the function ngx_http_auth_spnego_set_bogus_authorization aim to cause nginx to add REMOTE_USER to the HTTP request headers automatically on behalf of spnego-http-auth-nginx-module itself, just as if a standard HTTP Basic authentication had just happened?

error_page 401 semantics

Problem: Using a custom 401 page doesn't work. Nginx catches the first 401, which is part of SPNEGO protocol, so client never gets to even try authentication.

Solution 1: Only use error_page 401 after all available auth methods are exhausted. This is what Apache/mod_auth_kerb does, AFAIK.

Solution 2: Return 403 instead of 401 when auth has failed.

I'd like to setup following logic:

  • SPNEGO on plaintext HTTP, basic fallback disabled
  • If it fails, automatic redirect to HTTPS
  • SPNEGO on HTTPS, basic fallback enabled

Store the Username (or Kerberos principal name) in Remote User

Would it be possible to store the username in the $remote_user server variable (or in another one), so it can be passed through to a FastCGI script (in this case, PHP).

This would be useful for those wishing to use the server to perform web application authentication with the server plugin and authorization in the script.

Apache's mod_auth_kerb supports this behaviour through PHP_AUTH_USER.

Great work on the plugin by the way, works like a charm.

gss_acquire_cred() fails, returns 851968

Hello, I've tried to use this module, but unfortunately it doesn't work for me.

Execution ends on gss_acquire_cred(). I've tried to get some more information from gssapi, it told me that An expected per-message token was not received. When I checked the logs, all the data (principal, hostname, etc.) looked okay.

My setup seems to be working (I've tried kinit and klist and I got valid ticket). The site is using SSL. It is django app running in uwsgi and connected to nginx. It is not connected to AD, just to Kerberos.

Log:

2013/05/14 13:52:46 [error] 18371#0: *17 gss_acquire_cred() failed: : Used service principal: HTTP/[email protected], client: 10.34.4.124, server: alias.company.com, request: "GET /krb5login/ HTTP/1.1", host: "alias.company.com", referrer: "https://alias.company.com/"

Configuration:

server {
    listen 443 default_server ssl;
    server_name  alias.company.com;
    access_log /var/log/nginx/app.access.log;
    error_log /var/log/nginx/app.error.log debug;

    ssl on;
    ssl_certificate     /etc/nginx/conf.d/server.crt;
    ssl_certificate_key /etc/nginx/conf.d/server.key;

    location / {
        include uwsgi_params;
        uwsgi_pass 127.0.0.1:3031;
    }

    location /krb5login/ {
        auth_gss on;
        auth_gss_realm COMPANY.COM;
        auth_gss_keytab /etc/krb5.keytab;
        auth_gss_service_name HTTP/app.company.com;
    }
}

I would appreciate any kind of help. (I am not a C programmer, so making changes in the code is not really easy for me.)

valgrind detects use-after-free with putenv / getenv

Valgrind is detecting use-after-free errors in this plugin.

The cause is the call to putenv(). putenv's man page has a snippet of text that reads:

The string pointed to by string becomes part of the environment, so altering the string changes the environment.

So the memory that we pass to putenv must be persistent. However, it was allocated from the request memory pool, so the memory is released immediately after the request. This causes all environment getting/setting behavior after this point to be undefined.

I fixed this error by unsetting the environment variable at the end of the ngx_http_auth_spnego_auth_user_gss function:

    putenv("KRB5_KTNAME");

It appears to work locally. There may be better solutions though. It seems that editing the environment is generally a bad idea.
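The lifetime rule the report quotes from the putenv() man page is easy to check directly. The following C program is an added example (it is not code from spnego-http-auth-nginx-module or from the reporter): it shows that putenv() keeps the caller's pointer, that setenv() takes a copy so the source buffer may be short-lived (as request-pool memory is), and the scoped set/unset pattern; unsetenv() is the portable spelling of the glibc-specific putenv("NAME") removal used in the fix above. The variable names DEMO_KTNAME* are stand-ins for KRB5_KTNAME so the demo cannot disturb a real Kerberos setup.

```c
/* Added example, not module code: environment lifetime rules behind the putenv() bug. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* putenv() stores the caller's pointer: editing the buffer afterwards edits the
 * environment. Returns 1 when getenv() reflects the in-place edit. The buffer is static
 * on purpose; a pool-allocated one would be freed while environ still points at it. */
static int putenv_keeps_callers_pointer(void)
{
    static char buf[64];
    const char *v;

    strcpy(buf, "DEMO_KTNAME=/etc/a.keytab");
    if (putenv(buf) != 0)
        return -1;
    buf[strlen("DEMO_KTNAME=/etc/")] = 'b';   /* no putenv/setenv call here */
    v = getenv("DEMO_KTNAME");
    return v != NULL && strcmp(v, "/etc/b.keytab") == 0;
}

/* setenv() copies name and value, so the source buffer may be overwritten or freed
 * as soon as the call returns. Returns 1 when the environment kept the value. */
static int setenv_copies_value(void)
{
    char buf[32];
    const char *v;

    strcpy(buf, "/etc/a.keytab");
    if (setenv("DEMO_KTNAME2", buf, 1) != 0)
        return -1;
    memset(buf, 'X', sizeof buf - 1);   /* simulate the pool reusing the memory */
    buf[sizeof buf - 1] = '\0';
    v = getenv("DEMO_KTNAME2");
    return v != NULL && strcmp(v, "/etc/a.keytab") == 0;
}

/* Per-request pattern: publish the configured keytab only for the duration of the
 * GSS-API call, then remove it so a later request cannot inherit a stale value.
 * Returns 1 when the variable is gone afterwards. */
static int scoped_keytab_env(const char *keytab)
{
    if (setenv("DEMO_KTNAME3", keytab, 1) != 0)
        return -1;
    /* ... gss_acquire_cred() would run here ... */
    if (unsetenv("DEMO_KTNAME3") != 0)
        return -1;
    return getenv("DEMO_KTNAME3") == NULL;
}

int main(void)
{
    printf("putenv keeps pointer: %d\n", putenv_keeps_callers_pointer());
    printf("setenv copies value:  %d\n", setenv_copies_value());
    printf("scoped env cleaned:   %d\n", scoped_keytab_env("/etc/krb5-HTTP.keytab"));
    return 0;
}
```

Each function returns 1 when the property it is named for holds. With setenv(), the pool-allocated string from the module never becomes part of the environment, which is what makes the use-after-free disappear rather than just moving it.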

nginx 1.6.0

Hello,

Do you plan to test this module with nginx 1.6.0 ?

Thanks !

Nginx 1.9.3 + spnego-http-auth-nginx-module -> 403 Forbidden

Hi, I have a problem: I cannot make it work. When gss is on I get 403 Forbidden. When it is off, everything works.

My nginx.conf location:

location / {
        access_log  logs/php.access.log  main;
        error_log logs/php.debug.log debug;
        root           html;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;

        auth_gss on;
        auth_gss_keytab /etc/krb5.keytab;
        #auth_gss_realm XXXXXX.XX;
        #auth_gss_service_name HTTP/plhqkafeteria.xxxxx.xx;
        #auth_gss_format_full on;
        #auth_gss_allow_basic_fallback on;
        #proxy_set_header Authorization "";
        #auth_gss_authorized_principal <username>@<realm>
        #auth_gss_authorized_principal <username2>@<realm>
}

php section debug log:
2015/08/06 15:16:00 [debug] 50478#0: *4 hc busy: 0000000000000000 0
2015/08/06 15:16:00 [debug] 50478#0: *4 reusable connection: 1
2015/08/06 15:16:00 [debug] 50478#0: *4 event timer add: 12: 65000:1438867025824
2015/08/06 15:16:00 [debug] 50478#0: *4 post event 0000000001FB6E90
2015/08/06 15:16:00 [debug] 50478#0: *4 delete posted event 0000000001FB6E90
2015/08/06 15:16:00 [debug] 50478#0: *4 http keepalive handler
2015/08/06 15:16:00 [debug] 50478#0: *4 malloc: 0000000001FE2A80:1024
2015/08/06 15:16:00 [debug] 50478#0: *4 recv: fd:12 -1 of 1024
2015/08/06 15:16:00 [debug] 50478#0: *4 recv() not ready (11: Resource temporarily unavailable)
2015/08/06 15:16:00 [debug] 50478#0: *4 free: 0000000001FE2A80
2015/08/06 15:16:00 [debug] 50478#0: *4 post event 0000000001FB6E90
2015/08/06 15:16:00 [debug] 50478#0: *4 delete posted event 0000000001FB6E90
2015/08/06 15:16:00 [debug] 50478#0: *4 http keepalive handler
2015/08/06 15:16:00 [debug] 50478#0: *4 malloc: 0000000001FE2A80:1024
2015/08/06 15:16:00 [debug] 50478#0: *4 recv: fd:12 510 of 1024
2015/08/06 15:16:00 [debug] 50478#0: *4 reusable connection: 0
2015/08/06 15:16:00 [debug] 50478#0: *4 posix_memalign: 0000000001FADD60:4096 @16
2015/08/06 15:16:00 [debug] 50478#0: *4 http cl:-1 max:1048576
2015/08/06 15:16:00 [debug] 50478#0: *4 rewrite phase: 2
2015/08/06 15:16:00 [debug] 50478#0: *4 post rewrite phase: 3
2015/08/06 15:16:00 [debug] 50478#0: *4 generic phase: 4
2015/08/06 15:16:00 [debug] 50478#0: *4 generic phase: 5
2015/08/06 15:16:00 [debug] 50478#0: *4 access phase: 6
2015/08/06 15:16:00 [debug] 50478#0: *4 SSO auth handling IN: token.len=0, head=0, ret=401
2015/08/06 15:16:00 [debug] 50478#0: *4 Begin auth
2015/08/06 15:16:00 [debug] 50478#0: *4 Detect basic auth
2015/08/06 15:16:00 [debug] 50478#0: *4 Detect SPNEGO token
2015/08/06 15:16:00 [debug] 50478#0: *4 Token decoded: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==
2015/08/06 15:16:00 [debug] 50478#0: *4 Client sent a reasonable Negotiate header
2015/08/06 15:16:00 [debug] 50478#0: *4 GSSAPI authorizing
2015/08/06 15:16:00 [debug] 50478#0: *4 Use keytab /etc/krb5.keytab
2015/08/06 15:16:00 [debug] 50478#0: *4 gss_accept_sec_context() failed: Unknown error:
2015/08/06 15:16:00 [debug] 50478#0: *4 GSSAPI failed
2015/08/06 15:16:00 [debug] 50478#0: *4 http finalize request: 403, "/favicon.ico?" a:1, c:1
2015/08/06 15:16:00 [debug] 50478#0: *4 http special response: 403, "/favicon.ico?"
2015/08/06 15:16:00 [debug] 50478#0: *4 http set discard body
2015/08/06 15:16:00 [debug] 50478#0: *4 HTTP/1.1 403 Forbidden
Server: nginx/1.9.3
Date: Thu, 06 Aug 2015 13:16:00 GMT
Content-Type: text/html
Content-Length: 570
Connection: keep-alive

Server debug log section:

2015/08/06 15:16:00 [debug] 50478#0: *4 http header: "Accept: */*"
2015/08/06 15:16:00 [debug] 50478#0: *4 http header: "Referer: http://plhqkafeteria01/"
2015/08/06 15:16:00 [debug] 50478#0: *4 http header: "Accept-Encoding: gzip, deflate, sdch"
2015/08/06 15:16:00 [debug] 50478#0: *4 http header: "Accept-Language: en,pl;q=0.8"
2015/08/06 15:16:00 [debug] 50478#0: *4 http header: "Cookie: wp-settings-time-3=1434023169; wp-settings-time-1=1436352044"
2015/08/06 15:16:00 [debug] 50478#0: *4 http header done
2015/08/06 15:16:00 [debug] 50478#0: *4 rewrite phase: 0
2015/08/06 15:16:00 [debug] 50478#0: *4 test location: "/"
2015/08/06 15:16:00 [debug] 50478#0: *4 test location: "50x.html"
2015/08/06 15:16:00 [debug] 50478#0: *4 using configuration "/"
2015/08/06 15:16:00 [debug] 50478#0: *4 event timer del: 12: 1438867025824
2015/08/06 15:16:00 [debug] 50478#0: *4 http process request line
2015/08/06 15:16:00 [debug] 50478#0: *4 http request line: "GET /favicon.ico HTTP/1.1"
2015/08/06 15:16:00 [debug] 50478#0: *4 http uri: "/favicon.ico"
2015/08/06 15:16:00 [debug] 50478#0: *4 http args: ""
2015/08/06 15:16:00 [debug] 50478#0: *4 http exten: "ico"
2015/08/06 15:16:00 [debug] 50478#0: *4 http process request header line
2015/08/06 15:16:00 [debug] 50478#0: *4 http header: "Host: plhqkafeteria01"
2015/08/06 15:16:00 [debug] 50478#0: *4 http header: "Connection: keep-alive"
2015/08/06 15:16:00 [debug] 50478#0: *4 http header: "Pragma: no-cache"
2015/08/06 15:16:00 [debug] 50478#0: *4 http header: "Cache-Control: no-cache"
2015/08/06 15:16:00 [debug] 50478#0: *4 posix_memalign: 0000000001FAED70:4096 @16
2015/08/06 15:16:00 [debug] 50478#0: *4 http header: "Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw=="
2015/08/06 15:16:00 [debug] 50478#0: *4 http header: "User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36"
2015/08/06 15:16:00 [debug] 50478#0: *4 http header: "Accept: */*"
2015/08/06 15:16:00 [debug] 50478#0: *4 http header: "Referer: http://plhqkafeteria01/"
2015/08/06 15:16:00 [debug] 50478#0: *4 http header: "Accept-Encoding: gzip, deflate, sdch"
2015/08/06 15:16:00 [debug] 50478#0: *4 http header: "Accept-Language: en,pl;q=0.8"
2015/08/06 15:16:00 [debug] 50478#0: *4 http header: "Cookie: wp-settings-time-3=1434023169; wp-settings-time-1=1436352044"
2015/08/06 15:16:00 [debug] 50478#0: *4 http header done
2015/08/06 15:16:00 [debug] 50478#0: *4 rewrite phase: 0
2015/08/06 15:16:00 [debug] 50478#0: *4 test location: "/"
2015/08/06 15:16:00 [debug] 50478#0: *4 test location: "50x.html"
2015/08/06 15:16:00 [debug] 50478#0: *4 using configuration "/"
2015/08/06 15:16:10 [debug] 50478#0: *3 post event 0000000001FB6E30
2015/08/06 15:16:10 [debug] 50478#0: *3 delete posted event 0000000001FB6E30
2015/08/06 15:16:10 [debug] 50478#0: *3 http wait request handler
2015/08/06 15:16:10 [debug] 50478#0: *3 malloc: 0000000001FE2A80:1024
2015/08/06 15:16:10 [debug] 50478#0: *3 recv: fd:3 0 of 1024
2015/08/06 15:16:10 [info] 50478#0: *3 client closed connection while waiting for request, client: 172.21.0.144, server: 0.0.0.0:80
2015/08/06 15:16:10 [debug] 50478#0: *3 close http connection: 3
2015/08/06 15:16:10 [debug] 50478#0: *3 event timer del: 3: 1438867020383

Please help, I have been struggling with this for 3 weeks and I don't have any ideas.

Need some help figuring out what is missing...

Hi and thanks for your work writing this module.

I'm having problem making it work.

I've tested it using IE 10, Chrome 42, FF 37 on Windows 8 and nginx 1.8 on Ubuntu 12.04.

When a request gets into the server, I see the response:

2015/04/26 15:31:16 [debug] 12378#0: *41 HTTP/1.1 401 Unauthorized
Server: nginx/1.8.0
Date: Sun, 26 Apr 2015 18:31:16 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Negotiate

And then the browser sends ALWAYS NTLM:
2015/04/26 15:31:16 [debug] 12378#0: *41 http header: "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"
2015/04/26 15:31:16 [debug] 12378#0: *41 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
2015/04/26 15:31:16 [debug] 12378#0: *41 http header: "Accept-Language: es-AR,es;q=0.8,en-US;q=0.5,en;q=0.3"
2015/04/26 15:31:16 [debug] 12378#0: *41 http header: "Accept-Encoding: gzip, deflate"
2015/04/26 15:31:16 [debug] 12378#0: *41 http header: "Connection: keep-alive"
2015/04/26 15:31:16 [debug] 12378#0: *41 http header: "Cache-Control: max-age=0"
2015/04/26 15:31:16 [debug] 12378#0: *41 http header: "Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAvAjAAAADw=="

echo TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAvAjAAAADw== | base64 -d
NTLMSSP

A few lines down:

2015/04/26 15:31:16 [debug] 12378#0: *41 Detect SPNEGO token
2015/04/26 15:31:16 [debug] 12378#0: *41 Token decoded: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAvAjAAAADw==
2015/04/26 15:31:16 [debug] 12378#0: *41 Client sent a reasonable Negotiate header
2015/04/26 15:31:16 [debug] 12378#0: *41 GSSAPI authorizing

And finally:
2015/04/26 15:31:16 [debug] 12378#0: *41 GSSAPI failed

I don't know what's missing that makes the browser always send NTLM, which I know is outside of this module. If I understood why the browser always answers with an NTLM auth token, I could try something different to solve it.
Maybe it is related to some browser configuration, some AD configuration or some nginx configuration.

Thanks a lot!
Gus.

kinit working but problems with browser negotiations

I compiled the module with nginx 1.9.9 without a problem and I could follow all the configuration steps until kinit check step (inclusive)

kinit -5 -V -k -t /etc/krb5.keytab HTTP/nginxlab.cccc.es
Using existing cache: persistent:0:krb_ccache_bEyn0X6
Using principal: HTTP/[email protected]
Using keytab: /etc/krb5.keytab
Authenticated to Kerberos v5

But when I try to connect from the Internet Explorer browser I get these errors in the nginx logs:
2016/02/23 15:43:05 [error] 2541#0: *7 gss_acquire_cred() failed: No key table entry found for [email protected]: Used service principal: [email protected], client: 192.168.12.4, server: blog.cccc.es, request: "GET / HTTP/1.1", host: "nginxlab.cccc.es"

2016/02/23 15:43:05 [error] 2541#0: *6 gss_acquire_cred() failed: No key table entry found for [email protected]: Used service principal: [email protected], client: 192.168.12.4, server: blog.cccc.es, request: "GET /favicon.ico HTTP/1.1", host: "nginxlab.cccc.es"

When I try to connect from Firefox, where there is no negotiation with the AD, we use basic authentication without any problems.

gss_accept_sec_context() failed: Unknown error

Hi,

I am getting this error in the nginx logs when attempting to authenticate. Below are as many relevant logs/settings as I could think of. Any help is appreciated.

nginx log

2016/04/01 19:35:08 [debug] 22415#0: *4 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
2016/04/01 19:35:08 [debug] 22415#0: *4 http header: "Accept-Language: en-US,en;q=0.5"
2016/04/01 19:35:08 [debug] 22415#0: *4 http header: "Accept-Encoding: gzip, deflate"
2016/04/01 19:35:08 [debug] 22415#0: *4 http header: "Connection: keep-alive"
2016/04/01 19:35:08 [debug] 22415#0: *4 http header: "Cache-Control: max-age=0"
2016/04/01 19:35:08 [debug] 22415#0: *4 http header: "Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
2016/04/01 19:35:08 [debug] 22415#0: *4 http header done
2016/04/01 19:35:08 [debug] 22415#0: *4 rewrite phase: 0
2016/04/01 19:35:08 [debug] 22415#0: *4 test location: "/"
2016/04/01 19:35:08 [debug] 22415#0: *4 using configuration "/"
2016/04/01 19:35:08 [debug] 22415#0: *4 http cl:-1 max:52428800
2016/04/01 19:35:08 [debug] 22415#0: *4 rewrite phase: 2
2016/04/01 19:35:08 [debug] 22415#0: *4 post rewrite phase: 3
2016/04/01 19:35:08 [debug] 22415#0: *4 generic phase: 4
2016/04/01 19:35:08 [debug] 22415#0: *4 generic phase: 5
2016/04/01 19:35:08 [debug] 22415#0: *4 access phase: 6
2016/04/01 19:35:08 [debug] 22415#0: *4 SSO auth handling IN: token.len=0, head=0, ret=401
2016/04/01 19:35:08 [debug] 22415#0: *4 Begin auth
2016/04/01 19:35:08 [debug] 22415#0: *4 Detect SPNEGO token
2016/04/01 19:35:08 [debug] 22415#0: *4 posix_memalign: 000000000198B100:4096 @16
2016/04/01 19:35:08 [debug] 22415#0: *4 Token decoded: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
2016/04/01 19:35:08 [debug] 22415#0: *4 Client sent a reasonable Negotiate header
2016/04/01 19:35:08 [debug] 22415#0: *4 GSSAPI authorizing
2016/04/01 19:35:08 [debug] 22415#0: *4 Use keytab /etc/krb5.keytab
2016/04/01 19:35:08 [debug] 22415#0: *4 gss_accept_sec_context() failed: Unknown error:
2016/04/01 19:35:08 [debug] 22415#0: *4 GSSAPI failed
2016/04/01 19:35:08 [debug] 22415#0: *4 http finalize request: 403, "/?" a:1, c:1
2016/04/01 19:35:08 [debug] 22415#0: *4 http special response: 403, "/?"
2016/04/01 19:35:08 [debug] 22415#0: *4 http set discard body
2016/04/01 19:35:08 [debug] 22415#0: *4 HTTP/1.1 403 Forbidden
Server: nginx/1.4.4

Excerpt from nginx conf

location / {
    add_header REMOTE_USER $remote_user;
    auth_gss on;
    auth_gss_keytab /etc/krb5.keytab;
}

klist -e output

Ticket cache: FILE:/tmp/krb5cc_1005
Default principal: HTTP/[email protected]

Valid starting       Expires              Service principal
04/01/2016 19:44:48  04/02/2016 05:44:48  krbtgt/[email protected]
    renew until 04/02/2016 19:44:48, Etype (skey, tkt): arcfour-hmac, arcfour-hmac

klist -kte output

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/01/2016 18:44:57 HTTP/[email protected] (arcfour-hmac)
   3 04/01/2016 19:43:25 HTTP/[email protected] (arcfour-hmac)

permissions on krb5.keytab/.conf (nginx runs as www-data user)

-rw-rw----  1 www-data root     953 Apr  1 19:31 krb5.conf
-rw-rw----  1 www-data root     158 Apr  1 19:43 krb5.keytab

krb5.conf

[libdefaults]
    #default_tkt_enctypes = arcfour-hmac-md5
    #default_tgs_enctypes = arcfour-hmac-md5
    #default_keytab_name  = FILE:/etc/krb5.keytab
    default_tgs_enctypes = rc4-hmac arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = rc4-hmac arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac arcfour-hmac-md5 arcfour-hmac
    default_realm        = HIDDEN.COM
    ticket_lifetime      = 24h
    kdc_timesync         = 1
    ccache_type          = 4
    forwardable          = false
    proxiable            = false

  [realms]
    HIDDEN.COM = {
        database_name = /var/lib/krb5kdc/principal
        kdc            = kdc.hidden.com
        admin_server   = kdc.hidden.com
        default_domain = hidden.com
    }

  [domain_realm]
    .kerberos.server = hidden.COM
    .hidden.com     = hidden.COM
    hidden.com = hidden.COM

[logging]
       kdc = FILE:/var/log/krb5kdc.log

kdc.conf

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    HIDDEN.COM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = rc4-hmac
        supported_enctypes = rc4-hmac:normal arcfour-hmac:normal arcfour-hmac-md5:normal
        default_principal_flags = +preauth
    }

[logging]
                kdc = FILE:/tmp/kdc.log
                admin_server = FILE:/tmp/kadmin.log

gss_acquire_cred() failed: no error message, claims GSSAPI auth succeeded, HTTP 500

After a dist-upgrade from Ubuntu Lucid to Precise, kerberos auth is no longer working.

The setup:

Ubuntu 12.04, running nginx from https://launchpad.net/~bcandrea/+archive/ubuntu/nginx-stable
Client: Windows 7 Enterprise, IE 11

Relevant config:

   auth_gss on;
   auth_gss_realm <realm>;
   auth_gss_keytab /etc/http.keytab;
   auth_gss_service_name HTTP;
   auth_gss_allow_basic_fallback off;

keytab file looks valid:

klist -kt /etc/http.keytab
Keytab name: FILE:/etc/http.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  21 01/01/70 12:00:00 HTTP/<machinename>@<realm>

however, clients attempting to connect get an HTTP 500, and we see this in the logs (lots of lines removed for brevity, let me know if there is more information needed):

2015/06/26 11:49:39 [debug] 21805#0: *2 recv: fd:3 390 of 6122
2015/06/26 11:49:39 [debug] 21805#0: *2 http header: "Authorization: Negotiate <redacted>
2015/06/26 11:49:39 [debug] 21805#0: *2 http header: "Connection: keep-alive"
2015/06/26 11:49:39 [debug] 21805#0: *2 http header done
<snip>
2015/06/26 11:49:39 [debug] 21805#0: *2 SSO auth handling IN: token.len=0, head=0, ret=401
2015/06/26 11:49:39 [debug] 21805#0: *2 Begin auth
2015/06/26 11:49:39 [debug] 21805#0: *2 Detect SPNEGO token
2015/06/26 11:49:39 [debug] 21805#0: *2 posix_memalign: 0000000001D0D500:4096 @16
2015/06/26 11:49:39 [debug] 21805#0: *2 Token decoded: <redacted>
2015/06/26 11:49:39 [debug] 21805#0: *2 Client sent a reasonable Negotiate header
2015/06/26 11:49:39 [debug] 21805#0: *2 GSSAPI authorizing
2015/06/26 11:49:39 [debug] 21805#0: *2 Use keytab /etc/http.keytab
2015/06/26 11:49:39 [debug] 21805#0: *2 Using service principal: HTTP@<realm>
2015/06/26 11:49:39 [debug] 21805#0: *2 my_gss_name HTTP@<realm>
2015/06/26 11:49:39 [error] 21805#0: *2 gss_acquire_cred() failed: : Used service principal: HTTP@<realm>, client: <client_IP>, server: <server>, request: "GET / HTTP/1.1", host: "<server>"
2015/06/26 11:49:39 [debug] 21805#0: *2 GSSAPI auth succeeded
2015/06/26 11:49:39 [debug] 21805#0: *2 SSO auth handling OUT: token.len=1791, head=1, ret=500
2015/06/26 11:49:39 [debug] 21805#0: *2 http finalize request: 500, "/?" a:1, c:1
2015/06/26 11:49:39 [debug] 21805#0: *2 http special response: 500, "/?"
2015/06/26 11:49:39 [debug] 21805#0: *2 http set discard body
2015/06/26 11:49:39 [debug] 21805#0: *2 xslt filter header
2015/06/26 11:49:39 [debug] 21805#0: *2 charset: "" > "utf-8"
2015/06/26 11:49:39 [debug] 21805#0: *2 HTTP/1.1 500 Internal Server Error

I have already read through issue #15. I have not tried any of the patches suggested there, but none of the other suggestions have helped.

remote_user and realm

Hello

As I understand the default behaviour is to split "user@DOM" into only "user" in the remote_user header.
It does not work as this for me.

My domain is "SITE-CITY.TLD".
users are less than 8 chars

My conf is simple:
auth_gss on;
auth_gss_keytab /etc/nginx/keytab/redmine-rproxy.keytab ;

I try some configs with auth_gss_realm and auth_gss_format_full set. But I did not manage to have only the user without the realm.

I think I missed something.

Could I have more explanation on the behaviour, please?

thanks!

GSSAPI fails to use keytab specified in environment

My platform is nginx 1.6.0 on FreeBSD 10.0-STABLE (r264289), which uses Heimdal 1.5.1+, and I am building the plugin from 54398b3. nginx workers are running as user www (uid 80). In order to block access to non-HTTP service principals from nginx, I peeled off a special-purpose keytab, containing only the necessary service principals, and gave ownership to the www user.

$ ls -l /etc/*keytab
-rw-------  1 www   wheel  1362 Aug  7 20:42 /etc/krb5-HTTP.keytab
-rw-------  1 root  wheel  1362 Aug  7 16:45 /etc/krb5.keytab
$ sudo -u www ktutil -k /etc/krb5-HTTP.keytab list
/etc/krb5-HTTP.keytab:

Vno  Type                     Principal                                 Aliases
  2  aes256-cts-hmac-sha1-96  HTTP/[email protected]
  2  aes128-cts-hmac-sha1-96  HTTP/[email protected]
  2  des3-cbc-sha1            HTTP/[email protected]
  2  arcfour-hmac-md5         HTTP/[email protected]

I configured the plugin to use this keytab, thusly.

$ grep auth_gss /usr/local/etc/nginx/nginx.conf
            auth_gss                        on;
            auth_gss_keytab                 /etc/krb5-HTTP.keytab;
            auth_gss_allow_basic_fallback   off;

The following excerpt from the debug log demonstrates, I think, that env_ktname() is processing the configured, non-default keytab, but that in the latter part of ngx_http_auth_spnego_auth_user_gss(), upon invoking gss_acquire_cred(), the GSSAPI library does not recognize the environment variable and instead tries, incorrectly and unsuccessfully, to read the default keytab.

2014/08/07 20:17:23 [debug] 85727#0: *1 Client sent a reasonable Negotiate header
2014/08/07 20:17:23 [debug] 85727#0: *1 GSSAPI authorizing
2014/08/07 20:17:23 [debug] 85727#0: *1 Use keytab /etc/krb5-HTTP.keytab
2014/08/07 20:17:23 [debug] 85727#0: *1 gss_accept_sec_context() failed: keytab /etc/krb5.keytab open failed: Permission denied:
2014/08/07 20:17:23 [debug] 85727#0: *1 GSSAPI failed

I don't believe this is a bug in the FreeBSD/Heimdal implementation because the command line tools correctly act upon the environment variable.

$ sudo -u www env KRB5_KTNAME=/etc/krb5-HTTP.keytab ktutil list
/etc/krb5-HTTP.keytab:

Vno  Type                     Principal                                 Aliases
  2  aes256-cts-hmac-sha1-96  HTTP/[email protected]
  2  aes128-cts-hmac-sha1-96  HTTP/[email protected]
  2  des3-cbc-sha1            HTTP/[email protected]
  2  arcfour-hmac-md5         HTTP/[email protected]

enable/disable auth_gss depending on a request header

Note: I'm quite new to nginx config...

Hi,

I'm trying to set up a configuration in which gss auth can be disabled if some request header is present (typically for cookie-based authentication).

I've tried something like:

    auth_gss on;
    if ($http_authorization ~ (^MyStuff) ) {
        auth_gss off;
    }

but it fails, stating that "nginx: [emerg] "auth_gss" directive is not allowed here"

Is there a way of doing something like this?
Should I try to use auth_request?

PS : with Apache, I used to do something like:

<Location />
AuthType kerberos
[...]
SetEnvIf Authorization "^MyStuff" signed
  <RequireAny>  
    Require env signed
    Require valid-user
  </RequireAny>
</Location>

HTTP ERROR 401 - Authentication Required

Hi
I have configured a machine as kerberos client and as a user if i get ticket in the machine i am able to do the HTTP authentication. Also i installed ngnix using your module in the same server. Now my problem is if i try to hit the ngnix from my workstation's browser i am getting authentication required error 401.
So i think ngnix is not able to find the user's kerberos ticket. Any way to specify that in the configuration ?
I have HTTP principal in the keytab file.

Here i am trying to access my cloudera cluster HDFS browser url which is kerberos enabled.

my ngnix conf is like this
location / {
auth_gss on;
auth_gss_realm MYREALM.ORG.COM;
auth_gss_keytab /etc/http.keytab;
proxy_pass http://namenode webUI:50070;
}

gss_acquire_cred() failed: Permission denied

Hi, all settings done right, but I'm still getting this error:

2015/04/21 01:07:04 [debug] 3603#0: *66 Client sent a reasonable Negotiate header
2015/04/21 01:07:04 [debug] 3603#0: *66 GSSAPI authorizing
2015/04/21 01:07:04 [debug] 3603#0: *66 Use keytab /etc/krb5.keytab
2015/04/21 01:07:04 [debug] 3603#0: *66 Using service principal: HTTP/[email protected]
2015/04/21 01:07:04 [debug] 3603#0: *66 my_gss_name HTTP/[email protected]
2015/04/21 01:07:04 [error] 3603#0: *66 gss_acquire_cred() failed: Permission denied: Used service principal: HTTP/[email protected], client: 10.0.55.141, server: nginx.sqedra.com, request: "GET / HTTP/1.1", host: "nginx.sqedra.com"
2015/04/21 01:07:04 [debug] 3603#0: *66 GSSAPI failed
2015/04/21 01:07:04 [debug] 3603#0: *66 http finalize request: 500, "/?" a:1, c:1
2015/04/21 01:07:04 [debug] 3603#0: *66 http special response: 500, "/?"
2015/04/21 01:07:04 [debug] 3603#0: *66 http set discard body
2015/04/21 01:07:04 [debug] 3603#0: *66 HTTP/1.1 500 Internal Server Error
Server: nginx/1.7.12
Date: Mon, 20 Apr 2015 22:07:04 GMT
Content-Type: text/html
Content-Length: 193
Connection: close

Don't create "bogus" Authorization: Basic header

I'm using nginx as a reverse proxy to put a Negotiate-based authentication layer in front of another HTTP service.

Currently, when the client successfully authenticates via Negotiate, the resulting upstream request to the proxied service includes an HTTP header like:

Authorization: Basic dXNlckBET01BSU4uQ09NOmJvZ3VzCg==

which decodes to [email protected]:bogus. Why is this necessary? I don't want the upstream service to receive a superfluous Basic auth header.

Can I get the user's realm in a webapp?

I see $remote_user is set to just the user name, like "nick". It doesn't tell me what realm they used. I was expecting something like "[email protected]".

Perhaps I'm wrong for wanting this. Is it conceivable that a single web app could authenticate users from multiple different kerberos realms? Does this plugin support that sort of thing?
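
For the realm question above (and the earlier "remote_user and realm" thread), here is an added example, not part of the module, of the split a proxy has to perform before exporting $remote_user. It assumes the authenticated name arrives as krb5_unparse_name() renders it, with '@', '/' and backslash escaped by a backslash inside the name component, which is why a naive split on '@' is wrong for names such as user\@corp.example@REALM. The realm allow-list check at the end is this example's own suggestion for the multi-realm case.

```python
"""Split a Kerberos principal into name and realm the way a proxy must
before exporting $remote_user, honouring the backslash escapes that
krb5_unparse_name() emits for '@', '/' and '\\' inside a name."""


def split_principal(principal):
    """Return (name, realm); realm is '' when the principal has none.
    Escaped characters stay in the name with the backslash removed."""
    name, i = [], 0
    while i < len(principal):
        c = principal[i]
        if c == "\\" and i + 1 < len(principal):   # escaped '@', '/' or '\'
            name.append(principal[i + 1])
            i += 2
            continue
        if c == "@":                               # first unescaped '@' ends the name
            return "".join(name), principal[i + 1:]
        name.append(c)
        i += 1
    return "".join(name), ""


def remote_user(principal, format_full=False):
    """Value to export as $remote_user: the bare name, or the whole principal
    when the equivalent of auth_gss_format_full is on."""
    return principal if format_full else split_principal(principal)[0]


def realm_allowed(principal, allowed_realms):
    """Cross-realm check an application can make once the realm reaches it."""
    return split_principal(principal)[1] in allowed_realms
```

With the realm exported separately (for example as a second proxy header), one application can serve users from several realms and still reject realms it does not trust; with only the bare name, two principals nick@A and nick@B collapse into the same $remote_user.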

undefined reference to `__gss_krb5_nt_principal_name_oid_desc'?

Hi, first, thanks for this - will be nice to stop running both apache and nginx just so intranet kerb-auth works.

On Ubuntu Server 14.04
Have krb5-multidev and libkrb5-dev installed. Libraries in /usr/lib/x86_64-linux-gnu/. First ld couldn't find libkrb5.so and libgssapi_krb5.so since they were suffixed (.3.3 and .2.2 respectively), symlinks were added by apt under mit-krb5 subdirectory - so I copied those out to fix linking and ld finds both just fine.

But now:

objs/addon/spnego-http-auth-nginx-module/ngx_http_auth_spnego_module.o: In function `ngx_http_auth_spnego_auth_user_gss':
spnego-http-auth-nginx-module/ngx_http_auth_spnego_module.c:726: undefined reference to `__gss_krb5_nt_principal_name_oid_desc'

Tried switching to heimdal, linking to various versions (libkrb5.so.26) - still no go.

Any help is greatly appreciated!

gss_accept_sec_context() failed: :

Please, help me debug this problem:

wmp@ubuntu:/tmp/deb$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: MY_USER_NAME@MY_REALM

Valid starting       Expires              Service principal
08.09.2015 12:20:12  08.09.2015 22:20:12  krbtgt/MY_REALM@MY_REALM
        renew until 09.09.2015 00:20:10
wmp@ubuntu:/tmp/deb$ curl --negotiate -u: http://SITE_NAME.MY_REALM/index.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.2.1</center>
</body>
</html>
wmp@ubuntu:/tmp/deb$ k
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: MY_USER_NAME@MY_REALM

Valid starting       Expires              Service principal
08.09.2015 12:20:12  08.09.2015 22:20:12  krbtgt/MY_REALM@MY_REALM
        renew until 09.09.2015 00:20:10
08.09.2015 12:22:06  08.09.2015 22:20:12  HTTP/SITE_NAME.MY_REALM@MY_REALM
        renew until 09.09.2015 00:20:10
wmp@ubuntu:/tmp/deb$

Nginx debug:

2015/09/08 12:22:06 [debug] 3418#0: post event 0000000001FE83F0
2015/09/08 12:22:06 [debug] 3418#0: delete posted event 0000000001FE83F0
2015/09/08 12:22:06 [debug] 3418#0: accept on 0.0.0.0:80, ready: 0
2015/09/08 12:22:06 [debug] 3418#0: posix_memalign: 0000000001F91D00:256 @16
2015/09/08 12:22:06 [debug] 3418#0: *2 accept: XXX.YYY.ZZZ.68 fd:12
2015/09/08 12:22:06 [debug] 3418#0: *2 event timer add: 12: 60000:1441707786698
2015/09/08 12:22:06 [debug] 3418#0: *2 epoll add event: fd:12 op:1 ev:80000001
2015/09/08 12:22:06 [debug] 3418#0: *2 post event 0000000001FE84C0
2015/09/08 12:22:06 [debug] 3418#0: *2 delete posted event 0000000001FE84C0
2015/09/08 12:22:06 [debug] 3418#0: *2 malloc: 0000000001F99F70:1296
2015/09/08 12:22:06 [debug] 3418#0: *2 posix_memalign: 0000000001FC2840:256 @16
2015/09/08 12:22:06 [debug] 3418#0: *2 malloc: 0000000001F9A730:1024
2015/09/08 12:22:06 [debug] 3418#0: *2 posix_memalign: 0000000001F9F660:4096 @16
2015/09/08 12:22:06 [debug] 3418#0: *2 http process request line
2015/09/08 12:22:06 [debug] 3418#0: *2 recv: fd:12 100 of 1024
2015/09/08 12:22:06 [debug] 3418#0: *2 http request line: "GET /index.php HTTP/1.1"
2015/09/08 12:22:06 [debug] 3418#0: *2 http uri: "/index.php"
2015/09/08 12:22:06 [debug] 3418#0: *2 http args: ""
2015/09/08 12:22:06 [debug] 3418#0: *2 http exten: "php"
2015/09/08 12:22:06 [debug] 3418#0: *2 http process request header line
2015/09/08 12:22:06 [debug] 3418#0: *2 http header: "User-Agent: curl/7.38.0"
2015/09/08 12:22:06 [debug] 3418#0: *2 http header: "Host: SITE_NAME.MY_REALM"
2015/09/08 12:22:06 [debug] 3418#0: *2 http header: "Accept: */*"
2015/09/08 12:22:06 [debug] 3418#0: *2 http header done
2015/09/08 12:22:06 [debug] 3418#0: *2 event timer del: 12: 1441707786698
2015/09/08 12:22:06 [debug] 3418#0: *2 generic phase: 0
2015/09/08 12:22:06 [debug] 3418#0: *2 rewrite phase: 1
2015/09/08 12:22:06 [debug] 3418#0: *2 test location: "/"
2015/09/08 12:22:06 [debug] 3418#0: *2 test location: ~ "[^/]\.php(/|$)"
2015/09/08 12:22:06 [debug] 3418#0: *2 using configuration "[^/]\.php(/|$)"
2015/09/08 12:22:06 [debug] 3418#0: *2 http cl:-1 max:1048576
2015/09/08 12:22:06 [debug] 3418#0: *2 rewrite phase: 3
2015/09/08 12:22:06 [debug] 3418#0: *2 http script complex value
2015/09/08 12:22:06 [debug] 3418#0: *2 http script var: "/var/www"
2015/09/08 12:22:06 [debug] 3418#0: *2 http script var: "/index.php"
2015/09/08 12:22:06 [debug] 3418#0: *2 http script copy: ""
2015/09/08 12:22:06 [debug] 3418#0: *2 http script file op 0000000000000001 "/var/www/index.php"
2015/09/08 12:22:06 [debug] 3418#0: *2 http script file op false
2015/09/08 12:22:06 [debug] 3418#0: *2 http script if
2015/09/08 12:22:06 [debug] 3418#0: *2 http script if: false
2015/09/08 12:22:06 [debug] 3418#0: *2 post rewrite phase: 4
2015/09/08 12:22:06 [debug] 3418#0: *2 generic phase: 5
2015/09/08 12:22:06 [debug] 3418#0: *2 generic phase: 6
2015/09/08 12:22:06 [debug] 3418#0: *2 generic phase: 7
2015/09/08 12:22:06 [debug] 3418#0: *2 access phase: 8
2015/09/08 12:22:06 [debug] 3418#0: *2 SSO auth handling IN: token.len=0, head=0, ret=401
2015/09/08 12:22:06 [debug] 3418#0: *2 Begin auth
2015/09/08 12:22:06 [debug] 3418#0: *2 Detect SPNEGO token
2015/09/08 12:22:06 [debug] 3418#0: *2 SSO auth handling OUT: token.len=0, head=1, ret=401
2015/09/08 12:22:06 [debug] 3418#0: *2 http finalize request: 401, "/index.php?" a:1, c:1
2015/09/08 12:22:06 [debug] 3418#0: *2 http special response: 401, "/index.php?"
2015/09/08 12:22:06 [debug] 3418#0: *2 http set discard body
2015/09/08 12:22:06 [debug] 3418#0: *2 xslt filter header
2015/09/08 12:22:06 [debug] 3418#0: *2 HTTP/1.1 401 Unauthorized
Server: nginx/1.2.1
Date: Tue, 08 Sep 2015 10:22:06 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Negotiate

2015/09/08 12:22:06 [debug] 3418#0: *2 write new buf t:1 f:0 0000000001FA0380, pos 0000000001FA0380, size: 186 file: 0, size: 0
2015/09/08 12:22:06 [debug] 3418#0: *2 http write filter: l:0 f:0 s:186
2015/09/08 12:22:06 [debug] 3418#0: *2 http output filter "/index.php?"
2015/09/08 12:22:06 [debug] 3418#0: *2 http copy filter: "/index.php?"
2015/09/08 12:22:06 [debug] 3418#0: *2 image filter
2015/09/08 12:22:06 [debug] 3418#0: *2 xslt filter body
2015/09/08 12:22:06 [debug] 3418#0: *2 http postpone filter "/index.php?" 0000000001FA0568
2015/09/08 12:22:06 [debug] 3418#0: *2 write old buf t:1 f:0 0000000001FA0380, pos 0000000001FA0380, size: 186 file: 0, size: 0
2015/09/08 12:22:06 [debug] 3418#0: *2 write new buf t:0 f:0 0000000000000000, pos 00000000006C16A0, size: 142 file: 0, size: 0
2015/09/08 12:22:06 [debug] 3418#0: *2 write new buf t:0 f:0 0000000000000000, pos 00000000006C11C0, size: 52 file: 0, size: 0
2015/09/08 12:22:06 [debug] 3418#0: *2 http write filter: l:1 f:0 s:380
2015/09/08 12:22:06 [debug] 3418#0: *2 http write filter limit 0
2015/09/08 12:22:06 [debug] 3418#0: *2 writev: 380
2015/09/08 12:22:06 [debug] 3418#0: *2 http write filter 0000000000000000
2015/09/08 12:22:06 [debug] 3418#0: *2 http copy filter: 0 "/index.php?"
2015/09/08 12:22:06 [debug] 3418#0: *2 http finalize request: 0, "/index.php?" a:1, c:1
2015/09/08 12:22:06 [debug] 3418#0: *2 set http keepalive handler
2015/09/08 12:22:06 [debug] 3418#0: *2 http close request
2015/09/08 12:22:06 [debug] 3418#0: *2 http log handler
2015/09/08 12:22:06 [debug] 3418#0: *2 free: 0000000001F9F660, unused: 67
2015/09/08 12:22:06 [debug] 3418#0: *2 event timer add: 12: 65000:1441707791698
2015/09/08 12:22:06 [debug] 3418#0: *2 free: 0000000001F99F70
2015/09/08 12:22:06 [debug] 3418#0: *2 free: 0000000001F9A730
2015/09/08 12:22:06 [debug] 3418#0: *2 hc free: 0000000000000000 0
2015/09/08 12:22:06 [debug] 3418#0: *2 hc busy: 0000000000000000 0
2015/09/08 12:22:06 [debug] 3418#0: *2 tcp_nodelay
2015/09/08 12:22:06 [debug] 3418#0: *2 reusable connection: 1
2015/09/08 12:22:06 [debug] 3418#0: *2 post event 0000000001FE84C0
2015/09/08 12:22:06 [debug] 3418#0: *2 delete posted event 0000000001FE84C0
2015/09/08 12:22:06 [debug] 3418#0: *2 http keepalive handler
2015/09/08 12:22:06 [debug] 3418#0: *2 malloc: 0000000001F99F70:1024
2015/09/08 12:22:06 [debug] 3418#0: *2 recv: fd:12 -1 of 1024
2015/09/08 12:22:06 [debug] 3418#0: *2 recv() not ready (11: Resource temporarily unavailable)
2015/09/08 12:22:06 [debug] 3418#0: *2 post event 0000000001FE84C0
2015/09/08 12:22:06 [debug] 3418#0: *2 delete posted event 0000000001FE84C0
2015/09/08 12:22:06 [debug] 3418#0: *2 http keepalive handler
2015/09/08 12:22:06 [debug] 3418#0: *2 recv: fd:12 1024 of 1024
2015/09/08 12:22:06 [debug] 3418#0: *2 reusable connection: 0
2015/09/08 12:22:06 [debug] 3418#0: *2 malloc: 0000000001F9A730:1296
2015/09/08 12:22:06 [debug] 3418#0: *2 posix_memalign: 0000000001F9F660:4096 @16
2015/09/08 12:22:06 [debug] 3418#0: *2 http process request line
2015/09/08 12:22:06 [debug] 3418#0: *2 http request line: "GET /index.php HTTP/1.1"
2015/09/08 12:22:06 [debug] 3418#0: *2 http uri: "/index.php"
2015/09/08 12:22:06 [debug] 3418#0: *2 http args: ""
2015/09/08 12:22:06 [debug] 3418#0: *2 http exten: "php"
2015/09/08 12:22:06 [debug] 3418#0: *2 http process request header line
2015/09/08 12:22:06 [debug] 3418#0: *2 http alloc large header buffer
2015/09/08 12:22:06 [debug] 3418#0: *2 malloc: 0000000001F96220:8192
2015/09/08 12:22:06 [debug] 3418#0: *2 http large header alloc: 0000000001F96220 8192
2015/09/08 12:22:06 [debug] 3418#0: *2 http large header copy: 999
2015/09/08 12:22:06 [debug] 3418#0: *2 recv: fd:12 1131 of 7193
2015/09/08 12:22:06 [debug] 3418#0: *2 http header: "Authorization: Negotiate YIIF7AYGKw... cut here ...UTz5m063JpHt
2015/09/08 12:22:06 [debug] 3418#0: *2 http header: "User-Agent: curl/7.38.0"
2015/09/08 12:22:06 [debug] 3418#0: *2 http header: "Host: SITE_NAME.MY_REALM"
2015/09/08 12:22:06 [debug] 3418#0: *2 http header: "Accept: */*"
2015/09/08 12:22:06 [debug] 3418#0: *2 http header done
2015/09/08 12:22:06 [debug] 3418#0: *2 event timer del: 12: 1441707791698
2015/09/08 12:22:06 [debug] 3418#0: *2 generic phase: 0
2015/09/08 12:22:06 [debug] 3418#0: *2 rewrite phase: 1
2015/09/08 12:22:06 [debug] 3418#0: *2 test location: "/"
2015/09/08 12:22:06 [debug] 3418#0: *2 test location: ~ "[^/]\.php(/|$)"
2015/09/08 12:22:06 [debug] 3418#0: *2 using configuration "[^/]\.php(/|$)"
2015/09/08 12:22:06 [debug] 3418#0: *2 http cl:-1 max:1048576
2015/09/08 12:22:06 [debug] 3418#0: *2 rewrite phase: 3
2015/09/08 12:22:06 [debug] 3418#0: *2 http script complex value
2015/09/08 12:22:06 [debug] 3418#0: *2 http script var: "/var/www"
2015/09/08 12:22:06 [debug] 3418#0: *2 http script var: "/index.php"
2015/09/08 12:22:06 [debug] 3418#0: *2 http script copy: ""
2015/09/08 12:22:06 [debug] 3418#0: *2 http script file op 0000000000000001 "/var/www/index.php"
2015/09/08 12:22:06 [debug] 3418#0: *2 http script file op false
2015/09/08 12:22:06 [debug] 3418#0: *2 http script if
2015/09/08 12:22:06 [debug] 3418#0: *2 http script if: false
2015/09/08 12:22:06 [debug] 3418#0: *2 post rewrite phase: 4
2015/09/08 12:22:06 [debug] 3418#0: *2 generic phase: 5
2015/09/08 12:22:06 [debug] 3418#0: *2 generic phase: 6
2015/09/08 12:22:06 [debug] 3418#0: *2 generic phase: 7
2015/09/08 12:22:06 [debug] 3418#0: *2 access phase: 8
2015/09/08 12:22:06 [debug] 3418#0: *2 SSO auth handling IN: token.len=0, head=0, ret=401
2015/09/08 12:22:06 [debug] 3418#0: *2 Begin auth
2015/09/08 12:22:06 [debug] 3418#0: *2 Detect SPNEGO token
2015/09/08 12:22:06 [debug] 3418#0: *2 posix_memalign: 0000000001F98230:4096 @16
2015/09/08 12:22:06 [debug] 3418#0: *2 Token decoded: YIIF7AYGKwYBBQUCoIIF4DCCBdygJ... cut here ... tsswOKYx8DYnMU2EpMcOXQj0M
2015/09/08 12:22:06 [debug] 3418#0: *2 Client sent a reasonable Negotiate header
2015/09/08 12:22:06 [debug] 3418#0: *2 GSSAPI authorizing
2015/09/08 12:22:06 [debug] 3418#0: *2 Use keytab /etc/krb5.keytab
2015/09/08 12:22:06 [debug] 3418#0: *2 gss_accept_sec_context() failed: :
2015/09/08 12:22:06 [debug] 3418#0: *2 GSSAPI failed
2015/09/08 12:22:06 [debug] 3418#0: *2 http finalize request: 403, "/index.php?" a:1, c:1
2015/09/08 12:22:06 [debug] 3418#0: *2 http special response: 403, "/index.php?"
2015/09/08 12:22:06 [debug] 3418#0: *2 http set discard body
2015/09/08 12:22:06 [debug] 3418#0: *2 xslt filter header
2015/09/08 12:22:06 [debug] 3418#0: *2 HTTP/1.1 403 Forbidden
Server: nginx/1.2.1
Date: Tue, 08 Sep 2015 10:22:06 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

2015/09/08 12:22:06 [debug] 3418#0: *2 write new buf t:1 f:0 0000000001FA03F0, pos 0000000001FA03F0, size: 154 file: 0, size: 0
2015/09/08 12:22:06 [debug] 3418#0: *2 http write filter: l:0 f:0 s:154
2015/09/08 12:22:06 [debug] 3418#0: *2 http output filter "/index.php?"
2015/09/08 12:22:06 [debug] 3418#0: *2 http copy filter: "/index.php?"
2015/09/08 12:22:06 [debug] 3418#0: *2 image filter
2015/09/08 12:22:06 [debug] 3418#0: *2 xslt filter body
2015/09/08 12:22:06 [debug] 3418#0: *2 http postpone filter "/index.php?" 0000000001FA05B8
2015/09/08 12:22:06 [debug] 3418#0: *2 write old buf t:1 f:0 0000000001FA03F0, pos 0000000001FA03F0, size: 154 file: 0, size: 0
2015/09/08 12:22:06 [debug] 3418#0: *2 write new buf t:0 f:0 0000000000000000, pos 00000000006C17E0, size: 116 file: 0, size: 0
2015/09/08 12:22:06 [debug] 3418#0: *2 write new buf t:0 f:0 0000000000000000, pos 00000000006C11C0, size: 52 file: 0, size: 0
2015/09/08 12:22:06 [debug] 3418#0: *2 http write filter: l:1 f:0 s:322
2015/09/08 12:22:06 [debug] 3418#0: *2 http write filter limit 0
2015/09/08 12:22:06 [debug] 3418#0: *2 writev: 322
2015/09/08 12:22:06 [debug] 3418#0: *2 http write filter 0000000000000000
2015/09/08 12:22:06 [debug] 3418#0: *2 http copy filter: 0 "/index.php?"
2015/09/08 12:22:06 [debug] 3418#0: *2 http finalize request: 0, "/index.php?" a:1, c:1
2015/09/08 12:22:06 [debug] 3418#0: *2 set http keepalive handler
2015/09/08 12:22:06 [debug] 3418#0: *2 http close request
2015/09/08 12:22:06 [debug] 3418#0: *2 http log handler
2015/09/08 12:22:06 [debug] 3418#0: *2 free: 0000000001F9F660, unused: 104
2015/09/08 12:22:06 [debug] 3418#0: *2 free: 0000000001F98230, unused: 2426
2015/09/08 12:22:06 [debug] 3418#0: *2 event timer add: 12: 65000:1441707791720
2015/09/08 12:22:06 [debug] 3418#0: *2 free: 0000000001F9A730
2015/09/08 12:22:06 [debug] 3418#0: *2 free: 0000000001F99F70
2015/09/08 12:22:06 [debug] 3418#0: *2 hc free: 0000000000000000 0
2015/09/08 12:22:06 [debug] 3418#0: *2 hc busy: 0000000001FC28C0 1
2015/09/08 12:22:06 [debug] 3418#0: *2 free: 0000000001F96220
2015/09/08 12:22:06 [debug] 3418#0: *2 reusable connection: 1
2015/09/08 12:22:06 [debug] 3418#0: *2 post event 0000000001FE84C0
2015/09/08 12:22:06 [debug] 3418#0: *2 delete posted event 0000000001FE84C0
2015/09/08 12:22:06 [debug] 3418#0: *2 http keepalive handler
2015/09/08 12:22:06 [debug] 3418#0: *2 malloc: 0000000001F99F70:1024
2015/09/08 12:22:06 [debug] 3418#0: *2 recv: fd:12 -1 of 1024
2015/09/08 12:22:06 [debug] 3418#0: *2 recv() not ready (11: Resource temporarily unavailable)
2015/09/08 12:22:06 [debug] 3418#0: *2 post event 0000000001FE84C0
2015/09/08 12:22:06 [debug] 3418#0: *2 delete posted event 0000000001FE84C0
2015/09/08 12:22:06 [debug] 3418#0: *2 http keepalive handler
2015/09/08 12:22:06 [debug] 3418#0: *2 recv: fd:12 0 of 1024
2015/09/08 12:22:06 [info] 3418#0: *2 client XXX.YYY.ZZZ.68 closed keepalive connection
2015/09/08 12:22:06 [debug] 3418#0: *2 close http connection: 12
2015/09/08 12:22:06 [debug] 3418#0: *2 event timer del: 12: 1441707791720
2015/09/08 12:22:06 [debug] 3418#0: *2 reusable connection: 0
2015/09/08 12:22:06 [debug] 3418#0: *2 free: 0000000001F99F70
2015/09/08 12:22:06 [debug] 3418#0: *2 free: 0000000000000000
2015/09/08 12:22:06 [debug] 3418#0: *2 free: 0000000000000000
2015/09/08 12:22:06 [debug] 3418#0: *2 free: 0000000001F91D00, unused: 8
2015/09/08 12:22:06 [debug] 3418#0: *2 free: 0000000001FC2840, unused: 0

Nginx configuration:

SITE_NAME:/etc# cat /etc/nginx/sites-enabled/000-SITE_NAME.MY_REALM 
server {
#       listen   80; ## listen for ipv4; this line is default and implied
        server_name SITE_NAME.MY_REALM;
        root /var/www;
        index index.php;

        auth_gss on;
#       auth_gss_realm MY_REALM;
        auth_gss_keytab /etc/krb5.keytab;
#       auth_gss_service_name HTTP/SITE_NAME.MY_REALM;
#       auth_gss_service_name SITE_NAME.MY_REALM;
#       auth_gss_service_name HTTP;
        auth_gss_allow_basic_fallback off;
#       auth_gss_format_full off;

        error_log /var/log/nginx/debug.log debug;
        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.


        }

        location ~ [^/]\.php(/|$) {
                fastcgi_split_path_info ^(.+?\.php)(/.*)$;
                if (!-f $document_root$fastcgi_script_name) {
                        return 404;
                }

                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
        }
}

SITE_NAME:/etc#

Krb5 configuration:

SITE_NAME:/etc# cat /etc/krb5.conf 
[libdefaults]
        default_realm = MY_REALM
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96


[realms]
        MY_REALM = {
                kdc = 172.17.0.101 172.17.0.102 172.17.0.103 172.17.0.114 
                admin_server = 172.17.0.101 
        }

[domain_realm]
        MY_REALM = MY_REALM

[logging]
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5lib.log
SITE_NAME:/etc# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 01/01/70 01:00:00 HTTP/SITE_NAME.MY_REALM@MY_REALM
SITE_NAME:/etc# ls -la /etc/krb5.keytab
-rw------- 1 www-data root 81 Sep  8 12:12 /etc/krb5.keytab
SITE_NAME:/etc#

When in the nginx configuration I have the wrong host in auth_gss_service_name, I get the error: gss_acquire_cred() failed: : Used service principal: HTTP/SITE_NAME.MY_REALM@MY_REALM, client: XXX.YYY.ZZZ.68, server: SITE_NAME.MY_REALM, request: "GET /index.php HTTP/1.1", host: "SITE_NAME.MY_REALM"

I don't understand why I must write the hostname in auth_gss_service_name; when I have auth_gss_service_name HTTP, the logs say: Using service principal: HTTP@MY_REALM. Why doesn't this module add server_name automatically?

And why doesn't this work?

Nginx as a Kerberos Client?

I am relatively new to Kerberos and Nginx. I have a web application running with the browser configured to add the Kerberos ticket to the Authorization header. I have verified that the Kerberos ticket going into my Nginx reverse proxy matches the header in the request leaving the proxy, but I am getting a Kerberos related error when the request hits the Kerberos protected resource. The company that creates the protected resource has stated that under the current version they do not support a Kerberos client from behind a proxy...

So that is the background. I am wondering if this GitHub project would be a solution, but I do not understand what this nginx module does. Could you explain more? I have thought that if the Nginx reverse proxy could become a Kerberos client and request a ticket from the KDC, then this might solve my problem. Does this module support Nginx being a Kerberos client?

Thanks,
Matt

[Feature] Turn Off 401 Response

Would it be possible to have a failed SPNEGO get passed on to a web application (PHP/Ruby/etc) without returning a 401? That way I could have the web app handle the failure with its own auth system, rather than spit back a 401 for those who don't have SPNEGO by default (i.e. Firefox). I've got the fallback to basic auth turned off. I think this feature would be very useful. What do you think, @stnoonan?

GSS_S_CONTINUE_NEEDED is set in major_status returned from gss_accept_sec_context

This is a question. I have no idea why this happened. It shouldn't.

Configuration (set within a server directive):

        location / {
            proxy_set_header REMOTE_USER $remote_user;

            auth_gss on;
            auth_gss_realm EXAMPLE.COM;
            auth_gss_keytab /tmp/nginx/conf/httpd.keytab;
            auth_gss_service_name HTTP/hostname;

            root   html;
            index  index.html index.htm;
        }

Logs:

2015/03/27 16:24:06 [debug] 13557#0: *14 Begin auth
2015/03/27 16:24:06 [debug] 13557#0: *14 Detect basic auth
2015/03/27 16:24:06 [debug] 13557#0: *14 Detect SPNEGO token
2015/03/27 16:24:06 [debug] 13557#0: *14 posix_memalign: 0000000000BB57D0:4096 @16
2015/03/27 16:24:06 [debug] 13557#0: *14 Token decoded: YIID6Q...
2015/03/27 16:24:06 [debug] 13557#0: *14 Client sent a reasonable Negotiate header
2015/03/27 16:24:06 [debug] 13557#0: *14 GSSAPI authorizing
2015/03/27 16:24:06 [debug] 13557#0: *14 Use keytab /tmp/nginx/conf/httpd.keytab
2015/03/27 16:24:06 [debug] 13557#0: *14 Using service principal: HTTP/[email protected]
2015/03/27 16:24:06 [debug] 13557#0: *14 my_gss_name HTTP/[email protected]
2015/03/27 16:24:06 [debug] 13557#0: *14 only one authentication iteration allowed  <--
2015/03/27 16:24:06 [debug] 13557#0: *14 GSSAPI failed

Avoid 401 Round Trip

Hello,

I've been using this module in my DEV & QA environments and recently started rolling out to production as a part of my campaign to replace apache2 and it's working great so far, very pleased with this module overall.

I noticed in the logs, however, a pattern of an anonymous GET that returns 401 occurring before every (authenticated) request. Even though we're on a fast LAN network this seems wasteful. I'd like to reduce this if possible.

Apparently IIS has an option for reducing these roundtrips: http://blogs.msdn.com/b/saurabh_singh/archive/2010/01/06/case-study-are-you-seeing-401-s-too-often-for-http-web-requests.aspx

Is it possible for this module to do something similar? Although I am not sure how that option works under the hood. It sounds like Chrome is behaving correctly according to the spec to make sure the server wants authentication on every request. But maybe this module could store a mapping of client connections to authenticated usernames in order to avoid the repeat requests, so that anonymous requests on a previously authenticated connection don't need to make another 401 roundtrip?

Thanks.

Spurious `WWW-Authenticate: Basic`

Enabling auth_gss seems to have the side effect of adding an unwanted WWW-Authenticate: Basic realm="" header to the server's replies, in addition to the desired WWW-Authenticate: Negotiate header. Example reply headers from curl -v:

< HTTP/1.1 401 Unauthorized
< Server: nginx/1.5.2
< Date: Sat, 10 Aug 2013 15:16:28 GMT
< Content-Type: text/html
< Content-Length: 194
< Connection: keep-alive
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm=""

CENTOS 6.7 ./config not working

All dependencies are installed AFAIK, but ./config doesn't output anything. Makefile is not updated either. make runs, but make install errors with "make: *** No rule to make target 'install'. Stop."

Ideas?

Incomplete error message: gss_accept_sec_context() failed: :

I'm having severe difficulties which are likely my fault (I admit it up front), but the error message presented doesn't point to the proper resolution because it appears to be blank.

Steps to reproduce

  1. Create a Service Host Principal in Active Directory (2008)
  2. Create a keytab for that SP
  3. Transfer the keytab to the webserver
  4. Configure KRB on the web server
  5. Configure Nginx (built with the module support):

    server {
    ... CONFIG HERE ...
        auth_gss on;
        auth_gss_keytab /PATH/TO/KEYTAB;
        auth_gss_realm REALM.NAME.TLD;
        auth_gss_service_name HTTP/hostname.name.tld;
    }

  6. Test: klist -k -t works (creates a tgt entry in klist)
  7. Restart Nginx
  8. Access the web server using Firefox or Chrome with SPNEGO configured (trusted-uris)

Expected behavior

200 OK from server

Actual result

403 Forbidden

Log file contains:

2014/06/18 10:25:20 [debug] 18085#0: *1 Client sent a reasonable Negotiate header
2014/06/18 10:25:20 [debug] 18085#0: *1 GSSAPI authorizing
2014/06/18 10:25:20 [debug] 18085#0: *1 Use keytab /usr/local/nginx/conf/hr.keytab
2014/06/18 10:25:20 [debug] 18085#0: *1 Using service principal: HTTP/[email protected]
2014/06/18 10:25:20 [debug] 18085#0: *1 my_gss_name HTTP/[email protected]
2014/06/18 10:25:20 [debug] 18085#0: *1 gss_accept_sec_context() failed: :
2014/06/18 10:25:20 [debug] 18085#0: *1 GSSAPI failed
2014/06/18 10:25:20 [debug] 18085#0: *1 http finalize request: 403, "/?" a:1, c:1
2014/06/18 10:25:20 [debug] 18085#0: *1 http special response: 403, "/?"
2014/06/18 10:25:20 [debug] 18085#0: *1 http set discard body
2014/06/18 10:25:20 [debug] 18085#0: *1 HTTP/1.1 403 Forbidden

As you can see, the gss_accept_sec_context() fails and it looks as though an error should appear, but there's nothing there.

Can you fix it to display the error returned by the kerberos libraries? Thanks.

after set auth_gss on; nginx return 403 Forbidden

Hi, I created a server with this nginx module, and everything worked fine until somehow I started to get 403 Forbidden from my site.

I configured nginx with the --with-debug parameter and added logs to nginx.conf, but they didn't return any error; they are all set to debug level.

I checked the permissions on the krb5.conf and krb5.keytab files, and the permissions on all the files in nginx, and I don't have a clue.

Can anybody help?

Should support Basic fallback if client-offered negotiate mechanism is not supported

So I managed to finally track this down by comparing the behavior of an apache2 instance compared to nginx with this module:

In Apache2 land, when a client accepts the WWW-Authenticate: negotiate mechanism but offers an unsupported protocol, like NTLMSSP, apache2 returns 401 and then gives WWW-Authenticate: Basic realm="foo" as the ONLY option. User-Agents are then observed using the basic fallback, prompting users for a password, and once the user provides the password, the users are able to access the site.

However, this module has been observed returning 403 Forbidden when an unsupported negotiate mechanism is offered (such as NTLMSSP). This results in the user-agent immediately caching the credentials and then all further requests to the website immediately return 403 Forbidden. Technically this is in-spec: 403 Forbidden says that the credentials are correct, but don't have access.

I believe that the module should be more accommodating to clients offering poor negotiation mechanisms by performing the same behavior: dropping the negotiate header when clients cannot or will not use kerberos.
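
The threads above about the spurious Basic challenge, the Basic fallback and NTLM-only clients all hinge on one decision a Negotiate front end must make before it calls GSSAPI: what did the client actually put in its Authorization header? The following is an added example, not code from the module or from any poster, that reads just enough of the token to answer that and derives the WWW-Authenticate challenge from the answer. The mechanism OIDs are the standard ones (RFC 4178 SPNEGO, RFC 1964 and Microsoft Kerberos, NTLMSSP); the sample tokens at the end are constructed here with a dummy mechToken and are not real tickets; the 400/401 choices in challenge() are this example's own policy, not the module's.

```python
"""Classify an Authorization header before it reaches GSSAPI: Kerberos, NTLM
only (SPNEGO-wrapped or raw), Basic, or junk. DER parsing is kept minimal."""
import base64
SPNEGO = "1.3.6.1.5.5.2"
KRB5 = "1.2.840.113554.1.2.2"
MS_KRB5 = "1.2.840.48018.1.2.2"
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_MECHS = {KRB5, MS_KRB5}
OID_DER = {                                  # DER contents of the OIDs above
    SPNEGO: bytes.fromhex("2b0601050502"),
    KRB5: bytes.fromhex("2a864886f712010202"),
    MS_KRB5: bytes.fromhex("2a864882f712010202"),
    NTLMSSP: bytes.fromhex("2b06010401823702020a"),
}

def _tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos] -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _oid(value):
    """Decode DER OID contents to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def offered_mechs(token):
    """Mechanism OIDs a client token offers: raw NTLMSSP, a bare Kerberos
    InitialContextToken (RFC 2743 3.1) or SPNEGO NegTokenInit (RFC 4178)."""
    if token.startswith(b"NTLMSSP\x00"):
        return [NTLMSSP]
    tag, body, _ = _tlv(token, 0)            # [APPLICATION 0] InitialContextToken
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    _, mech, pos = _tlv(body, 0)             # thisMech OID
    mech = _oid(mech)
    if mech in KERBEROS_MECHS:
        return [mech]
    if mech != SPNEGO:
        raise ValueError("unsupported mechanism " + mech)
    tag, neg_init, _ = _tlv(body, pos)       # [0] NegTokenInit
    _, seq, _ = _tlv(neg_init, 0)            # SEQUENCE { mechTypes [0], ... }
    tag2, mech_list, _ = _tlv(seq, 0)
    if tag != 0xA0 or tag2 != 0xA0:
        raise ValueError("expected NegTokenInit with mechTypes")
    _, oids, _ = _tlv(mech_list, 0)          # SEQUENCE OF MechType
    out, pos = [], 0
    while pos < len(oids):
        _, val, pos = _tlv(oids, pos)
        out.append(_oid(val))
    return out

def classify(authorization):
    """'none', 'basic', 'kerberos', 'ntlm-only', 'malformed' or 'unsupported'."""
    if authorization is None:
        return "none"
    scheme, _, rest = authorization.partition(" ")
    if scheme.lower() != "negotiate":
        return "basic" if scheme.lower() == "basic" else "unsupported"
    try:
        mechs = offered_mechs(base64.b64decode(rest.strip(), validate=True))
    except (ValueError, IndexError):         # binascii.Error is a ValueError
        return "malformed"
    return "kerberos" if KERBEROS_MECHS & set(mechs) else "ntlm-only"

def challenge(category, allow_basic, realm="example"):
    """(status, WWW-Authenticate values) to send now, or None to proceed to
    gss_accept_sec_context() / the Basic password check."""
    basic = 'Basic realm="%s"' % realm
    if category == "kerberos" or (category == "basic" and allow_basic):
        return None
    if category == "malformed":
        return 400, []
    if category == "ntlm-only" and allow_basic:
        return 401, [basic]                  # drop Negotiate: client cannot do Kerberos
    return 401, ["Negotiate"] + ([basic] if allow_basic else [])

def _der(tag, content):                      # short-form lengths suffice for samples
    return bytes([tag, len(content)]) + content

def spnego_token(mechs, mech_token=b"\x00"):
    """Constructed NegTokenInit offering `mechs`, wrapped as an InitialContextToken."""
    mech_types = _der(0xA0, _der(0x30, b"".join(_der(0x06, OID_DER[m]) for m in mechs)))
    neg_init = _der(0x30, mech_types + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, _der(0x06, OID_DER[SPNEGO]) + _der(0xA0, neg_init))

def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")

KERB_HDR = negotiate_header(spnego_token([MS_KRB5, KRB5, NTLMSSP]))  # Windows/curl style
NTLM_HDR = negotiate_header(spnego_token([NTLMSSP]))                  # client that only has NTLM
```

Feed classify() the raw header value: "kerberos" means hand the token to gss_accept_sec_context(); "ntlm-only" with Basic enabled means answer 401 with Basic alone, which is the Apache behaviour described above and makes the browser prompt rather than cache a 403; with Basic disabled there is nothing the client can succeed with, so the example keeps answering 401 Negotiate instead of 403. Because this inspection happens before any GSSAPI call, it also tells you when the "Basic realm" challenge is wanted at all, rather than attaching it to every 401.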

Unauthorized user returns 401 rather than 403

Specifically, in the case where basic fallback is disabled and we are using an authorized principal list. This should legitimately return a 403, which will make the Chrome/IE on Windows experience a bit more pleasant.

What should we do in the case where basic fallback is enabled?

Add custom fallback if client does not support negotiate (SPNEGO Token)

In my application, I want to support both login via a login page form or SPNEGO.

If the client supports SPNEGO, I use this module and log them in via the 'remote-user' attribute.
If the client does not support negotiation, then instead of enabling 'basic auth fallback', I would rather just have the user still go to the root page, but my application would render the sign_in page, as the 'remote_user' attribute would be nil. I do not want to render the basic auth 'pop-up'.

I'm unable to achieve my desired outcome. I tried to modify this module by changing NGX_DECLINED to return NGX_OK. Then I thought I would achieve my outcome, as it would return OK in both cases. This causes the client to never attempt SPNEGO; the client always goes to the index page. It seems like each GET / request results in two requests, i.e. 401 and then WWW-Negotiate.

Any ideas on how I can achieve my desired outcome and have support for both?

    ngx_str_t *token_out_b64 = NULL;
    switch(ret) {
        case NGX_DECLINED: /* DECLINED, but not yet FORBIDDEN */
            //ctx->ret = NGX_HTTP_UNAUTHORIZED;
            ctx->ret = NGX_OK; //lets 
            break;
        case NGX_OK:
            ctx->ret = NGX_OK;
            token_out_b64 = &ctx->token_out_b64;
            break;
        case NGX_ERROR:
        default:
            ctx->ret = NGX_HTTP_INTERNAL_SERVER_ERROR;
            break;
    }

SLES 11 Install

Is it possible you can tell me what I need to install on SLES 11 SP2? I keep running into "com_err.h file or folder can't be found". I am missing something. I keep trying to match items up between the distros but figured I would just ask you. Thanks.

Version bump

Do you have a timeframe on when the next version is going to be tagged?
It would make packaging for a distribution a lot easier. Internally we use the latest git snapshot to build against nginx, since 1.0.0 doesn't contain all the necessary features.

When adding module -> error unused variable "len"

error: unused variable ‘len’ [-Werror=unused-variable]

   spnego-http-auth-nginx-module-master/ngx_http_auth_spnego_module.c

spnego-http-auth-nginx-module-master/ngx_http_auth_spnego_module.c: In function ‘ngx_http_auth_spnego_basic’:
spnego-http-auth-nginx-module-master/ngx_http_auth_spnego_module.c:455:9: error: unused variable ‘len’ [-Werror=unused-variable]
int len;
^
cc1: all warnings being treated as errors
make[1]: *** [objs/addon/spnego-http-auth-nginx-module-master/ngx_http_auth_spnego_module.o] Error 1
make[1]: Leaving directory `/home/pglica/nginx-1.9.3'
make: *** [build] Error 2

Authorization: Negotiate fails on windows

Hi! I am trying to get the SPNEGO fallback working on Windows when there is no domain login. Currently everything works as it should; by everything I mean a user can log in using Chrome on OS X, and it also works when the user is logged on to the domain in Windows, but it somehow fails when the user isn't logged in as a domain user and Chrome and IE choose to use Authorization: Negotiate.

Here is a part of debug log:

2015/01/12 21:09:17 [debug] 5499#0: *28 Begin auth
2015/01/12 21:09:17 [debug] 5499#0: *28 Detect basic auth
2015/01/12 21:09:17 [debug] 5499#0: *28 Detect SPNEGO token
2015/01/12 21:09:17 [debug] 5499#0: *28 Token decoded: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==
2015/01/12 21:09:17 [debug] 5499#0: *28 Client sent a reasonable Negotiate header
2015/01/12 21:09:17 [debug] 5499#0: *28 GSSAPI authorizing
2015/01/12 21:09:17 [debug] 5499#0: *28 Use keytab /etc/nginx/global/http_ad.keytab
2015/01/12 21:09:17 [debug] 5499#0: *28 gss_accept_sec_context() failed: Unknown error:
2015/01/12 21:09:17 [debug] 5499#0: *28 GSSAPI failed

Btw, this is really great module, thanks for making it.

nginx 1.8.0 403 forbidden, gss_accept_sec_context() failed: :

Hello,
kinit works ok with our context:

root@messaging02:~# kinit -5 -V -k -t /etc/krb5.keytab HTTP/<FQDN-Removed>
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/<FQDN-Removed<@<REALM-Removed>
Using keytab: /etc/krb5.keytab
Authenticated to Kerberos v5

However, in nginx it fails and gives the user a 403.
I have verified all configurations, generated a new keytab file, checked permissions on the keytab (tried 640 and even 777, owner root:www-data), and made sure we followed the guide in the readme.

/etc/krb5.conf:

[libdefaults]
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    default_keytab_name  = FILE:/etc/krb5.keytab
    default_realm        = <REALM-Removed>
    ticket_lifetime      = 24h
    kdc_timesync         = 1
    ccache_type          = 4
    forwardable          = false
    proxiable            = false

  [realms]
    <REALM-Removed> = {
        kdc            = <AD DC 1 - Removed>:88
        kdc            = <AD DC 2 - Removed>:88
        kdc            = <AD DC 3 - Removed>:88
        admin_server   = <AD DC 1 - Removed>
        default_domain = <Domain FQDN Removed>
    }

  [domain_realm]
    .<domain-removed> = <REALM-Removed>
    <domain-removed>  = <REALM-Removed>

/etc/nginx/sites-enabled/myconf.conf:

<truncated>
location /client {
        alias /usr/share/nginx/site;

        auth_gss on;
        auth_gss_realm <REALM-Removed>;
        auth_gss_keytab /etc/krb5.keytab;
        auth_gss_service_name HTTP/<FQDN-Removed>;
        auth_gss_allow_basic_fallback off;

Error.log (auth part):

2016/04/07 09:47:11 [debug] 3676#0: *24030 Begin auth
2016/04/07 09:47:11 [debug] 3676#0: *24030 Detect SPNEGO token
2016/04/07 09:47:11 [debug] 3676#0: *24030 Token decoded: <Removed Data>
2016/04/07 09:47:11 [debug] 3676#0: *24030 Client sent a reasonable Negotiate header
2016/04/07 09:47:11 [debug] 3676#0: *24030 GSSAPI authorizing
2016/04/07 09:47:11 [debug] 3676#0: *24030 Use keytab /etc/krb5.keytab
2016/04/07 09:47:11 [debug] 3676#0: *24030 Using service principal: HTTP/<FQDN-REMOVED>@<REALM-REMOVED>
2016/04/07 09:47:11 [debug] 3676#0: *24030 my_gss_name HTTP/<FQDN-REMOED>@<REALM-REMOVED>
2016/04/07 09:47:11 [debug] 3676#0: *24030 gss_accept_sec_context() failed: :
2016/04/07 09:47:11 [debug] 3676#0: *24030 GSSAPI failed
2016/04/07 09:47:11 [debug] 3676#0: *24030 http finalize request: 403, "/client?" a:1, c:1
2016/04/07 09:47:11 [debug] 3676#0: *24030 http special response: 403, "/client?"
2016/04/07 09:47:11 [debug] 3676#0: *24030 http set discard body
2016/04/07 09:47:11 [debug] 3676#0: *24030 xslt filter header
2016/04/07 09:47:11 [debug] 3676#0: *24030 HTTP/1.1 403 Forbidden
Server: nginx/1.8.0

Why does "gss_accept_sec_context() failed" not return additional error info? How can I troubleshoot it? Am I missing something?
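The Basic-fallback thread, the "Authorization: Negotiate fails on windows" thread and the 403 thread just above all turn on the same question: what mechanism is actually inside the token the browser put in the Negotiate header? The Windows log quotes a decoded token beginning with "TlRMTVNTUAAB", which is base64 for the bytes "NTLMSSP\0\x01", i.e. an NTLM Type 1 message rather than a Kerberos or SPNEGO token, which is exactly the case a keytab-only acceptor cannot handle. The following is an added example, not code from spnego-http-auth-nginx-module or from any of the people in these threads. It decodes a Negotiate token, names the mechanism by its leading signature or GSS-API mechanism OID, applies the Apache-style fallback decision described in the Basic-fallback thread, and groups nginx debug-log lines by connection id to explain each "GSSAPI failed". The function names, the realm EXAMPLE.COM and the sample log (assembled from the excerpts quoted in the threads, with the redacted token left redacted) are all assumptions of this example.

```python
"""Classify "Authorization: Negotiate" tokens and diagnose nginx debug logs.

Added example, not part of spnego-http-auth-nginx-module. Function names,
the realm and the sample log below are constructed for illustration.
"""
from __future__ import annotations

import base64
import re

# DER-encoded mechanism OIDs as they appear right after the [APPLICATION 0]
# tag and length of a GSS-API InitialContextToken (RFC 2743, section 3.1).
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                      # raw NTLM message header

GSS_MECHS = ("spnego", "kerberos", "ms-kerberos")

# Constructed from the debug excerpts quoted in the issues above.
SAMPLE_LOG = [
    "2015/01/12 21:09:17 [debug] 5499#0: *28 Begin auth",
    "2015/01/12 21:09:17 [debug] 5499#0: *28 Detect SPNEGO token",
    "2015/01/12 21:09:17 [debug] 5499#0: *28 Token decoded: "
    "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==",
    "2015/01/12 21:09:17 [debug] 5499#0: *28 GSSAPI authorizing",
    "2015/01/12 21:09:17 [debug] 5499#0: *28 Use keytab /etc/nginx/global/http_ad.keytab",
    "2015/01/12 21:09:17 [debug] 5499#0: *28 gss_accept_sec_context() failed: Unknown error:",
    "2015/01/12 21:09:17 [debug] 5499#0: *28 GSSAPI failed",
    "2016/04/07 09:47:11 [debug] 3676#0: *24030 Begin auth",
    "2016/04/07 09:47:11 [debug] 3676#0: *24030 Token decoded: <Removed Data>",
    "2016/04/07 09:47:11 [debug] 3676#0: *24030 Use keytab /etc/krb5.keytab",
    "2016/04/07 09:47:11 [debug] 3676#0: *24030 gss_accept_sec_context() failed: :",
    "2016/04/07 09:47:11 [debug] 3676#0: *24030 GSSAPI failed",
    "Server: nginx/1.8.0",   # not a debug line; must be ignored by the parser
]

LOG_RE = re.compile(r"^\S+ \S+ \[debug\] \d+#\d+: \*(\d+) (.*)$")


def _skip_der_length(buf: bytes, pos: int) -> int:
    """Return the index just past the DER length field that starts at pos."""
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)


def classify_token(token_b64: str) -> str:
    """Name the mechanism in a base64 Negotiate token.

    Returns "ntlmssp", "spnego", "kerberos", "ms-kerberos" or "unknown".
    """
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except (ValueError, TypeError):
        return "unknown"                       # not even valid base64
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlmssp"                       # NTLM message, not a GSS token
    if not raw or raw[0] != 0x60:
        return "unknown"                       # no [APPLICATION 0] wrapper
    body = raw[_skip_der_length(raw, 1):]
    for oid, name in ((SPNEGO_OID, "spnego"), (KRB5_OID, "kerberos"),
                      (MS_KRB5_OID, "ms-kerberos")):
        if body.startswith(oid):
            return name
    return "unknown"


def respond_to_negotiate(token_b64: str, realm: str,
                         allow_basic: bool) -> tuple[int, list[str]]:
    """Apache-style decision described in the Basic-fallback thread.

    A GSS-API token is handed on to the acceptor (status 0 here stands for
    "call gss_accept_sec_context()"). Anything else gets a 401 whose only
    challenge is Basic, so the browser prompts instead of caching a 403.
    """
    if classify_token(token_b64) in GSS_MECHS:
        return 0, []
    challenges = ['Basic realm="%s"' % realm] if allow_basic else []
    return 401, challenges


def diagnose_debug_log(lines: list[str]) -> dict[str, str]:
    """Group debug lines by connection id and explain every GSSAPI failure."""
    per_conn: dict[str, list[str]] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            per_conn.setdefault(m.group(1), []).append(m.group(2))
    diagnoses: dict[str, str] = {}
    for conn, msgs in per_conn.items():
        if "GSSAPI failed" not in msgs:
            continue
        token = next((m[len("Token decoded: "):] for m in msgs
                      if m.startswith("Token decoded: ")), None)
        keytab = next((m[len("Use keytab "):] for m in msgs
                       if m.startswith("Use keytab ")), "<unknown>")
        mech = classify_token(token) if token else "unknown"
        if mech == "ntlmssp":
            diagnoses[conn] = ("client sent an NTLM message inside Negotiate; "
                               "a keytab-only acceptor cannot process it, so a "
                               "Basic fallback or a Kerberos-capable client is needed")
        elif mech in GSS_MECHS:
            diagnoses[conn] = (f"{mech} token rejected with keytab {keytab}; check "
                               "the service principal, its key version number and "
                               "encryption types against the KDC")
        else:
            diagnoses[conn] = "token redacted or unparseable; decode it to see the mechanism"
    return diagnoses


if __name__ == "__main__":
    for conn, why in diagnose_debug_log(SAMPLE_LOG).items():
        print(f"connection *{conn}: {why}")
```

Run against a real error.log, the `Token decoded:` line for a failing connection is the first thing to check: an `ntlmssp` classification means the browser never obtained a Kerberos ticket (no domain logon, wrong SPN, or the site not in the intranet zone), and no amount of keytab permission tweaking will change the result; a `kerberos` or `spnego` classification that still fails points at the keytab, the principal name or the enctypes. The 401-with-Basic-only response is what the Basic-fallback thread observed Apache doing; whether it is the right policy when `auth_gss_allow_basic_fallback off` is set is the open question in the "401 rather than 403" thread.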
