Constrained delegation GssapiUseS4U2Proxy

[harthurd]

Hello! I have three servers. Two of them are Apache, and the third -
PostgreSQL. I need to set up a S4U2Proxy on Apache. The second apache must authenticate with gss in PostgreSQL as a client.
Constrained delegation does not work. Tell me, please, what am I doing wrong?
First Apache config file:

<Directory "${PATH_TO_WEB}/">
    AuthType GSSAPI
    GssapiAllowedMech krb5
    GssapiUseS4U2Proxy On
    GssapiCredStore keytab:/etc/apache2/http.keytab
    GssapiCredStore ccache:DIR:/tmp/srvcache
    GssapiCredStore client_keytab:/etc/apache2/http.keytab
    GssapiDelegCcacheDir /tmp
    GssapiAcceptorName [email protected]
    GssapiImpersonate On
    Options FollowSymLinks
    AllowOverride None
    Require valid-user
    Order allow,deny
    Allow from all
    FileETag None
    SetEnv no-gzip 1
    SetEnv dont-vary 1
    <FilesMatch "\.([^.]+)$">
        Header set Cache-Control "public, max-age=31536000" env=CACHEBLE
        Header unset Pragma
        Header unset ETag
        UnsetEnv CACHEBLE
    </FilesMatch>
    <FilesMatch "\.cache\.(js|html)$">
        Header set Cache-Control "public, max-age=31536000"
    </FilesMatch>
  </Directory>

Second Apache config file:

<Location />
  AuthType GSSAPI
  GssapiUseS4U2Proxy On
  GssapiAllowedMech krb5
  GssapiCredStore keytab:/etc/apache2/http.keytab
  GssapiCredStore ccache:DIR:/tmp/srvcache
  GssapiCredStore client_keytab:/etc/apache2/http.keytab
  GssapiAcceptorName [email protected]
  GssapiDelegCcacheDir /tmp
  GssapiDelegCcacheUnique On
  GssapiImpersonate On  
  Options FollowSymLinks
  Require valid-user
</Location>

The following errors are observed in the logs of the first Apache:
NO AUTH DATA Client did not send any authentication headers and GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate)]

Unlimited delegation works without error.
Keytab file permissions are fine.

[simo5]

Sorry but there isn't enough information here to understand what you are trying to do.
What the error says is that your client is not authenticating to the HTTP server.

However it is not clear to me if you want to use the client token to authenticate to postgres or if the auth to postgres is unrelated and should happen with the apache keytab.