No key table entry found matching

[lyrixx]

Hello,

I'm migration a legacy system from mod_kerberos to this module.

And when I try to authenticate, it fails from time to time:

>/home/gregoire clear ; for i in `seq 0 40` ; do curl -su 'gpineau:foobar'  http://foobar:8080/build/2.4956d9f2.js -I | grep HTTP ; done

HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 200 OK
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 200 OK
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 200 OK
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
HTTP/1.1 200 OK
HTTP/1.1 401 Unauthorized

In the log, I can read, only when it fails:

[Tue Jun 25 18:51:17.496746 2024] [auth_gssapi:error] [pid 103358] [client 127.0.0.1:40726] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [No credentials were supplied, or the credentials were unavailable or inaccessible (No key table entry found matching HTTP/prod-01-isy.prod.com@)]

When it success, there are nothing useful.

Apache Conf

<VirtualHost *:80>
   DocumentRoot /home/foobar/htdocs/isyapp.foobar.fr/current/public
   ServerName isyapp.foobar.fr

   <Directory "/home/foobar/htdocs/isyapp.foobar.fr/current/public">
      <If "%{THE_REQUEST} =~ m# /apiex/?#i">
         AuthType None
         AllowOverride None
         Order Allow,deny
         Allow from All
      </If>
      <Else>
         Options Indexes FollowSymLinks MultiViews

         # Help:
         # * https://docs.active-directory-wp.com/Networking/Single_Sign_On/Kerberos_SSO_with_Apache_on_Linux.html
         # * https://github.com/gssapi/mod_auth_gssapi

         AuthType GSSAPI
         AuthName "Kerberos authenticated intranet"
         GssapiCredStore keytab:/etc/kerberos.keytab

         # Only allow krb5 and ignore ntlmssp and iakerb
         GssapiAllowedMech krb5

         # We want to fallback to Basic Auth (linux user)
         GssapiBasicAuth On

         # Resolve remote's user into REMOTE_USER variable. Proper setting of [realms].auth_to_local in /etc/krb5.conf is required
         GssapiLocalName On
         GssapiNegotiateOnce On

         GssapiAcceptorName [email protected]

         GssapiUseSessions On
         Session On
         SessionCookieName gssapi_session path=/;httponly;

         Require valid-user
      </Else>

      <IfModule mod_rewrite.c>
         Options -MultiViews
         RewriteEngine On
         RewriteCond %{REQUEST_FILENAME} !-f
         RewriteRule ^(.*)$ index.php [QSA,L]
      </IfModule>
   </Directory>

   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
   CustomLog ${APACHE_LOG_DIR}/isyapp.foobar.fr.access.log combined
   ErrorLog  ${APACHE_LOG_DIR}/isyapp.foobar.fr.error.log
</VirtualHost>

/etc/krb5.conf

[libdefaults]
    default_realm = CER02.INTRA

    # The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

/etc/kerberos.keytab

root@p-02-webisy:/etc/apache2# ktutil
ktutil:  r
read_kt  read_st  rkt      rst
ktutil:  read_kt /etc/kerberos.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3        HTTP/[email protected]
   2    4     HTTP/[email protected]

---

To be honest, I really don't know kerberos or GSS API, but I tried many things...

I'm not sure, if it's the root issue, but I was not able to migrate the following config option

   KrbAuthRealms CER02.INTRA

[simo5]

Your configuration says the server name is:

ServerName isyapp.foobar.fr
...
GssapiAcceptorName [email protected]

And yet some client is trying to access it as HTTP/prod-01-isy.prod.com@

In your keytab you have no entry for that last name, yet if it is a krb principal alias in the KDC it could be made to work by adding the ignore_acceptor_hostname option in krb5.conf, see: man krb5.conf for details

If prod-01-isy.prod.com is not a principal alias in your KDC, then you have to fix your clients to not do canonicalization (which is insecure anyway).
Modern Linux clients set canonicalization off by default, I do not know what other OSs do exactly but I think both Windows and Mac should avoid it by default.
See the option dns_canonicalize_hostname in krb5.conf (https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html) <- this needs to be done on the clients not the server.

There isn't a direct replacement for KrbAuthRealms, if you have Realm Trusts and you want to allow users only from one specific realm I guess the only good option is to use GssapiLocalName to require user mapping and then trust those users, see the docs for the implications of using that option.
You already set this option, so I think you can just ignore that old setting from mod_auth_kerb.

[hecht-a]

Hello,

thanks, this solution worked 🎊