Tags: nginx, kerberos, http-status-code-403, spnego

Kerberos Authentication NGINX in Linux Environment returns 403 Unauthorized


I'm trying to set up an nginx server (1.19.0) on Ubuntu (18.04) which uses the current version of spnego-http-auth-nginx-module.

I successfully built nginx with spnego module, and it works as expected without auth_gss enabled.

I set up my keytab file as stated in ifad's fork.

With this keytab file, when I run command

kinit -5 -V -k -t /usr/local/nginx/krb5.keytab HTTP/deneme.aaa.com

I successfully get the message

Using default cache: /tmp/krb5cc_1000
Using principal: HTTP/deneme.aaa.com@DOMAIN.COM.TR
Using keytab: krb5.keytab
Authenticated to Kerberos v5

and the klist -k krb5.keytab command shows

Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/deneme.aaa.com@DOMAIN.COM.TR
   6 HTTP/deneme.aaa.com@DOMAIN.COM.TR

user  root root;
worker_processes  1;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;

    # HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  deneme.aaa.com;

        ssl_certificate      /home/user/public.crt;
        ssl_certificate_key  /home/user/private.rsa;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        location / {
            root   html;
            index  index.html index.htm;
            auth_gss on;
            auth_gss_allow_basic_fallback off;
        }
    }
}

With the configuration above, when I hit the page https://deneme.aaa.com, I get a 403 unauthorized error without any login prompt. There are no logs in logs/error.log. In the access.log:

192.168.106.1 - - [24/Jun/2020:11:26:29 +0300] "GET / HTTP/1.1" 401 581 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36"
192.168.106.1 - - [24/Jun/2020:11:26:29 +0300] "GET / HTTP/1.1" 403 555 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36"

When I make

auth_gss_allow_basic_fallback on;

login prompt appears and with the correct credentials I can access the index page, but this is because basic authentication works.

When I hit the page from browser and run klist on the client machine I can see the Kerberos tickets are issued.

What could be the reason? Should I use the older version of nginx?

Kind regards


Solution

  • The keytab file includes principals created with AES256-SHA1 encryption. However, I forgot to check the "This account supports Kerberos AES 256 bit encryption" checkbox in Active Directory Users and Computers. So clients were trying to send RC4-HMAC encrypted Kerberos tickets to NGINX.

    Checking this option solved the problem.

    Hope this helps.
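A small check for the mismatch the answer describes, added here as an example and not the poster's own code: it parses constructed `klist -e -k` (keytab) and client `klist -e` listings in MIT Kerberos format and reports any service ticket encrypted with an enctype the keytab holds no key for, which is the state that produced the 403 above.

```python
import re

# Constructed sample of `klist -e -k krb5.keytab` output (MIT format), not from the post.
KEYTAB_LISTING = """\
Keytab name: FILE:krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   4 host/deneme.aaa.com@DOMAIN.COM.TR (aes256-cts-hmac-sha1-96)
   6 HTTP/deneme.aaa.com@DOMAIN.COM.TR (aes256-cts-hmac-sha1-96)
"""

# Constructed sample of `klist -e` on the client after the browser fetched the page.
# The second value after "Etype (skey, tkt):" is the enctype the ticket itself is
# encrypted with, i.e. the key type the nginx keytab must hold for that principal.
CLIENT_LISTING = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Valid starting       Expires              Service principal
06/24/2020 11:26:29  06/24/2020 21:26:29  krbtgt/DOMAIN.COM.TR@DOMAIN.COM.TR
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/24/2020 11:26:29  06/24/2020 21:26:29  HTTP/deneme.aaa.com@DOMAIN.COM.TR
\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac
"""

KEYTAB_RE = re.compile(r"^\s*\d+\s+(\S+)\s+\((\S+)\)\s*$")
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\): \S+, (\S+)\s*$")


def parse_keytab(text):
    """Map each principal in the keytab to the set of enctypes it has keys for."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            keys.setdefault(m.group(1), set()).add(m.group(2))
    return keys


def parse_client_tickets(text):
    """Map each service principal to the enctype its ticket was encrypted with."""
    tickets, lines = {}, text.splitlines()
    for i, line in enumerate(lines[1:], start=1):
        m = ETYPE_RE.match(line)
        if m:  # the Etype line always follows the ticket line it describes
            tickets[lines[i - 1].split()[-1]] = m.group(1)
    return tickets


def find_mismatches(keytab_text, client_text):
    """Return (principal, ticket_enctype, keytab_enctypes) for tickets nginx cannot decrypt."""
    keys = parse_keytab(keytab_text)
    return [(p, etype, sorted(keys[p]))
            for p, etype in parse_client_tickets(client_text).items()
            if p in keys and etype not in keys[p]]
```

Principals the keytab does not contain (such as the krbtgt TGT) are ignored; an empty result means every service ticket the client holds can be decrypted with a key in the keytab.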