Closed
Hello! I have three servers. Two of them are Apache, and the third is PostgreSQL. I need to set up S4U2Proxy on Apache. The second Apache must authenticate to PostgreSQL with GSS as a client.
Constrained delegation does not work. Please tell me, what am I doing wrong?
First Apache config file:
```apache
<Directory "${PATH_TO_WEB}/">
    AuthType GSSAPI
    # Offer only the Kerberos mechanism to clients
    GssapiAllowedMech krb5
    # Constrained delegation: acquire tickets to back-end services on the user's behalf
    GssapiUseS4U2Proxy On
    # Server's own credentials: acceptor keytab, a ccache holding its TGT,
    # and the keytab used to obtain that TGT
    GssapiCredStore keytab:/etc/apache2/http.keytab
    GssapiCredStore ccache:DIR:/tmp/srvcache
    GssapiCredStore client_keytab:/etc/apache2/http.keytab
    # Directory where delegated credential caches are written
    GssapiDelegCcacheDir /tmp
    GssapiAcceptorName HTTP@fqdn-first-apache-server.com
    # S4U2Self (protocol transition): obtain a ticket for the authenticated user
    GssapiImpersonate On
    Options FollowSymLinks
    AllowOverride None
    Require valid-user
    # Apache 2.2-style access control (needs mod_access_compat on 2.4)
    Order allow,deny
    Allow from all
    FileETag None
    SetEnv no-gzip 1
    SetEnv dont-vary 1
    <FilesMatch "\.([^.]+)$">
        Header set Cache-Control "public, max-age=31536000" env=CACHEBLE
        Header unset Pragma
        Header unset ETag
        UnsetEnv CACHEBLE
    </FilesMatch>
    <FilesMatch "\.cache\.(js|html)$">
        Header set Cache-Control "public, max-age=31536000"
    </FilesMatch>
</Directory>
```
Second Apache config file:
```apache
<Location />
    AuthType GSSAPI
    # Constrained delegation towards PostgreSQL on the user's behalf
    GssapiUseS4U2Proxy On
    GssapiAllowedMech krb5
    # Server's own credentials: acceptor keytab, ccache for its TGT, keytab to obtain it
    GssapiCredStore keytab:/etc/apache2/http.keytab
    GssapiCredStore ccache:DIR:/tmp/srvcache
    GssapiCredStore client_keytab:/etc/apache2/http.keytab
    GssapiAcceptorName HTTP@fqdn-second-apache-server.com
    # Directory for delegated credential caches, one unique file per session
    GssapiDelegCcacheDir /tmp
    GssapiDelegCcacheUnique On
    # S4U2Self (protocol transition) for the authenticated user
    GssapiImpersonate On
    Options FollowSymLinks
    Require valid-user
</Location>
```
The following errors are observed in the logs of the first Apache:
```text
NO AUTH DATA Client did not send any authentication headers
GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate)]
```
Unconstrained delegation works without error.
Keytab file permissions are fine.
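The following is an added example and is not code from the issue or from the mod_auth_gssapi project. It parses Apache container blocks and checks the S4U2Proxy prerequisites the mod_auth_gssapi README documents as I recall them (a `GssapiDelegCcacheDir`, plus `ccache:` and `client_keytab:` entries in `GssapiCredStore` so the server can hold its own TGT), and adds one advisory of my own about placing delegated caches in `/tmp`. The first Apache config from the issue is embedded as one input; the second input is a constructed, deliberately incomplete block. Running it on the issue's config reports no documented-prerequisite violation, which points the search away from the module's config syntax and towards the KDC-side delegation setup.

```python
"""Lint mod_auth_gssapi S4U2Proxy prerequisites in Apache config text (added example)."""
import re
from collections import defaultdict

# Container open/close tags; directives are attributed to the innermost open container.
_OPEN = re.compile(r"^<(\w+)\b[^>]*>$")
_CLOSE = re.compile(r"^</(\w+)>$")

# Copied from the issue (first Apache server).
ISSUE_FIRST_APACHE = r"""
<Directory "${PATH_TO_WEB}/">
AuthType GSSAPI
GssapiAllowedMech krb5
GssapiUseS4U2Proxy On
GssapiCredStore keytab:/etc/apache2/http.keytab
GssapiCredStore ccache:DIR:/tmp/srvcache
GssapiCredStore client_keytab:/etc/apache2/http.keytab
GssapiDelegCcacheDir /tmp
GssapiAcceptorName HTTP@fqdn-first-apache-server.com
GssapiImpersonate On
Require valid-user
<FilesMatch "\.([^.]+)$">
Header unset ETag
</FilesMatch>
<FilesMatch "\.cache\.(js|html)$">
Header set Cache-Control "public, max-age=31536000"
</FilesMatch>
</Directory>
"""

# Constructed input: S4U2Proxy turned on without the supporting directives.
BROKEN_EXAMPLE = """
<Location /app>
AuthType GSSAPI
GssapiUseS4U2Proxy On
GssapiCredStore keytab:/etc/apache2/http.keytab
Require valid-user
</Location>
"""


def parse_containers(text):
    """Return one {"header", "directives"} dict per container, in order of appearance.
    Directive names are lowercased; repeated directives keep every value."""
    containers, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if _CLOSE.match(line):
            if stack:
                stack.pop()
        elif _OPEN.match(line):
            container = {"header": line, "directives": defaultdict(list)}
            containers.append(container)
            stack.append(container)
        elif stack:
            name, _, value = line.partition(" ")
            stack[-1]["directives"][name.lower()].append(value.strip())
    return containers


def lint_s4u2proxy(text):
    """Check every container with GssapiUseS4U2Proxy On.
    Returns (severity, container_header, message) tuples; severity is "error" or "advisory"."""
    findings = []
    for c in parse_containers(text):
        d = c["directives"]
        if not any(v.lower() == "on" for v in d.get("gssapiuses4u2proxy", [])):
            continue
        # GssapiCredStore entries look like "keytab:/path" or "ccache:DIR:/path".
        store = {}
        for entry in d.get("gssapicredstore", []):
            key, _, val = entry.partition(":")
            store[key.lower()] = val
        # Documented prerequisite: delegated credentials need a directory to land in.
        if "gssapidelegccachedir" not in d:
            findings.append(("error", c["header"],
                             "GssapiUseS4U2Proxy On requires GssapiDelegCcacheDir"))
        # Documented prerequisite: the server needs its own TGT in a ccache,
        # obtained from the client_keytab.
        for needed in ("ccache", "client_keytab"):
            if needed not in store:
                findings.append(("error", c["header"],
                                 f"GssapiCredStore lacks a '{needed}:' entry needed for S4U2Proxy"))
        # Advisory (my recommendation, not a documented requirement): keep per-user
        # delegated caches out of shared world-writable directories.
        for deleg_dir in d.get("gssapidelegccachedir", []):
            if deleg_dir.rstrip("/") in ("/tmp", "/var/tmp"):
                findings.append(("advisory", c["header"],
                                 f"GssapiDelegCcacheDir {deleg_dir} is a shared world-writable "
                                 "directory; prefer a dedicated directory owned by the httpd user"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("issue config", ISSUE_FIRST_APACHE), ("broken example", BROKEN_EXAMPLE)):
        print(f"== {label}")
        for severity, header, msg in lint_s4u2proxy(cfg):
            print(f"{severity:9} {header}: {msg}")
```

Passing the issue's config through the linter yields only the `/tmp` advisory, so the directives the README requires for S4U2Proxy are all present; the constructed block, by contrast, trips all three prerequisite checks.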