[solved] Problems with authad, kerberos, sso
frmenke #1
Member since Jul 2011 · 4 posts
Group memberships: Members
If I enable SSO with authad and Kerberos I get "Access denied". With SSO disabled and "normal" login I have access.

Without SSO, in the line "logged in as" you can see displayname(samaccountname).
With SSO, in the line "logged in as" you can see samaccountname(samaccountname). ???

What could cause this behaviour? I tried many things and Googled the whole day, but without luck.

This is my Config:
DokuWiki 2013-12-08 "Binky"

Apache2-Config:

<Directory "/srv/www/iwiki">
  Options Indexes FollowSymLinks MultiViews
  AllowOverride All
  Order allow,deny
  allow from all

  # Kerberos Auth
  AuthType Kerberos
  AuthName "WIKI Login"
  KrbAuthRealms DOMAIN.LOCAL
  KrbServiceName HTTP/wiki.domain.local@DOMAIN.LOCAL
  Krb5Keytab /etc/apache2/conf/dokuwiki.HTTP.keytab
  KrbMethodNegotiate on
  KrbMethodK5Passwd on
  KrbLocalUserMapping on
  require valid-user
</Directory>


DokuWiki-Config:

// general DokuWiki options
$conf['useacl'] = 1;
$conf['authtype'] = 'authad';
$conf['disableactions'] = 'register,profile,index';

// configure your Active Directory data here

$conf['superuser'] = '@wiki_admin';
$conf['manager'] = '@wiki_manager';

$conf['plugin']['authad']['account_suffix'] = '@domain.local';
$conf['plugin']['authad']['base_dn'] = 'DC=DOMAIN,DC=local';
$conf['plugin']['authad']['domain_controllers'] = 'dc1.domain.local,dc2.domain.local';
$conf['plugin']['authad']['sso'] = 1;


From a ?do=check with SSO I get:

No ACL setup yet! Denying access to everyone.
PHP version 5.3.10-1ubuntu3.9
More than 32MB RAM (134217728 bytes) available.
Changelog is writable
conf directory is writable
mb_string extension is available and will be used
Your locale C seems not to be a UTF-8 locale, you should fix this if you encounter problems.
Debugging support is disabled
You are currently logged in as user(user)
You are part of the groups
Your current permission for this page is 0
The current page is writable by the webserver
The current page is not writable by you
The search index seems to be working

There are no groups listed, so with SSO DokuWiki can't get the permissions by the groups.

Please help me, I'm lost.

EDIT: I forgot the config of the OS and webserver:

OS: Ubuntu Server 12.04
Webserver: Apache 2.2.22

krb5.conf:

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = DOMAIN.LOCAL
  ticket_lifetime = 24h
  forwardable = yes
   
[realms]
  DOMAIN.LOCAL = {
    kdc = dc1.domain.local
    kdc = dc2.domain.local
    admin_server = dc1.domain.local
    default_domain = domain.local
  }

[domain_realm]
  wiki.domain.local = DOMAIN.LOCAL
  .domain.local = DOMAIN.LOCAL
  domain.local = DOMAIN.LOCAL

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }
This post was edited 2 times, last on 2014-02-07, 14:07 by frmenke.
frmenke #2
Member since Jul 2011 · 4 posts
Group memberships: Members
I solved this. The problem was the missing / wrong $conf['plugin']['authad']['admin_username'] in local.protected.php. :rolleyes:

In my config the username had a domain like user@domain.com.

You have to write only the username without domain in this config!

Now it's all OK :-D

Maybe someone could insert this info in the documentation of authad?
struct #3
Member since Mar 2014 · 2 posts
Group memberships: Members
Hi frmenke.
I'm having some difficulty getting the SSO to work.
I tried copying your configs to see if I can reproduce your error.
However, DokuWiki always forces me to log in manually no matter what the settings are.
Here is my current config for the local.protected.php.

  $conf['useacl']         = 1;
  $conf['disableactions'] = 'register,resendpwd,profile,index';
  $conf['authtype']       = 'authad';

  // configure your Active Directory data here
  $conf['plugin']['authad']['account_suffix']     = '@domain.net';
  $conf['plugin']['authad']['base_dn']            = 'DC=DOMAIN,DC=NET';
  $conf['plugin']['authad']['domain_controllers'] = 'dc1.domain.net'; //multiple can be given

  $conf['plugin']['authad']['sso']                = 1;
  $conf['plugin']['authad']['admin_username']        = 'username';
  $conf['plugin']['authad']['admin_password']        = 'password';
  $conf['plugin']['authad']['real_primarygroup']  = 1;
  $conf['plugin']['authad']['use_ssl']            = 0; // Don't have ssl/tls options enabled at the same time.
  $conf['plugin']['authad']['use_tls']            = 1; // Only one of them.
  $conf['plugin']['authad']['debug']              = 1;
  $conf['plugin']['authad']['recursive_groups']   = 1; // If number of groups in AD is large switching to 0 will improve performance, but indirect membership will not work
  $conf['plugin']['authad']['additional']         = ''; // additional attributes to fetch
  // warn user about expiring password this many days in advance (in version 2012-03-10 and higher):
  $conf['plugin']['authad']['expirywarn']         = 5;
  $conf['plugin']['authad']['groupfilter']        = '(&(cn=*)(Member=%{dn})(objectClass=group))';

  $conf['superuser'] = '@DOMAIN-IT';

and Apache2 conf and Kerberos settings are almost identical to yours.

But when I go to see ?do=check, I get the following.

PHP version 5.3.10-1ubuntu3.9
More than 32MB RAM (134217728 bytes) available.
Changelog is writable
conf directory is writable
mb_string extension is available and will be used
Your locale C seems not to be a UTF-8 locale, you should fix this if you encounter problems.
Debugging support is disabled
You are currently not logged in
Your current permission for this page is 2
The current page is writable by the webserver
The current page is writable by you
The search index seems to be working

I'm not even getting your
"No ACL setup yet! Denying access to everyone."

Did I miss something? Please let me know and Thanks in advance!
frmenke #4
Member since Jul 2011 · 4 posts
Group memberships: Members
Hi struct,

did you check Kerberos with kinit/klist?

In your local.protected.php you should only have settings you really need to change and delete the others (e.g. $conf['plugin']['authad']['additional'] or $conf['plugin']['authad']['use_ssl']).

As far as I know, $conf['plugin']['authad']['groupfilter'] isn't an option for authad; it is for authldap.

Please check your ACL-setup. If your account or the group @DOMAIN-IT isn't set here you don't get logged in with SSO.
struct #5
Member since Mar 2014 · 2 posts
Group memberships: Members
Hi frmenke. Thanks for responding.

kinit/klist is working fine.

root@util:~# kinit struct@DOMAIN.NET
Password for struct@DOMAIN.NET:
root@util:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: struct@DOMAIN.NET

Valid starting    Expires           Service principal
07/03/2014 09:29  07/03/2014 19:30  krbtgt/DOMAIN.NET@DOMAIN.NET
        renew until 08/03/2014 09:29

I took out the groupfilter (probably this didn't do anything since I was only using AD) and other unnecessary settings.

Still doesn't do what I expect.

My account is in group @DOMAIN-IT and when I login manually, it does assign my account as superuser.
With all the changes, it still doesn't automatically log me in. Any other ideas?
frmenke #6
Member since Jul 2011 · 4 posts
Group memberships: Members
Hi struct,

what browser do you use? Did you configure your browser as mentioned in https://www.dokuwiki.org/plugin:authad ? So, for Firefox as an example, you have to configure the setting "network.negotiate-auth.trusted-uris" in "about:config".

Please post your local.php, maybe something there causes the problem.
dssouza #7
Member since May 2016 · 1 post
Group memberships: Members
In reply to post #5
I know this thread is old, and you probably already found a solution, but for people searching for this problem, I believe I have some useful information:

I was having the same problem, all the config was OK, kinit and klist were OK too, but SSO just didn't work. I checked the error log from apache (/var/log/httpd/error_log) and found a line like this:

[auth_kerb:error] [pid 18784] [client x.x.x.x:40662] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, Cannot find key for HTTP/wiki.domain.com@DOMAIN.COM kvno 9 in keytab)


when I performed klist -k /etc/httpd/conf/dokuwiki.HTTP.keytab, I got:

Keytab name: FILE:dokuwiki.HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 HTTP/wiki.domain.com@DOMAIN.COM


So, I realized the kvno in the error log didn't match the kvno in the keytab file. After this, I generated another keytab, this time specifying the -kvno 9 option to set the kvno to 9, and replaced the old keytab with this one, and it WORKED!

I don't understand much about Kerberos and how this whole procedure works, but this is currently working for me, so give it a try if you can.

Hope I can help someone with this.
FosseWay #8
Member since May 2016 · 118 posts · Location: Canada
Group memberships: Members
Like dssouza, I know this thread is old, but I too have just solved my Kerberos DokuWiki Apache SSO issue, and since this thread is somewhere I found early on in my quest, I hope my answer might help someone else one day.

After trying many, many things and doing literally hundreds of Google searches without making my DokuWiki authad Apache Kerberos SSO work...

I finally realized that my wiki server's canonical ANAME record in DNS didn't match what I had in my keytab; instead, the hostname specified in the keytab was provided by a DNS CNAME.

I changed the DNS record for my wiki server so that the ANAME was the exact same FQDN as specified in my keytab file, and as soon as the DNS update came through, clients were able to SSO. To be certain, I tested with a user/PC which had never logged into the wiki before, and they got straight in.

If changing DNS isn't practical, you could also try a new keytab file issued using the correct name, but for me the DNS change was simpler.

Edit: I should add that I figured this out after reading this useful guide to Kerberos setup I found on GitHub: https://gist.github.com/aaugustin/10715655

It has other useful info related to Kerberos SSO setup, and was easy for me to understand. Thanks aaugustin@GitHub  :-)
This post was edited on 2017-04-10, 18:16 by FosseWay.
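The two root causes found in posts #7 and #8 (a keytab whose KVNO is behind the KDC, and an SPN hostname that is not the server's canonical DNS name) can both be checked from text you already have. The script below is an added example, not code from this thread or from DokuWiki; it takes a pasted Apache error line and `klist -k` output (constructed here from the quotes above) and assumes the canonical hostname comes from a separate `dig`/`host` lookup.

```python
import re

# Constructed sample inputs, modelled on the outputs quoted in this thread.
APACHE_ERROR_LINE = (
    "[auth_kerb:error] [pid 18784] [client 192.0.2.10:40662] "
    "gss_accept_sec_context() failed: Unspecified GSS failure.  "
    "Minor code may provide more information "
    "(, Cannot find key for HTTP/wiki.domain.com@DOMAIN.COM kvno 9 in keytab)"
)
KLIST_K_OUTPUT = """Keytab name: FILE:dokuwiki.HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 HTTP/wiki.domain.com@DOMAIN.COM
"""

KEY_NOT_FOUND = re.compile(r"Cannot find key for (\S+) kvno (\d+) in keytab")
KEYTAB_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s*$", re.M)


def missing_key(log_line):
    """Return (principal, kvno) the service ticket was encrypted with, or None."""
    m = KEY_NOT_FOUND.search(log_line)
    return (m.group(1), int(m.group(2))) if m else None


def keytab_kvnos(klist_output):
    """Map each principal in `klist -k` output to the set of KVNOs the keytab holds."""
    kvnos = {}
    for kvno, principal in KEYTAB_ENTRY.findall(klist_output):
        kvnos.setdefault(principal, set()).add(int(kvno))
    return kvnos


def diagnose(log_line, klist_output, canonical_host):
    """List why SSO fails: SPN absent, KVNO behind the KDC, or SPN host != canonical DNS name."""
    findings = []
    kvnos = keytab_kvnos(klist_output)
    wanted = missing_key(log_line)
    if wanted:
        principal, kvno = wanted
        if principal not in kvnos:
            findings.append("principal %s is not in the keytab" % principal)
        elif kvno not in kvnos[principal]:
            findings.append("keytab holds kvno %s for %s but the KDC issued kvno %d; re-export the keytab"
                            % (sorted(kvnos[principal]), principal, kvno))
    for principal in kvnos:
        if "/" not in principal:          # only service principals carry a hostname
            continue
        host = principal.split("/", 1)[1].split("@", 1)[0]
        if host.lower() != canonical_host.lower():
            findings.append("SPN host %s differs from canonical DNS name %s (CNAME in use?)"
                            % (host, canonical_host))
    return findings
```

Run `diagnose(APACHE_ERROR_LINE, KLIST_K_OUTPUT, "wiki.domain.com")` to get the post #7 finding; pass the A-record name from your own DNS lookup to reproduce the post #8 case.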