Using Kerberos and icingaweb2 local users simultaneously

Hi all,

I’m not very experienced with webservers (apache2), so please forgive me if this is a stupid question :slight_smile:

I have an Icinga setup where I have enabled Kerberos for the Icinga Web 2 login, thus users are automatically logged in when accessing the monitoring web interface.
Now I (or the customer) would like to enable a non-domain user (no ActiveDirectory account) to log in to Icinga Web 2.
Is this possible?

icingaweb2.conf (with kerberos):

Alias /icingaweb2 "/usr/share/icingaweb2/public"

<Directory "/usr/share/icingaweb2/public">
    Options SymLinksIfOwnerMatch
    AllowOverride None

    SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"

    EnableSendfile Off

    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteBase /icingaweb2/
        RewriteCond %{REQUEST_FILENAME} -s [OR]
        RewriteCond %{REQUEST_FILENAME} -l [OR]
        RewriteCond %{REQUEST_FILENAME} -d
        RewriteRule ^.*$ - [NC,L]
        RewriteRule ^.*$ index.php [NC,L]
    </IfModule>

    <IfModule !mod_rewrite.c>
        DirectoryIndex error_norewrite.html
        ErrorDocument 404 /error_norewrite.html
    </IfModule>
    AuthType Kerberos
    AuthName "SOMETHING Monitoring"
    KrbAuthRealms SOMETHING.DE
    KrbServiceName HTTP/monitoring-something.de
    Krb5Keytab /etc/apache2/keytabs/monitoring.keytab
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    require valid-user

</Directory>

A quick search suggested adding Satisfy any to the config.
This works, but disables the “auto-login”, so everyone has to enter the login credentials by hand.

Best regards,
logic :slight_smile:

There may be better options, though my first guess would be to create two different locations.

With Kerberos and autologin: /icingaweb2/let-me-in
Without: /icingaweb2/be-picky

That's how my customers do it.

Thank you both for the suggestion :slight_smile:
As I said, I’m not very experienced in the webserver stuff :blush: :blush:

So where would I put the <Location> tags?
I tried moving the whole Kerberos stuff to the default-ssl.conf in sites-enabled:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/html

        # Redirect to Subfolder icingaweb2
        RedirectMatch ^/$ /icingaweb2/

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on

        SSLCertificateFile    /etc/ssl/certs/SOMETHING.cer
        SSLCertificateKeyFile /etc/ssl/private/SOMETHING.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>

        <Location "/secure">
            AuthType Kerberos
            AuthName "SOMETHING Monitoring"
            KrbAuthRealms SOMETHING.DE
            KrbServiceName HTTP/monitoring-SOMETHING.de
            Krb5Keytab /etc/apache2/keytabs/monitoring.keytab
            KrbMethodNegotiate On
            KrbMethodK5Passwd On
            require valid-user
        </Location>
    </VirtualHost>
</IfModule>

But this “only” has the same effect as the stuff in my first post. I always get the Icinga Web 2 login page.
Do I need to create the location URLs? If yes, how :blush:?

I got it working :slight_smile:
Source/props to: https://www.jeffgeerling.com/blogs/jeff-geerling/apache-kerberos-authentication

Alias /icingaweb2 "/usr/share/icingaweb2/public"

<Directory "/usr/share/icingaweb2/public">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Order allow,deny
    Allow from All
    Deny from something.de internal-subnet1 internal-subnet2
    SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"

    EnableSendfile Off

    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteBase /icingaweb2/
        RewriteCond %{REQUEST_FILENAME} -s [OR]
        RewriteCond %{REQUEST_FILENAME} -l [OR]
        RewriteCond %{REQUEST_FILENAME} -d
        RewriteRule ^.*$ - [NC,L]
        RewriteRule ^.*$ index.php [NC,L]
    </IfModule>

    <IfModule !mod_rewrite.c>
        DirectoryIndex error_norewrite.html
        ErrorDocument 404 /error_norewrite.html
    </IfModule>
    # Kerberos Auth
    AuthType Kerberos
    AuthName "something Monitoring"
    KrbAuthRealms something.DE
    KrbServiceName HTTP/monitoring-something.de
    Krb5Keytab /etc/apache2/keytabs/monitoring.keytab
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbVerifyKDC on
    Require valid-user
    Satisfy any
</Directory>

The significant lines were:

    Order allow,deny
    Allow from All
    Deny from something.de internal-subnet1 internal-subnet2
    KrbMethodK5Passwd Off
    Require valid-user
    Satisfy any

This way I get the Icinga Web 2 login page when accessing the customer's monitoring from our external support system (S2S-VPN). When accessing from inside the customer's network/domain I am logged on via SSO.
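To make the mechanism of the final config explicit, here is an added model (not from this thread and not Apache's code) of how the 2.2-style "Order allow,deny / Allow from All / Deny from ... / Require valid-user / Satisfy any" combination decides per client. The networks and the domain name are constructed placeholders for the redacted values, and a hostname entry is modelled as matching only when Apache's double-reverse DNS lookup resolves the client into that domain.

```python
import ipaddress

# Constructed placeholders for the post's redacted "Deny from" entries.
DENY_ENTRIES = ["something.de", "10.10.0.0/16", "192.168.50.0/24"]
ALLOW_ENTRIES = ["All"]


def entry_matches(entry, client_ip, client_rdns):
    """True if one Allow/Deny entry matches the client.

    Apache resolves hostname entries with a double-reverse DNS lookup; if that
    lookup fails or does not match, the entry does not apply (client_rdns=None).
    """
    if entry.lower() == "all":
        return True
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass  # not an IP or CIDR entry, so treat it as a domain name
    if not client_rdns:
        return False
    return client_rdns == entry or client_rdns.endswith("." + entry)


def host_access_allowed(client_ip, client_rdns=None):
    """'Order allow,deny': granted only if an Allow matches and no Deny matches."""
    allowed = any(entry_matches(e, client_ip, client_rdns) for e in ALLOW_ENTRIES)
    denied = any(entry_matches(e, client_ip, client_rdns) for e in DENY_ENTRIES)
    return allowed and not denied


def login_path(client_ip, client_rdns=None, satisfy="any"):
    """What the client gets for /icingaweb2 with 'Require valid-user' in place.

    'Satisfy any': host access OR Kerberos is enough, so a client that passes
    the host check is never challenged and lands on the Icinga Web 2 login form;
    a denied (internal) client must authenticate, i.e. gets Kerberos SSO.
    'Satisfy all': host access AND Kerberos are both required.
    """
    access = host_access_allowed(client_ip, client_rdns)
    if satisfy == "any":
        return "icingaweb2-login" if access else "kerberos-sso"
    return "kerberos-sso" if access else "forbidden"
```

The domain-name case is the one to watch: a client inside the network whose reverse DNS does not resolve into the denied domain passes the host check and is shown the local login form instead of SSO, so CIDR entries are the more predictable choice.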
