Help: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (Unknown code krb5 230

Ken Raeburn raeburn at MIT.EDU
Tue Feb 3 11:29:35 EST 2009


On Feb 3, 2009, at 11:15, Omair Sajid wrote:
> Detailed error message from apache error log, we are on red hat  
> enterprise 5
>
> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432): [client
> *.*.*.*] kerb_authenticate_user entered with user (NULL) and auth_type
> Kerberos
> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432):
> [client *.*.*.*] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1147):
> [client *.*.*.*] Acquiring creds for HTTP@*.*.*.*
> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1266):
> [client *.*.*.*] Verifying client data using KRB5 GSS-API
> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1282):
> [client *.*.*.*] Verification returned code 851968
> [Tue Feb 03 10:41:21 2009] [error] [client *.*.*.*]  
> gss_accept_sec_context()
> failed: Unspecified GSS failure.  Minor code may provide more  
> information
> (Unknown code krb5 230)

There may be some problem with initialization causing the error  
strings not to be accessible.  Error 230 in the krb5 table is  
KRB5_KT_KVNONOTFOUND, "Key version number for principal in key table  
is incorrect".  How did you set up the keytab file on the server?   
And, is the KDC for this realm an MIT KDC or Windows AD?  (If it's AD,  
I'm not familiar with the proper procedure for setting up a keytab for  
an application server running MIT code, but I'm sure others on this  
list are.)

Note that in the MIT code, the kadmin option for generating a keytab  
changes the key in the process, so if you ran it more than once (maybe  
on different machines?), then only the last one generated is going to  
be useful.

Also, check in case the client showing the problem has old credentials  
for the service cached using an earlier key version number and maybe  
the server only has a newer key; logging out and back in on the  
Windows box should avoid that problem.

Ken
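
An added example, not part of the original message or of the MIT Kerberos code: one way to check for the mismatch behind KRB5_KT_KVNONOTFOUND by comparing the key version numbers listed by `klist -k` with the one `kvno` prints for the service ticket. The function names, principal, keytab path and sample tool output are constructed for illustration, and the parsing assumes the plain MIT `klist -k` and `kvno` output layouts.

```shell
#!/bin/sh
# Added example: compare the key version numbers (kvno) a server keytab holds
# with the kvno of a service ticket. All sample text below is constructed.

# keytab_kvnos PRINCIPAL < `klist -k` output: distinct kvnos held, ascending.
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }' | sort -nu | paste -sd ' ' -
}

# ticket_kvno < `kvno` output ("principal: kvno = N"): prints N.
ticket_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# diagnose TICKET_KVNO [KEYTAB_KVNO...]: prints one verdict word.
diagnose() {
    t=$1; shift
    if [ $# -eq 0 ]; then echo no-keytab-entry; return 1; fi
    max=0
    for k in "$@"; do
        if [ "$k" -eq "$t" ]; then echo match; return 0; fi
        if [ "$k" -gt "$max" ]; then max=$k; fi
    done
    # Newer ticket: the key changed after this keytab was written.
    # Older ticket: it was issued under a key the server no longer holds.
    if [ "$t" -gt "$max" ]; then echo keytab-stale; else echo ticket-stale; fi
    return 1
}

# Constructed sample output (hypothetical host, realm and keytab path).
SAMPLE_KLIST='Keytab name: FILE:/tmp/example.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/www.example.com@EXAMPLE.COM
   3 HTTP/www.example.com@EXAMPLE.COM
   4 host/www.example.com@EXAMPLE.COM'
SAMPLE_KVNO='HTTP/www.example.com@EXAMPLE.COM: kvno = 5'

have=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvnos HTTP/www.example.com@EXAMPLE.COM)
want=$(printf '%s\n' "$SAMPLE_KVNO" | ticket_kvno)
# $have is left unquoted on purpose so each kvno becomes its own argument.
echo "keytab kvnos: $have; ticket kvno: $want; verdict: $(diagnose "$want" $have)"
```

On a live system the same functions take `klist -k <keytab>` and `kvno <service principal>` output on stdin in place of the constructed samples.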
