Help: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (Unknown code krb5 230

Omair Sajid omair at omairsajid.com
Tue Feb 3 12:51:30 EST 2009


Hi Ken,

I have asked the domain admin to give me details on how the key was
generated; I will let you know once I have full details. Also, can you point me
to the krb5 error table from where you got the mapping for Error 230?
Because when I google it I get something different.
Also, if there is some problem with the keytab file then I assume that kinit
using this keytab should not work. If I do

kinit -k -t /usr/local/apache/conf/http_beren.krb5keytab HTTP/beren.grolmsnet.de

then it works fine. I only get the error when going through Apache.
Also, kinit user@*.* also works fine on the Red Hat machine.

I am new at this so please let me know if I am asking stupid questions
or am missing something basic :)



On Tue, Feb 3, 2009 at 9:29 PM, Ken Raeburn <raeburn at mit.edu> wrote:

> On Feb 3, 2009, at 11:15, Omair Sajid wrote:
>
>> Detailed error message from the Apache error log; we are on Red Hat Enterprise
>> 5
>>
>> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432): [client
>> *.*.*.*] kerb_authenticate_user entered with user (NULL) and auth_type
>> Kerberos
>> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432):
>> [client *.*.*.*] kerb_authenticate_user entered with user (NULL) and
>> auth_type Kerberos
>> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1147):
>> [client *.*.*.*] Acquiring creds for HTTP@*.*.*.*
>> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1266):
>> [client *.*.*.*] Verifying client data using KRB5 GSS-API
>> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1282):
>> [client *.*.*.*] Verification returned code 851968
>> [Tue Feb 03 10:41:21 2009] [error] [client *.*.*.*]
>> gss_accept_sec_context()
>> failed: Unspecified GSS failure.  Minor code may provide more information
>> (Unknown code krb5 230)
>>
>
> There may be some problem with initialization causing the error strings not
> to be accessible.  Error 230 in the krb5 table is KRB5_KT_KVNONOTFOUND, "Key
> version number for principal in key table is incorrect".  How did you set up
> the keytab file on the server?  And, is the KDC for this realm an MIT KDC or
> Windows AD?  (If it's AD, I'm not familiar with the proper procedure for
> setting up a keytab for an application server running MIT code, but I'm sure
> others on this list are.)
>
> Note that in the MIT code, the kadmin option for generating a keytab
> changes the key in the process, so if you ran it more than once (maybe on
> different machines?), then only the last one generated is going to be
> useful.
>
> Also, check in case the client showing the problem has old credentials for
> the service cached using an earlier key version number and maybe the server
> only has a newer key; logging out and back in on the Windows box should
> avoid that problem.
>
> Ken
>


