Subject: Help needed on "Server not found in Kerberos Database" while using "mod_auth_kerb+Apache"
Keshav Prasad
keshavhs at rediffmail.com
Thu Jul 8 11:20:32 EDT 2004
Hi,
My Kerberos Setup is as follows-
Kerberos v5 Server- example.domain.com (Linux Box)
Kerberos Realm- EXAMPLE.COM
Registered User on Kerberos realm- test@EXAMPLE.COM
Apache Server(with mod_auth_kerb) can be accessed as:
http://apache.domain.com (Linux Box)
Now I have added a principal name- HTTP/apache.domain.com@EXAMPLE.COM
using the addprinc command. I have generated a keytab file for this
principal (using ktadd) and then transferred it to the Apache
Server(apache.domain.com). I have pointed to this keytab file in
.htaccess file.
Now when I try to access APACHE.DOMAIN.COM:80 through a browser(IE)
running on my desktop say CLIENT1.DOMAIN.COM, and give the proper
user credentials...it doesn't authenticate. When I look this up in the
Kerberos log file (krb5kdc.log) it gives the following messages...for
the event-
Jul 08 18:52:34 example.domain.com krb5kdc[9797](info): AS_REQ (6 etypes {18 16 23 1 3 2}) 192.168.200.27: ISSUE: authtime 1089292954, etypes {rep=16 tkt=16 ses=16}, test@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 08 18:52:34 example.domain.com krb5kdc[9797](info): TGS_REQ (6 etypes {18 16 23 1 3 2}) 192.168.200.27: UNKNOWN_SERVER: authtime 1089292954, test@EXAMPLE.COM for krbtgt/REALM1.COM@EXAMPLE.COM, Server not found in Kerberos database
Jul 08 18:52:34 example.domain.com krb5kdc[9797](info): TGS_REQ (6 etypes {18 16 23 1 3 2}) 192.168.200.27: UNKNOWN_SERVER: authtime 1089292954, test@EXAMPLE.COM for krbtgt/COM@EXAMPLE.COM, Server not found in Kerberos database
In the above data-
1. test@EXAMPLE.COM is the registered user.
2. 192.168.200.27 (apache.domain.com) is the Apache server machine
which is registered to the KDC as a service principal
(HTTP/apache.domain.com@EXAMPLE.COM)
3. The client machine (CLIENT1.DOMAIN.COM) running Internet Explorer
is not getting logged into the Kerberos log. The client is running
Windows 2000.
4. The htaccess has the following details:
AuthName "Kerberos Login"
AuthType Kerberos
Krb5Keytab /usr/krb5/Apache2/apache.keytab
KrbServiceName HTTP
KrbAuthRealm EXAMPLE.COM
KrbMethodNegotiate on
KrbAuthoritative on
KrbSaveCredentials off
KrbVerifyKDC on
Require valid-user
Can anyone please throw some light on this...
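
The log excerpt above can be read mechanically, as an added example that is not part of the original post: this Python sketch parses the three krb5kdc.log entries (rejoined onto single lines, with the archive's " at " written as "@") and reports which server principals the KDC was asked for. The function names and the report layout are assumptions made for this illustration.

```python
import re

# The three krb5kdc.log entries from the post, one entry per line.
SAMPLE_LOG = [
    "Jul 08 18:52:34 example.domain.com krb5kdc[9797](info): AS_REQ (6 etypes {18 16 23 1 3 2}) 192.168.200.27: ISSUE: authtime 1089292954, etypes {rep=16 tkt=16 ses=16}, test@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Jul 08 18:52:34 example.domain.com krb5kdc[9797](info): TGS_REQ (6 etypes {18 16 23 1 3 2}) 192.168.200.27: UNKNOWN_SERVER: authtime 1089292954, test@EXAMPLE.COM for krbtgt/REALM1.COM@EXAMPLE.COM, Server not found in Kerberos database",
    "Jul 08 18:52:34 example.domain.com krb5kdc[9797](info): TGS_REQ (6 etypes {18 16 23 1 3 2}) 192.168.200.27: UNKNOWN_SERVER: authtime 1089292954, test@EXAMPLE.COM for krbtgt/COM@EXAMPLE.COM, Server not found in Kerberos database",
]

# request type, requesting address, status, then "<client> for <server>"
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): .*?"
    r"(?P<client>\S+@\S+) for (?P<server>[^\s,]+)"
)

def parse_kdc_line(line):
    """Return the fields of one AS_REQ/TGS_REQ entry, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def is_cross_realm_tgt(server):
    """True for krbtgt/OTHER@REALM where OTHER differs from REALM."""
    name, _, realm = server.rpartition("@")
    first, _, instance = name.partition("/")
    return first == "krbtgt" and instance != realm

def summarize(lines, expected_spn):
    """Summarise which server principals were requested and which were unknown."""
    events = [e for e in map(parse_kdc_line, lines) if e]
    unknown = [e["server"] for e in events if e["status"] == "UNKNOWN_SERVER"]
    return {
        "spn_requested": any(e["server"] == expected_spn for e in events),
        "unknown_servers": unknown,
        "cross_realm_tgt_lookups": [s for s in unknown if is_cross_realm_tgt(s)],
        "sources": sorted({e["addr"] for e in events}),
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, "HTTP/apache.domain.com@EXAMPLE.COM")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On these entries the report shows that no request for HTTP/apache.domain.com@EXAMPLE.COM reached the KDC; both UNKNOWN_SERVER entries are requests for cross-realm krbtgt principals, all from 192.168.200.27.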