Problems with Service Key
Matt Joyce
syslists at vtsystems.com
Thu Mar 24 15:57:28 EST 2005
Hi All.... Here's a hopefully easy one to be fielded.
So I have a KDC... let's call him kdc.fqdn-example.com for a realm
suitably named realm.non-fqdn-example.com
And let's say I have a box called smellybox.fqdn-example.com.
Now I generated principals for smellybox on the kdc.... as follows.
host/smellybox.fqdn-example.com@realm.non-fqdn-example.com
HTTP/smellybox.fqdn-example.com@realm.non-fqdn-example.com
so I kinit... these guys work... swell....
hop into ktutil...
rkt /etc/example.keytab
list (looks good to me)
wkt /home/user/shiptosmellybox.keytab
then I scp that keytab to smellybox....
hop onto smellybox...
ktutil
rkt /home/user/shiptosmellybox.keytab
list (still there yay!)
wkt /etc/example.keytab
Sweet.
kinit... works... pimp.
Try to auth to mod_auth_kerb... and....
/var/log/krb5kdc.log reports
Mar 24 15:36:26 kdc.fqdn-example.com krb5kdc[2367](info): DISPATCH:
repeated (retransmitted?) request from 10.0.0.234 port 88, resending
previous response
Mar 24 15:36:26 kdc.fqdn-example.com krb5kdc[2367](info): TGS_REQ (3
etypes {16 3 1}) 10.0.0.234(88): ISSUE: authtime 1111696586, etypes
{rep=1 tkt=1 ses=1}, valid-principal@realm.non-fqdn-example.com for
HTTP/smellybox.fqdn-example.com@realm.non-fqdn-example.com
Looks good ...But...
/var/log/httpd/error.log-smellybox.fqdn-example.com
reads....
[Thu Mar 24 15:51:36 2005] [error] [client 10.0.0.107]
gss_accept_sec_context() failed: A token was invalid (Token header is
malformed or corrupt)
* This is probably SPNEGO-related bunk.
[Thu Mar 24 15:51:42 2005] [error] [client 10.0.0.107] failed to verify
krb5 credentials: Key version number for principal in key table is incorrect
[Thu Mar 24 15:51:42 2005] [error] [client 10.0.0.107] failed to verify
krb5 credentials: Key version number for principal in key table is incorrect
[Thu Mar 24 15:51:42 2005] [error] [client 10.0.0.107] failed to verify
krb5 credentials: Key version number for principal in key table is incorrect
Now someone want to tell me how something in this setup managed to fail
to verify a key version?
Anyone at all.... I am thinking I made a stupid mistake... I am just not
seeing it.
-Matt Joyce
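The ktutil round-trip above never shows the kvno of each entry, yet the kvno is exactly what mod_auth_kerb is complaining about. As an added example (not from the post and not MIT Kerberos code), here is a small parser for MIT-format 0x0502 keytabs that lists each principal's kvno and compares it with the kvno the KDC reports, so a stale keytab like the one behind "Key version number for principal in key table is incorrect" is visible directly. The keytab bytes and the KDC kvno values are constructed here; in practice the KDC values would come from `kvno` output or kadmin.

```python
import struct

def build_entry(principal, kvno, enctype, key, timestamp=0):
    """Serialize one MIT keytab (format 0x0502) entry; principal is 'svc/host@REALM'."""
    name, realm = principal.split("@")
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1)                 # component count (realm excluded)
    body += b"".join(struct.pack(">H", len(p)) + p for p in parts)
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name_type=1 (PRINCIPAL), time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key      # keyblock: enctype, length, key
    body += struct.pack(">I", kvno)                          # trailing full 32-bit kvno
    return struct.pack(">i", len(body)) + body
def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] from a format-0x0502 keytab blob."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only MIT keytab format 0x0502 is handled here")
    pos, out = 2, []
    def take(fmt):                       # unpack big-endian fields and advance
        nonlocal pos
        vals = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return vals
    def string():                        # counted_octet_string: uint16 length + bytes
        (n,) = take(">H")
        return take(f">{n}s")[0].decode()
    while pos + 4 <= len(data):
        (size,) = take(">i")
        if size <= 0:                    # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = take(">H")
        realm = string()
        comps = [string() for _ in range(ncomp)]
        _name_type, _ts, vno8 = take(">IIB")
        enctype, klen = take(">HH")
        pos += klen                      # skip the key material itself
        kvno = vno8
        if end - pos >= 4:               # optional 32-bit kvno; a nonzero value overrides vno8
            kvno = take(">I")[0] or vno8
        pos = end
        out.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return out
def kvno_mismatches(entries, kdc_kvnos):
    return sorted(p for p, v, _ in entries if p in kdc_kvnos and kdc_kvnos[p] != v)
# Constructed sample modelled on the post: the shipped keytab still holds kvno 2 for HTTP/ while the KDC is at 3.
HTTP_P = "HTTP/smellybox.fqdn-example.com@realm.non-fqdn-example.com"
HOST_P = "host/smellybox.fqdn-example.com@realm.non-fqdn-example.com"
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(HOST_P, 3, 16, b"\x11" * 24) + build_entry(HTTP_P, 2, 16, b"\x22" * 24)
KDC_KVNOS = {HOST_P: 3, HTTP_P: 3}
```

Running `kvno_mismatches(parse_keytab(SAMPLE_KEYTAB), KDC_KVNOS)` names the HTTP principal, which is the entry that would need re-extracting (or the KDC key that was bumped by a second ktadd without the keytab being reshipped).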