kerberos service (httpd using mod_auth_kerb) in DMZ
Achim Grolms
kerberosml at grolmsnet.de
Mon Nov 14 14:16:54 EST 2005
On Monday 14 November 2005 18:48, FM wrote:
> I'm trying to use mod_auth_kerb to authenticate users with kerberos.
Have you read <http://www.grolmsnet.de/kerbtut/>?
> But when I try to authenticate myself http error_log shows :
> [error] [client 192.168.4.171] krb5_verify_init_creds() failed: Key
> table entry not found
Use kerbtray.exe / kvno + klist -e / kgetcred + klist -v
to verify that keytype, kvno and principal name match
each other on the client side and in the keytab file.
> Kerberos is in my LAN : kerberos.lan.pri
> http server is in the DMZ : nagios.dmz.pri
Browser software?
KDC software?
> In Kerberos I created : http/nagios.dmz.lexum.pri and exported to a keytab.
The principal name is
HTTP/nagios.dmz.lexum.pri@KERBEROS.DOMAIN
(uppercase 'HTTP'!)
> krb5.conf :
> [realms]
> KERBEROS.DOMAIN = {
> kdc = kerberos.lan.pri:88
> admin_server = kerberos.lan.pri:749
> default_domain = kerberos.domain
> }
>
> [domain_realm]
> .lan.pri = KERBEROS.DOMAIN
> lan.pri = KERBEROS.DOMAIN
> .dmz.pri = KERBEROS.DOMAIN
> dmz.pri = KERBEROS.DOMAIN
I'm missing
.dmz.lexum.pri KERBEROS.DOMAIN
here.
modauthkerb-help at lists.sourceforge.net is a more mod_auth_kerb-specific
mailing list.
Achim
--
using mod_auth_kerb and Windows 2000/2003 as KDC:
<http://www.grolmsnet.de/kerbtut/>
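
The [domain_realm] gap pointed out in the reply, as an added example that is not part of the original message: a simplified Python model of the host-to-realm lookup, run over the configuration quoted above. The lookup order (exact host entry, then each parent domain with and without the leading dot) is an assumption modeled on MIT krb5, and the function names are hypothetical.

```python
# Added example: simplified model of a krb5.conf [domain_realm] lookup.
import re

# Constructed input: the configuration as quoted in the message.
POSTED_CONF = """\
[realms]
KERBEROS.DOMAIN = {
    kdc = kerberos.lan.pri:88
}

[domain_realm]
.lan.pri = KERBEROS.DOMAIN
lan.pri = KERBEROS.DOMAIN
.dmz.pri = KERBEROS.DOMAIN
dmz.pri = KERBEROS.DOMAIN
"""

def parse_domain_realm(conf_text):
    """Return {name: realm} for the [domain_realm] section only."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping

def realm_for_host(hostname, mapping):
    """Assumed order: host entry, then '.domain' and 'domain' for each parent."""
    name = hostname.lower().rstrip(".")
    while name:
        if name in mapping:
            return mapping[name]
        if name.startswith("."):
            name = name[1:]
        else:
            dot = name.find(".")
            name = name[dot:] if dot != -1 else ""
    return None  # no [domain_realm] entry matches this host

if __name__ == "__main__":
    posted = parse_domain_realm(POSTED_CONF)
    fixed = dict(posted, **{".dmz.lexum.pri": "KERBEROS.DOMAIN"})
    for host in ("nagios.dmz.pri", "nagios.dmz.lexum.pri"):
        print(host, realm_for_host(host, posted), realm_for_host(host, fixed))
```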