kerberos service (httpd using mod_auth_kerb) in DMZ

Achim Grolms kerberosml at grolmsnet.de
Mon Nov 14 14:16:54 EST 2005


On Monday 14 November 2005 18:48, FM wrote:

> I'm trying to use mod_auth_kerb to authenticate users with Kerberos.

Have you read <http://www.grolmsnet.de/kerbtut/>?

> But when I try to authenticate myself, http error_log shows:
> [error] [client 192.168.4.171] krb5_verify_init_creds() failed: Key
> table entry not found

Use kerbtray.exe / kvno + klist -e / kgetcred + klist -v
to verify that key type, kvno and principal name match
each other on the client side and in the keytab file.

> Kerberos is in my LAN : kerberos.lan.pri
> http server is in the DMZ : nagios.dmz.pri

Browser software?
KDC software?

> In Kerberos I created http/nagios.dmz.lexum.pri and exported it to a keytab.

The principal name is
HTTP/nagios.dmz.lexum.pri at KERBEROS.DOMAIN
(uppercase 'HTTP'!)

> krb5.conf :
> [realms]
>  KERBEROS.DOMAIN = {
>   kdc = kerberos.lan.pri:88
>   admin_server = kerberos.lan.pri:749
>   default_domain = kerberos.domain
>  }
>
> [domain_realm]
> .lan.pri = KERBEROS.DOMAIN
>  lan.pri  = KERBEROS.DOMAIN
>  .dmz.pri = KERBEROS.DOMAIN
>  dmz.pri  = KERBEROS.DOMAIN

I'm missing
 .dmz.lexum.pri = KERBEROS.DOMAIN
here.

modauthkerb-help at lists.sourceforge.net is a more mod_auth_kerb-specific
mailing list.

Achim

-- 
using mod_auth_kerb and Windows 2000/2003 as KDC:
<http://www.grolmsnet.de/kerbtut/>
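The two checks Achim is asking for, as an added example that is not part of the original thread and not code from mod_auth_kerb or the Kerberos distribution: the first resolves a hostname through a [domain_realm] stanza the way the MIT documentation describes it (exact host first, then each parent domain; a leading-dot entry covers hosts under that domain, a bare domain entry implicitly does too), which is my reading of the documented rule; the second cross-checks a service ticket against a keytab listing on principal name (case-sensitive, realm included), kvno and enctype. All tool output below is constructed to look like `klist -kte`, `kvno` and `klist -e` output; the hostnames and realm are taken from the thread, the kvno values, timestamps, keytab path and cache name are made up.

```python
import re

# --- 1. [domain_realm] lookup --------------------------------------------------

def host_to_realm(hostname, domain_realm):
    """Resolve a hostname to a realm using [domain_realm] semantics as documented:
    exact hostname first, then each parent domain. A leading-dot entry covers all
    hosts under the domain; a bare domain entry implicitly covers them as well.
    Returns None when nothing matches (the library would then fall back to DNS
    or default_realm instead of using the mapping we want)."""
    host = hostname.lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for key in ("." + parent, parent):
            if key in domain_realm:
                return domain_realm[key]
    return None

# The [domain_realm] stanza as posted (keys lower-cased, as the library expects).
DOMAIN_REALM_POSTED = {
    ".lan.pri": "KERBEROS.DOMAIN", "lan.pri": "KERBEROS.DOMAIN",
    ".dmz.pri": "KERBEROS.DOMAIN", "dmz.pri": "KERBEROS.DOMAIN",
}
# Same stanza plus the line Achim says is missing.
DOMAIN_REALM_FIXED = {**DOMAIN_REALM_POSTED, ".dmz.lexum.pri": "KERBEROS.DOMAIN"}

# --- 2. keytab vs. ticket cross-check -----------------------------------------

def parse_keytab_listing(text):
    """Parse `klist -kte` style output into a list of (principal, kvno, enctype)."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$", line)
        if m:
            entries.append((m.group(2), int(m.group(1)), m.group(3)))
    return entries

def parse_kvno_output(text):
    """Parse `kvno <principal>` output ('principal: kvno = N') into (principal, N)."""
    m = re.search(r"^(\S+): kvno = (\d+)\s*$", text, re.M)
    return (m.group(1), int(m.group(2))) if m else None

def parse_ticket_enctype(text, principal):
    """From `klist -e` output, return the 'tkt' enctype of the cached ticket for
    the given service principal (the key the KDC used to encrypt the ticket), or
    None if no such ticket is in the cache."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.rstrip().endswith(" " + principal) and i + 1 < len(lines):
            m = re.search(r"Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$", lines[i + 1])
            if m:
                return m.group(2)
    return None

def check_service_ticket(keytab_entries, principal, kvno, tkt_enctype):
    """Return a list of mismatches between a service ticket and the keytab.
    An empty list means some keytab entry has the same principal (case-sensitive,
    realm included), the same kvno and the same enctype, which is what the
    server-side keytab lookup needs to find the key for this ticket."""
    problems = []
    same_name = [e for e in keytab_entries if e[0] == principal]
    if not same_name:
        case_only = [e[0] for e in keytab_entries if e[0].lower() == principal.lower()]
        if case_only:
            problems.append("principal case mismatch: ticket is for %s, keytab has %s"
                            % (principal, case_only[0]))
        else:
            problems.append("no keytab entry for %s" % principal)
        return problems
    same_kvno = [e for e in same_name if e[1] == kvno]
    if not same_kvno:
        problems.append("kvno mismatch: ticket kvno %d, keytab has %s"
                        % (kvno, sorted({e[1] for e in same_name})))
        return problems
    if not any(e[2] == tkt_enctype for e in same_kvno):
        problems.append("enctype mismatch: ticket uses %s, keytab has %s"
                        % (tkt_enctype, sorted({e[2] for e in same_kvno})))
    return problems

def diagnose(keytab_text, kvno_text, klist_text):
    """Parse the three tool outputs and return the mismatch list."""
    principal, kvno = parse_kvno_output(kvno_text)
    enctype = parse_ticket_enctype(klist_text, principal)
    return check_service_ticket(parse_keytab_listing(keytab_text), principal, kvno, enctype)

# Constructed sample output. The first keytab holds the lowercase name from the
# original post; the second holds the uppercase HTTP/ name with a fresh kvno.
KEYTAB_AS_POSTED = """\
Keytab name: FILE:/etc/httpd/http.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 11/14/05 12:00:00 http/nagios.dmz.lexum.pri@KERBEROS.DOMAIN (DES cbc mode with CRC-32)
"""
KEYTAB_FIXED = """\
Keytab name: FILE:/etc/httpd/http.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 11/14/05 13:00:00 HTTP/nagios.dmz.lexum.pri@KERBEROS.DOMAIN (DES cbc mode with CRC-32)
"""
KVNO_OUTPUT = "HTTP/nagios.dmz.lexum.pri@KERBEROS.DOMAIN: kvno = 3\n"
KLIST_E_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: fm@KERBEROS.DOMAIN

Valid starting     Expires            Service principal
11/14/05 12:01:00  11/14/05 22:01:00  krbtgt/KERBEROS.DOMAIN@KERBEROS.DOMAIN
\tEtype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
11/14/05 12:02:00  11/14/05 22:01:00  HTTP/nagios.dmz.lexum.pri@KERBEROS.DOMAIN
\tEtype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
"""

if __name__ == "__main__":
    print(host_to_realm("nagios.dmz.lexum.pri", DOMAIN_REALM_POSTED))  # None: no mapping
    print(host_to_realm("nagios.dmz.lexum.pri", DOMAIN_REALM_FIXED))   # KERBEROS.DOMAIN
    print(diagnose(KEYTAB_AS_POSTED, KVNO_OUTPUT, KLIST_E_OUTPUT))     # http/ vs HTTP/ mismatch
    print(diagnose(KEYTAB_FIXED, KVNO_OUTPUT, KLIST_E_OUTPUT))         # []
```

On a real host you would feed `diagnose()` the actual output of `klist -kte /path/to/keytab` on the web server and of `kvno HTTP/nagios.dmz.lexum.pri` plus `klist -e` on a client that has just fetched the service ticket; the point of the check is that all three of name case, kvno and enctype have to agree, and the first of the three that does not is the one to fix before looking anywhere else.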

