kerberos service (httpd using mod_auth_kerb) in DMZ

FM dist-list at LEXUM.UMontreal.CA
Mon Nov 14 14:43:56 EST 2005


Thanks for the reply,

We're using Linux
browser is Firefox
KDC : MIT Kerberos 1.3
you can use http if you add to http conf :  KrbServiceName  "http"
thank you for the ML Link !


Achim Grolms wrote:

>On Monday 14 November 2005 18:48, FM wrote:
>
>>I'm trying to use mod_auth_kerb to authenticate users with kerberos.
>
>Have you read <http://www.grolmsnet.de/kerbtut/>?
>
>>But when I try to authenticate myself http error_log show :
>>[error] [client 192.168.4.171] krb5_verify_init_creds() failed: Key
>>table entry not found
>
>Use kerbtray.exe / kvno + klist -e / kgetcred + klist -v
>
>To verify if keytype, kvno and principalname match
>each other on clientside and in keytabfile.
>
>
>>Kerberos is in my LAN : kerberos.lan.pri
>>http server is in the DMZ : nagios.dmz.pri
>
>Browsersoftware?
>KDC-Software?
>
>
>>In Kerberos I created : http/nagios.dmz.lexum.pri and exported to a keytab.
>
>The principalname is
>HTTP/nagios.dmz.lexum.pri at KERBEROS.DOMAIN
>(uppercase 'HTTP'!)
>
>
>>krb5.conf :
>>[realms]
>> KERBEROS.DOMAIN = {
>>  kdc = kerberos.lan.pri:88
>>  admin_server = kerberos.lan.pri:749
>>  default_domain = kerberos.domain
>> }
>>
>>[domain_realm]
>>.lan.pri = KERBEROS.DOMAIN
>> lan.pri  = KERBEROS.DOMAIN
>> .dmz.pri = KERBEROS.DOMAIN
>> dmz.pri  = KERBEROS.DOMAIN
>
>I'm missing 
>.dmz.lexum.pri KERBEROS.DOMAIN
>here.
>
>modauthkerb-help at lists.sourceforge.net is a more mod_auth_kerb specific
>mailing list.
>
>Achim
>
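
The two checks discussed in this thread (does `[domain_realm]` map the web server's host name to a realm, and does the keytab hold the exact, case-sensitive service principal), as an added example that is not part of the original posts. The lookup order is a simplified model of MIT krb5's host-to-realm search, and the function names and keytab listing are constructed for illustration.

```python
# Added example: simplified model of MIT krb5's [domain_realm] lookup order.
# KRB5_CONF reproduces the mappings quoted in the thread (trimmed).
KRB5_CONF = """\
[realms]
 KERBEROS.DOMAIN = {
  kdc = kerberos.lan.pri:88
 }

[domain_realm]
 .lan.pri = KERBEROS.DOMAIN
 lan.pri  = KERBEROS.DOMAIN
 .dmz.pri = KERBEROS.DOMAIN
 dmz.pri  = KERBEROS.DOMAIN
"""

def parse_domain_realm(text):
    """Return the [domain_realm] section as a {domain: realm} dict."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "domain_realm" and "=" in line:
            domain, realm = (part.strip() for part in line.split("=", 1))
            mapping[domain.lower()] = realm
    return mapping

def realm_for_host(host, mapping):
    """Try the exact host name, then each parent domain with and without a leading dot."""
    name = host.lower()
    while name:
        if name in mapping:
            return mapping[name]
        if name.startswith("."):
            name = name[1:]
        else:
            dot = name.find(".")
            name = name[dot:] if dot != -1 else ""
    return None  # no explicit mapping for this host

def keytab_has_service(host, mapping, keytab_principals, service="HTTP"):
    """Principal names are case-sensitive: 'http/...' does not satisfy 'HTTP/...'."""
    realm = realm_for_host(host, mapping)
    if realm is None:
        return None, False
    wanted = f"{service}/{host}@{realm}"
    return wanted, wanted in keytab_principals
```
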

