kerberos service (httpd using mod_auth_kerb) in DMZ
FM
dist-list at LEXUM.UMontreal.CA
Mon Nov 14 14:43:56 EST 2005
Thanks for the reply,
We're using Linux
browser is Firefox
KDC : MIT Kerberos 1.3
you can use http if you add tu http conf : KrbServiceName "http"
thank you for the ML Link !
Achim Grolms wrote:
>On Monday 14 November 2005 18:48, FM wrote:
>
>
>
>>I'm trying to use mod_auth_kerb to authenticate users with kerberos.
>>
>>
>
>Have you read <http://www.grolmsnet.de/kerbtut/>?
>
>
>
>>But when I try to authenticat myself http error_log show :
>>[error] [client 192.168.4.171] krb5_verify_init_creds() failed: Key
>>table entry not found
>>
>>
>
>Use kerbtray.exe / kvno + klist -e / kgetcred + klist -v
>
>To verify if keytype, kvno and principalname match
>each other on clientside and in keytabfile.
>
>
>
>>Kerberos is in my LAN : kerberos.lan.pri
>>http server is in the DMZ : nagios.dmz.pri
>>
>>
>
>Browsersoftware?
>KDC-Software?
>
>
>
>>In Kerberos I created : http/nagios.dmz.lexum.pri and exported to a keytab.
>>
>>
>
>The principalname is
>HTTP/nagios.dmz.lexum.pri at KERBEROS.DOMAIN
>(uppercase 'HTTP'!)
>
>
>
>>krb5.conf :
>>[realms]
>> KERBEROS.DOMAIN = {
>> kdc = kerberos.lan.pri:88
>> admin_server = kerberos.lan.pri:749
>> default_domain = kerberos.domain
>> }
>>
>>[domain_realm]
>>.lan.pri = KERBEROS.DOMAIN
>> lan.pri = KERBEROS.DOMAIN
>> .dmz.pri = KERBEROS.DOMAIN
>> dmz.pri = KERBEROS.DOMAIN
>>
>>
>
>I'm missing
>.dmz.lexum.pri KERBEROS.DOMAIN
>here.
>
>modauthkerb-help at lists.sourceforge.net is a more mod_auth_kerb specific
>Mailinglist.
>
>Achim
>
>
>
More information about the Kerberos
mailing list