failed to authenticate using mod_auth_kerb for Apache
Siarhei Baidun
siarheibaidun at gmail.com
Wed Oct 5 11:39:01 EDT 2005
Hi again Everybody,
Second week I have been batling with the problem...
A lot of problems a have already solved on the way thanks to your advises.
Now I have done everything in compliance with the manual (
http://www.grolmsnet.de/kerbtut/)
I have created a fresh domain account in the test domain (because I cannot
use production one) , have mapped principal to it, etc.
And I'm getting now the error (in the Apache's error_log file) :
--------------------- Apache's LOG
in case
KrbMethodK5Passwd on
KrbMethodNegotiate off
------------------------
[Wed Oct 05 17:20:07 2005] [debug] src/mod_auth_kerb.c(1322): [client
10.3.103.154 <http://10.3.103.154>] kerb_authenticate_user entered with user
(NULL) and auth_type Kerberos
[Wed Oct 05 17:20:12 2005] [debug] src/mod_auth_kerb.c(1322): [client
10.3.103.154 <http://10.3.103.154>] kerb_authenticate_user entered with user
(NULL) and auth_type Kerberos
[Wed Oct 05 17:20:12 2005] [debug] src/mod_auth_kerb.c(879): [client
10.3.103.154 <http://10.3.103.154>] kerb_authenticate_user_krb5pwd ret=0
user=TEST at TEST.EPO authtype=Basic
[Wed Oct 05 17:20:12 2005] [crit] [client 10.3.103.154 <http://10.3.103.154>]
configuration error: couldn't check access. No groups file?: /
--------------------- Apache's LOG
in case
KrbMethodK5Passwd off
KrbMethodNegotiate on
------------------------
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1322): [client
10.3.103.194 <http://10.3.103.194>] kerb_authenticate_user entered with user
(NULL) and auth_type Kerberos
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1322): [client
10.3.103.194 <http://10.3.103.194>] kerb_authenticate_user entered with user
(NULL) and auth_type Kerberos
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1023): [client
10.3.103.194 <http://10.3.103.194>] Acquiring creds for
HTTP/gvepl100.test.epo at TEST.EPO
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1152): [client
10.3.103.194 <http://10.3.103.194>] Verifying client data using SPNEGO
GSS-API
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1168): [client
10.3.103.194 <http://10.3.103.194>] Verification returned code 0
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1186): [client
10.3.103.194 <http://10.3.103.194>] GSS-API token of length 0 bytes will be
sent back
[Wed Oct 05 17:33:12 2005] [crit] [client 10.3.103.194 <http://10.3.103.194>]
configuration error: couldn't check access. No groups file?: /
What does it mean? Which groups file I do not have?
I'm very, very appreciated for any help!
Below are my httpd.conf and krb5.conf
--
Thank you very much in advance,
Siarhei Baidun
------------------
krb5.conf
-----------------
[libdefaults]
default_realm = TEST.EPO
[domain_realm]
gvepl100.test.epo = TEST.EPO
[realms]
TEST.EPO = {
admin_server = odessa.test.epo
kdc = odessa.test.epo
}
----------------------------Apache's
httpd.conf----------------------------------
AuthType Kerberos
AuthName "Kerberos Login"
Krb5KeyTab /etc/wolfi2.keytab
KrbAuthRealms TEST.EPO
KrbMethodK5Passwd on
KrbMethodNegotiate off
KrbServiceName HTTP
require valid-user
------------------ result of "ktutil -k /etc/wolfi3.keytab list" command
------------------------------
Vno Type Principal
1 des-cbc-md5 HTTP/gvepl100.test.epo at TEST.EPO
More information about the Kerberos
mailing list