failed to authenticate using mod_auth_kerb for Apache
Siarhei Baidun
siarheibaidun at gmail.com
Thu Oct 6 12:25:46 EDT 2005
Hello Everybody,
Just a little question.
Do I need to have the principal
HOST/gvepl100.test.epo@TEST.EPO for my web server machine, or is it enough
to have only the
HTTP/gvepl100.test.epo@TEST.EPO one?
Because this issue is not described in the manual (
http://www.grolmsnet.de/kerbtut/).
I'm constantly having the error: "configuration error: couldn't check
access. No groups file?: /"
And I just think that this error means that mod_auth_kerb does not try to
authorize a user with the KDC as the user database on the web server (in my case it
is gvepl100.test.epo). And it tries to find some file as the user database. And
the reason might be that I do not have the principal
HOST/gvepl100.test.epo@TEST.EPO for my web server, but only this one:
HTTP/gvepl100.test.epo@TEST.EPO.
Is it the right suggestion?
--
Thanks,
Siarhei Baidun
On 10/5/05, Siarhei Baidun <siarheibaidun at gmail.com> wrote:
>
> Hi again Everybody,
> For the second week I have been battling with the problem...
> A lot of problems I have already solved on the way thanks to your advice.
> Now I have done everything in compliance with the manual (
> http://www.grolmsnet.de/kerbtut/)
> I have created a fresh domain account in the test domain (because I
> cannot use the production one), have mapped the principal to it, etc.
> And I'm getting now the error (in the Apache's error_log file) :
> --------------------- Apache's LOG
> in case
> KrbMethodK5Passwd on
> KrbMethodNegotiate off
> ------------------------
>
> [Wed Oct 05 17:20:07 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.154] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Wed Oct 05 17:20:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.154] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Wed Oct 05 17:20:12 2005] [debug] src/mod_auth_kerb.c(879): [client 10.3.103.154] kerb_authenticate_user_krb5pwd ret=0 user=TEST@TEST.EPO authtype=Basic
> [Wed Oct 05 17:20:12 2005] [crit] [client 10.3.103.154] configuration error: couldn't check access. No groups file?: /
> --------------------- Apache's LOG
> in case
> KrbMethodK5Passwd off
> KrbMethodNegotiate on
> ------------------------
>
> [Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.194] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.194] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1023): [client 10.3.103.194] Acquiring creds for HTTP/gvepl100.test.epo@TEST.EPO
> [Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1152): [client 10.3.103.194] Verifying client data using SPNEGO GSS-API
> [Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1168): [client 10.3.103.194] Verification returned code 0
> [Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1186): [client 10.3.103.194] GSS-API token of length 0 bytes will be sent back
> [Wed Oct 05 17:33:12 2005] [crit] [client 10.3.103.194] configuration error: couldn't check access. No groups file?: /
>
> What does it mean? Which groups file do I not have?
> I would be very, very grateful for any help!
> Below are my httpd.conf and krb5.conf
> --
> Thank you very much in advance,
> Siarhei Baidun
> ------------------
> krb5.conf
> -----------------
>
> [libdefaults]
> default_realm = TEST.EPO
>
> [domain_realm]
> gvepl100.test.epo = TEST.EPO
>
> [realms]
> TEST.EPO = {
> admin_server = odessa.test.epo
> kdc = odessa.test.epo
> }
>
> ----------------------------Apache's httpd.conf----------------------------------
>
> AuthType Kerberos
> AuthName "Kerberos Login"
> Krb5KeyTab /etc/wolfi2.keytab
>
> KrbAuthRealms TEST.EPO
>
> KrbMethodK5Passwd on
> KrbMethodNegotiate off
> KrbServiceName HTTP
> require valid-user
>
>
> ------------------ result of "ktutil -k /etc/wolfi3.keytab list" command
> ------------------------------
>
> Vno Type Principal
> 1 des-cbc-md5 HTTP/gvepl100.test.epo@TEST.EPO
>
>
>
>
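A triage of the two log excerpts above, as an added example that is not part of the original post: it separates the logged authentication result (`ret=0`, `Verification returned code 0`; 0 is Apache's `OK` and GSS-API's `GSS_S_COMPLETE`) from the later access-check failure, per client. The function name `triage`, the verdict strings and the `10.0.0.9` line are constructed for illustration.

```python
import re

# Constructed input: the first two clients reuse the post's log lines (unwrapped,
# auto-link residue removed); the 10.0.0.9 line is invented to show a failure.
SAMPLE_LOG = """\
[Wed Oct 05 17:20:12 2005] [debug] src/mod_auth_kerb.c(879): [client 10.3.103.154] kerb_authenticate_user_krb5pwd ret=0 user=TEST@TEST.EPO authtype=Basic
[Wed Oct 05 17:20:12 2005] [crit] [client 10.3.103.154] configuration error: couldn't check access. No groups file?: /
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1152): [client 10.3.103.194] Verifying client data using SPNEGO GSS-API
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1168): [client 10.3.103.194] Verification returned code 0
[Wed Oct 05 17:33:12 2005] [crit] [client 10.3.103.194] configuration error: couldn't check access. No groups file?: /
[Wed Oct 05 17:40:00 2005] [debug] src/mod_auth_kerb.c(879): [client 10.0.0.9] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL)
"""

LINE = re.compile(r"^\[[^\]]+\] \[(?P<level>\w+)\] (?:\S+\(\d+\): )?"
                  r"\[client (?P<client>[\d.]+)\] (?P<msg>.*)$")
PASSWORD_RESULT = re.compile(r"kerb_authenticate_user_krb5pwd ret=(-?\d+)")
GSS_RESULT = re.compile(r"Verification returned code (\d+)")
ACCESS_CHECK = "couldn't check access"


def triage(log_text):
    """Map each client IP to the request phase in which it failed."""
    authn, authz_failed = {}, set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, msg = m.group("client"), m.group("msg")
        result = PASSWORD_RESULT.search(msg) or GSS_RESULT.search(msg)
        if result:
            # 0 is Apache's OK and GSS-API's GSS_S_COMPLETE.
            authn[client] = int(result.group(1)) == 0
        elif m.group("level") == "crit" and ACCESS_CHECK in msg:
            authz_failed.add(client)
    verdicts = {}
    for client in sorted(set(authn) | authz_failed):
        if authn.get(client) is False:
            verdicts[client] = "authentication failed"
        elif client in authz_failed:
            prefix = "authenticated" if authn.get(client) else "authentication result not logged"
            verdicts[client] = prefix + ", access check failed"
        else:
            verdicts[client] = "authenticated"
    return verdicts


if __name__ == "__main__":
    for client, verdict in triage(SAMPLE_LOG).items():
        print(client, "->", verdict)
```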