acquiring creds for different principal ??

Markus Moeller huaraz at moeller.plus.com
Fri Sep 30 18:55:53 EDT 2005


In your krb5 config you use
       sx86qa2.hyd.de.com = DE.COM
but the server wants deshaw.com, not de.com!
   HTTP/sx86qa2.hyd.deshaw.com@HYD.DE.COM

You need an entry for hyd.deshaw.com in your config file, or change your
hostname to hyd.de.com. Also, which key is in your keytab?
Can you do a kinit -k -t keytab_file HTTP/sx86qa2.hyd.deshaw.com@HYD.DE.COM
or kinit -k -t keytab_file HTTP/sx86qa2.hyd.de.com@HYD.DE.COM?

Regards
Markus

<mnikhil at gmail.com> wrote in message 
news:1128065906.809179.177020 at o13g2000cwo.googlegroups.com...
> Hi
>
> I am running Apache (2.0.52) on Sol-10 (x86) and am using mod_auth_kerb
> for Kerberos authentication.
>
> I have correctly generated the keytab file for the host following the
> details at http://www.grolmsnet.de/kerbtut/,
> but on looking at the logs, it shows me that Apache/mod_auth_kerb is
> getting creds for a different principal instead of the one mentioned in
> /etc/krb5/krb5.conf.
> What could be wrong here?
>
> my /etc/krb5/krb5.conf
> ===========
> mulleyn@sx86qa2:/etc/apache2> cat /etc/krb5/krb5.conf
> #
> # Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
> # Use is subject to license terms.
> #
> # ident "@(#)krb5.conf  1.3     04/03/25 SMI"
> #
>
> # krb5.conf template
> # In order to complete this configuration file
> # you will need to replace the __<name>__ placeholders
> # with appropriate values for your network.
> #
> [libdefaults]
>        default_realm = DE.COM
>
> [realms]
>        DESHAW.COM = {
>                kdc = dchyd1.hyd.de.com
>                admin_server = dchyd1.hyd.de.com
>        }
>
> [domain_realm]
>        sx86qa2.hyd.de.com = DE.COM
>
> [logging]
>        default = FILE:/var/krb5/kdc.log
>        kdc = FILE:/var/krb5/kdc.log
>
>
> =========================
> Logs in the apache at /
>
> mulleyn@sx86qa2:/etc/apache2> sudo tail -f /var/apache2/logs/error_log
> [Fri Sep 30 13:03:04 2005] [debug] src/mod_auth_kerb.c(1322): [client
> 149.77.165.65] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Fri Sep 30 13:03:04 2005] [debug] src/mod_auth_kerb.c(1023): [client
> 149.77.165.65] Acquiring creds for
> HTTP/sx86qa2.hyd.deshaw.com@HYD.DE.COM
> [Fri Sep 30 13:03:04 2005] [error] [client 149.77.165.65]
> gss_acquire_cred() failed: Miscellaneous failure (No principal in
> keytab matches desired name)
>
>
> Instead of DE.COM, it is going for HYD.DE.COM. It is confusing me.
> Can someone please throw light on this and possibly direct me to the
> correct answer?
>
> Regards,
> Nikhil
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
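An added example, not part of the original thread and not code from MIT Kerberos or mod_auth_kerb: a small check of which [domain_realm] entry, if any, covers a given host name, run against the config quoted above. The function names are hypothetical, the lookup order (full host name, then each shorter domain suffix with and without a leading dot) is an assumption modelled on how krb5 libraries search this section, and the `.hyd.deshaw.com = DE.COM` entry is an assumed form of the suggested fix.

```python
import re

# Constructed sample: the [domain_realm] section of the krb5.conf quoted above.
KRB5_CONF = """\
[domain_realm]
       sx86qa2.hyd.de.com = DE.COM
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as {lowercased name: realm}."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping

def candidates(hostname):
    """Lookup keys, most specific first (assumed order, see lead-in)."""
    labels = hostname.lower().rstrip(".").split(".")
    keys = [".".join(labels)]
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        keys += ["." + suffix, suffix]
    return keys

def realm_for_host(hostname, mapping):
    """Return (realm, matching key), or (None, None) if no entry applies."""
    for key in candidates(hostname):
        if key in mapping:
            return mapping[key], key
    return None, None

def service_principal(hostname, mapping, service="HTTP"):
    """Service principal implied by the mapping, or None if the host is unmapped."""
    realm, _ = realm_for_host(hostname, mapping)
    return f"{service}/{hostname}@{realm}" if realm else None

if __name__ == "__main__":
    m = parse_domain_realm(KRB5_CONF)
    m_fixed = dict(m, **{".hyd.deshaw.com": "DE.COM"})  # assumed fix entry
    for label, table in (("as posted", m), ("with added entry", m_fixed)):
        print(label, "->", service_principal("sx86qa2.hyd.deshaw.com", table))
```

A `None` result corresponds to the situation in the log above: no configured entry covers the host name Apache is using, so the realm in the requested principal is not one the config file set.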