auth with apache

Mike Coyne Mike.Coyne at PACCAR.com
Mon Feb 13 13:30:13 EST 2006 

You might try setting KrbMethodNegotiate off , KrbSaveCredentials on in
the .htaccess file and exporting the KRB5CCNAME within apache if
possible 

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of kerberos-request at mit.edu
Sent: Monday, February 13, 2006 11:02 AM
To: kerberos at mit.edu
Subject: Kerberos Digest, Vol 38, Issue 15

Send Kerberos mailing list submissions to
	kerberos at mit.edu

To subscribe or unsubscribe via the World Wide Web, visit
	https://mailman.mit.edu/mailman/listinfo/kerberos
or, via email, send a message with subject or body 'help' to
	kerberos-request at mit.edu

You can reach the person managing the list at
	kerberos-owner at mit.edu

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Kerberos digest..."


Today's Topics:

   1. [Re: auth with apache] (Lukas Pataki)
   2. <failed to verify krb5 credentials: Request is a replay>
      error (FM)


----------------------------------------------------------------------

Message: 1
Date: Mon, 13 Feb 2006 12:40:30 +0100
From: Lukas Pataki <lukas at netskip.net>
Subject: [Re: auth with apache]
To: kerberos at mit.edu
Message-ID: <43F0702E.8020107 at netskip.net>
Content-Type: text/plain; charset=ISO-8859-15


Martin v. L?wis wrote:

> If you meant to say: "The HTTP server does not request a ticket".
> then I respond: of course not. In Kerberos, there is not
> any communication between the service and the KDC at all.
> Instead, the client is supposed to send the ticket to the server,
> and then the server uses the service ticket, plus its keytab
> entry, to validate the ticket.
> 
> You should set the Apache DebugLevel to the highest value
> (is that "all"?), 
nope => debug :)

allready done that:

[Sun Feb 12 22:02:37 2006] [debug] src/mod_auth_kerb.c(1322): [client
192.168.0.12] kerb_authenticate_user entered with user (NULL) and
auth_type KerberosV5
[Sun Feb 12 22:02:37 2006] [debug] src/mod_auth_kerb.c(879): [client
192.168.0.12] kerb_authenticate_user_krb5pwd ret=0
user=webuser at SERVER.LOCALDOMAIN authtype=Basic
[Sun Feb 12 22:02:37 2006] [debug] src/mod_auth_kerb.c(1322): [client
192.168.0.12] kerb_authenticate_user entered with user
webuser at SERVER.LOCALDOMAIN and auth_type KerberosV5
[Sun Feb 12 22:02:37 2006] [debug] src/mod_auth_kerb.c(1322): [client
192.168.0.12] kerb_authenticate_user entered with user
webuser at SERVER.LOCALDOMAIN and auth_type KerberosV5



any ideas ?

thanks
luke



------------------------------

Message: 2
Date: Mon, 13 Feb 2006 10:06:58 -0500
From: FM <dist-list at LEXUM.UMontreal.CA>
Subject: <failed to verify krb5 credentials: Request is a replay>
	error
To: Mailing List Kerberos <kerberos at mit.edu>
Message-ID: <43F0A092.7020903 at lexum.umontreal.ca>
Content-Type: text/plain; charset=UTF-8; format=flowed

Hello,
I configure subversion (web_dav) to use mod_auth_kerb
in shell, no prob it's using ticket_cache but from eclipse (for ex), it 
use basic auth.
Some  commits fail because of this error :
"failed to verify krb5 credentials": Request is a replay

I know that it is a kdc error but what does it mean ? Do you know a work

around ?

thanks !


------------------------------

_______________________________________________
Kerberos mailing list
Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


End of Kerberos Digest, Vol 38, Issue 15
****************************************

More information about the Kerberos mailing list