Kerberos, Solaris 9, mod_auth_kerb

Henry, Dane Dane.W.Henry at uscg.mil
Thu Jul 13 09:08:44 EDT 2006 

Hey all,
	I have some questions about kerberos, and more specifically,
about mod_auth_kerb and Solaris. My setup is as follows:
Solaris 9
Apache (have tested 2.0.48 and 2.0.55) currently: 2.0.55
MIT Kerberos (tested both 1.4.3 and 1.5 ) currently: 1.5
Mod_auth_kerb (tried rc 6 and rc7) currently: rc7
Windows 2003 Active Directory

I know for certain that the kerberos environment is set up correctly.
Not only can I do a kinit and klist and get that set up, but also the
kvno numbers match and the logs on the Active Directory confirm that I
have been authenticated. The problem however is that mod_auth_kerb
causes apache to segfault whenever the KrbMethodNegotiate is set to on
(This happens whether KrbMethodK5Passwd is set to on or off). When
KrbMethodNegotiate is set to off, and KrbMethodK5Passwd is set to on
(and obviously I provide the correct credentials) it works flawlessly.
Normally, I would assume this to be either an apache or a mod_auth_kerb
issue, however, I have tested it with multiple version of both and
soemthing else leads me to believe it has something to do with
mod_auth_kerb and Solaris 9. When we set this up on a Linux Server (Red
Hat Enterprise), and use the mod_auth_kerb that has been pre-compiled
for Red Hat, it works, both in the KrbMethodNegotiate and
KrbMethodV5Passwd. So I know that mod_auth_kerb as a module works, and I
know it works with Apache on my Kerberos environment against the Active
Directory, but what it doesn't work with is Solaris 9. So my question is
this, is there someone out that who can specify their exact
configuration for Solaris 9 (and Solaris 9 only!) or provide me with
their already-compiled version of mod_auth_kerb for Solaris 9. Below is
my .htaccess configuration for mod_auth_kerb. Thanks in advance for all
ya'll's help and if you need more info, please just ask.

Mod_auth_kerb .htaccess:

AuthType Kerberos
KrbMethodNegotiate off
KrbMethodK5Passwd on
KrbAuthoritative off
KrbAuthRealms XXXXXXX.XXXX.XXX
KrbVerifyKDC off
KrbServiceName HTTP
Krb5Keytab /etc/krb5.keytab
require valid-user



Dane Henry
Operations Systems Center - Web Services
United States Coast Guard

More information about the Kerberos mailing list