Apache error log

Will Fiveash William.Fiveash at sun.com
Mon Jul 17 13:21:23 EDT 2006


On Mon, Jul 17, 2006 at 11:27:32AM -0400, Richard E. Silverman wrote:
> > 
> > Hi,
> > I was setting up Kerberos enviroment using this guide
> > http://www.grolmsnet.de/kerbtut. Done all described steps, but
> > authorization not working! Please see error messages. Where I should
> > look? I can do kinit or kvno all are working. I totaly confused after
> > many days fight with this thing! Can anyone help??
> > Thank you!
> > -------------------------------------------------------------------------------------------------
> > [debug] src/mod_auth_kerb.c(1483): [client 10.196.5.113]
> > kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> > [Mon Jul 17 12:47:19 2006] [debug] src/mod_auth_kerb.c(1483): [client
> > 10.196.5.113] kerb_authenticate_user entered with user (NULL) and
> > auth_type Kerberos
> > [Mon Jul 17 12:47:19 2006] [debug] src/mod_auth_kerb.c(1174): [client
> > 10.196.5.113] Acquiring creds for HTTP at testsd.vsaa.lv
> 
> What is KrbServiceName set to?  This looks wrong; "HTTP at testsd.vsaa.lv"
> should be HTTP/<hostname>@TESTSD.VSAA.LV (realms are traditionally upper
> case).

If the logging is outputting the GSS principal then HTTP at testsd.vsaa.lv
may be okay as a GSS_C_NT_HOSTBASED_SERVICE name.

> > [Mon Jul 17 12:47:19 2006] [error] [client 10.196.5.113]
> > gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may
> > provide more information (No principal in keytab matches desired name)
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I bet the Kerberos service key for HTTP/testsd.vsaa.lv@<Kerberos Realm>
is missing in the keytab however.  The admin needs to create this
kerberos principal then do a kadmin ktadd of this service principal to
the local keytab file.

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)



More information about the Kerberos mailing list