Problems with mod_auth_kerb and Windows 2003 ADS
thilger@gmail.com
thilger at gmail.com
Fri Aug 24 07:53:25 EDT 2007
I don't know if this is helpful but the service provider gave me a
list with the installed patches on the Windows Server:
Q147222
KB890046 - Update
KB893756 - Update
KB896358 - Update
KB896422 - Update
KB896424 - Update
KB896428 - Update
KB898715 - Update
KB899587 - Update
KB899588 - Update
KB899589 - Update
KB899591 - Update
KB900725 - Update
KB901017 - Update
KB901214 - Update
KB902400 - Update
KB904706 - Update
KB905414 - Update
KB908519 - Update
KB908531 - Update
KB910437 - Update
KB911562 - Update
KB911567 - Update
KB911927 - Update
KB912812 - Update
KB912919 - Update
KB913446 - Update
On 8/23/07, thilger at gmail.com <thilger at gmail.com> wrote:
> Hi List,
> I'm having problems with the authentication through mod_auth_kerb.
> The used solution had worked for four months without any problems. Ever
> since 16 Aug 2007 that solution hasn't been functional.
>
> Nothing has been changed in our system (Apache 2.0.55 with mod_auth_kerb).
> The service provider who administrates the ADS confirmed that there were no
> changes made or any patches installed. The same applies to clients who are
> administrated by an external service provider; no changes resp. installation
> of patches were supposed to be done. However, I cannot confirm the external
> service provider's statements.
>
> The following error messages appear in the VHost's apache error log:
> --<apache error log>--
> [Wed Aug 22 15:17:04 2007] [debug] src/mod_auth_kerb.c(1485): [client
> 127.0.0.2] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: http://intern.customer.com/index.html
> [Wed Aug 22 15:17:26 2007] [debug] src/mod_auth_kerb.c(1485): [client
> 127.0.0.2] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: http://intern.customer.com/index.html
> [Wed Aug 22 15:17:42 2007] [debug] src/mod_auth_kerb.c(1485): [client
> 127.0.0.2] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: http://intern.customer.com/index.html
> [Wed Aug 22 15:17:42 2007] [debug] src/mod_auth_kerb.c(1172): [client
> 127.0.0.2] Acquiring creds for HTTP at intern.customer.com, referer:
> http://intern.customer.com/index.html
> [Wed Aug 22 15:17:42 2007] [debug] src/mod_auth_kerb.c(1316): [client
> 127.0.0.2] Verifying client data using KRB5 GSS-API, referer:
> http://intern.customer.com/index.html
> [Wed Aug 22 15:17:42 2007] [debug] src/mod_auth_kerb.c(1332): [client
> 127.0.0.2] Verification returned code 589824, referer:
> http://intern.customer.com/index.html
> [Wed Aug 22 15:17:42 2007] [debug] src/mod_auth_kerb.c(1359): [client
> 127.0.0.2] Warning: received token seems to be NTLM, which isn't
> supported by the Kerberos module. Check your IE configuration.,
> referer: http://intern.customer.com/index.html
> --</apache error log>--
>
>
> I get the following message when requesting the Kerberos commands:
> [root at server1:/opt/krb5/bin]$ ./klist -e -f -a -n
> Ticket cache: FILE:/tmp/krb5cc_2022
> Default principal: HTTP/intern.customer.com at SITE.ALL.LAN
>
> Valid starting Expires Service principal
> 08/22/07 17:07:36 08/23/07 03:08:07 krbtgt/SITE.ALL.LAN at SITE.ALL.LAN
> renew until 08/23/07 17:07:36, Flags: RIA
> Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
> Addresses: (none)
>
> [root at server1:/opt/krb5/bin]# ./kvno HTTP/intern.customer.com at SITE.ALL.LAN
> kvno: Server not found in Kerberos database while getting credentials
> for HTTP/intern.cutomer.com at SITE.ALL.LAN
>
> After consultation with the service provider, a new keytab file has
> already been exported and transferred to the Apache System.
>
> ktpass -princ HTTP/intern.customer.com
> -mapuser http-intern at SITE.ALL.LAN
> -crypto DES-CBC-MD5
> -ptype KRB_NT_PRINCIPAL
> -mapop set +desonly
> -pass ********
> -out c:\temp\keytab
>
> -rw-r--r-- 1 httpd httpd 77 Aug 23 10:16 intern.keytab
>
> Do you have any advice what else to check or even a solution proposal?
>
> Thanks for your help,
>
> Thorsten
>
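
The log in the message above reports major status 589824 next to the "token seems to be NTLM" warning. As an added example (not part of the original post and not mod_auth_kerb's code), this Python helper splits a GSS-API major status into its RFC 2744 fields and classifies the token carried in an `Authorization: Negotiate` header; the function names and sample tokens are constructed for illustration.

```python
import base64

# RFC 2744 routine errors (value 1..18, stored in bits 16-23 of the major status).
ROUTINE = ("BAD_MECH BAD_NAME BAD_NAMETYPE BAD_BINDINGS BAD_STATUS BAD_SIG "
           "NO_CRED NO_CONTEXT DEFECTIVE_TOKEN DEFECTIVE_CREDENTIAL "
           "CREDENTIALS_EXPIRED CONTEXT_EXPIRED FAILURE BAD_QOP UNAUTHORIZED "
           "UNAVAILABLE DUPLICATE_ELEMENT NAME_NOT_MN").split()
SUPPLEMENTARY = "CONTINUE_NEEDED DUPLICATE_TOKEN OLD_TOKEN UNSEQ_TOKEN GAP_TOKEN".split()
SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2

def decode_major_status(code):
    """Split a GSS-API major status into calling, routine and supplementary parts."""
    routine = (code >> 16) & 0xFF
    return {
        "calling_error": (code >> 24) & 0xFF,
        "routine_error": "GSS_S_" + ROUTINE[routine - 1] if 1 <= routine <= len(ROUTINE) else None,
        "supplementary": ["GSS_S_" + n for i, n in enumerate(SUPPLEMENTARY) if code & (1 << i)],
    }

def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return "invalid-base64"
    if raw.startswith(b"NTLMSSP\x00"):
        return "raw-ntlm"            # bare NTLM message, no GSS-API framing
    if len(raw) < 2 or raw[0] != 0x60:
        return "unknown"
    # Skip the DER length of the [APPLICATION 0] wrapper, then read the mechanism OID.
    pos = 2 + (raw[1] & 0x7F if raw[1] & 0x80 else 0)
    if len(raw) < pos + 2 or raw[pos] != 0x06:
        return "unknown"
    oid = raw[pos + 2:pos + 2 + raw[pos + 1]]
    if oid == KRB5_OID:
        return "kerberos"
    if oid == SPNEGO_OID:
        # Heuristic: an NTLMSSP signature inside SPNEGO means NTLM was the offered mechanism.
        return "spnego-ntlm" if b"NTLMSSP\x00" in raw else "spnego"
    return "unknown"

# Constructed samples (not captured traffic): an NTLM type 1 stub and a GSS-wrapped Kerberos stub.
NTLM_SAMPLE = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
KRB5_SAMPLE = "Negotiate " + base64.b64encode(b"\x60\x0d\x06\x09" + KRB5_OID + b"\x01\x00").decode()
```

`decode_major_status(589824)` yields the routine error `GSS_S_DEFECTIVE_TOKEN`, which is what a Kerberos acceptor returns when the client sends a token that is not valid for its mechanism.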