RES: RES: RES: mod_auth_kerb credential error for principal
Edson Habowsky
EdsonH at weg.net
Wed Mar 28 06:52:39 EDT 2007
It's solved! (a bit)
I put these parameters into httpd.conf:
KrbVerifyKDC off
KrbServiceName HTTP
and it started working!!
Thanks a lot,
Edson Habowsky
Information Systems Department
Sc Data Center - Technology
Infrastructure Analyst - Servers/Storage
Phone: 55 (47) 3276 4619 - edsonh at weg.net
WEG Equipamentos Elétricos S.A. - Corporativo
"TRANSFORMING ENERGY INTO SOLUTIONS"
-----Original Message-----
From: Douglas E. Engert [mailto:deengert at anl.gov]
Sent: Friday, 23 March 2007 15:59
To: Edson Habowsky
Subject: Re: RES: RES: mod_auth_kerb credential error for principal
Ask your question on the mod_auth_kerb list.
Edson Habowsky wrote:
> Yupeeee..
>
> I got something.
> I reset the pwd of the user, started the whole thing over, and now I'm able to do the kinit -kt ../../apache.keytab HTTP/linuxserver.domain.com at DOMAIN.COM
>
> And if I run klist.. I get the default Principal ticket OK in the cache. NICE...
> But,
> Now if I try to access the webserver I'm not able to authenticate, and if I look at /usr/local/apache2/logs/error_log I see this:
>
> failed to verify krb5 credentials: Server not found in Kerberos database
>
> Do you know what this is? Am I still having the same problem?
>
>
> -----Original Message-----
> From: Edson Habowsky
> Sent: Friday, 23 March 2007 14:42
> To: 'Douglas E. Engert'
> Subject: RES: RES: mod_auth_kerb credential error for principal
>
> Man, this is driving me crazy already..
> I'm using a tool called adsiedit from M$ in order to edit the user properties and the principal properties. What I do is delete, from both, the information that indicates who is the PrincipalService and the user mapped to it.
>
> Then I run ktpass again with -mapuser myuser (the mapuser:myuser doesn't work) in order to generate the keytab again. This works!
> Then I put this file into the linux box, which is the principal, and run the kinit program over the key, and I get the msg already related here:
> " kinit(v5): Client not found in Kerberos database while getting initial credentials"
>
> I already tested with another user for this principal and also reset the account for this principal on the M$ AD side, and I'm still getting the same msg.
>
>
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert at anl.gov]
> Sent: Friday, 23 March 2007 13:16
> To: Edson Habowsky
> Subject: Re: RES: mod_auth_kerb credential error for principal
>
>
>
> Edson Habowsky wrote:
>> I did it with the lowercase:
>>
>> [root at linuxserver ~]# kinit -k -t /usr/local/apache2/conf/apache.keytab HTTP/linuxserver.domain.com at DOMAIN.COM
>> kinit(v5): Preauthentication failed while getting initial credentials
>>
>> Before I did the above, I ran adsiedit and deleted the userprincipal from linuxserver and the principal associated with the user account. Then I generated the keytab.
>>
>
> It is not clear what you did. Did you start over?
>
>
> The password used with the service account, (what you have been calling myuser)
> has to be the same password used with the ktpass command to create the
> keytab.
>
> I would start over, by deleting the "myuser" account.
> Then have your AD create an account with the name HTTP-linuxserver
> It can not have a "/", must be 20 characters or less, and must be a unique name
> within the AD forest. It is the samAccountName.
> Then run ktpass using /mapuser:HTTP-linuxserver
>
>
>> -----Original Message-----
>> From: Douglas E. Engert [mailto:deengert at anl.gov]
>> Sent: Thursday, 22 March 2007 16:57
>> To: Edson Habowsky
>> Cc: kerberos at mit.edu
>> Subject: Re: mod_auth_kerb credential error for principal
>>
>> A couple of things.
>> AD is case insensitive, but Kerberos is not.
>> The principal should have a lowercase host name.
>> Fix it now before it causes more problems.
>>
>>
>> kinit requires a principal as a parameter.
>> kinit -k \
>> -t /usr/local/apache2/conf/apache.keytab \
>> HTTP/linuxserver.domain.com at WEG.NET
>>
>> The account name myuser should relate to the
>> principal name, as each principal will need an account.
>> (MS calls it a user account; it is not a real user, it is
>> for the service.)
>>
>> Edson Habowsky wrote:
>>> Hello,
>>>
>>> I'm facing a serious problem with Kerberos tickets.
>>>
>>> I'm trying to authenticate Windows users to the Linux apache webserver using the Kerberos authentication method, with mod_auth_kerb for apache.
>>>
>>> I'm having problems with the keytab.
>>>
>>>
>>>
>>> Targeting domain controller: DCserver.domain.com
>>>
>>> Successfully mapped HTTP/LinuxServer.domain.com to myuser.
>>>
>>> Type the password for HTTP/LinuxServer.domain.com:
>>>
>>> Type the password again to confirm:
>>>
>>> Key created.
>>>
>>> Output keytab to c:\temp\apache.keytab:
>>>
>>> Keytab version: 0x502
>>>
>>> keysize 56 HTTP/LinuxServer.weg.net at WEG.NET ptype 1 (KRB5_NT_PRINCIPAL) vno 23 etype 0x3 (DES-CBC-MD5) keylength 8 (0x2f342c51891c1c68)
>>>
>>> Account myuser has been set for DES-only encryption.
>>>
>>>
>>>
>>>> I'm trying to use this keytab on the linux apache server with
>>>> mod_auth_kerb; and if I put the apache.keytab that was just created on the windows side onto the linux side, it
>>>> doesn't work. I get this error when I run the kinit command:
>>>> #kinit -k -t /usr/local/apache2/conf/apache.keytab
>>>> kinit(v5): Client not found in Kerberos database while getting initial
>>>> credentials
>>>
>>>
>>> If I run kinit myuser and put in my passwd, it works fine, and after running this, if I run klist it brings me the cached ticket fine.
>>>
>>> Also, if I run ktutil and check the kvno in the keytab, it gives me the right number (same as the one created on the windows side through ktpass).
>>>
>>>
>>>
>>>
>>>
>>>> May someone help me please,
>>>> I'm stuck on this, almost one week, and don't know what else to do.
>>>
>>>
>>>
>>>
>>>
>>> ________________________________________________
>>> Kerberos mailing list Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
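Both symptoms in the thread ("Client not found" from kinit, then "Server not found in Kerberos database" from mod_auth_kerb) come down to the principal stored in the keytab not matching what the KDC and the browser actually use: the ktpass output shows a mixed-case host (LinuxServer) in realm WEG.NET, the kinit attempts use DOMAIN.COM, and the account was set to DES-only. The workaround that "solved" it, KrbVerifyKDC off, disables mod_auth_kerb's check of the received service ticket against the local keytab, which is its defence against KDC spoofing, so a practitioner would rather confirm what the keytab actually contains. The following Python is an added example, not code from the thread, from mod_auth_kerb or from MIT krb5: it parses the MIT keytab format 0x0502 (the version ktpass printed) and flags the three mismatches above. The sample keytab is constructed in memory from the principal, vno, enctype and key bytes shown in the ktpass output plus a hypothetical clean AES256 entry; the expected realm and service name passed to the linter are assumptions for the demo.

```python
import struct

# Enctype numbers from RFC 3961 / MIT krb5; the single-DES types are the weak ones
DES_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}
AES256_SHA1 = 18  # aes256-cts-hmac-sha1-96


def build_keytab(entries):
    """Serialize (realm, components, name_type, timestamp, vno, enctype, key)
    tuples into MIT keytab format 0x0502 (big-endian, per the krb5 file format).
    Used here only to construct the sample; a real keytab comes from ktpass/ktutil."""
    out = bytearray(b"\x05\x02")
    for realm, comps, name_type, ts, vno, enctype, key in entries:
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIBH", name_type, ts, vno & 0xFF, enctype)
        body += struct.pack(">H", len(key)) + key
        body += struct.pack(">I", vno)          # optional 32-bit vno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Parse keytab format 0x0502 into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                     # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        ncomp, rlen = struct.unpack_from(">HH", data, off)
        off += 4
        realm = data[off:off + rlen].decode()
        off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, off)
            off += 2
            comps.append(data[off:off + clen].decode())
            off += clen
        name_type, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key = data[off:off + klen]
        off += klen
        vno = vno8
        if end - off >= 4:                # 32-bit vno overrides the 8-bit one when present
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                vno = vno32
        off = end
        entries.append({"realm": realm, "components": comps, "name_type": name_type,
                        "timestamp": ts, "vno": vno, "enctype": enctype, "key": key})
    return entries


def lint_keytab(entries, expected_realm, expected_service="HTTP"):
    """Return human-readable findings for the mismatches discussed in the thread."""
    findings = []
    for e in entries:
        principal = "/".join(e["components"]) + "@" + e["realm"]
        if e["realm"] != expected_realm:
            findings.append("%s: realm is %s, server expects %s"
                            % (principal, e["realm"], expected_realm))
        if len(e["components"]) == 2:
            service, host = e["components"]
            if service != expected_service:
                findings.append("%s: service is %s, not %s" % (principal, service, expected_service))
            if host != host.lower():
                findings.append("%s: host component is not lowercase "
                                "(AD is case-insensitive, Kerberos is not)" % principal)
        if e["enctype"] in DES_ENCTYPES:
            findings.append("%s: weak single-DES enctype %s"
                            % (principal, DES_ENCTYPES[e["enctype"]]))
    return findings


# Constructed sample: the entry ktpass printed in the thread (mixed-case host,
# vno 23, DES-CBC-MD5, 8-byte key) plus a hypothetical clean AES256 entry whose
# key bytes are a placeholder, not real key material.
SAMPLE_KEYTAB = build_keytab([
    ("WEG.NET", ["HTTP", "LinuxServer.weg.net"], 1, 1174680000, 23, 3,
     bytes.fromhex("2f342c51891c1c68")),
    ("WEG.NET", ["HTTP", "linuxserver.weg.net"], 1, 1174680000, 24, AES256_SHA1,
     bytes(range(32))),
])


def check_sample(expected_realm="WEG.NET"):
    """Lint the constructed sample against the realm the server is configured for."""
    return lint_keytab(parse_keytab(SAMPLE_KEYTAB), expected_realm)


if __name__ == "__main__":
    for line in check_sample():
        print(line)
```

Run against a real file by reading it into `parse_keytab` (for example `open("/usr/local/apache2/conf/apache.keytab", "rb").read()`) and passing the realm from the server's krb5.conf; a clean result means the principal the browser asks for (lowercase FQDN, correct realm) is present with a non-DES key, which is the condition under which KrbVerifyKDC can stay on.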