Error authenticating RHEL4 apache from Win 2k3 AD Kerberos
Nabeel Moidu
nabeelmoidu at gmail.com
Mon Nov 19 03:14:28 EST 2007
Hi
I'm trying to get Apache on my RHEL 4 AS server to authenticate against
a Windows 2003 AD.
I've configured /etc/krb5.conf as follows:
[root at test ~]# cat /etc/krb5.conf
....
[libdefaults]
default_realm = FOO.BAR
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
FOO.BAR = {
kdc = DC.FOO.BAR:88
admin_server = DC.FOO.BAR:749
default_domain = FOO.BAR
}
[domain_realm]
.FOO.BAR = FOO.BAR
FOO.BAR = FOO.BAR
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
The AD is dc.foo.bar and there's no firewall issue between apache and
the AD. NTP sync from the AD also works fine.
[root at test ~]# ntpdate -u dc.foo.bar
19 Nov 09:42:35 ntpdate[3440]: adjust time server 172.31.100.165
offset -0.048116 sec
When I try kinit apache1 it works fine.
[root at test ~]# kinit apache1
Password for apache1 at FOO.BAR:
[root at test ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: apache1 at FOO.BAR
Valid starting Expires Service principal
11/19/07 08:17:26 11/19/07 18:13:38 krbtgt/FOO.BARA at FOO.BAR
renew until 11/20/07 08:17:26
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Now I've configured Apache as follows:
[root at test ~]# cat /etc/httpd/conf/httpd.conf | grep Realm -B 8 -A 10
# features.
#
<Directory />
Options FollowSymLinks
AllowOverride None
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealm foo.bar
KrbServiceName HTTP
KrbMethodNegotiate on
Krb5KeyTab /etc/krb5.keytab
KrbVerifyKDC off
#require user apache1 at FOO.BAR
require valid-user
</Directory>
My keytab file is as follows:
[root at test ~]# cat /var/www/krb5.keytab
HTTP/test.foo.bar at FOO.BAR
[root at test ~]# ll /var/www/krb5.keytab
-rw-r--r-- 1 apache apache 36 Nov 19 10:08 /var/www/krb5.keytab
[root at test ~]#
When I try to log in as apache1 from the browser, I get:
[Mon Nov 19 09:25:33 2007] [error] [client 172.31.32.52]
krb5_get_init_creds_password() failed: KDC reply did not match
expectations
If the username is wrong or the password is wrong, I get errors
saying client not in database or preauthentication failed. It's only
when the password is correct that I get this error. On the browser
side, the server just prompts for the password again.
Suggestions, anybody?
Thanks in advance
Nabeel
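A consistency check over the fragments quoted above, added here as an example and not part of the original post or of mod_auth_kerb: it parses constructed copies of the posted krb5.conf and httpd.conf, compares the realm spelling, the keytab path and the expected HTTP service principal, and flags KrbVerifyKDC being off. The host FQDN test.foo.bar is taken from the keytab listing; the keytab principal list is a constructed stand-in for `klist -kt` output.

```python
import re

# Constructed copies of the fragments in the post (not the real files).
KRB5_CONF = """
[libdefaults]
default_realm = FOO.BAR
[realms]
FOO.BAR = {
kdc = DC.FOO.BAR:88
}
"""
HTTPD_CONF = """
AuthType Kerberos
KrbAuthRealm foo.bar
KrbServiceName HTTP
Krb5KeyTab /etc/krb5.keytab
KrbVerifyKDC off
require valid-user
"""
KEYTAB_PATH = "/var/www/krb5.keytab"                # where the post's `ll` shows the file
KEYTAB_PRINCIPALS = ["HTTP/test.foo.bar@FOO.BAR"]   # stand-in for `klist -kt` output

def parse_krb5_conf(text):
    """Return {section: {key: value}} for the flat keys of each section."""
    conf, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            conf[section] = {}
        elif section and "=" in line and not line.endswith("{"):
            k, v = (p.strip() for p in line.split("=", 1))
            conf[section][k] = v
    return conf

def parse_httpd_directives(text):
    """Return {directive: argument} for one-argument directives."""
    out = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            out[parts[0]] = parts[1]
    return out

def check(krb5_text, httpd_text, keytab_path, keytab_principals, host_fqdn):
    """Return a list of findings; an empty list means the pieces agree."""
    krb5, httpd, findings = parse_krb5_conf(krb5_text), parse_httpd_directives(httpd_text), []
    realm = krb5["libdefaults"]["default_realm"]
    auth_realm = httpd.get("KrbAuthRealm", realm)
    if auth_realm != realm:          # Kerberos realm names are case-sensitive
        findings.append(f"KrbAuthRealm {auth_realm!r} != default_realm {realm!r}")
    if httpd.get("Krb5KeyTab") != keytab_path:
        findings.append(f"Krb5KeyTab {httpd.get('Krb5KeyTab')} != keytab on disk {keytab_path}")
    wanted = f"{httpd.get('KrbServiceName', 'HTTP')}/{host_fqdn}@{realm}"
    if wanted not in keytab_principals:
        findings.append(f"keytab lacks {wanted}")
    if httpd.get("KrbVerifyKDC", "on").lower() == "off":
        findings.append("KrbVerifyKDC off: KDC reply is not verified against the keytab")
    return findings
```

With the values as posted, `check(KRB5_CONF, HTTPD_CONF, KEYTAB_PATH, KEYTAB_PRINCIPALS, "test.foo.bar")` reports the realm spelling, the keytab path and KrbVerifyKDC; the service principal itself matches.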