Access problem Apache/mod_auth_kerb/AD

Mikkel Kruse Johnsen mikkel at linet.dk
Wed Nov 21 09:38:01 EST 2007


Hi

I had some trouble finding out myself. So I ended up changing in
configure. Really stupid patch. Changes the check to reverse.

/Mikkel

--- ../BUILD/mod_auth_kerb-5.3/configure        2007-08-15
08:36:07.000000000 +0200
+++ /home/mkj/mod_auth_kerb-5.3.orig/configure  2007-07-25
11:38:20.000000000 +0200
@@ -3903,7 +3903,7 @@
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
-   if test $? -eq 1; then
+   if test $? -eq 0; then
                      echo "$as_me:$LINENO: result: yes" >&5
 echo "${ECHO_T}yes" >&6
                      cat >>confdefs.h <<\_ACEOF
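
Review bot: the changed `if test $? -eq 0; then` sits inside the `then` branch of the outer `if ... (exit $ac_status); }; }; then`, where `$?` is always 0, so the old `-eq 1` could never be true and the new `-eq 0` is always true. If "yes whenever the test program exits 0" is the intended meaning, drop the inner `test` altogether; if a specific exit code is meant, compare against `$ac_status` captured from the test program instead of `$?`. The header also lists the BUILD tree as `---` and the `.orig` tree as `+++`, so the direction of the change should be confirmed before applying, and the fix belongs in the autoconf input rather than the generated `configure`, which is overwritten on regeneration.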


On Wed, 2007-11-21 at 15:20 +0100, Florian.Dautermann at gmx.de wrote:

> Hi Mikkel,
> 
> thanks for the quick answer! Can you tell me how I switch to the internal SPNEGO? I did not find any information about that on the project web page nor on the internet.
> 
> Thanks,
> Florian
> 
> thanks 
> 
> > Hi Florian
> > 
> > I had the same problem. There is an error in mod_auth_kerb when using
> > the system SPNEGO. You have to use the mod_auth_kerb internal SPNEGO.
> > 
> > I was testing on RHEL5 and had to recompile with internal SPNEGO and it
> > worked.
> > 
> > /Mikkel
> > 
> > On Wed, 2007-11-21 at 14:36 +0100, Florian Dautermann wrote:
> > 
> > > Hello,
> > > 
> > > I have the following problem:
> > > Our KDC is a Windows 2003 AD Server with address "company.corp" 
> > > which is also the name of the domain. We have an Apache 
> > > Webserver running on an OpenSuse with mod_auth_kerb (5.3). 
> > > Its name is "department.location.company.corp". It has a 
> > > valid keytab file (for 
> > > HTTP/department.location.company.corp at company.corp) with 
> > > which it can get tickets. The WebServer is accessed via
> > > "http://department.location.company.corp:1081/site".
> > > 
> > > Some hosts can access the WebServer correctly. 
> > > 
> > > The other hosts who cannot access the WebServer are 
> > > Windows XP Pro machines, hooked into the domain with a 
> > > domain user logged on. Access is not possible via: IE6, 
> > > IE7, Mozilla despite correct configuration (Integrated 
> > > Windows Authentication is on, correct zone is set...). 
> > > Access is possible via the following ways: running the 
> > > browsers explicitly as the user's domain account; using 
> > > MIT Kerberos for Windows in combination with mozilla 
> > > (switching network.auth.use-sspi to false). Kerbtray 
> > > shows a TGT in the MSLSA cache. 
> > > 
> > > In case of a failure, Apache log shows that the client 
> > > is sending an NTLM token. Network sniffers show that 
> > > there is no communication between the client and the KDC.
> > > 
> > > One really funny thing about the whole thing is that 
> > > the error appears exclusively if the user is in the local 
> > > Administrators group. (User logs on; it is working; user 
> > > is granted administrative rights; logs off and on again; 
> > > it does not work). Removing the user from Administrator 
> > > group again afterwards does not solve the problem.
> > > 
> > > I guess somehow the Microsoft SSPI is the problem, but
> > > I do not know how to fix it.
> > > 
> > > Any ideas or thoughts are appreciated.
> > > 
> > > Thanks,
> > > Florian
> > > ________________________________________________
> > > Kerberos mailing list           Kerberos at mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/kerberos
> > 
> > Med Venlig Hilsen / Kind Regards
> > 
> > Mikkel Kruse Johnsen
> > Adm.Dir.
> > 
> > Linet
> > Ørholmgade 6 st tv
> > Copenhagen N 2200
> > Denmark
> > 
> > Work:    +45 21287793
> > Mobile: +45 21287793
> > Email: mikkel at linet.dk
> > IM: mikkel at linet.dk (MSN)
> > Professional Profile
> > Healthcare
> > Network Consultant

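
The observation in the thread that the Apache log shows the client sending an NTLM token can be confirmed from the `Authorization: Negotiate` header value itself. The following is an added example, not code from the thread or from mod_auth_kerb: it classifies a token as raw NTLM, bare GSS-API, or SPNEGO and lists the mechanisms offered. The function names and the sample tokens are constructed for illustration.

```python
import base64

MECHS = {  # DER-encoded OID bodies of mechanisms seen in Negotiate tokens
    bytes.fromhex("2b0601050502"): "SPNEGO",
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",
    bytes.fromhex("2a864882f712010202"): "MS Kerberos 5",
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",
}

def read_tlv(buf, pos=0):  # -> (tag, value, next_pos) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def classify_negotiate(header_value):
    """Return (wrapper, [mechanisms]) for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return ("not-negotiate", [])
    try:
        tok = base64.b64decode(b64, validate=True)
        if tok.startswith(b"NTLMSSP\x00"):  # bare NTLM, no GSS-API framing
            return ("raw-ntlm", ["NTLMSSP"])
        tag, body, _ = read_tlv(tok)  # [APPLICATION 0] initial context token
        oid_tag, oid, pos = read_tlv(body)
        if tag != 0x60 or oid_tag != 0x06:
            return ("unknown", [])
        if MECHS.get(oid) != "SPNEGO":  # e.g. a Kerberos token without SPNEGO
            return ("gssapi", [MECHS.get(oid, oid.hex())])
        inner = read_tlv(body, pos)[1]  # [0] NegTokenInit
        for _ in range(3):  # SEQUENCE, then [0] mechTypes, then SEQUENCE OF OID
            inner = read_tlv(inner)[1]
        mechs, p = [], 0
        while p < len(inner):
            _, o, p = read_tlv(inner, p)
            mechs.append(MECHS.get(o, o.hex()))
        return ("spnego", mechs)
    except (ValueError, IndexError):
        return ("malformed", [])

# Constructed sample tokens (not captured traffic); der() handles short lengths only.
def der(tag, val): return bytes([tag, len(val)]) + val
S, K, _, N = MECHS  # OID bodies in insertion order: SPNEGO, Kerberos 5, MS Kerberos 5, NTLMSSP
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(der(0x60, der(6, S) + der(
    0xA0, der(0x30, der(0xA0, der(0x30, der(6, K) + der(6, N))))))).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01" + bytes(31)).decode()
```

A `raw-ntlm` result, or an `spnego` result whose list contains only `NTLMSSP`, means the client never offered Kerberos, which matches the reported absence of any traffic between the client and the KDC.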