Using Apache with mod_auth_kerb

Russ Allbery rra at stanford.edu
Mon Dec 1 20:14:08 EST 2008


Ansgar Burchardt <ansgar at 2008.43-1.org> writes:

> I have a small problem with mod_auth_kerb and Firefox 3.0:  While
> authenticating via Kerberos works fine from a computer located in the
> same domain, I cannot get Firefox to authenticate from my home computer.
>
> I have a Kerberos ticket and Konqueror handles the Kerberos
> authentication just fine, but Firefox seems to have problems.  So far I
> have only found that the option
>     network.negotiate-auth.trusted-uris
> has to be set by me (I set it to `https://example.com', the web server I
> wish to authenticate to is `https://www.example.com'.  I have also tried
> different combinations).  All other `negotiate-auth' related settings
> still have their default values.

After you try to visit the web site in question, run klist.  Does an
HTTP/* ticket for the web server show up in your ticket cache?  If so,
something is going wrong with the Negotiate-Auth part of Firefox's code;
if not, you probably have a more basic problem with mapping the web server
to an existing Kerberos principal.

Make sure that your realm mappings are correct in your /etc/krb5.conf
file, for example.  That's often the problem.

> I am also not quite sure what the network.negotiate-auth.delegation-uris
> is supposed to do.  Will it pass the TGT to the server?

Yes.  Be very careful with this, since it gives the server full access to
do anything Kerberized as you.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>



More information about the Kerberos mailing list