Keytab server principal cuts off at @
Charles Breite
Charles.Breite at altertrading.com
Mon Jun 15 14:30:39 EDT 2009
Hi All,

I have a strange problem and hope someone can help....

I have a new installation of Kerberos 5 release 1.6.2 and we have this working on all of our production servers but this server continues to fail to authenticate.

What I see in the logs for the failure is:

[Mon Jun 15 13:08:52 2009] [debug] src/mod_auth_kerb.c(1485): [client 10.10.100.29] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jun 15 13:08:52 2009] [debug] src/mod_auth_kerb.c(940): [client 10.10.100.29] Using HTTP/servername.domain.com@ as server principal for password verification
[Mon Jun 15 13:08:52 2009] [debug] src/mod_auth_kerb.c(680): [client 10.10.100.29] Trying to get TGT for user charlesb@Domain.COM
[Mon Jun 15 13:08:52 2009] [debug] src/mod_auth_kerb.c(594): [client 10.10.100.29] Trying to verify authenticity of KDC using principal HTTP/servername.domain.com@
[Mon Jun 15 13:08:52 2009] [debug] src/mod_auth_kerb.c(609): [client 10.10.100.29] krb5_get_credentials() failed when verifying KDC
[Mon Jun 15 13:08:52 2009] [error] [client 10.10.100.29] failed to verify krb5 credentials: Server not found in Kerberos database
[Mon Jun 15 13:08:52 2009] [debug] src/mod_auth_kerb.c(1019): [client 10.10.100.29] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL)

I am wondering if anyone has seen this where the principal is cut off.... I have regenerated the keytab several times and re-checked the Windows accounts we are using for the auth.... Shouldn't the principal be HTTP/servername.domain.com@domain.com?

Apache config is:

<VirtualHost 10.10.10.14:80>
    ServerName servername.domain.com
    ServerAlias servername.domain.com
    ServerAlias servername
    DocumentRoot /usr/local/nagios/share
    ErrorLog /var/log/apache2/nagios_error.log
    TransferLog /var/log/apache2/nagios_access.log
    LogLevel Debug
    ScriptAlias /nagios/cgi-bin/ "/usr/local/nagios/sbin/"
    <Directory "/usr/local/nagios/sbin/">
        Options ExecCGI
        Order allow,deny
        Allow from all
        AuthType Kerberos
        AuthName "Nagios"
        Krb5Keytab /etc/apache2/keytabs/HTTP.servername.keytab
        KrbAuthRealms DOMAIN.COM
        KrbServiceName HTTP
        KrbVerifyKDC on
        KrbMethodNegotiate off
        KrbMethodK5Passwd on
        AuthGroupFile /usr/local/nagios/web_groups
        Require group nagios
    </Directory>
    <Directory "/usr/local/nagios/share">
        Options FollowSymLinks
        Order allow,deny
        Allow from all
        AuthType Kerberos
        AuthName "Nagios"
        Krb5Keytab /etc/apache2/keytabs/HTTP.servername.keytab
        KrbAuthRealms DOMAIN.COM
        KrbServiceName HTTP
        KrbVerifyKDC on
        KrbMethodNegotiate off
        KrbMethodK5Passwd on
        AuthGroupFile /usr/local/nagios/web_groups
        Require group nagios
    </Directory>
</VirtualHost>

I am fairly new to Kerberos so I apologize if I am not seeing something that I should be....

Thanks!
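
A way to find the symptom shown in the log above across an Apache error log, as an added example that is not part of the original post: it parses mod_auth_kerb's "Using ... as server principal" debug lines and flags any principal whose realm is empty or not among the configured KrbAuthRealms. The function names and all sample lines except the first are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# mod_auth_kerb debug line naming the server principal (wording as in the log above).
PRINCIPAL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[debug\] src/mod_auth_kerb\.c\(\d+\): "
    r"\[client (?P<client>[^\]]+)\] Using (?P<principal>\S+) as server principal"
)

class Finding(NamedTuple):
    timestamp: str
    client: str
    principal: str
    problem: str

def check_principal(principal: str, allowed_realms: set) -> Optional[str]:
    """Return a description of what is wrong with the principal, or None."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        return "no realm separator"
    if not realm:
        return "empty realm"
    if "/" not in name:
        return "no service/host component"
    if realm not in allowed_realms:  # Kerberos realm names are case-sensitive
        return "realm %r not in KrbAuthRealms" % realm
    return None

def scan(lines, allowed_realms):
    """Collect a Finding for every logged server principal that looks malformed."""
    findings = []
    for line in lines:
        m = PRINCIPAL_RE.match(line)
        if m:
            problem = check_principal(m["principal"], allowed_realms)
            if problem:
                findings.append(Finding(m["ts"], m["client"], m["principal"], problem))
    return findings

# Constructed sample: the first line mirrors the post, the others are invented.
PREFIX = "[Mon Jun 15 13:08:52 2009] [debug] src/mod_auth_kerb.c(940): [client 10.10.100.29] "
SAMPLE_LOG = [
    PREFIX + "Using HTTP/servername.domain.com@ as server principal for password verification",
    PREFIX + "Using HTTP/servername.domain.com@DOMAIN.COM as server principal for password verification",
    PREFIX + "Using HTTP/servername.domain.com@domain.com as server principal for password verification",
    "[Mon Jun 15 13:08:52 2009] [error] [client 10.10.100.29] failed to verify krb5 credentials",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, {"DOMAIN.COM"}):
        print(f"{f.timestamp} client={f.client} {f.principal}: {f.problem}")
```

The check only reports what the module logged; it does not say why the realm is missing.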