key table entry not found
Afrodita Petrova
dita.bt at gmail.com
Tue Aug 24 09:01:31 EDT 2010
Hello,
I have a virtual network configured to use Kerberos authentication. The setup
is as follows:
Windows Server 2008 Standard SP2 (DC, DNS) (FQDN) labserver.lab.com;
Debian Linux 5.0 (lenny) (WebServer-Apache) (FQDN) debian.lab.com;
Windows XP Prof. (client) (FQDN) zdravko.lab.com;
They are in the DNS lookup zone. I created one test user account for accessing
the client machine under the given domain (lab.com). The user name is "achimtest1"
and its password never expires, and it's not going to be prompted for
changing. After that I created one "dummy" user which will be used for
SPN (service principal name) mapping to it. It's called "http-test" and the
same flags are used as in the "achimtest1" user + one more: "This account
supports AES 256 bit encryption". I continued with creating the keytab file:
c:\>ktpass /princ HTTP/debian.lab.com@LAB.COM /mapuser http-test@lab.com /pass Debian26 /crypto AES256-SHA1 /ptype KRB5_NT_SRV_HST /out http-test.keytab
The keytab is successfully created and I have checked it with the following
command: c:\>setspn -L http-test -> I have the service principal name HTTP/
debian.lab.com registered to it. I copy the "http-test.keytab" file via pscp
to the Debian box into the /etc/apache2/keytab/ directory. In the /etc/hosts file on
Debian I've deleted the "127.0.0.1" line and replaced it with "192.168.100.103
debian.lab.com debian"; 192.168.100.103 is the Linux box's IP.
In the /etc/resolv.conf file I have made the following changes:
domain lab.com
search lab.com
nameserver 192.168.100.102
- 192.168.100.102 is the DNS's IP.
The package versions are the following:
krb5-config: 1.22;
krb5-user: 1.6.dfsg.4-beta1-5lenny4;
krb5-clients: 1.6dfsg.4-beta1-5lenny4;
libapache2-mod-auth-kerb: 5.3-5;
The following lines are from /etc/krb5.conf:
[libdefaults]
default_realm = LAB.COM
default_keytab_name = FILE:/etc/apache2/keytab/http-test.keytab
krb4_congig = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
default_tgs_enctypes = aes256-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96
[realms]
LAB.COM = {
kdc = labserver.lab.com
admin_server = labserver.lab.com
default_domain = lab.com
}
[domain_realm]
.lab.com = LAB.COM
lab.com = LAB.COM
[login]
krb4_convert = true
krb4_get_tickets = false
The following lines are from /etc/apache2/sites-enabled/000-default:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
<Directory /var/www/>
AuthType Kerberos
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbAuthRealms LAB.COM
Krb5Keytab /etc/apache2/keytab/http-test.keytab
KrbVerifyKDC on
KrbServiceName Any
AuthName "Kerberos Login"
Require valid-user
Options FollowSymLinks
AllowOverride None
</Directory>
I did all kinds of testing in Debian with the "kinit" command (mind you that
I'm not doing this for the first time, so every question like "Did you check
the kvno?" is unnecessary). Every test with the kvno and e-type is performed and
is as expected: positive.
I'm logged in as root, the keytab file is readable by root, and so is the apache
process. After I log in on my client machine (XP) I set up IExplorer using
Achim's tutorial. The error that occurs when I try to access
http://debian.lab.com is Authorization Required (401).
The kerbtray activated on my client shows that the tickets received
from the server are encrypted with ArcFour (RC4) encryption and that the
etype=0.
Nothing matches my setup. There is no trace of the AES256-SHA1 encryption
mechanism. The Apache /var/log/apache2/error.log writes the following lines:
[debug]src/mod_auth_kerb.c(1579):[client 192.168.100.126]
kerb_authenticate_user entered with user4 (NULL) and auth_type Kerberos
[debug]mod_deflate.c(615):[client 192.168.100.126] Zlib: Compressed 594 to
399 : URL /
[debug]src/mod_auth_kerb.c(1579): [client 192.168.100.126]
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug]src/mod_auth_kerb.c(1407): [client 192.168.100.126] Verifying client
data using KRB5 GSS-API
[debug]src/mod_auth_kerb.c(1423): [client 192.168.100.126] Verification
returned code 851968
[error] [client 192.168.100.126] gss_accept_sec_context()Unspecified GSS
failure (Key table entry not found)
[debug]mod_deflate.c(615):[client 192.168.100.126] Zlib:Compressed 594 to
399 : URL /
Sorry about the long post:)
Regards
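A diagnostic for the symptom described above (a keytab holding only an AES256 key while the client presents an RC4 service ticket, ending in "Key table entry not found"), added here as an example and not part of the original post: it parses a keytab in MIT format 0x502 and lists which entries could serve a ticket of a given enctype (18 = aes256-cts-hmac-sha1-96, 23 = arcfour-hmac/RC4). The keytab bytes, kvno and key material are constructed for the example, not taken from the poster's file.

```python
import struct

def build_keytab_entry(realm, components, name_type, kvno, enctype, key):
    """Serialize one MIT keytab (format 0x502) entry; all fields big-endian."""
    body = struct.pack(">H", len(components))          # realm is not counted
    for s in [realm] + components:
        raw = s.encode()
        body += struct.pack(">H", len(raw)) + raw
    body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)  # type, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                    # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x502 is handled")
    off, entries = 2, []
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]
        off += 4
        if size <= 0:                # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        ncomp = struct.unpack_from(">H", data, off)[0]
        off += 2
        parts = []
        for _ in range(ncomp + 1):   # realm string first, then components
            n = struct.unpack_from(">H", data, off)[0]
            parts.append(data[off + 2:off + 2 + n].decode())
            off += 2 + n
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        etype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen
        kvno = (struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0) or vno8
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, etype))
        off = end
    return entries

def matching_keys(entries, principal, ticket_etype):
    """Keytab entries GSSAPI could decrypt a ticket of this enctype with."""
    return [e for e in entries if e[0] == principal and e[2] == ticket_etype]

# Constructed keytab: the single AES256 (enctype 18) entry that ktpass
# /crypto AES256-SHA1 leaves for HTTP/debian.lab.com@LAB.COM; zero key bytes
# are a placeholder. A ticket kerbtray shows as RC4 (enctype 23) has no match.
KEYTAB = b"\x05\x02" + build_keytab_entry("LAB.COM", ["HTTP", "debian.lab.com"],
                                          3, 3, 18, bytes(32))  # 3 = NT_SRV_HST
```

Running matching_keys(parse_keytab(KEYTAB), "HTTP/debian.lab.com@LAB.COM", 23) against a real keytab (read with open(path, "rb")) shows in one step whether the KDC-issued ticket enctype has any key to match, which is the condition gss_accept_sec_context() reports as "Key table entry not found".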