Key table entry not found - this time with Heimdal
Afrodita Petrova
dita.bt at gmail.com
Mon Aug 30 06:15:49 EDT 2010
Hello,
this is the same setup as in my previous post from this month, but this
time I'm using heimdal-clients. I have removed all of the MIT packages that I
had installed: krb5-user, krb5-clients.
I have a virtual network configured to use Kerberos authentication. The
setup is as follows:
Windows Server 2008 Standard SP2 (DC, DNS) (FQDN) labserver.lab.com;
Debian Linux 5.0 (lenny) (WebServer-Apache) (FQDN) debian.lab.com;
Windows XP Prof. (client) (FQDN) zdravko.lab.com;
[Windows Server 2008 Settings]
They are in the DNS lookup zone. I created one test user account for
accessing the client machine under the given domain (lab.com). The user
name is "zdravko1"; its password never expires, and the user is not going
to be prompted to change it. After that I created one "dummy" user which
will be used for the SPN (the service principal name is mapped to it). It's
called "http", and the same flags are used as for "zdravko1":
-User cannot change password;
-Password never expires;
-This account supports AES 256 bit encryption;
I continued with creating the keytab file:
c:\>ktpass /princ HTTP/debian.lab.com@LAB.COM /mapuser http@LAB.COM /pass Debian26 /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out http.keytab
Keytab version: 0x502
keysize 78 HTTP/debian.lab.com@LAB.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0x......)
The keytab is successfully created and I have checked it with the
following command: c:\>setspn -L http -> I have the service
principal name HTTP/debian.lab.com registered to it.
I copied the "http.keytab" file via pscp to the Debian box into the
/etc/apache2/keytab/ directory.
[Debian 5.0 Settings]
In the /etc/hosts file in Debian I've deleted the "127.0.0.1" line and
replaced it with: "192.168.100.103 debian.lab.com debian";
192.168.100.103 is the Linux box's IP.
In the /etc/resolv.conf file I have made the following changes:
domain lab.com
search lab.com
nameserver 192.168.100.102
192.168.100.102 is the DNS's IP.
The package versions are the following:
heimdal-clients: 1.2.dfsg.1-2.1;
libapache2-mod-auth-kerb: 5.3-5;
The following lines are from /etc/krb5.conf:
[libdefaults]
    default_realm = LAB.COM
    default_tgs_enctypes = aes256-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96
[realms]
    LAB.COM = {
        kdc = 192.168.100.102
        admin_server = 192.168.100.102
    }
[domain_realm]
    .lab.com = LAB.COM
    lab.com = LAB.COM
[login]
    krb4_convert = true
    krb4_get_tickets = false
The following lines are from /etc/apache2/sites-enabled/000-default:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot
    <Directory /var/www/>
        AuthType Kerberos
        KrbMethodNegotiate on
        KrbMethodK5Passwd off
        KrbAuthRealms LAB.COM
        Krb5Keytab /etc/apache2/keytab/http.keytab
        KrbVerifyKDC on
        KrbServiceName Any
        AuthName "Kerberos Login"
        Require valid-user
        Options FollowSymLinks
        AllowOverride None
    </Directory>
I did testing in Debian with "kinit" and "klist -v":
[debian:/]kinit zdravko1
zdravko1@LAB.COM's Password: Debian26
[debian:/]klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: zdravko1@LAB.COM
  Issued           Expires          Principal
Aug 27 11:53:02  Aug 27 21:53:01  krbtgt/LAB.COM@LAB.COM
[debian:/]klist -v
Credentials cache: FILE:/tmp/krb5cc_0
Principal: zdravko1@LAB.COM
Cache version: 4
Server: krbtgt/LAB.COM@LAB.COM
Client: zdravko1@LAB.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 2 (why is this 2, when upon
creation with the "ktpass" command the kvno was 3 ?!?)
Ticket length: 977
Auth time: Aug 27 12:06:34 2010
End time: Aug 27 22:06:24 2010
Ticket flags: initial,pre-authenticated
Addresses: addressless
I'm logged in as root; the keytab file is readable by root, and so is the
Apache process. After I log into my client machine (XP) with the "zdravko1"
user, I set up IExplorer using Achim's tutorial
http://www.grolmsnet.de/kerbtut/. The error that occurs when I try to
access http://debian.lab.com is Authorization Required (401).
The kerbtray activated on my client shows that the tickets that are
received from the server are encrypted with ArcFour (RC4)
encryption and that the etype=0.
Nothing matches my setup. There is no trace of the AES256-SHA1
encryption mechanism. The Apache /var/log/apache2/error.log
writes the following lines:
[debug] src/mod_auth_kerb.c(1579): [client 192.168.100.126] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] mod_deflate.c(615): [client 192.168.100.126] Zlib: Compressed 594 to 399 : URL /
[debug] src/mod_auth_kerb.c(1579): [client 192.168.100.126] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1407): [client 192.168.100.126] Verifying client data using KRB5 GSS-API
[debug] src/mod_auth_kerb.c(1423): [client 192.168.100.126] Verification returned code 851968
[error] [client 192.168.100.126] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (Key table entry not found)
[debug] mod_deflate.c(615): [client 192.168.100.126] Zlib: Compressed 594 to 399 : URL /
So... I have two questions:
Why does the TGT have a key version number (kvno) different from the
keytab file that I created (2 != 3)... and
is this the reason for the above output from the error.log?
Regards.
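An added example, not part of the post and not code from Heimdal or mod_auth_kerb, that parses a version-2 (0x0502) keytab such as the one ktpass wrote above and checks whether it holds a key that could decrypt a service ticket with a given principal, enctype and kvno. That triple is what the acceptor (gss_accept_sec_context(), via krb5_rd_req) looks up in Krb5Keytab, and "Key table entry not found" is the error when nothing matches. Two points the example makes concrete: the kvno 2 in the klist -v output belongs to the krbtgt/LAB.COM ticket, a different principal from HTTP/debian.lab.com, so it is not the number to compare with the keytab's vno 3; and if the service ticket the XP client presents is RC4-encrypted, as kerbtray suggests, an AES256-only keytab has no key for it regardless of kvno. The keytab bytes and the all-zero key are constructed for the example; the entry layout (component count, realm, components, name type, timestamp, 8-bit kvno, enctype, key, optional 32-bit kvno) is the standard MIT/Heimdal file format.

```python
"""Parse a v2 (0x0502) Kerberos keytab and check whether it holds a key that
matches a service ticket.  Added example; the keytab below is constructed."""
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac-md5"}


def etype_name(etype):
    return ENCTYPE_NAMES.get(etype, "etype %d" % etype)


def _take(buf, pos, n):
    """Slice n bytes at pos, refusing to run past the end of the buffer."""
    if pos + n > len(buf):
        raise ValueError("truncated keytab at offset %d" % pos)
    return buf[pos:pos + n], pos + n


def _counted(buf, pos):
    """uint16 big-endian length, then that many bytes (realm and name parts)."""
    raw, pos = _take(buf, pos, 2)
    data, pos = _take(buf, pos, struct.unpack(">H", raw)[0])
    return data.decode("utf-8"), pos


def _parse_entry(entry):
    """Decode one record (the bytes after its int32 size prefix)."""
    raw, pos = _take(entry, 0, 2)
    ncomp = struct.unpack(">H", raw)[0]          # v2: realm is not counted
    realm, pos = _counted(entry, pos)
    comps = []
    for _ in range(ncomp):
        comp, pos = _counted(entry, pos)
        comps.append(comp)
    raw, pos = _take(entry, pos, 9)              # name_type, timestamp, vno8
    name_type, timestamp, kvno = struct.unpack(">IIB", raw)
    raw, pos = _take(entry, pos, 4)
    enctype, keylen = struct.unpack(">HH", raw)
    key, pos = _take(entry, pos, keylen)
    if len(entry) - pos >= 4:                    # optional 32-bit kvno wins
        kvno = struct.unpack(">I", entry[pos:pos + 4])[0] or kvno
    return {"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
            "timestamp": timestamp, "kvno": kvno, "enctype": enctype,
            "enctype_name": etype_name(enctype), "keylength": len(key)}


def parse_keytab(data):
    """Return all entries of a version-2 keytab blob."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        raw, pos = _take(data, pos, 4)
        size = struct.unpack(">i", raw)[0]
        if size < 0:                             # MIT: deleted slot of |size| bytes
            pos -= size
            continue
        entry, pos = _take(data, pos, size)
        entries.append(_parse_entry(entry))
    return entries


def build_keytab(principal, kvno, enctype, key, vno32=True):
    """Write a one-entry v2 keytab (used here only to construct test input)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    # name type 1 = KRB5_NT_PRINCIPAL, timestamp 0, then vno8, enctype, key
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    if vno32:                                    # ktpass omits this trailer
        body += struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def diagnose(entries, ticket_principal, ticket_enctype, ticket_kvno):
    """(code, message) findings for why the acceptor would report 'Key table
    entry not found' for this ticket; an empty list means a key matches."""
    by_princ = [e for e in entries if e["principal"] == ticket_principal]
    if not by_princ:
        have = ", ".join(sorted({e["principal"] for e in entries})) or "<none>"
        return [("no-principal", "keytab has no entry for %s (entries: %s)"
                 % (ticket_principal, have))]
    by_etype = [e for e in by_princ if e["enctype"] == ticket_enctype]
    if not by_etype:
        have = ", ".join(sorted({e["enctype_name"] for e in by_princ}))
        return [("no-enctype", "ticket is %s but keytab only has %s for %s"
                 % (etype_name(ticket_enctype), have, ticket_principal))]
    if not any(e["kvno"] == ticket_kvno for e in by_etype):
        have = "/".join(sorted(str(e["kvno"]) for e in by_etype))
        return [("kvno-mismatch", "ticket kvno %d but keytab kvno %s for %s"
                 % (ticket_kvno, have, ticket_principal))]
    return []


if __name__ == "__main__":
    # Constructed stand-in for the ktpass output on the page: vno 3, etype 0x12
    # (AES256), 32-byte key.  The key bytes are dummy.
    kt = parse_keytab(build_keytab("HTTP/debian.lab.com@LAB.COM", 3, 18, b"\x00" * 32))
    for e in kt:
        print(e["principal"], "kvno", e["kvno"], e["enctype_name"], e["keylength"])
    # An RC4 service ticket (what kerbtray showed) against an AES-only keytab:
    for code, msg in diagnose(kt, "HTTP/debian.lab.com@LAB.COM", 23, 3):
        print(code, "-", msg)
```

On the Debian box the same comparison can be made by hand with Heimdal's tools: ktutil -k /etc/apache2/keytab/http.keytab list prints the keytab's principals, kvnos and enctypes, and kgetcred HTTP/debian.lab.com@LAB.COM followed by klist -v shows the enctype and kvno of the HTTP service ticket itself. The "keysize 78" that ktpass printed is the sum of the fields the parser reads for that entry when the trailing 32-bit kvno is absent, which build_keytab(..., vno32=False) reproduces; a keytab re-exported after a password change on the http account gets a new kvno, so the keytab on the web server must be replaced each time that happens.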
More information about the Kerberos mailing list