mod_auth_kerb problem

Ben Kwint benkwint at gmail.com
Wed Dec 1 04:31:09 EST 2010


On Nov 30, 12:43 am, Andreas Ntaflos <d... at pseudoterminal.org> wrote:
> On Thursday 25 November 2010 09:03:49 Ben Kwint wrote:
>
> > After that I installed apache on the same machine to test
> > mod_auth_kerb. Installed mod_auth_kerb module on the apache machine
> > and set up the following .htaccess file
>
> > AuthType Kerberos
> > AuthName "Kerberos Login"
> > KrbVerifyKDC off
> > KrbMethodK5Passwd off
> > #KrbServiceName server
> > ### Krb5Keytab /etc/krb5.keytab.apache
> > KrbAuthRealms LOCAL.NETWORK
> > require valid-user
>
> > I tested all kinds of different setups of my .htaccess file
>
> Did you correctly create an HTTP service principal and add it to a
> keytab file Apache has permissions to read? The following (all from
> memory) assumes two different servers, one for the KDC, one for the
> webserver, but it shouldn't really matter. Replace the "kadmin -p ..."
> call with "kadmin.local" if it is all one machine:
>
> KDC# kadmin.local -q "ank -randkey HTTP/web.local.netw... at LOCAL.NETWORK"
> web# kadmin -p your-admin-account -q "ktadd \
>   -k /etc/apache2/http.keytab HTTP/web.local.netw... at LOCAL.NETWORK"
> web# chown root:www-data /etc/apache2/http.keytab
> web# chmod 640 /etc/apache2/http.keytab
>
> Then tell Apache where to find it. In the .htaccess file:
>
> KrbServiceName HTTP
> Krb5KeyTab /etc/apache2/http.keytab
>
> You should also keep "KrbVerifyKDC on".
>
> Restart Apache. The mod_auth_kerb homepage might also help you
> understand this procedure: http://modauthkerb.sourceforge.net/configure.html
>
> > My apache server does not show any errors but when I look at the
> > mozilla error log I see this:
>
> Does your KDC log anything useful?
>
> > -1216447824[b7517060]:   using REQ_DELEGATE
> > -1216447824[b7517060]:   service = local.network
> > -1216447824[b7517060]:   using negotiate-gss
> > -1216447824[b7517060]: entering nsAuthGSSAPI::nsAuthGSSAPI()
> > -1216447824[b7517060]: Attempting to load gss functions
> > -1216447824[b7517060]: entering nsAuthGSSAPI::Init()
> > -1216447824[b7517060]:
> > nsHttpNegotiateAuth::GenerateCredentials_1_9_2()
> > [challenge=Negotiate] -1216447824[b7517060]: entering
> > nsAuthGSSAPI::GetNextToken() -1216447824[b7517060]:
> > gss_init_sec_context() failed: Unspecified GSS failure.  Minor code
> > may provide more information
> > -1216447824[b7517060]:   leaving nsAuthGSSAPI::GetNextToken
> > [rv=80004005]
>
> > Any idea what might be causing this error?
>
> I can't really tell from this log output but did you set up Firefox to
> do the whole "negotiate-auth" dance for the webserver in question? I.e.
> set "network.negotiate-auth.trusted-uris" in "about:config" to, in your
> case, "local.network"?
>
> > Any help would be greatly appreciated. If someone knows any public
> > kdc which you can use to test stuff it would be even better, Then I
> > could forget all about installing my own kdc.
>
> I don't know of any public KDCs to test this against. And how would it
> be even possible? You need a service principal for the webserver as I
> explained above which is something the KDC administrator must create and
> distribute to your webserver.
>
> > So what I basically want is to be able to install an entire test
> > setup on 1 machine. Is this possible?
>
> I don't see why not, provided that your DNS works. This could really
> make or break any Kerberos setup. Be sure that both the KDC and the
> webserver can be resolved correctly forwards and backwards.
>
> HTH
>
> Andreas
>

Hi,

Today I got to testing again, but now I have the following problem. I
tried what you said but that didn't work.
When I looked at the kdc.log file I got the following error:

Dec 01 10:23:09 ben-MS-6580 krb5kdc[2398](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.68.16: UNKNOWN_SERVER: authtime 0, test at LOCAL.NETWORK for HTTP/ben-ms-6580 at LOCAL.NETWORK, Server not found in Kerberos database

So I added the principal HTTP/ben-ms-6580, which didn't work because I
still get the error.

Any suggestions?

Ben Kwint
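The provisioning and checking steps Andreas describes (create the HTTP service principal, export it to a keytab, restrict the keytab's permissions) collected into a few shell functions, as an added example that is not part of this thread. The host web.example.test, the realm EXAMPLE.TEST, the www-data group and the KDC log line embedded at the bottom are assumptions or constructed samples; the log line only mirrors the format of the kdc.log entry quoted above, and the functions that call kadmin.local and klist need the MIT Kerberos tools installed.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for provisioning and checking
# the HTTP service principal and keytab that mod_auth_kerb needs.
# web.example.test, EXAMPLE.TEST, the keytab path and the www-data group are
# assumptions; replace them with your own values.

# Build the service principal for a web host. Principal names are
# case-sensitive and clients lower-case the host part after canonicalising
# it through DNS, so the name must match what forward and reverse lookup
# return for the web server.
service_principal() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf 'HTTP/%s@%s\n' "$host" "$2"
}

# Create the principal and export its key into a keytab Apache can read.
# Runs on the KDC host (kadmin.local). ktadd generates a fresh key each
# time it runs, so re-running it invalidates any older copy of the keytab.
provision_keytab() {
    princ=$1
    keytab=$2
    kadmin.local -q "addprinc -randkey $princ"
    kadmin.local -q "ktadd -k $keytab $princ"
    chown root:www-data "$keytab"
    chmod 640 "$keytab"
}

# The keytab holds a long-term key: owner and group may read it, nobody
# else. Returns 0 when the "other" permission bits are all clear.
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    other=$(ls -ld "$1" | cut -c8-10)
    [ "$other" = "---" ]
}

# Confirm the keytab actually contains the principal the KDC will be asked
# for (requires the krb5 client tools).
keytab_has_principal() {
    klist -kt "$1" | grep -qF "$2"
}

# Extract the server principal from UNKNOWN_SERVER entries in a krb5kdc log
# (file argument, or stdin when omitted). A principal listed here was
# requested by a client but does not exist in the KDC database, so it can
# be compared with what the keytab and the Apache config use.
unknown_servers() {
    grep 'UNKNOWN_SERVER' "${1:--}" | sed -n 's/.* for \([^ ,]*\),.*/\1/p'
}

# Constructed sample KDC log line in the same format as the one in the
# thread, used for the offline demonstration below.
SAMPLE_KDC_LOG='Dec 01 10:23:09 kdc krb5kdc[2398](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: UNKNOWN_SERVER: authtime 0, alice@EXAMPLE.TEST for HTTP/web.example.test@EXAMPLE.TEST, Server not found in Kerberos database'

# Demonstration: what the KDC was asked for versus what we would provision.
expected=$(service_principal WEB.Example.Test EXAMPLE.TEST)
requested=$(printf '%s\n' "$SAMPLE_KDC_LOG" | unknown_servers)
echo "client requested: $requested"
echo "would provision:  $expected"
```

Once the two names agree, the Apache side is the pair of directives from Andreas's reply (`KrbServiceName HTTP` and `Krb5KeyTab` pointing at the file that `provision_keytab` wrote), and `keytab_has_principal` is the quick way to confirm the keytab on the web server really contains that principal before restarting Apache.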
