mod_auth_kerb problem

Ben Kwint benkwint at gmail.com
Thu Nov 25 03:03:49 EST 2010


Hi,

A while ago I got the assignment from my manager to start testing with
Kerberos to be able to implement it into one of our websites.

Our clients are going to supply the KDC for us, so we actually don't
have to worry too much about that. The only thing is we want to test it
before we start working with it.

Yesterday I set up a Kerberos KDC on my Kubuntu Linux machine, and it
seems to work.

When I do kinit -A test and enter the password for that user and do
klist, I see that I did get a ticket.

klist output:
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: test@LOCAL.NETWORK

Valid starting     Expires            Service principal
11/25/10 08:20:55  11/25/10 18:20:55  krbtgt/LOCAL.NETWORK@LOCAL.NETWORK
        renew until 11/26/10 08:20:53

So that part seems to work. Btw, I used this tutorial to set up my KDC:
http://community.jboss.org/wiki/SettingupyourKerberosDevelopmentEnvironment

After that I installed Apache on the same machine to test
mod_auth_kerb. I installed the mod_auth_kerb module on the Apache machine
and set up the following .htaccess file:

AuthType Kerberos
AuthName "Kerberos Login"
KrbVerifyKDC off
KrbMethodK5Passwd off
#KrbServiceName server
### Krb5Keytab /etc/krb5.keytab.apache
KrbAuthRealms LOCAL.NETWORK
require valid-user

I tested all kinds of different setups of my .htaccess file.

My Apache server does not show any errors, but when I look at the
Mozilla error log I see this:

-1216447824[b7517060]:   using REQ_DELEGATE
-1216447824[b7517060]:   service = local.network
-1216447824[b7517060]:   using negotiate-gss
-1216447824[b7517060]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1216447824[b7517060]: Attempting to load gss functions
-1216447824[b7517060]: entering nsAuthGSSAPI::Init()
-1216447824[b7517060]: nsHttpNegotiateAuth::GenerateCredentials_1_9_2() [challenge=Negotiate]
-1216447824[b7517060]: entering nsAuthGSSAPI::GetNextToken()
-1216447824[b7517060]: gss_init_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information
-1216447824[b7517060]:   leaving nsAuthGSSAPI::GetNextToken [rv=80004005]

Any idea what might be causing this error?

Any help would be greatly appreciated. If someone knows any public KDC
which you can use to test stuff, it would be even better. Then I could
forget all about installing my own KDC.

So what I basically want is to be able to install an entire test setup
on 1 machine. Is this possible?


