mod_auth_kerb problem

Andreas Ntaflos daff at pseudoterminal.org
Mon Nov 29 18:43:57 EST 2010


On Thursday 25 November 2010 09:03:49 Ben Kwint wrote:
 
> After that I installed apache on the same machine to test
> mod_auth_kerb. Installed mod_auth_kerb module on the apache machine
> and set up the following .htaccess file
> 
> AuthType Kerberos
> AuthName "Kerberos Login"
> KrbVerifyKDC off
> KrbMethodK5Passwd off
> #KrbServiceName server
> ### Krb5Keytab /etc/krb5.keytab.apache
> KrbAuthRealms LOCAL.NETWORK
> require valid-user
> 
> I tested all kinds of different setups of my .htaccess file

Did you correctly create an HTTP service principal and add it to a 
keytab file Apache has permissions to read? The following (all from 
memory) assumes two different servers, one for the KDC, one for the 
webserver, but it shouldn't really matter. Replace the "kadmin -p ..." 
call with "kadmin.local" if it is all one machine:

KDC# kadmin.local -q "ank -randkey HTTP/web.local.network@LOCAL.NETWORK"
web# kadmin -p your-admin-account -q "ktadd \
  -k /etc/apache2/http.keytab HTTP/web.local.network@LOCAL.NETWORK"
web# chown root:www-data /etc/apache2/http.keytab
web# chmod 640 /etc/apache2/http.keytab

Then tell Apache where to find it. In the .htaccess file:

KrbServiceName HTTP
Krb5KeyTab /etc/apache2/http.keytab

You should also keep "KrbVerifyKDC on". 

Restart Apache. The mod_auth_kerb homepage might also help you 
understand this procedure: 
http://modauthkerb.sourceforge.net/configure.html

> My apache server does not show any errors but when I look at the
> mozilla error log I see this:

Does your KDC log anything useful? 
 
> -1216447824[b7517060]:   using REQ_DELEGATE
> -1216447824[b7517060]:   service = local.network
> -1216447824[b7517060]:   using negotiate-gss
> -1216447824[b7517060]: entering nsAuthGSSAPI::nsAuthGSSAPI()
> -1216447824[b7517060]: Attempting to load gss functions
> -1216447824[b7517060]: entering nsAuthGSSAPI::Init()
> -1216447824[b7517060]: nsHttpNegotiateAuth::GenerateCredentials_1_9_2() [challenge=Negotiate]
> -1216447824[b7517060]: entering nsAuthGSSAPI::GetNextToken()
> -1216447824[b7517060]: gss_init_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information
> -1216447824[b7517060]:   leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
> 
> Any idea what might be causing this error?

I can't really tell from this log output but did you set up Firefox to 
do the whole "negotiate-auth" dance for the webserver in question? I.e. 
set "network.negotiate-auth.trusted-uris" in "about:config" to, in your 
case, "local.network"?

> Any help would be greatly appreciated. If someone knows any public
> kdc which you can use to test stuff it would be even better, Then I
> could forget all about installing my own kdc.

I don't know of any public KDCs to test this against. And how would it 
be even possible? You need a service principal for the webserver as I 
explained above which is something the KDC administrator must create and 
distribute to your webserver. 

> So what I basically want is to be able to install an entire test
> setup on 1 machine. Is this possible?

I don't see why not, provided that your DNS works. This could really 
make or break any Kerberos setup. Be sure that both the KDC and the 
webserver can be resolved correctly forwards and backwards.

HTH 

Andreas
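The checks Andreas describes (an HTTP/ principal present in a keytab Apache can read, keytab permissions that keep it away from other users, and forward/reverse DNS agreeing for the web host) can be scripted. The script below is an added example written for this page, not code from the mail or from mod_auth_kerb. The hostname, realm and keytab path are taken from the mail and are assumptions for your setup; the embedded klist output is constructed so the helper functions can be exercised without a real keytab. Run it with --run on the web server to perform the live checks.

```shell
#!/bin/sh
# Added example: verify the mod_auth_kerb prerequisites discussed above.
# Assumed values (override via environment to match your own setup).
KEYTAB="${KEYTAB:-/etc/apache2/http.keytab}"
WEBHOST="${WEBHOST:-web.local.network}"
REALM="${REALM:-LOCAL.NETWORK}"
PRINCIPAL="HTTP/${WEBHOST}@${REALM}"

# Constructed sample of "klist -k" output, used only for the offline demo.
SAMPLE_KLIST='Keytab name: FILE:/etc/apache2/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/web.local.network@LOCAL.NETWORK'

# has_http_principal KLIST_OUTPUT PRINCIPAL
# Succeeds when PRINCIPAL appears as the last field of some klist line,
# i.e. an exact match rather than a substring match.
has_http_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# keytab_mode_ok OCTAL_MODE
# Succeeds when "other" has no permissions at all (e.g. 640 or 0640):
# the keytab holds the service key, so world-readable is a defect.
keytab_mode_ok() {
    case "$1" in
        [0-7][0-7]0 | [0-7][0-7][0-7]0) return 0 ;;
        *) return 1 ;;
    esac
}

# dns_names_match NAME1 NAME2
# Compares two hostnames case-insensitively, ignoring a trailing dot
# (reverse lookups often return "host.example." with the dot).
dns_names_match() {
    a=$(printf '%s' "$1" | sed 's/\.$//' | tr 'A-Z' 'a-z')
    b=$(printf '%s' "$2" | sed 's/\.$//' | tr 'A-Z' 'a-z')
    [ "$a" = "$b" ]
}

# Live checks against the real system; only run when asked for.
run_checks() {
    status=0
    if [ ! -r "$KEYTAB" ]; then
        echo "FAIL: $KEYTAB missing or not readable by $(id -un)"; status=1
    else
        mode=$(stat -c %a "$KEYTAB" 2>/dev/null || stat -f %Lp "$KEYTAB")
        keytab_mode_ok "$mode" || { echo "FAIL: $KEYTAB mode $mode is readable by others"; status=1; }
        has_http_principal "$(klist -k "$KEYTAB")" "$PRINCIPAL" \
            || { echo "FAIL: $PRINCIPAL not in $KEYTAB"; status=1; }
    fi
    ip=$(getent hosts "$WEBHOST" | awk '{ print $1; exit }')
    if [ -z "$ip" ]; then
        echo "FAIL: $WEBHOST does not resolve"; status=1
    else
        rev=$(getent hosts "$ip" | awk '{ print $2; exit }')
        dns_names_match "$WEBHOST" "$rev" \
            || { echo "FAIL: reverse lookup of $ip gives '$rev', not $WEBHOST"; status=1; }
    fi
    [ "$status" -eq 0 ] && echo "OK: keytab, permissions and DNS look consistent"
    return "$status"
}

if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

The offline helpers are deliberately separated from the live commands so the matching logic can be tested on captured klist output; the live part uses only klist, stat and getent, which are present on any host that can run mod_auth_kerb.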