mod_auth_kerb problem
Andreas Ntaflos
daff at pseudoterminal.org
Mon Nov 29 18:43:57 EST 2010
On Thursday 25 November 2010 09:03:49 Ben Kwint wrote:
> After that I installed apache on the same machine to test
> mod_auth_kerb. Installed mod_auth_kerb module on the apache machine
> and set up the following .htaccess file
>
> AuthType Kerberos
> AuthName "Kerberos Login"
> KrbVerifyKDC off
> KrbMethodK5Passwd off
> #KrbServiceName server
> ### Krb5Keytab /etc/krb5.keytab.apache
> KrbAuthRealms LOCAL.NETWORK
> require valid-user
>
> I tested all kinds of different setups of my .htaccess file
Did you correctly create an HTTP service principal and add it to a
keytab file Apache has permissions to read? The following (all from
memory) assumes two different servers, one for the KDC, one for the
webserver, but it shouldn't really matter. Replace the "kadmin -p ..."
call with "kadmin.local" if it is all one machine:
KDC# kadmin.local -q "ank -randkey HTTP/web.local.network@LOCAL.NETWORK"
web# kadmin -p your-admin-account -q "ktadd \
-k /etc/apache2/http.keytab HTTP/web.local.network@LOCAL.NETWORK"
web# chown root:www-data /etc/apache2/http.keytab
web# chmod 640 /etc/apache2/http.keytab
Then tell Apache where to find it. In the .htaccess file:
KrbServiceName HTTP
Krb5KeyTab /etc/apache2/http.keytab
You should also keep "KrbVerifyKDC on".
Restart Apache. The mod_auth_kerb homepage might also help you
understand this procedure:
http://modauthkerb.sourceforge.net/configure.html
> My apache server does not show any errors but when I look at the
> mozilla error log I see this:
Does your KDC log anything useful?
> -1216447824[b7517060]: using REQ_DELEGATE
> -1216447824[b7517060]: service = local.network
> -1216447824[b7517060]: using negotiate-gss
> -1216447824[b7517060]: entering nsAuthGSSAPI::nsAuthGSSAPI()
> -1216447824[b7517060]: Attempting to load gss functions
> -1216447824[b7517060]: entering nsAuthGSSAPI::Init()
> -1216447824[b7517060]: nsHttpNegotiateAuth::GenerateCredentials_1_9_2() [challenge=Negotiate]
> -1216447824[b7517060]: entering nsAuthGSSAPI::GetNextToken()
> -1216447824[b7517060]: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information
> -1216447824[b7517060]: leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
>
> Any idea what might be causing this error?
I can't really tell from this log output but did you set up Firefox to
do the whole "negotiate-auth" dance for the webserver in question? I.e.
set "network.negotiate-auth.trusted-uris" in "about:config" to, in your
case, "local.network"?
> Any help would be greatly appreciated. If someone knows any public
> kdc which you can use to test stuff it would be even better, Then I
> could forget all about installing my own kdc.
I don't know of any public KDCs to test this against. And how would it
be even possible? You need a service principal for the webserver as I
explained above which is something the KDC administrator must create and
distribute to your webserver.
> So what I basically want is to be able to install an entire test
> setup on 1 machine. Is this possible?
I don't see why not, provided that your DNS works. This could really
make or break any Kerberos setup. Be sure that both the KDC and the
webserver can be resolved correctly forwards and backwards.
HTH
Andreas
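The checks below are an added example, not part of the reply above or of mod_auth_kerb: a small POSIX shell script that verifies the keytab ownership and permissions, the presence of the HTTP service principal, that the key actually works against the KDC, and the forward/reverse DNS agreement the reply insists on. The keytab path, principal and Apache group are assumptions taken from the reply and can be overridden through the environment; the script assumes MIT klist/kinit, GNU stat and glibc getent.

```shell
# Added example, not from the original thread: operator-side checks for the keytab
# and DNS setup the reply describes. Assumed names (override via environment):
# keytab path, HTTP service principal, Apache's group. Uses MIT klist/kinit,
# GNU stat and glibc getent; SAMPLE_LISTING is constructed "klist -kt" output.
KEYTAB="${KEYTAB:-/etc/apache2/http.keytab}"
PRINC="${PRINC:-HTTP/web.local.network@LOCAL.NETWORK}"
APACHE_GROUP="${APACHE_GROUP:-www-data}"
SAMPLE_LISTING='Keytab name: FILE:/etc/apache2/http.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------
   2 11/29/10 18:00:00 HTTP/web.local.network@LOCAL.NETWORK
   2 11/29/10 18:00:00 host/web.local.network@LOCAL.NETWORK'

# Keytab readable by Apache's group only: root-owned, group = Apache's, no
# 'other' bits, no group write (640 as in the reply, or stricter). Args: mode owner group.
keytab_perms_ok() {
    [ "$2" = root ] && [ "$3" = "$APACHE_GROUP" ] || return 1
    case "$1" in 640|600|440|400) return 0 ;; *) return 1 ;; esac
}

# Does a "klist -kt" listing (passed as text) contain the expected principal?
# Principal names are case-sensitive: HTTP/..., not http/....
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '$NF == want { f = 1 } END { exit f ? 0 : 1 }'
}

# The reply's "resolved correctly forwards and backwards": A record and PTR agree.
dns_roundtrip_ok() {
    ip=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$ip" ] || return 1
    [ "$(getent hosts "$ip" | awk 'NR == 1 { print $2 }')" = "$1" ]
}

check_keytab() {
    [ -f "$KEYTAB" ] || { echo "missing keytab $KEYTAB"; return 1; }
    set -- $(stat -c '%a %U %G' "$KEYTAB")
    keytab_perms_ok "$1" "$2" "$3" || { echo "bad perms $1 $2:$3 on $KEYTAB"; return 1; }
    keytab_has_principal "$(klist -kt "$KEYTAB")" "$PRINC" \
        || { echo "$PRINC not in $KEYTAB"; return 1; }
    # Proves the key matches the KDC's copy (catches a stale KVNO after a re-ktadd);
    # MEMORY: ccache keeps the test ticket out of the admin's own cache.
    KRB5CCNAME=MEMORY:keytabcheck kinit -k -t "$KEYTAB" "$PRINC" \
        || { echo "kinit from keytab failed for $PRINC"; return 1; }
    h=${PRINC#*/}; h=${h%@*}
    dns_roundtrip_ok "$h" || { echo "forward/reverse DNS mismatch for $h"; return 1; }
    echo "keytab and DNS look good for $PRINC"
}

case "${1:-}" in --check) check_keytab ;; esac
```

Run it as root on the webserver with `--check`; a failing step prints which of the reply's prerequisites is missing.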