What are the issues with dns_lookup_realm ?
Christopher D. Clausen
cclausen at acm.org
Mon Oct 11 09:54:50 EDT 2010
Brian Candler <B.Candler at pobox.com> wrote:
> The error message from /var/log/http/ssl_error_log was unhelpful:
>
> [Mon Oct 11 11:20:17 2010] [error] [client 172.31.131.185]
> krb5_verify_init_creds() failed: Key table entry not found
>
> What was even more odd, if I did a 'su' to the apache user, I was able to
> 'kinit' using one of the usernames/passwords which apache was rejecting as
> Basic Auth credentials. Surely mod_auth_kerb should be doing the same??
There is more to it than just a kinit, unless you have KrbVerifyKDC off,
which you shouldn't because it can be a security problem. Mod_auth_kerb is just
blindly trusting that ANY successful Kerberos reply comes from your KDC with
this turned off. When it is on, it uses its keytab to verify that the KDC
that responded is legit and not one an attacker set up.
> [snip]
> The fact that adding the DNS record fixed things suggests that it was a
> hostname-to-realm mapping issue. But I'd really like to know what
> principal
> it was looking for when I got the "Key table entry not found" error
> message.
The requested service principal name would likely be logged on the KDC when
apache tries to authenticate users and produces this message.
<<CDC
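The point above, as an added toy model that is not mod_auth_kerb or MIT Kerberos code: a password-only login trusts whichever KDC answers the AS exchange, so a rogue KDC reached through spoofed DNS can issue a reply under the attacker's own password and the login "succeeds". With verification on, the module also asks for a ticket for its own service principal and checks it against the keytab, which the rogue KDC cannot forge; if the keytab has no entry for that principal the check fails the way the quoted log line does. The realm, principals, passwords and the XOR-plus-HMAC stand-in for Kerberos encryption are all constructed for the example.

```python
"""Toy model of what KrbVerifyKDC / krb5_verify_init_creds() adds on top of a
plain password check. Constructed example: the "encryption" is a SHA-256
keystream with an HMAC tag, so only key ownership matters, and every name
and password below is hypothetical."""
import hashlib
import hmac
import os

REALM = "EXAMPLE.COM"  # hypothetical realm


class DecryptError(Exception):
    """Raised when a reply was not produced with the key we hold."""


def string_to_key(password, principal):
    # Stand-in for the Kerberos string-to-key function (password + salt -> key)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 1000)


def _keystream(key, nonce, n):
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise DecryptError("reply was not encrypted with this key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """The legitimate KDC: holds the real user and service keys."""

    def __init__(self, user_keys, service_keys):
        self.user_keys, self.service_keys = user_keys, service_keys

    def as_exchange(self, principal):
        # AS-REP: encrypted under the user's long-term key (unknown user -> KeyError)
        return encrypt(self.user_keys[principal], b"TGT for " + principal.encode())

    def tgs_exchange(self, service_principal):
        # TGS-REP: service ticket encrypted under the service's long-term key
        return encrypt(self.service_keys[service_principal], b"ticket " + service_principal.encode())


class RogueKDC:
    """Attacker-run KDC reached via spoofed DNS. It answers every AS-REQ with a
    reply under the password the attacker is typing, so that reply decrypts,
    but it has no copy of the HTTP service key from the real keytab."""

    def __init__(self, attacker_password):
        self.attacker_password = attacker_password

    def as_exchange(self, principal):
        return encrypt(string_to_key(self.attacker_password, principal), b"forged TGT")

    def tgs_exchange(self, service_principal):
        return encrypt(os.urandom(32), b"forged ticket")  # random key, not the real one


def basic_auth_login(kdc, username, password, keytab, verify_kdc, service_principal):
    """Model of mod_auth_kerb's Basic-auth path. Returns an outcome string."""
    principal = f"{username}@{REALM}"
    try:
        decrypt(string_to_key(password, principal), kdc.as_exchange(principal))
    except (DecryptError, KeyError):
        return "password rejected"
    if not verify_kdc:
        return "authenticated"          # trusts whoever answered the AS exchange
    # krb5_verify_init_creds() analogue: fetch a ticket for our own principal
    # and prove it was minted with the key in our keytab. The toy fails closed
    # when the entry is missing, matching the log line in the quoted post.
    if service_principal not in keytab:
        return "Key table entry not found"
    try:
        decrypt(keytab[service_principal], kdc.tgs_exchange(service_principal))
    except DecryptError:
        return "KDC reply did not verify"
    return "authenticated"


def demo():
    alice = f"alice@{REALM}"
    http = f"HTTP/www.example.com@{REALM}"
    http_key = os.urandom(32)
    real = KDC({alice: string_to_key("correct horse", alice)}, {http: http_key})
    keytab = {http: http_key}
    rogue = RogueKDC("letmein")
    return {
        "real kdc, right password": basic_auth_login(real, "alice", "correct horse", keytab, True, http),
        "real kdc, wrong password": basic_auth_login(real, "alice", "wrong", keytab, True, http),
        "rogue kdc, verify off": basic_auth_login(rogue, "alice", "letmein", keytab, False, http),
        "rogue kdc, verify on": basic_auth_login(rogue, "alice", "letmein", keytab, True, http),
        "real kdc, no keytab entry": basic_auth_login(real, "alice", "correct horse", {}, True, http),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:28} -> {outcome}")
```

The "rogue kdc, verify off" row is the bypass the post warns about: the attacker never needed alice's password, only a KDC that answers for the realm. The last row is the situation in the quoted log, where the service principal the module verifies against is simply absent from the keytab it was handed.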