Kerberos troubles

Jean-Yves Avenard jyavenard at gmail.com
Thu Sep 16 23:05:43 EDT 2010


Hi

Thank you for your answer.

On 17 September 2010 11:45, Greg Hudson <ghudson at mit.edu> wrote:
> On Thu, 2010-09-16 at 21:31 -0400, Jean-Yves Avenard wrote:
>> I'm having a great deal of trouble getting mod_auth_kerb working on a
>> FreeBSD 8.1 box.
>
> Are you using the system Kerberos library or your own build?  If your
> own build, what version?
>
The base Heimdal is broken (it's missing some GSSAPI libraries),
so this FreeBSD box is compiled without the base Kerberos support
(i.e. no Heimdal).

> (The system Kerberos library on FreeBSD is Heimdal, as far as I know.)

I installed MIT krb5 from the ports and this is what is being used now.

A bit more detail:

The KDC is a Mac OS 10.6 server also running MIT Kerberos.

Here is the /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = M.DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 M.DOMAIN.COM = {
  kdc = m.domain.com
  admin_server = m.domain.com
  default_domain = m.domain.com
 }

[domain_realm]
 .domain.com = M.DOMAIN.COM
 domain.com = M.DOMAIN.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

The principal was created on the KDC with:
kadmin.local:  addprinc -randkey HTTP/svn.domain.com
WARNING: no policy specified for HTTP/svn.domain.com@M.DOMAIN.COM;
defaulting to no policy
Principal "HTTP/svn.domain.com@M.DOMAIN.COM" created.
kadmin.local:  ktadd HTTP/svn.domain.com@M.DOMAIN.COM
Entry for principal HTTP/svn.domain.com@M.DOMAIN.COM with kvno 3,
encryption type Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/etc/krb5.keytab.
Entry for principal HTTP/svn.domain.com@M.DOMAIN.COM with kvno 3,
encryption type ArcFour with HMAC/md5 added to keytab
WRFILE:/etc/krb5.keytab.
Entry for principal HTTP/svn.domain.com@M.DOMAIN.COM with kvno 3,
encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to
keytab WRFILE:/etc/krb5.keytab.
Entry for principal HTTP/svn.domain.com@M.DOMAIN.COM with kvno 3,
encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to
keytab WRFILE:/etc/krb5.keytab.
kadmin.local:  quit

Then copied over to the machine running Apache:
bash-3.2# scp /etc/krb5.keytab
svn.domain.com:/usr/local/etc/apache22/kerberos/server4.keytab


This is the configuration for mod_auth_kerb:
Alias /test /usr/local/www/test

<Location /test>
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms M.DOMAIN.COM
  Krb5KeyTab /usr/local/etc/apache22/kerberos/server4.keytab
  KrbVerifyKDC off
  require valid-user

  Order allow,deny
  Allow from all
</Location>

Testing the keytab using the Kerberos command-line utilities shows no
problem getting a ticket:
svn# kinit -k -t /usr/local/etc/apache22/kerberos/server4.keytab
HTTP/svn.domain.com
svn# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/svn.domain.com@M.DOMAIN.COM

Valid starting     Expires            Service principal
09/17/10 12:57:20  09/17/10 22:57:20  krbtgt/M.DOMAIN.COM@M.DOMAIN.COM
	renew until 09/18/10 12:57:20

Trying to access:
https://svn.domain.com/test

goes on forever, and in the logs I have thousands of:
[Fri Sep 17 12:59:45 2010] [info] Subsequent (No.76) HTTPS request
received for child 1 (server svn.domain.com:443)
[Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1638): [client
XX.XX.XX.XX] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1250): [client
XX.XX.XX.XX] Acquiring creds for HTTP@svn.domain.com
[Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1395): [client
XX.XX.XX.XX] Verifying client data using KRB5 GSS-API
[Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1411): [client
XX.XX.XX.XX] Client didn't delegate us their credential
[Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1430): [client
XX.XX.XX.XX] GSS-API token of length 9 bytes will be sent back
[Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1111): [client
XX.XX.XX.XX] GSS-API major_status:000d0000, minor_status:000186a3
[Fri Sep 17 12:59:45 2010] [error] [client XX.XX.XX.XX]
gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
may provide more information (, )
[Fri Sep 17 12:59:45 2010] [debug] ssl_engine_io.c(1882): OpenSSL: read 5/5 byte

with SSL logs in between (using LogLevel debug right now). It keeps
looping until I stop the web browser from accessing the test page.


Very puzzling. I've spent days trying to get this one sorted with no luck.
All other boxes (linux mainly) have been trouble free.
Could it be that MIT krb5 is broken on FreeBSD?
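The one line in the Apache log above that carries hard data is the "GSS-API major_status:000d0000, minor_status:000186a3" debug line. The script below, added here as an illustration and not part of the original message or of mod_auth_kerb, pulls those two values out of mod_auth_kerb debug output and decodes the major status using the bit layout GSS-API defines in RFC 2744 (calling error in bits 24-31, routine error in bits 16-23, supplementary flags in bits 0-15). The minor status is mechanism-specific (here the MIT krb5 mechanism), so the script only reports it as a number; its text is what the "(, )" at the end of the error line would normally contain. The sample log lines are copied from the message, with the client address redacted as in the original.

```python
import re

# Constructed sample: the status-bearing lines from the Apache debug log
# quoted in the message (client address redacted as in the original).
SAMPLE_LOG = """\
[Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1430): [client XX.XX.XX.XX] GSS-API token of length 9 bytes will be sent back
[Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1111): [client XX.XX.XX.XX] GSS-API major_status:000d0000, minor_status:000186a3
[Fri Sep 17 12:59:45 2010] [error] [client XX.XX.XX.XX] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, )
"""

# Major-status layout from RFC 2744 section 3.9.1.
CALLING_ERRORS = {
    1: "GSS_S_CALL_INACCESSIBLE_READ",
    2: "GSS_S_CALL_INACCESSIBLE_WRITE",
    3: "GSS_S_CALL_BAD_STRUCTURE",
}
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
SUPPLEMENTARY = {
    0x01: "GSS_S_CONTINUE_NEEDED", 0x02: "GSS_S_DUPLICATE_TOKEN",
    0x04: "GSS_S_OLD_TOKEN", 0x08: "GSS_S_UNSEQ_TOKEN", 0x10: "GSS_S_GAP_TOKEN",
}

# Matches the status line mod_auth_kerb writes at LogLevel debug.
STATUS_RE = re.compile(
    r"GSS-API major_status:([0-9a-fA-F]{8}), minor_status:([0-9a-fA-F]{8})"
)


def decode_major(major):
    """Split a GSS-API major status into its three RFC 2744 fields."""
    calling = (major >> 24) & 0xFF
    routine = (major >> 16) & 0xFF
    supp = major & 0xFFFF
    return {
        "calling": CALLING_ERRORS.get(
            calling, "GSS_S_CALL_OK" if calling == 0 else "unknown(%d)" % calling),
        "routine": ROUTINE_ERRORS.get(
            routine, "GSS_S_COMPLETE" if routine == 0 else "unknown(%d)" % routine),
        "supplementary": [name for bit, name in SUPPLEMENTARY.items() if supp & bit],
    }


def parse_gss_statuses(log_text):
    """Return one decoded record per status line found in the log text."""
    records = []
    for line in log_text.splitlines():
        m = STATUS_RE.search(line)
        if not m:
            continue
        major, minor = int(m.group(1), 16), int(m.group(2), 16)
        rec = decode_major(major)
        rec["major"] = major
        rec["minor"] = minor  # mechanism-specific; look up in the mechanism's error table
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in parse_gss_statuses(SAMPLE_LOG):
        print("major 0x%08x: calling=%s routine=%s supplementary=%s"
              % (rec["major"], rec["calling"], rec["routine"], rec["supplementary"]))
        print("minor 0x%08x (%d): mechanism-specific code" % (rec["minor"], rec["minor"]))
```

Run against the quoted log the script reports the major status as routine error GSS_S_FAILURE with no calling error and no supplementary flags, which is exactly the generic "Unspecified GSS failure" the error line spells out; everything useful is in the minor code (100003 decimal), so the next step when debugging a loop like this is getting the mechanism's text for that code rather than staring at the major status.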