Kerberos troubles
Jean-Yves Avenard
jyavenard at gmail.com
Thu Sep 16 23:05:43 EDT 2010
Hi
Thank you for your answer.
On 17 September 2010 11:45, Greg Hudson <ghudson at mit.edu> wrote:
> On Thu, 2010-09-16 at 21:31 -0400, Jean-Yves Avenard wrote:
>> I'm having a great deal of trouble getting mod_auth_kerb working on a
>> FreeBSD 8.1 box.
>
> Are you using the system Kerberos library or your own build? If your
> own build, what version?
>
The base heimdal is broken (it's missing some GSSA libraries), so this
FreeBSD box is compiled without the base kerberos support (e.g. no
heimdal).
> (The system Kerberos library on FreeBSD is Heimdal, as far as I know.)
I installed MIT krb5 from the ports and this is what is being used now.
A few more details:
The kdc is a mac os 10.6 server also running mit kerberos.
Here is the /etc/krb5.conf:
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = M.DOMAIN.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  M.DOMAIN.COM = {
    kdc = m.domain.com
    admin_server = m.domain.com
    default_domain = m.domain.com
  }

[domain_realm]
  .domain.com = M.DOMAIN.COM
  domain.com = M.DOMAIN.COM

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }
The principal was created on the kdc with:

kadmin.local: addprinc -randkey HTTP/svn.domain.com
WARNING: no policy specified for HTTP/svn.domain.com@M.DOMAIN.COM; defaulting to no policy
Principal "HTTP/svn.domain.com@M.DOMAIN.COM" created.
kadmin.local: ktadd HTTP/svn.domain.com@M.DOMAIN.COM
Entry for principal HTTP/svn.domain.com@M.DOMAIN.COM with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal HTTP/svn.domain.com@M.DOMAIN.COM with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal HTTP/svn.domain.com@M.DOMAIN.COM with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal HTTP/svn.domain.com@M.DOMAIN.COM with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local: quit
Then copied over to the machine running apache:

bash-3.2# scp /etc/krb5.keytab svn.domain.com:/usr/local/etc/apache22/kerberos/server4.keytab
This is the configuration for mod_auth_kerb:
Alias /test /usr/local/www/test
<Location /test>
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms M.DOMAIN.COM
  Krb5KeyTab /usr/local/etc/apache22/kerberos/server4.keytab
  KrbVerifyKDC off
  require valid-user
  Order allow,deny
  Allow from all
</Location>
Testing the keytab using the kerberos command line utilities shows no
problem in getting a ticket:

svn# kinit -k -t /usr/local/etc/apache22/kerberos/server4.keytab HTTP/svn.domain.com
svn# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/svn.domain.com@M.DOMAIN.COM

Valid starting     Expires            Service principal
09/17/10 12:57:20  09/17/10 22:57:20  krbtgt/M.DOMAIN.COM@M.DOMAIN.COM
        renew until 09/18/10 12:57:20
Trying to access:
https://svn.domain.com/test
goes on forever, and in the logs I have thousands of
[Fri Sep 17 12:59:45 2010] [info] Subsequent (No.76) HTTPS request received for child 1 (server svn.domain.com:443)
[Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1638): [client XX.XX.XX.XX] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1250): [client XX.XX.XX.XX] Acquiring creds for HTTP@svn.domain.com
[Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1395): [client XX.XX.XX.XX] Verifying client data using KRB5 GSS-API
[Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1411): [client XX.XX.XX.XX] Client didn't delegate us their credential
[Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1430): [client XX.XX.XX.XX] GSS-API token of length 9 bytes will be sent back
[Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1111): [client XX.XX.XX.XX] GSS-API major_status:000d0000, minor_status:000186a3
[Fri Sep 17 12:59:45 2010] [error] [client XX.XX.XX.XX] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, )
[Fri Sep 17 12:59:45 2010] [debug] ssl_engine_io.c(1882): OpenSSL: read 5/5 byte
with SSL logs in between (using LogLevel debug right now). It keeps
looping until I stop the web browser to access the test page.
Very puzzling. I've spent days trying to get this one sorted with no luck.
All other boxes (linux mainly) have been trouble-free.
Could it be that MIT krb5 is broken on FreeBSD?
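An added note on reading the log above (this is not part of the mailing-list post, and the script is not mod_auth_kerb's or MIT's code): the major_status value that mod_auth_kerb prints is the GSS-API status word whose layout RFC 2744 section 3.9.1 fixes as a calling-error byte, a routine-error byte and sixteen supplementary bits, so 0x000d0000 can be decoded without any Kerberos library at hand. The script below does that decoding, then runs over a handful of log lines constructed from the ones quoted in the post to count how many authentication attempts a child logged and whether they all ended in the same failing status with no GSS_S_CONTINUE_NEEDED bit, which is what a client retry loop looks like in a log. The minor code is mechanism-specific and is deliberately left undecoded; on a real box it is what gss_display_status() with the mechanism OID would translate.

```python
"""Decode GSS-API major status words and summarise mod_auth_kerb debug logs.

Added example, not from the thread. Field layout and symbolic names follow
RFC 2744 section 3.9.1. The log lines in SAMPLE_LOG are constructed from
the ones quoted in the post and repeated to imitate a retry loop.
"""
import re
from collections import Counter

# RFC 2744: calling errors occupy bits 24-31, routine errors bits 16-23,
# supplementary information bits 0-15.
CALLING_ERRORS = {
    1: "GSS_S_CALL_INACCESSIBLE_READ",
    2: "GSS_S_CALL_INACCESSIBLE_WRITE",
    3: "GSS_S_CALL_BAD_STRUCTURE",
}
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
SUPPLEMENTARY_BITS = {
    0: "GSS_S_CONTINUE_NEEDED", 1: "GSS_S_DUPLICATE_TOKEN",
    2: "GSS_S_OLD_TOKEN", 3: "GSS_S_UNSEQ_TOKEN", 4: "GSS_S_GAP_TOKEN",
}


def decode_major_status(major):
    """Split a 32-bit major status word into its three RFC 2744 fields.

    A zero calling or routine field is reported as None (no error in that
    field); unknown codes are reported as 'unknown(n)' rather than dropped.
    """
    calling = (major >> 24) & 0xFF
    routine = (major >> 16) & 0xFF
    supp = major & 0xFFFF

    def name(table, code):
        return None if code == 0 else table.get(code, f"unknown({code})")

    return {
        "calling": name(CALLING_ERRORS, calling),
        "routine": name(ROUTINE_ERRORS, routine),
        "supplementary": [n for bit, n in sorted(SUPPLEMENTARY_BITS.items())
                          if supp & (1 << bit)],
    }


def describe_status(major, minor):
    """One-line human-readable rendering of a (major, minor) pair."""
    d = decode_major_status(major)
    return (f"major 0x{major:08x}: calling={d['calling']} routine={d['routine']} "
            f"supplementary={d['supplementary']}; minor 0x{minor:08x} "
            f"(mechanism-specific, translate with gss_display_status)")


# Matches the status line mod_auth_kerb emits at debug level.
STATUS_RE = re.compile(
    r"GSS-API major_status:([0-9a-f]{8}), minor_status:([0-9a-f]{8})", re.I)
ENTERED_RE = re.compile(r"kerb_authenticate_user entered")


def summarize_log(lines):
    """Count authentication attempts and the status words they ended with.

    looks_like_retry_loop is set when several attempts all produced the same
    status, that status carries a routine error, and GSS_S_CONTINUE_NEEDED is
    not set (so the exchange was not legitimately multi-round).
    """
    attempts = 0
    statuses = Counter()
    for line in lines:
        if ENTERED_RE.search(line):
            attempts += 1
        m = STATUS_RE.search(line)
        if m:
            statuses[(int(m.group(1), 16), int(m.group(2), 16))] += 1
    loop = False
    if attempts >= 3 and len(statuses) == 1:
        (major, _minor), = statuses.keys()
        d = decode_major_status(major)
        loop = d["routine"] is not None and "GSS_S_CONTINUE_NEEDED" not in d["supplementary"]
    return {"auth_attempts": attempts, "statuses": dict(statuses),
            "looks_like_retry_loop": loop}


# Constructed sample: one request cycle from the post, repeated three times.
REQUEST_CYCLE = [
    "[Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1638): [client XX.XX.XX.XX] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos",
    "[Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1250): [client XX.XX.XX.XX] Acquiring creds for HTTP@svn.domain.com",
    "[Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1111): [client XX.XX.XX.XX] GSS-API major_status:000d0000, minor_status:000186a3",
    "[Fri Sep 17 12:59:45 2010] [error] [client XX.XX.XX.XX] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, )",
]
SAMPLE_LOG = REQUEST_CYCLE * 3

if __name__ == "__main__":
    summary = summarize_log(SAMPLE_LOG)
    print(summary)
    for (major, minor), count in summary["statuses"].items():
        print(f"{count}x {describe_status(major, minor)}")
```

Run against a real error_log the script reads the same two line shapes, so feeding it `grep mod_auth_kerb /var/log/httpd-error.log` is enough; the routine field is the part worth acting on first, because a bare GSS_S_FAILURE with no supplementary bits means the mechanism rejected the client token outright rather than asking for another round.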