Kerberos troubles

Jean-Yves Avenard jyavenard at gmail.com
Tue Sep 21 14:48:13 EDT 2010


Hi there

On 17 September 2010 13:05, Jean-Yves Avenard <jyavenard at gmail.com> wrote:

> goes on forever, and in the logs I have thousands of
> [Fri Sep 17 12:59:45 2010] [info] Subsequent (No.76) HTTPS request
> received for child 1 (server svn.domain.com:443)
> [Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1638): [client
> XX.XX.XX.XX] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1250): [client
> XX.XX.XX.XX] Acquiring creds for HTTP at svn.domain.com
> [Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1395): [client
> XX.XX.XX.XX] Verifying client data using KRB5 GSS-API
> [Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1411): [client
> XX.XX.XX.XX] Client didn't delegate us their credential
> [Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1430): [client
> XX.XX.XX.XX] GSS-API token of length 9 bytes will be sent back
> [Fri Sep 17 12:59:45 2010] [debug] src/mod_auth_kerb.c(1111): [client
> XX.XX.XX.XX] GSS-API major_status:000d0000, minor_status:000186a3
> [Fri Sep 17 12:59:45 2010] [error] [client XX.XX.XX.XX]
> gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
> may provide more information (, )
> [Fri Sep 17 12:59:45 2010] [debug] ssl_engine_io.c(1882): OpenSSL: read 5/5 byte

I have now identified the cause of the issue.
When using mod_auth_kerb with MIT krb5 v1.6.x it works perfectly
with krb5 1.7 and 1.7.1 same.
However, I get this "GSS-API major_status:000d0000,
minor_status:000186a3" error whenever I use MIT 1.8.x kerberos
libraries (tested with 1.8.1 and 1.8.3)

Not sure what can be done from there...

JY




More information about the Kerberos mailing list