I think I may be getting incorrect tickets??
Douglas E. Engert
deengert at anl.gov
Mon Sep 27 10:56:01 EDT 2010
On 9/27/2010 2:24 AM, Jon Bowes wrote:
> Here is my setup...
>
> I have a Windows 2003 DC running active directory (dc.domain.com)
> I have a Linux Apache web server that I wish to allow access to. (apache.domain.com)
> I have installed mod_auth_kerb
>
> I found an excellent tutorial here: http://www.grolmsnet.de/kerbtut/ which I followed, but keep running into the same problem.
> Here is my /etc/krb5.conf file:
> [libdefaults]
> default_realm = DOMAIN.COM
>
> [domain_realm]
> apache.domain.com = DOMAIN.COM
>
> [realms]
> DOMAIN.COM = {
> admin_server = dc.domain.com
> kdc = dc.domain.com
> }
>
> Then, if I run kinit my.windows.login at DOMAIN.COM<mailto:my.windows.login at DOMAIN.COM> I get asked for my domain password which I enter.
>
> I then run klist and get:
> Default principal: my.windows.login at DOMAIN.COM<mailto:my.windows.login at DOMAIN.COM>
> Service principal: krbtgt/DOMAIN.COM at DOMAIN.COM<mailto:krbtgt/DOMAIN.COM at DOMAIN.COM>
>
> Is this correct??
>
> I then generate my keytab:
> C:\>ktpass -princ HTTP/apache.domain.com at DOMAIN.COM<mailto:HTTP/apache.domain.com at DOMAIN.COM>
> -mapuser apachea
> -crypto rc4-hmac-nt
> -ptype KRB5_NT_SRV_HST
> -pass longlongpassword -out c:\temp\apache.keytab
I assume you created the AD account for apachea to represent the server before running this?
There was a hot fix for ktpass on 2003:
http://support.microsoft.com/kb/843071
http://support.microsoft.com/kb/919557
Google for ktpass hotfix
>
> This has been copied to apache at /etc/krb5.keytab. The file is world readable, so apache should be able to read it no problem.
>
No, that could be a problem. The kerberos library may treat a world readable keytab
as a security issue and not use it.
> I then test my keytabfile:
>
> kinit -k -t /etc/krb5.keytab HTTP/apache.domain.com
> and get
> kinit(v5): Client not found in Kerberos database while getting initial credentials
klist -e -k -t /etc/krb5.keytab
should also be helpful.
Wireshark or other network packet traces can be very helpful, as Wireshark
can print much of the Kerberos protocol, and show what princpals, kvnos, enctypes
and servers are involved. http://www.wireshark.org/
>
> I can't get past this bit! Any ideas where I can look?
> Additionally, I have used kerbtray.exe to check my tickets when I logon.
> I seem to get 2 as follows:
> DOMAIN.COM
> |_ host/dc.jackwills.com
> |_ krbtgt/DOMAIN.COM
>
> I would appreciate any help that you guys can provide...
>
> Jon
>
>
> This email and its attachments are confidential and are intended solely for the use
> of the individual(s) or entity to whom it is addressed. Any views or opinions
> expressed are solely those of the author and do not necessarily represent those of
> "Jack Wills Ltd". If you are not the intended recipient of this email and its
> attachments, you must take no action based upon them, nor must you copy or show them
> to anyone. Please contact the sender if you believe you have received this email in
> error. This footnote also confirms that this email message has been swept for the
> presence of computer viruses, but does not warrant that the message is virus free.
>
> Jack Wills Ltd (3504842 England)
> Registered Offices:
> 22 Fore Street
> Salcombe
> TQ8 8ET
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list