Kerberos cross-realm with AD
Jean-Yves Avenard
jyavenard at gmail.com
Mon Feb 7 18:03:35 EST 2011
On 8 February 2011 09:36, Jean-Yves Avenard <jyavenard at gmail.com> wrote:
> Now it fails somewhere else; and on the web server I see:
> [Tue Feb 08 09:13:29 2011] [error] [client 1.2.3.4] gss_acquire_cred()
> failed: Unspecified GSS failure. Minor code may provide more
> information (, No key table entry found for
> HTTP/server4-2.mel.domain.com at MEL.DOMAIN.COM)
>
> So it would seem the keytab on the web server running mod_auth_kerb
> will also need a realm created on the new MEL.DOMAIN.COM kdc ..
I found the reasoning behind this one.
In the /etc/krb5.conf I had:
Ah, as I was writing this I came up with another idea;
in /etc/krb5.conf I had:
[domain_realm]
.domain.com = M.DOMAIN.COM
domain.com = M.DOMAIN.COM
.mel.domain.com = MEL.DOMAIN.COM
And sure enough, after removing that last line, the errors in the Apache
logs are gone, and it doesn't try to use
HTTP/server4-2.mel.domain.com at MEL.DOMAIN.COM anymore.
It still fails (with either Unspecified GSS failure. Minor code may
provide more information (, Decrypt integrity check failed); or
Unspecified GSS failure. Minor code may provide more information (,
Wrong principal in request)); but I'm progressing. I'm now unsure if the
remaining error is only related to mod_auth_kerb or Kerberos in general.
Thank you all for your help. Made lots of progress today.
Jean-Yves
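
Added example, not part of the original message: a simplified Python model of how a [domain_realm] section maps the web server's hostname to a realm, showing why the .mel.domain.com line made the acceptor look for an HTTP principal in MEL.DOMAIN.COM. The suffix search order is an assumption modelled on MIT krb5's profile lookup, and the keytab contents and function names are constructed for illustration.

```python
# Added example: simplified model of [domain_realm] host-to-realm lookup.
PAGE_CONF = """\
[domain_realm]
.domain.com = M.DOMAIN.COM
domain.com = M.DOMAIN.COM
.mel.domain.com = MEL.DOMAIN.COM
"""
# Constructed sample: assume the web server's keytab holds only this entry.
KEYTAB = {"HTTP/server4-2.mel.domain.com@M.DOMAIN.COM"}

def parse_domain_realm(conf_text):
    """Return the [domain_realm] relations of a krb5.conf as a dict."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping.setdefault(key.lower(), realm)  # first relation wins
    return mapping

def host_realm(hostname, mapping):
    """Try the full name, then each shorter suffix with and without its dot."""
    p = hostname.lower().rstrip(".")
    while p:
        if p in mapping:
            return mapping[p]
        if p.startswith("."):
            p = p[1:]                            # ".mel.domain.com" -> "mel.domain.com"
        else:
            dot = p.find(".")
            p = p[dot:] if dot != -1 else ""     # "mel.domain.com" -> ".domain.com"
    return None                                  # no match: default-realm rules apply

def missing_keytab_entry(service, hostname, conf_text, keytab):
    """Return the principal the acceptor would look up if the keytab lacks it."""
    realm = host_realm(hostname, parse_domain_realm(conf_text))
    if realm is None:
        raise LookupError("no [domain_realm] match for " + hostname)
    wanted = f"{service}/{hostname.lower()}@{realm}"
    return None if wanted in keytab else wanted

if __name__ == "__main__":
    host = "server4-2.mel.domain.com"
    fixed = PAGE_CONF.replace(".mel.domain.com = MEL.DOMAIN.COM\n", "")
    print("as posted:        ", missing_keytab_entry("HTTP", host, PAGE_CONF, KEYTAB))
    print("last line removed:", missing_keytab_entry("HTTP", host, fixed, KEYTAB))
```

On a real server, compare the principal this returns with the entries listed by klist -k for the keytab that mod_auth_kerb is configured to use.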