mod_auth_kerb and kerberos
Phillip Ames
phillip.ames at uconn.edu
Mon Sep 5 20:50:32 EDT 2005
Hi,
I'm using Kerberos version 1.4.1 in tandem with mod_auth_kerb version
5.0 and Apache 2.0.54 to authenticate users on a web interface. All of
these configurations happily hummed away using older versions of
Kerberos and mod_auth_kerb, but since upgrading, I am not having much
luck. The error message I receive in the Apache logs is:
[Mon Sep 05 20:46:09 2005] [error] [client 137.99.133.183] failed to
verify krb5 credentials: Server not found in Kerberos database
My .htaccess file for Apache consists of this:
----
AuthName Kerberos
AuthType Kerberos
AuthGroupFile /etc/apache2/conf/group
KrbAuthRealms UCONN.EDU
Require group security misc
ExpiresActive On
ExpiresDefault "access plus 30 minutes"
Options FollowSymLinks Indexes
SSLRequireSSL
----
and in my krb5.conf I have the following:
----
[libdefaults]
ticket_lifetime = 600
default_realm = UCONN.EDU
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
UCONN.EDU = {
kdc = kerberos.uconn.edu:88
admin_server = kerberos.uconn.edu:749
}
[domain_realm]
.uconn.edu = UCONN.EDU
uconn.edu = UCONN.EDU
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
----
I've looked through the Kerberos source code but can't figure out why
this error would be appearing. When I try to authenticate, tcpdump
shows communication between the Kerberos server and the web server:
---
20:46:09.745827 IP ares.uits.uconn.edu.51376 > 137.99.25.201.kerberos: v5
20:46:09.747189 IP 137.99.25.201.kerberos > ares.uits.uconn.edu.51376: v5
20:46:09.755931 IP ares.uits.uconn.edu.51376 > 137.99.25.201.kerberos:
20:46:09.758294 IP 137.99.25.201.kerberos > ares.uits.uconn.edu.51376:
---
Running a command like 'kinit <user>' works properly:
---
ares ~ # kinit testuser
Password for testuser@UCONN.EDU:
ares ~ # kinit testuser
Password for testuser@UCONN.EDU:
kinit(v5): Password incorrect while getting initial credentials
---
First time with proper password, second time without. I suspect that
something might be wrong with my krb5.conf but I'm not sure what it
would be. Does anyone have any insight as to why this might be
happening? Thanks,
-Phil