mod_auth_kerb and kerberos

Phillip Ames phillip.ames at
Mon Sep 5 20:50:32 EDT 2005

I'm using Kerberos version 1.4.1 in tandem with mod_auth_kerb version 
5.0 and apache 2.0.54 to authenticate users on a web interface.  All of 
these configurations happily hummed away using older versions of 
kerberos and mod_auth_kerb, but since upgrading, I am not having much 
luck.  The error message I receive in the apache logs is:

[Mon Sep 05 20:46:09 2005] [error] [client] failed to 
verify krb5 credentials: Server not found in Kerberos database

My .htaccess file for apache consists of this:
AuthName Kerberos
AuthType Kerberos
AuthGroupFile /etc/apache2/conf/group
KrbAuthRealms UCONN.EDU
Require group security misc
ExpiresActive On
ExpiresDefault "access plus 30 minutes"
Options FollowSymLinks Indexes

and in my krb5.conf I have the following:

         ticket_lifetime = 600
         default_realm = UCONN.EDU
         default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
         default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

         UCONN.EDU = {
         kdc =
         admin_server =

[domain_realm] = UCONN.EDU = UCONN.EDU

         profile = /etc/krb5kdc/kdc.conf

         kdc = FILE:/var/log/krb5kdc.log
         admin_server = FILE:/var/log/kadmin.log
         default = FILE:/var/log/krb5lib.log

I've looked through the kerberos source code but can't figure out why 
this error would be appearing.  When I try to authenticate, tcpdump 
shows communication between the kerberos server and the web server:

20:46:09.745827 IP >  v5
20:46:09.747189 IP >  v5
20:46:09.755931 IP >
20:46:09.758294 IP >

Running a command like 'kinit <user>' works properly:
ares ~ # kinit testuser
Password for testuser at UCONN.EDU:
ares ~ # kinit testuser
Password for testuser at UCONN.EDU:
kinit(v5): Password incorrect while getting initial credentials

First time with proper password, second time without.  I suspect that 
something might be wrong with my krb5.conf but I'm not sure what it 
would be.  Does anyone have any insight as to why this might be 
happening?  Thanks,


More information about the krbdev mailing list