Re: mod_auth_kerb and Heimdal KDC

On Wed, Aug 21, 2002 at 08:42:29AM +0200, Daniel Kouril wrote:
> On Wed, Aug 21, 2002 at 12:27:52AM -0600, Tillman Hodgson wrote:
> > I've built mod_auth_kerb on a web server, using the MIT libs as the
> > author doesn't support Heimdal and it doesn't compile with Heimdal
> > libs. It compiles correctly and appears to operate sanely, though it
> > doesn't like my /usr/local/apache/etc/keytab:
> > 
> > Aug 21 00:15:34 coyote [Wed Aug 21 00:15:34 2002] [error] (13) Permission denied: access to /members/index.html failed for, reason: krb5_rd_req(): Permission denied (13)
> Is the keytab readable by the Apache user?

It turns out that it wasn't, and correcting that got things going.

This also confirmed for me that Heimdal and MIT keytabs are equivalent.
Since mod_auth_kerb was built (has to be built, more like) against MIT
and yet it accepted a keytab created by Heimdal's kadmin, I think I can
use the same trick to extract a keytab for my MIT RedHat 7.3
workstations and just scp it over.

> We are using an apache module available from
> http://meta.cesnet.cz/software/heimdal/index.en.html

Yes, that's the module that I'm using as well. Their patches for Mozilla
and Apache look seriously interesting ... much better than the "dump the
login page onto SSL" approach.

- Tillman

Those who would repeat the past must control the teaching of history.
	- Bene Gesserit Coda
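
A check for the keytab permission problem discussed in this thread, as an added example that is not part of the original message or of mod_auth_kerb: it reports whether a given service account can read the keytab and whether the file is also open to anyone else. The uid/gid 48 values are constructed stand-ins for the Apache account; ACLs and parent-directory permissions are not evaluated.

```python
import os
import stat


def check_keytab_mode(mode, file_uid, file_gid, uid, gids=()):
    """Evaluate classic POSIX mode bits for a keytab.

    Returns (readable, findings) for the service account `uid` with
    supplementary groups `gids`.
    """
    if uid == 0:
        readable = True                       # root bypasses mode bits
    elif uid == file_uid:
        readable = bool(mode & stat.S_IRUSR)  # owner class wins over group/other
    elif file_gid in gids:
        readable = bool(mode & stat.S_IRGRP)
    else:
        readable = bool(mode & stat.S_IROTH)

    findings = []
    if not readable:
        # Matches the symptom in the thread's log line.
        findings.append("unreadable: krb5_rd_req() fails with Permission denied (13)")
    if mode & stat.S_IRWXO:
        findings.append("exposed: other users can access the service key")
    if mode & stat.S_IRWXG and file_gid not in gids:
        findings.append("exposed: a group the service user is not in can access the key")
    return readable, findings


def audit_keytab(path, uid, gids=()):
    """Run the check against a real file using stat() metadata only."""
    st = os.stat(path)
    return check_keytab_mode(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids)


if __name__ == "__main__":
    # Constructed cases: (mode, file owner uid); service account is uid 48, gid 48.
    for mode, owner in [(0o600, 0), (0o644, 0), (0o400, 48)]:
        print(oct(mode), "owner", owner, check_keytab_mode(mode, owner, 0, 48, (48,)))
```

The 0644 case shows why making the file world-readable is the wrong fix: the module can read it, but so can every other local account.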