
Heimdal 0.7.2 with mod_auth_kerb 5.0rc7



Hello,

I have been trying various configurations in an attempt to get single 
sign-on working with a Windows 2003 server (acting as KDC) and a Suse 10 
Linux box (running Apache).

I first tried to use NTLM authentication to verify that all was talking 
together and found that I needed to set "KrbVerifyKDC off" to get things 
working. Otherwise I see:

[Fri Mar 10 15:51:49 2006] [debug] src/mod_auth_kerb.c(597): [client 10.1.4.68] Trying to verify authenticity of KDC using principal HTTP/melunar.elite.cmsd.de@ELITE.CMSD.DE
[Fri Mar 10 15:51:49 2006] [debug] src/mod_auth_kerb.c(612): [client 10.1.4.68] krb5_get_credentials() failed when verifying KDC
[Fri Mar 10 15:51:49 2006] [error] [client 10.1.4.68] failed to verify krb5 credentials: Server not found in Kerberos database
[Fri Mar 10 15:51:49 2006] [debug] src/mod_auth_kerb.c(1022): [client 10.1.4.68] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL)

Perhaps this is the reason for my problems when I switch to authenticate 
mode and get the following error message in my log file:

[Mon Mar 13 15:12:07 2006] [debug] src/mod_auth_kerb.c(1483): [client 10.1.4.96] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Mar 13 15:12:07 2006] [debug] src/mod_auth_kerb.c(1483): [client 10.1.4.96] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Mar 13 15:12:07 2006] [debug] src/mod_auth_kerb.c(1174): [client 10.1.4.96] Acquiring creds for HTTP/melunar.elite.cmsd.de@ELITE.CMSD.DE
[Mon Mar 13 15:12:07 2006] [debug] src/mod_auth_kerb.c(1314): [client 10.1.4.96] Verifying client data using KRB5 GSS-API
[Mon Mar 13 15:12:07 2006] [debug] src/mod_auth_kerb.c(1330): [client 10.1.4.96] Verification returned code 851968
[Mon Mar 13 15:12:07 2006] [debug] src/mod_auth_kerb.c(1348): [client 10.1.4.96] GSS-API token of length 9 bytes will be sent back
[Mon Mar 13 15:12:07 2006] [error] [client 10.1.4.96] gss_accept_sec_context() failed:  Miscellaneous failure (see text) (Success)

The last line seems to suggest that all was successful, but in fact 
things just stop at that point.

Any hints as to what is going wrong would be most gratefully 
appreciated. I enclose our configuration below for reference.

Many thanks in advance,
Eric Ritchie.
100 Days Software Projects.
http://100days.de


krb5.conf:
[libdefaults]
    clockskew = 3000
    default_realm = ELITE.CMSD.DE
    dns_lookup_realm = false
    dns_lookup_kdc = false

[domain_realm]
    melunar.elite.cmsd.de = ELITE.CMSD.DE

[realms]
    INTRA.DORTEN.COM = {
       kdc = ucs.intra.dorten.com
       admin_server = ucs.intra.dorten.com
    }
    ELITE.CMSD.DE = {
       kdc = sels07.elite.cmsd.de
       admin_server = sels07.elite.cmsd.de
    }

apache 1.3.33 conf:
    AuthType Kerberos
    AuthName "ELITE Kerberos Login"
    KrbAuthRealms ELITE.CMSD.DE
    KrbServiceName HTTP
    Krb5Keytab /usr/local/apache/conf/melunarhttp.keytab
    KrbVerifyKDC off
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    require valid-user
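
Added example, not part of the original post and not code from mod_auth_kerb: the "Verification returned code 851968" debug line above carries a GSS-API major status, and this Python helper decodes such values using the bit layout defined in RFC 2744. The function names and the second sample log entry are constructed for illustration.

```python
import re

# Major-status bit layout from RFC 2744: calling error in bits 24-31,
# routine error in bits 16-23, supplementary info flags in bits 0-15.
CALLING = {1: "GSS_S_CALL_INACCESSIBLE_READ", 2: "GSS_S_CALL_INACCESSIBLE_WRITE",
           3: "GSS_S_CALL_BAD_STRUCTURE"}
ROUTINE = dict(enumerate((
    "GSS_S_BAD_MECH", "GSS_S_BAD_NAME", "GSS_S_BAD_NAMETYPE", "GSS_S_BAD_BINDINGS",
    "GSS_S_BAD_STATUS", "GSS_S_BAD_SIG", "GSS_S_NO_CRED", "GSS_S_NO_CONTEXT",
    "GSS_S_DEFECTIVE_TOKEN", "GSS_S_DEFECTIVE_CREDENTIAL",
    "GSS_S_CREDENTIALS_EXPIRED", "GSS_S_CONTEXT_EXPIRED", "GSS_S_FAILURE",
    "GSS_S_BAD_QOP", "GSS_S_UNAUTHORIZED", "GSS_S_UNAVAILABLE",
    "GSS_S_DUPLICATE_ELEMENT", "GSS_S_NAME_NOT_MN"), start=1))
SUPPLEMENTARY = ("GSS_S_CONTINUE_NEEDED", "GSS_S_DUPLICATE_TOKEN",
                 "GSS_S_OLD_TOKEN", "GSS_S_UNSEQ_TOKEN", "GSS_S_GAP_TOKEN")

VERIFY_RE = re.compile(r"\[client ([0-9.]+)\] Verification returned code (\d+)")

def decode_major_status(code):
    """Split a GSS-API major status into its three fields."""
    calling, routine, supp = (code >> 24) & 0xFF, (code >> 16) & 0xFF, code & 0xFFFF
    flags = [name for bit, name in enumerate(SUPPLEMENTARY) if supp & (1 << bit)]
    flags += [f"unknown_bit_{b}" for b in range(len(SUPPLEMENTARY), 16) if supp & (1 << b)]
    return {
        "calling_error": CALLING.get(calling, f"unknown({calling})") if calling else None,
        "routine_error": ROUTINE.get(routine, f"unknown({routine})") if routine else None,
        "supplementary": flags,
        # Same test as the GSS_ERROR() macro: any calling or routine error.
        "is_error": bool(code & 0xFFFF0000),
    }

def scan_log(text):
    """Yield (client, code, decoded) per 'Verification returned code' entry."""
    flat = re.sub(r"\s+", " ", text)  # undo mail-client line wrapping
    for client, code in VERIFY_RE.findall(flat):
        yield client, int(code), decode_major_status(int(code))

# First entry is taken from the post above; the second is constructed to show
# a handshake that only needs another round trip (not an error).
SAMPLE_LOG = """\
[Mon Mar 13 15:12:07 2006] [debug] src/mod_auth_kerb.c(1330): [client
10.1.4.96] Verification returned code 851968
[Mon Mar 13 15:12:09 2006] [debug] src/mod_auth_kerb.c(1330): [client
10.1.4.97] Verification returned code 1
"""

if __name__ == "__main__":
    for client, code, decoded in scan_log(SAMPLE_LOG):
        print(client, hex(code), decoded)
```

For the value in the post, 851968 is 0xD0000, i.e. routine error 13 (GSS_S_FAILURE) with no calling error and no supplementary flags.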