
Re: Heimdal 0.7.2 with mod_auth_kerb 5.0rc7



On Tue, 14 Mar 2006 11:13:08 +0100
Eric Ritchie <eric.ritchie@100days.de> wrote:

> Hello,
> 
> I have been trying various configurations in the attempt to get single 
> sign on working with a Windows 2003 server (acting as KDC) and a Suse 10 
> Linux box (running Apache).
> 
> I first tried to use NTLM authentication to verify that all was talking 
> together and found that I needed to set "KrbVerifyKDC off" to get things 
> working. Otherwise I see:
> 
> [Fri Mar 10 15:51:49 2006] [debug] src/mod_auth_kerb.c(597): [client 
> 10.1.4.68] Trying to verify authenticity of KDC using principal 
> HTTP/melunar.elite.cmsd.de@ELITE.CMSD.DE
> [Fri Mar 10 15:51:49 2006] [debug] src/mod_auth_kerb.c(612): [client 
> 10.1.4.68] krb5_get_credentials() failed when verifying KDC
> [Fri Mar 10 15:51:49 2006] [error] [client 10.1.4.68] failed to verify 
> krb5 credentials: Server not found in Kerberos database
> [Fri Mar 10 15:51:49 2006] [debug] src/mod_auth_kerb.c(1022): [client 
> 10.1.4.68] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) 
> authtype=(NULL)

Did you export the necessary principals with ktpass.exe and add them to
melunarhttp.keytab with kutil copy?

The KrbVerifyKDC error sounds like there needs to be a host principal in
the keytab. The user=(NULL) OTOH sounds like there's a problem reading
the initiator's name from the initial Kerberos token or maybe it's an
artifact of not correctly exporting and importing the http principal
(in which case I would file a bug report regarding the lack of proper
debug messages).

I would get a packet capture and verify that the client is actually
doing the right thing (e.g. is IE properly configured to do integrated
authentication, the WWW server in the "intranet zone", etc).

Whatever the case, I don't feel this is a Heimdal problem. You might be
better off trying the apache user's mailing list.

Mike
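One way to check the keytab side of the advice above, as an added example for this page (not code from mod_auth_kerb or Heimdal): parse a version 0x0502 keytab and report which expected principals are missing. The keytab bytes, the RC4 key and the expected host/ principal name are constructed assumptions; only the HTTP/ principal name comes from the log in the thread.

```python
import struct

KEYTAB_VERSION = b"\x05\x02"   # MIT/Heimdal keytab format version 2

def _counted(b: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b

def build_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialize one keytab entry in the 0x0502 layout (used to build the sample)."""
    name, realm = principal.split("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes) -> list[tuple[str, int, int]]:
    """Return (principal, kvno, enctype) for every live entry in a 0x0502 keytab."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:                 # negative size = deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strings = []
        for _ in range(ncomp + 1):    # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        pos += 8                      # skip name_type and timestamp
        kvno = data[pos]; pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        if end - pos >= 4:            # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno, enctype))
    return entries

def missing_principals(keytab: bytes, required: list[str]) -> list[str]:
    present = {p for p, _, _ in parse_keytab(keytab)}
    return [p for p in required if p not in present]

# Constructed sample keytab: only the HTTP/ principal was exported (enctype 23 = RC4-HMAC).
SAMPLE_KEYTAB = KEYTAB_VERSION + build_entry(
    "HTTP/melunar.elite.cmsd.de@ELITE.CMSD.DE", 3, 23, b"\x11" * 16)
REQUIRED = ["HTTP/melunar.elite.cmsd.de@ELITE.CMSD.DE",
            "host/melunar.elite.cmsd.de@ELITE.CMSD.DE"]   # assumed host principal
```

On a real box, Heimdal's `ktutil -k melunarhttp.keytab list` (or MIT's `klist -k`) shows the same principal list for a keytab on disk.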