Re: Heimdal 0.7.2 with mod_auth_kerb 5.0rc7

Hi Mike,

Michael B Allen wrote:
> On Tue, 14 Mar 2006 11:13:08 +0100
> Eric Ritchie <eric.ritchie@100days.de> wrote:
>>I have been trying various configurations in the attempt to get single 
>>sign on working with a Windows 2003 server (acting as KDC) and a Suse 10 
>>Linux box (running Apache).
>>I first tried to use NTLM authentication to verify that all was talking 
>>together and found that I needed to set "KrbVerifyKDC off" to get things 
>>working. Otherwise I see:
>>[Fri Mar 10 15:51:49 2006] [debug] src/mod_auth_kerb.c(597): [client 
>>] Trying to verify authenticity of KDC using principal 
>>[Fri Mar 10 15:51:49 2006] [debug] src/mod_auth_kerb.c(612): [client 
>>] krb5_get_credentials() failed when verifying KDC
>>[Fri Mar 10 15:51:49 2006] [error] [client] failed to verify 
>>krb5 credentials: Server not found in Kerberos database
>>[Fri Mar 10 15:51:49 2006] [debug] src/mod_auth_kerb.c(1022): [client 
>>] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) 
> Did you export the necessary principals with ktpass.exe and add them to
> melunarhttp.keytab with ktutil copy?

Yes, I used ktpass to add the principal and the melunarhttp.keytab file 
was the result of that command. I added this principal to my system wide 
krb5.keytab file with ktutil copy, but I did not need to for the Apache 

> The KrbVerifyKDC error sounds like there needs to be a host principal in
> the keytab. The user=(NULL) OTOH sounds like there's a problem reading
> the initiator's name from the initial Kerberos token or maybe it's an
> artifact of not correctly exporting and importing the http principal
> (in which case I would file a bug report regarding the lack of proper
> debug messages).

I did add a host principal to the krb5.keytab file, but this did not 
seem to help. I posted to the mod_auth_kerb mailing list and seem to 
have started a discussion about adding extra logging messages. Seems 
like I discovered a bug.

> I would get a packet capture and verify that the client is actually
> doing the right thing (e.g. is IE properly configured to do integrated
> authentication, the WWW server in the "intranet zone", etc).
> Whatever the case, I don't feel this is a Heimdal problem. You might be
> better off trying the apache user's mailing list.

I did eventually solve the problem. It was a bad keytab file (Windows 
2k3 problem). So you are right in your guess that it is not a Heimdal 

Thanks for your answer.

Eric Ritchie.
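The thread ends with "a bad keytab file" as the cause but never says what was wrong with it, and Mike's diagnosis of the KrbVerifyKDC failure was a missing host/ principal. The script below is an added example, not from this thread and not part of Heimdal or mod_auth_kerb: it parses a keytab in the 0x0502 format that Heimdal's ktutil writes and that ktpass.exe exports are assumed to use, lists every entry with its kvno and enctype, and checks whether the HTTP/ service principal and the host/ principal that KrbVerifyKDC needs are present. Principal names are case-sensitive, so it also flags entries that match only after lowercasing, which is one way a Windows-side export can look right in a directory listing and still fail. The host name melunar.example.com, the realm EXAMPLE.COM, the timestamps and all key bytes are invented; build_keytab exists only to construct sample input.

```python
import struct
from datetime import datetime, timezone

KEYTAB_MAGIC = b"\x05\x02"        # keytab file format version 0x0502 (big-endian)

# Enctype numbers from RFC 3961 / RFC 4757; only those likely in a 2006-era keytab.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac-md5"}


def _counted(data, pos):
    """Read a 16-bit big-endian length prefix followed by that many bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode("utf-8"), pos + n


def parse_keytab(data):
    """Return a list of entry dicts from keytab bytes in format 0x0502."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r (only 0x0502 handled)" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                     # negative size marks a deleted (free) slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)   # realm is not counted in 0x0502
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:               # optional 32-bit kvno; non-zero value overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "name_type": name_type,
            "timestamp": datetime.fromtimestamp(timestamp, timezone.utc),
            "kvno": kvno,
            "enctype": ENCTYPES.get(enctype, "enctype-%d" % enctype),
            "key_len": len(key),
        })
    return entries


def check_service_keytab(data, fqdn, realm):
    """Report the principals an Apache/mod_auth_kerb keytab needs that are absent.

    HTTP/fqdn@REALM is what the browser's service ticket is encrypted to;
    host/fqdn@REALM is what KrbVerifyKDC uses to check the KDC. Entries that
    match only case-insensitively are reported separately (assumption: that is
    the mismatch a lowercase ktpass.exe export would produce).
    """
    present = [e["principal"] for e in parse_keytab(data)]
    lowered = {p.lower(): p for p in present}
    report = {"missing": [], "case_mismatch": []}
    for wanted in ("HTTP/%s@%s" % (fqdn, realm), "host/%s@%s" % (fqdn, realm)):
        if wanted in present:
            continue
        if wanted.lower() in lowered:
            report["case_mismatch"].append((wanted, lowered[wanted.lower()]))
        else:
            report["missing"].append(wanted)
    return report


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as 0x0502 keytab bytes.
    Only used to construct sample input here; real keytabs come from ktpass/ktutil."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode("utf-8")
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode("utf-8")
        body += struct.pack(">IIB", 1, 1142000000, kvno & 0xFF)   # NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                           # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed samples: hypothetical host, realm and dummy key bytes.
GOOD_KEYTAB = build_keytab([
    ("HTTP/melunar.example.com@EXAMPLE.COM", 3, 23, bytes(range(16))),
    ("host/melunar.example.com@EXAMPLE.COM", 2, 3, bytes(8)),
])
# Exported with the wrong case and without a host principal.
BAD_KEYTAB = build_keytab([
    ("http/melunar.example.com@example.com", 3, 23, bytes(range(16))),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else GOOD_KEYTAB
    for e in parse_keytab(data):
        print("%-42s kvno=%-3d %-26s %s" % (e["principal"], e["kvno"], e["enctype"], e["timestamp"]))
    print(check_service_keytab(data, "melunar.example.com", "EXAMPLE.COM"))
```

Run it as `python keytab_check.py /path/to/melunarhttp.keytab` against the real file and compare the listing with `ktutil -k /path/to/melunarhttp.keytab list` from Heimdal; the two should agree on principals and kvno. A kvno that differs from what the KDC holds, or a principal whose case does not match the account, produces exactly the kind of silent 401 the log excerpt above shows, since mod_auth_kerb 5.0rc7 does not say which entry it failed to find.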