[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heimdal 0.7.2 with mod_auth_kerb 5.0rc7

On Mar 14, 2006, at 2:00 PM, Eric Ritchie wrote:

> Hi Mike,
> Michael B Allen wrote:
>> On Tue, 14 Mar 2006 11:13:08 +0100
>> Eric Ritchie <eric.ritchie@100days.de> wrote:
>>> Hello,
>>> I have been trying various configurations in the attempt to get  
>>> single sign on working with a Windows 2003 server (acting as KDC)  
>>> and a Suse 10 Linux box (running Apache).
>>> I first tried to use NTLM authentication to verify that all was  
>>> talking together and found that I needed to set "KrbVerifyKDC  
>>> off" to get things working. Otherwise I see:
>>> [Fri Mar 10 15:51:49 2006] [debug] src/mod_auth_kerb.c(597):  
>>> [client] Trying to verify authenticity of KDC using  
>>> principal HTTP/melunar.elite.cmsd.de@ELITE.CMSD.DE
>>> [Fri Mar 10 15:51:49 2006] [debug] src/mod_auth_kerb.c(612):  
>>> [client] krb5_get_credentials() failed when verifying KDC
>>> [Fri Mar 10 15:51:49 2006] [error] [client] failed to  
>>> verify krb5 credentials: Server not found in Kerberos database
>>> [Fri Mar 10 15:51:49 2006] [debug] src/mod_auth_kerb.c(1022):  
>>> [client] kerb_authenticate_user_krb5pwd ret=401 user= 
>>> (NULL) authtype=(NULL)
>> Did you export the necessary principals with ktpass.exe and add  
>> them to
>> melunarhttp.keytab with kutil copy?
> Yes, I used ktpass to add the principal and the melunarhttp.keytab  
> file was the result of that command. I added this principal to my  
> system wide krb5.keytab file with kutil copy, but I did not need to  
> for the Apache setup.

You should be able to do a

kinit --keytab=/usr/local/apache/conf/melunarhttp.keytab \

and have success on your web server.  (That is the principal you  
created, right?  The hostname melunar.elite.cmsd.de is really the  
server name?  It comes first in /etc/hosts?, etc.)

>> The KrbVerifyKDC error sounds like there needs to be a host  
>> principal in
>> the keytab. The user=(NULL) OTOH sounds like theres a problem reading
>> the initiator's name from the initial Kerberos token or maybe it's an
>> artifact of not correctly exporting and importing the http principal
>> (in which case I would file a bug report regarding the lack of proper
>> debug messages).
> I did add a host principle to the krb5.keytab file, but this did  
> not seem to help. I posted to the mod_auth_kerb mailing list and  
> seem to have started a discussion about adding extra logging  
> messages. Seems like I discovered a bug.

The Apache module does the verification with the HTTP principal, not  
the system host principal.

Make sure your Kerberos libraries and principals are properly set up  
before you pursue the other problems.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu