[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: problem authenticating with mod_auth_kerb

To: heimdal-discuss@sics.se
Subject: Re: problem authenticating with mod_auth_kerb
From: michel.brabants@euphonynet.be
Date: Tue, 22 Aug 2006 15:47:27 +0200 (CEST)
Importance: Normal
In-Reply-To: <200608221507.41094.achim@grolmsnet.de>
References: <1083.217.136.238.173.1156248680.squirrel@webmail.euphonynet.be> <200608221507.41094.achim@grolmsnet.de>
Sender: owner-heimdal-discuss@sics.se
User-Agent: SquirrelMail/1.4.5

Hello,

it suddenly started to work. To suddenly is because I don't really know
what teh difference is ... with the former, non-working/slow case. It
always worked, but it was slow. Not it's back to it's previous speed,
although the repository-browsing using tortoise (with basic authentication
of mod_auth_kerb) is slow. The other operations of tortoise are ok.

The repository-browsing using spnego and trac's build-in
subversion-browser is very fast in comparison to tortoise. The 4.x version
of tortoise should have spnego enabled I think.

Thank you for your help,

Greetings,

Michel

> On Tuesday 22 August 2006 14:11, michel.brabants@euphonynet.be wrote:
>
>> I checked the HTTP-account on the backup-server and I saw that is didn't
>> have "trust account for delegation" checked, whioch should be as far as
>> I
>> remembered . don't knwo where I got this from, but an it be  that the
>> delegation is needed to spnego to work?
>
> "Delegation" is used to configure TGT-forwarding, but not necessary
> to do authentication.

Thank you ofr his information.
>
>> Now the problem: The subversion-utilities can't use spnego yet (or it si
>> disbaled for the moment), so basic authentication of mod_auth_kerb is
>> used. However, when basic authentication is used, I see the following in
>> the logs:
>
> Can you check step by step my tutorial
> <http://www.grolmsnet.de/kerbtut/>
> and describe what steps work, what steps fail?

I followed you turotial when I first set it up. thank you for this
information. I would like to add 1 thing to your tutorial ( I had to do
it, else ti didn't work). After the creating of the dummy user for the
service in zindows 2003 (and after creating the ktab-file), a name-mapping
to the HTTP-name should still be made, else this mapping doesn't exist.

You can find more information about creating the mapping at teh following
page:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx.
Search for "To create a mapping".

>
> A specialized mod_auth_kerb Mailingslist
> modauthkerb-help@lists.sourceforge.net is available at
> <http://sourceforge.net/mail/?group_id=51775>
>
>>krb5_rd_req() failed when verifying KDC
>>failed to verify krb5 credentials: Key table entry not found
>
> Does your keytab contain the webservers's principal?
>

Yes, it does.

> BTW: I never used neon <http://www.webdav.org/neon/>, but I thought
> it is able to do GSSAPI.
> What is the problem with neon?
>
> Achim
>

References:
- problem authenticating with mod_auth_kerb
  - From: michel.brabants@euphonynet.be
- Re: problem authenticating with mod_auth_kerb
  - From: Achim Grolms <achim@grolmsnet.de>

Prev by Date: Re: problem authenticating with mod_auth_kerb
Next by Date: Re: problem authenticating with mod_auth_kerb
Prev by thread: Re: problem authenticating with mod_auth_kerb
Next by thread: 2nd. anouncement of the 12th. german speeking AFS-conference: Nowsign in
Index(es):
- Date
- Thread