
Re: Separate keytab with mod_auth_kerb



* Björn Schlögl wrote:

> I am not familiar with the Heimdal API, but I have Apache 2.2.8
> working with mod_auth_kerb 5.3 and Heimdal 1.1. Did you try to set
> the "Krb5Keytab" option in httpd.conf? What exactly did you specify
> in httpd.conf?

Loading the module:

    LoadModule auth_kerb_module   libexec/apache22/mod_auth_kerb.so

Authentication setup (for the DocumentRoot directory):

    AuthType Kerberos
    AuthName "taygete"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthRealms MY-REALM
    Krb5KeyTab /usr/local/etc/apache22/keytab
    Require valid-user

When I run Apache with that configuration, and then access it from my
browser (which gets a ticket), the response is an internal server
error, and all the error log contains is:

    [Sat Mar 15 15:22:59 2008] [error] [client 192.168.0.94]
    gss_display_name() failed:  An invalid name was supplied
    (unknown mech-code 0 for mech unknown)

I ran Apache under FreeBSD's ktrace:

    ktrace -i -tn sh /usr/local/etc/rc.d/apache22 start

The options mean "child processes inherit the trace" and "trace only
name translations" (which includes everything involving a file name).
In the ktrace output, this happens:

    [root@taygete /usr/local/etc/apache22]# kdump | fgrep keytab
    874 httpd    NAMI  "/etc/krb5.keytab"

If I then copy /usr/local/etc/apache22/keytab to /etc/krb5.keytab and
give the Apache user access to that, the authentication _immediately_
starts working. (Yes, it had access to the original file as well, and
even a stat() or access() call would have shown up in the ktrace
output.)

-- 
Christian Ullrich
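As an added example (not part of the original post or of mod_auth_kerb), a small Python check that automates the comparison made above: it reads the Krb5KeyTab path from an httpd.conf fragment and the NAMI records from `kdump` output, and reports whether the configured keytab was ever looked up by httpd. The config and kdump lines are constructed samples mirroring the post.

```python
import re
from typing import List, Optional

# Constructed httpd.conf fragment (same directives as in the post).
HTTPD_CONF = """\
AuthType Kerberos
AuthName "taygete"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms MY-REALM
Krb5KeyTab /usr/local/etc/apache22/keytab
Require valid-user
"""

# Constructed `kdump` output from a `ktrace -i -tn` run: only the
# default keytab path appears in the name translations.
KDUMP_OUT = """\
   874 httpd    NAMI  "/usr/local/etc/apache22/httpd.conf"
   874 httpd    NAMI  "/etc/krb5.conf"
   874 httpd    NAMI  "/etc/krb5.keytab"
"""

# Apache directive names are case-insensitive; allow an optional quoted value.
KEYTAB_DIRECTIVE = re.compile(r'^\s*Krb5KeyTab\s+"?([^"\s]+)"?', re.I | re.M)
# One NAMI record: pid, process name, then the translated path in quotes.
NAMI_LINE = re.compile(r'^\s*(\d+)\s+(\S+)\s+NAMI\s+"([^"]+)"', re.M)

def configured_keytab(conf: str) -> Optional[str]:
    """Return the path given to Krb5KeyTab, or None if the directive is absent."""
    m = KEYTAB_DIRECTIVE.search(conf)
    return m.group(1) if m else None

def keytab_paths_opened(kdump: str, proc: str = "httpd") -> List[str]:
    """Paths from NAMI records of `proc` whose name mentions a keytab."""
    return [path for _, name, path in NAMI_LINE.findall(kdump)
            if name == proc and "keytab" in path.lower()]

def check_keytab(conf: str, kdump: str) -> dict:
    """Compare what httpd.conf asks for with what the process actually looked up."""
    want = configured_keytab(conf)
    seen = keytab_paths_opened(kdump)
    return {"configured": want, "looked_up": seen, "honoured": want in seen}

if __name__ == "__main__":
    result = check_keytab(HTTPD_CONF, KDUMP_OUT)
    print(result)
    if not result["honoured"]:
        print("Krb5KeyTab not honoured; httpd looked up:", result["looked_up"])
```

On a live system, feed it the real files: `check_keytab(open(conf).read(), subprocess.run(["kdump"], capture_output=True, text=True).stdout)`.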