
Re: Heimdal 0.7.2 with mod_auth_kerb 5.0rc7



Hi Mike,

Michael B Allen wrote:
> On Tue, 14 Mar 2006 11:13:08 +0100
> Eric Ritchie <eric.ritchie@100days.de> wrote:
> 
> 
>>Hello,
>>
>>I have been trying various configurations in the attempt to get single 
>>sign on working with a Windows 2003 server (acting as KDC) and a Suse 10 
>>Linux box (running Apache).
>>
>>I first tried to use NTLM authentication to verify that all was talking 
>>together and found that I needed to set "KrbVerifyKDC off" to get things 
>>working. Otherwise I see:
>>
>>[Fri Mar 10 15:51:49 2006] [debug] src/mod_auth_kerb.c(597): [client 
>>10.1.4.68] Trying to verify authenticity of KDC using principal 
>>HTTP/melunar.elite.cmsd.de@ELITE.CMSD.DE
>>[Fri Mar 10 15:51:49 2006] [debug] src/mod_auth_kerb.c(612): [client 
>>10.1.4.68] krb5_get_credentials() failed when verifying KDC
>>[Fri Mar 10 15:51:49 2006] [error] [client 10.1.4.68] failed to verify 
>>krb5 credentials: Server not found in Kerberos database
>>[Fri Mar 10 15:51:49 2006] [debug] src/mod_auth_kerb.c(1022): [client 
>>10.1.4.68] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) 
>>authtype=(NULL)
> 
> 
> Did you export the necessary principals with ktpass.exe and add them to
> melunarhttp.keytab with kutil copy?
> 

Yes, I used ktpass to add the principal and the melunarhttp.keytab file 
was the result of that command. I added this principal to my system wide 
krb5.keytab file with kutil copy, but I did not need to for the Apache 
setup.

> The KrbVerifyKDC error sounds like there needs to be a host principal in
> the keytab. The user=(NULL) OTOH sounds like there's a problem reading
> the initiator's name from the initial Kerberos token or maybe it's an
> artifact of not correctly exporting and importing the http principal
> (in which case I would file a bug report regarding the lack of proper
> debug messages).
> 

I did add a host principal to the krb5.keytab file, but this did not 
seem to help. I posted to the mod_auth_kerb mailing list and seem to 
have started a discussion about adding extra logging messages. Seems 
like I discovered a bug.

> I would get a packet capture and verify that the client is actually
> doing the right thing (e.g. is IE properly configured to do integrated
> authentication, the WWW server in the "intranet zone", etc).
> 
> Whatever the case, I don't feel this is a Heimdal problem. You might be
> better off trying the Apache users' mailing list.
> 

I did eventually solve the problem. It was a bad keytab file (Windows 
2k3 problem). So you are right in your guess that it is not a Heimdal 
problem.

Thanks for your answer.

Regards,
Eric Ritchie.
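The root cause in this thread was a bad keytab, and the suggested check was that both the HTTP/ service principal and a host/ principal are present in it. The following is an added example, not code from the thread or from Heimdal or mod_auth_kerb: a small offline parser for the keytab file format shared by Heimdal and MIT Kerberos (version bytes 0x05 0x02), which lists the principals, key version numbers and encryption types a keytab holds and reports which of the expected principals are missing. The sample keytab bytes are constructed in the block itself via build_keytab(); the enctype number-to-name map covers the common types only, and everything else (function names, the timestamp, the key bytes) is an assumption of this example.

```python
import struct

# Constructed for this example: common enctype numbers from RFC 3961 / RFC 4757.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}


def _counted(b: bytes) -> bytes:
    """16-bit big-endian length prefix followed by the bytes (keytab counted string)."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Build a v0x0502 keytab from (principal, kvno, enctype, key) tuples.

    Used here only to construct sample input; real keytabs come from ktpass/ktutil."""
    out = bytearray(b"\x05\x02")
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray()
        body += struct.pack(">H", len(comps))          # component count (realm not counted in v2)
        body += _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">I", 1)                   # name type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 1142000000)          # timestamp (constructed)
        body += struct.pack(">B", kvno & 0xFF)         # 8-bit kvno
        body += struct.pack(">H", enctype) + _counted(key)
        out += struct.pack(">i", len(body)) + body     # positive size = live entry
    return bytes(out)


def parse_keytab(data: bytes):
    """Parse keytab bytes into a list of entry dicts; deleted slots (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                    # slot freed by ktutil delete: skip its bytes
            pos += -size
            continue
        end = pos + size

        def counted():
            nonlocal pos
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            s = data[pos:pos + n]
            pos += n
            return s.decode("utf-8", "replace")

        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = counted()
        comps = [counted() for _ in range(ncomp)]
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:              # optional 32-bit kvno overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
            "key_len": len(key),
        })
    return entries


def check_keytab(entries, fqdn: str, realm: str):
    """Return the expected principals (HTTP/ and host/ for the web server) that are absent."""
    present = {e["principal"] for e in entries}
    required = ["HTTP/%s@%s" % (fqdn, realm), "host/%s@%s" % (fqdn, realm)]
    return [p for p in required if p not in present]


if __name__ == "__main__":
    # Constructed sample: the keytab as exported for the HTTP service only.
    sample = build_keytab([
        ("HTTP/melunar.elite.cmsd.de@ELITE.CMSD.DE", 3, 23, b"\x11" * 16),
    ])
    parsed = parse_keytab(sample)
    for e in parsed:
        print("%-45s kvno=%d %s" % (e["principal"], e["kvno"], e["enctype"]))
    print("missing:", check_keytab(parsed, "melunar.elite.cmsd.de", "ELITE.CMSD.DE"))
```

To inspect a real file, read it with open(path, "rb").read() and pass the bytes to parse_keytab(); the kvno printed for each entry should match the one the KDC currently holds for that account, since a stale kvno after a password reset is another way a keytab goes bad.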