Re: Separate keytab with mod_auth_kerb
* Björn Schlögl wrote:
> I am not familiar with the Heimdal API, but I have Apache 2.2.8
> working with mod_auth_kerb 5.3 and Heimdal 1.1. Did you try to set
> the "Krb5Keytab" option in httpd.conf? What exactly did you specify
> in httpd.conf?
Loading the module:
LoadModule auth_kerb_module libexec/apache22/mod_auth_kerb.so
Authentication setup (for the DocumentRoot directory):
AuthType Kerberos
AuthName "taygete"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms MY-REALM
Krb5KeyTab /usr/local/etc/apache22/keytab
Require valid-user
When I run Apache with that configuration, and then access it from my
browser (which gets a ticket), the response is an internal server
error, and all the error log contains is:
[Sat Mar 15 15:22:59 2008] [error] [client 192.168.0.94]
gss_display_name() failed: An invalid name was supplied
(unknown mech-code 0 for mech unknown)
I ran Apache under FreeBSD's ktrace:
ktrace -i -tn sh /usr/local/etc/rc.d/apache22 start
The options mean "child processes inherit the trace" and "trace only
name translations" (which includes everything involving a file name).
In the ktrace output, this happens:
[root@taygete /usr/local/etc/apache22]# kdump | fgrep keytab
874 httpd NAMI "/etc/krb5.keytab"
If I then copy /usr/local/etc/apache22/keytab to /etc/krb5.keytab and
give the Apache user access to that, the authentication _immediately_
starts working. (Yes, it had access to the original file as well, and
even a stat() or access() call would have shown up in the ktrace
output.)
--
Christian Ullrich
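The diagnostic above boils down to one question: does the keytab httpd actually looks up match the one named by Krb5KeyTab? The following script is an added example and is not part of the post or of mod_auth_kerb; it takes the Krb5KeyTab value and the output of kdump (after starting Apache under ktrace -i -tn, as in the post) and reports the keytab paths that appear in NAMI records and whether the configured one is among them. The kdump lines embedded below are constructed to mirror the post, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original post. Cross-checks the Krb5KeyTab
# value from httpd.conf against the file names httpd really looked up,
# as recorded by `kdump` after `ktrace -i -tn sh /usr/local/etc/rc.d/apache22 start`.

# Constructed kdump excerpt (assumption: same layout as FreeBSD kdump output):
# httpd looked up only the default keytab, not the configured one.
SAMPLE_KDUMP='   874 httpd    CALL  open(0x800e3c2a0,0<O_RDONLY>)
   874 httpd    NAMI  "/etc/krb5.keytab"
   874 httpd    NAMI  "/usr/local/etc/apache22/httpd.conf"
   874 httpd    CALL  stat(0x7fffffffe2c0,0x7fffffffe1d0)
   874 httpd    NAMI  "/etc/krb5.conf"'

# Print the distinct NAMI file names whose path mentions "keytab".
# $1: kdump output
keytab_lookups() {
    printf '%s\n' "$1" |
        awk '$3 == "NAMI" { gsub(/"/, "", $4); print $4 }' |
        grep -i keytab |
        sort -u
}

# Exit 0 if the configured keytab was looked up at all, 1 otherwise.
# $1: Krb5KeyTab value, $2: kdump output
configured_keytab_used() {
    keytab_lookups "$2" | grep -qx -- "$1"
}

# Print a one-line verdict for one Krb5KeyTab value and trace.
# $1: Krb5KeyTab value, $2: kdump output
diagnose() {
    configured="$1"; trace="$2"
    if configured_keytab_used "$configured" "$trace"; then
        echo "OK: httpd looked up the configured keytab $configured"
        return 0
    fi
    echo "MISMATCH: Krb5KeyTab is $configured but httpd only looked up:"
    keytab_lookups "$trace" | sed 's/^/    /'
    return 1
}

# With the constructed trace this reports a mismatch, the situation the post describes.
diagnose /usr/local/etc/apache22/keytab "$SAMPLE_KDUMP" || true
```

In practice replace SAMPLE_KDUMP with `kdump` run in the directory holding ktrace.out; a MISMATCH verdict tells you the module fell back to the library default before any permission problem on the configured file could matter.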