Error authenticating RHEL4 apache from Win 2k3 AD Kerberos
daemon@ATHENA.MIT.EDU (Nabeel Moidu)
Mon Nov 19 03:15:39 2007
Message-ID: <3fd6d7cc0711190014mcbd7826o387d5309465292c8@mail.gmail.com>
Date: Mon, 19 Nov 2007 11:14:28 +0300
From: "Nabeel Moidu" <nabeelmoidu@gmail.com>
To: kerberos@mit.edu
Hi
I'm trying to get Apache on my RHEL 4 AS server to authenticate from
a Windows 2003 AD.
I've configured /etc/krb5.conf as follows:
[root@test ~]# cat /etc/krb5.conf
....
[libdefaults]
default_realm = FOO.BAR
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
FOO.BAR = {
kdc = DC.FOO.BAR:88
admin_server = DC.FOO.BAR:749
default_domain = FOO.BAR
}
[domain_realm]
.FOO.BAR = FOO.BAR
FOO.BAR = FOO.BAR
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
The AD is dc.foo.bar and there's no firewall issue between apache and
the AD. NTP sync from the AD also works fine.
[root@test ~]# ntpdate -u dc.foo.bar
19 Nov 09:42:35 ntpdate[3440]: adjust time server 172.31.100.165
offset -0.048116 sec
When I try kinit apache1, it works fine.
[root@test ~]# kinit apache1
Password for apache1@FOO.BAR:
[root@test ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: apache1@FOO.BAR
Valid starting Expires Service principal
11/19/07 08:17:26 11/19/07 18:13:38 krbtgt/FOO.BARA@FOO.BAR
renew until 11/20/07 08:17:26
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Now I've configured Apache as follows:
[root@test ~]# cat /etc/httpd/conf/httpd.conf | grep Realm -B 8 -A 10
# features.
#
<Directory />
Options FollowSymLinks
AllowOverride None
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealm foo.bar
KrbServiceName HTTP
KrbMethodNegotiate on
Krb5KeyTab /etc/krb5.keytab
KrbVerifyKDC off
#require user apache1@FOO.BAR
require valid-user
</Directory>
My keytab file is as follows:
[root@test ~]# cat /var/www/krb5.keytab
HTTP/test.foo.bar@FOO.BAR
[root@test ~]# ll /var/www/krb5.keytab
-rw-r--r-- 1 apache apache 36 Nov 19 10:08 /var/www/krb5.keytab
[root@test ~]#
When I try to log in as apache1 from the browser, I get:
[Mon Nov 19 09:25:33 2007] [error] [client 172.31.32.52]
krb5_get_init_creds_password() failed: KDC reply did not match
expectations
If the username is wrong or the password is wrong, I get errors
saying client not in database or preauthentication failed. It's only
when the password is correct that I get this error. On the browser
side, the server just prompts for the password again.
Suggestions, anybody?
Thanks in advance
Nabeel
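As an added example (not part of the original post), a small Python checker that applies the usual diagnosis for this symptom to the configuration above: Kerberos realm names are case-sensitive, so a KrbAuthRealm of foo.bar makes mod_auth_kerb request a ticket for apache1@foo.bar while the AD KDC replies for FOO.BAR, and libkrb5 reports "KDC reply did not match expectations". The sample configs are constructed from the post's excerpts; the on-disk keytab path argument and the finding labels are assumptions.

```python
import re

# Constructed sample input, trimmed from the configuration excerpts in the post.
KRB5_CONF = """
[libdefaults]
default_realm = FOO.BAR
[realms]
FOO.BAR = {
kdc = DC.FOO.BAR:88
}
"""
HTTPD_CONF = """
KrbAuthRealm foo.bar
Krb5KeyTab /etc/krb5.keytab
KrbVerifyKDC off
"""

def known_realms(krb5_text):
    """Realm names krb5.conf declares: default_realm plus every [realms] entry."""
    realms = set(re.findall(r"^\s*([\w.\-]+)\s*=\s*\{", krb5_text, re.M))
    realms.update(re.findall(r"^\s*default_realm\s*=\s*(\S+)", krb5_text, re.M))
    return realms

def auth_kerb_directives(httpd_text):
    """mod_auth_kerb directives (Krb*) as {lowercased name: value}."""
    pairs = re.findall(r"^\s*(Krb\w+)\s+(.+?)\s*$", httpd_text, re.M)
    return {name.lower(): value for name, value in pairs}

def check_config(krb5_text, httpd_text, keytab_on_disk):
    """Return findings that explain a 'KDC reply did not match expectations' login."""
    findings = []
    realms = known_realms(krb5_text)
    d = auth_kerb_directives(httpd_text)
    realm = d.get("krbauthrealm", "")
    # Realm names are case-sensitive: the module asks for apache1@foo.bar, the AD
    # KDC answers for FOO.BAR, and libkrb5 rejects the mismatched reply.
    if realm not in realms:
        hint = f" (realm '{realm.upper()}' is)" if realm.upper() in realms else ""
        findings.append(f"realm-mismatch: KrbAuthRealm '{realm}' is not in krb5.conf{hint}")
    keytab = d.get("krb5keytab", "")
    if keytab != keytab_on_disk:
        findings.append(f"keytab-path: Krb5KeyTab is '{keytab}', file is at '{keytab_on_disk}'")
    # KrbVerifyKDC off skips checking the KDC's reply against the HTTP/ key in the
    # keytab, so a spoofed KDC could grant a password login; enable it once the keytab works.
    if d.get("krbverifykdc", "on").lower() == "off":
        findings.append("kdc-verify: KrbVerifyKDC off leaves password logins open to KDC spoofing")
    return findings
```

Calling check_config(KRB5_CONF, HTTPD_CONF, "/var/www/krb5.keytab") on the sample reports all three findings; the same call on a config with FOO.BAR, the real keytab path and KrbVerifyKDC on returns an empty list.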
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos