[28767] in Kerberos
Re: Access problem Apache/mod_auth_kerb/AD
daemon@ATHENA.MIT.EDU (Mikkel Kruse Johnsen)
Wed Nov 21 09:38:42 2007
From: Mikkel Kruse Johnsen <mikkel@linet.dk>
To: Florian.Dautermann@gmx.de
In-Reply-To: <20071121142017.250680@gmx.net>
Date: Wed, 21 Nov 2007 15:38:01 +0100
Message-Id: <1195655881.2641.12.camel@tux.lib.cbs.dk>
Mime-Version: 1.0
Cc: kerberos@mit.edu
Reply-To: mikkel@linet.dk
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Hi
I had some trouble finding out myself. So I ended up changing in configure. Really stupid patch. Changes the check to reverse.
/Mikkel
--- ../BUILD/mod_auth_kerb-5.3/configure 2007-08-1508:36:07.000000000 +0200+++ /home/mkj/mod_auth_kerb-5.3.orig/configure 2007-07-2511:38:20.000000000 +0200@@ -3903,7 +3903,7 @@ ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then- if test $? -eq 1; then+ if test $? -eq 0; then echo "$as_me:$LINENO: result: yes" >&5 echo "${ECHO_T}yes" >&6 cat >>confdefs.h <<\_ACEOF
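Review bot: the changed `if test $? -eq 0; then` comes directly after the `then` of the `(exit $ac_status); }; }; then` condition, so `$?` is already 0 when it is evaluated; `-eq 1` could never match there and `-eq 0` always does, which makes the "yes" result unconditional instead of a check. If the probe's exit code is meant to carry the answer, it has to be examined where a non-zero status is still reachable, or the choice should become an explicit configure option. Two smaller points: the headers put the `.orig` tree on the `+++` side and `../BUILD` on the `---` side, so the direction of the patch as posted is ambiguous, and the file patched is `configure` itself, so the change is lost whenever that script is regenerated.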
On Wed, 2007-11-21 at 15:20 +0100, Florian.Dautermann@gmx.de wrote:
> Hi Mikkel,
>
> thanks for the quick answer! Can you tell me how I switch to the internal SPNEGO? I did not find any information about that on the project web page nor on the internet.
>
> Thanks,
> Florian
>
> thanks
>
> > Hi Florian
> >
> > I had the same problem. There is an error in mod_auth_kerb when using
> > the system SPNEGO. You have to use the mod_auth_kerb internal SPNEGO.
> >
> > I was testing on RHEL5 and had to recompile with internal SPNEGO and it
> > worked.
> >
> > /Mikkel
> >
> > On Wed, 2007-11-21 at 14:36 +0100, Florian Dautermann wrote:
> >
> > > Hello,
> > >
> > > I have the following problem:
> > > Our KDC is a Windows 2003 AD Server with address "company.corp"
> > > which is also the name of the domain. We have an Apache
> > > Webserver running on an OpenSuse with mod_auth_kerb (5.3).
> > > Its name is "department.location.company.corp". It has a
> > > valid keytab file (for
> > > HTTP/department.location.company.corp@company.corp) with
> > > which it can get tickets. The WebServer is accessed via
> > > "http://department.location.company.corp:1081/site".
> > >
> > > Some hosts can access the WebServer correctly.
> > >
> > > The other hosts who cannot access the WebServer are
> > > Windows XP Pro machines, hooked into the domain with a
> > > domain user logged on. Access is not possible via: IE6,
> > > IE7, Mozilla despite correct configuration (Integrated
> > > Windows Authentication is on, correct zone is set...).
> > > Access is possible via the following ways: running the
> > > browsers explicitly as the user's domain account; using
> > > MIT Kerberos for Windows in combination with mozilla
> > > (switching network.auth.use-sspi to false). Kerbtray
> > > shows a TGT in the MSLSA cache.
> > >
> > > In case of a failure, Apache log shows that the client
> > > is sending an NTLM token. Network sniffers show that
> > > there is no communication between the client and the KDC.
> > >
> > > One really funny thing about the whole thing is that
> > > the error appears exclusively if the user is in the local
> > > Administrators group. (User logs on; it is working; user
> > > is granted administrative rights; logs off and on again;
> > > it does not work). Removing the user from Administrator
> > > group again afterwards does not solve the problem.
> > >
> > > I guess somehow the Microsoft SSPI is the problem, but
> > > I do not know how to fix it.
> > >
> > > Any ideas or thoughts are appreciated.
> > >
> > > Thanks,
> > > Florian
> > > ________________________________________________
> > > Kerberos mailing list Kerberos@mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> > Med Venlig Hilsen / Kind Regards
> >
> > Mikkel Kruse Johnsen
> > Adm.Dir.
> >
> > Linet
> > Ørholmgade 6 st tv
> > Copenhagen N 2200
> > Denmark
> >
> > Work: +45 21287793
> > Mobile: +45 21287793
> > Email: mikkel@linet.dk
> > IM: mikkel@linet.dk (MSN)
> > Professional Profile
> > Healthcare Network Consultant
Med Venlig Hilsen / Kind Regards
Mikkel Kruse Johnsen
Adm.Dir.
Linet
Ørholmgade 6 st tv
Copenhagen N 2200
Denmark
Work: +45 21287793
Mobile: +45 21287793
Email: mikkel@linet.dk
IM: mikkel@linet.dk (MSN)
Professional Profile
Healthcare Network Consultant
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
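Added example, not part of the original thread and not mod_auth_kerb code: a Python check that tells whether an `Authorization: Negotiate` header value carries a raw NTLM message or a SPNEGO/Kerberos token, the symptom reported above from the Apache log. The function names, result labels and sample tokens are constructed for illustration, and the OID scan is a heuristic, not a full ASN.1 parse.

```python
import base64

# DER-encoded mechanism OIDs as they appear inside GSS-API / SPNEGO tokens
SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2
NTLM = bytes.fromhex("060a2b06010401823702020a")      # 1.3.6.1.4.1.311.2.2.10


def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return "malformed"
    if token.startswith(b"NTLMSSP\x00"):
        return "raw-ntlm"                   # client fell back to NTLM
    if len(token) < 4 or token[0] != 0x60:  # 0x60 = GSS-API initial token tag
        return "unknown"
    # Skip the tag byte and the DER length (short or long form)
    body = 2 if token[1] < 0x80 else 2 + (token[1] & 0x7F)
    mech = token[body:]
    if mech.startswith(KRB5):
        return "kerberos"
    if not mech.startswith(SPNEGO):
        return "unknown"
    offered = mech[len(SPNEGO):]            # NegTokenInit with the mech list
    if KRB5 in offered or MS_KRB5 in offered:
        return "spnego-kerberos"
    return "spnego-ntlm-only" if NTLM in offered else "spnego-other"


def tlv(tag, payload):
    """Hypothetical helper: short-form DER TLV for building the samples."""
    return bytes([tag, len(payload)]) + payload


def negotiate_header(raw):
    return "Negotiate " + base64.b64encode(raw).decode()


def neg_init(*mechs):
    inner = tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, b"".join(mechs)))))
    return negotiate_header(tlv(0x60, SPNEGO + inner))


# Constructed samples (not captured traffic), keyed by the expected label
SAMPLES = {"raw-ntlm": negotiate_header(b"NTLMSSP\x00\x01\x00\x00\x00"),
           "spnego-kerberos": neg_init(MS_KRB5, KRB5, NTLM),
           "spnego-ntlm-only": neg_init(NTLM)}
```

A `raw-ntlm` or `spnego-ntlm-only` result means the client never offered a Kerberos ticket, so the cause lies on the client side before the module is involved.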