[31252] in Kerberos
Keytab server principal cuts off at @
daemon@ATHENA.MIT.EDU (Charles Breite)
Mon Jun 15 14:31:05 2009
Date: Mon, 15 Jun 2009 13:30:39 -0500
Message-ID: <5D490E0402B4D14F836B5C4436D5949A8AD654@VMEXCHANGE2.alterscrap.com>
From: "Charles Breite" <Charles.Breite@altertrading.com>
To: <kerberos@mit.edu>
Hi All,
I have a strange problem and hope someone can help....
I have a new installation of Kerberos 5 release 1.6.2 and we have this working on all of our production servers, but this server continues to fail to authenticate.
What I see in the logs for the failure is:
[Mon Jun 15 13:08:52 2009] [debug] src/mod_auth_kerb.c(1485): [client 10.10.100.29] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jun 15 13:08:52 2009] [debug] src/mod_auth_kerb.c(940): [client 10.10.100.29] Using HTTP/servername.domain.com@ as server principal for password verification
[Mon Jun 15 13:08:52 2009] [debug] src/mod_auth_kerb.c(680): [client 10.10.100.29] Trying to get TGT for user charlesb@Domain.COM
[Mon Jun 15 13:08:52 2009] [debug] src/mod_auth_kerb.c(594): [client 10.10.100.29] Trying to verify authenticity of KDC using principal HTTP/servername.domain.com@
[Mon Jun 15 13:08:52 2009] [debug] src/mod_auth_kerb.c(609): [client 10.10.100.29] krb5_get_credentials() failed when verifying KDC
[Mon Jun 15 13:08:52 2009] [error] [client 10.10.100.29] failed to verify krb5 credentials: Server not found in Kerberos database
[Mon Jun 15 13:08:52 2009] [debug] src/mod_auth_kerb.c(1019): [client 10.10.100.29] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL)
I am wondering if anyone has seen this where the principal is cut off. I have regenerated the keytab several times and re-checked the Windows accounts we are using for the auth. Shouldn't the principal be HTTP/servername.domain.com@domain.com?
Apache config is:
<VirtualHost 10.10.10.14:80>
    ServerName servername.domain.com
    ServerAlias servername.domain.com
    ServerAlias servername
    DocumentRoot /usr/local/nagios/share
    ErrorLog /var/log/apache2/nagios_error.log
    TransferLog /var/log/apache2/nagios_access.log
    LogLevel Debug
    ScriptAlias /nagios/cgi-bin/ "/usr/local/nagios/sbin/"
    <Directory "/usr/local/nagios/sbin/">
        Options ExecCGI
        Order allow,deny
        Allow from all
        AuthType Kerberos
        AuthName "Nagios"
        Krb5Keytab /etc/apache2/keytabs/HTTP.servername.keytab
        KrbAuthRealms DOMAIN.COM
        KrbServiceName HTTP
        KrbVerifyKDC on
        KrbMethodNegotiate off
        KrbMethodK5Passwd on
        AuthGroupFile /usr/local/nagios/web_groups
        Require group nagios
    </Directory>
    <Directory "/usr/local/nagios/share">
        Options FollowSymLinks
        Order allow,deny
        Allow from all
        AuthType Kerberos
        AuthName "Nagios"
        Krb5Keytab /etc/apache2/keytabs/HTTP.servername.keytab
        KrbAuthRealms DOMAIN.COM
        KrbServiceName HTTP
        KrbVerifyKDC on
        KrbMethodNegotiate off
        KrbMethodK5Passwd on
        AuthGroupFile /usr/local/nagios/web_groups
        Require group nagios
    </Directory>
</VirtualHost>
I am fairly new to Kerberos so I apologize if I am not seeing something
that I should be....
Thanks!
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
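
A way to check for the symptom in the log above, as an added example that is not part of the original message or of mod_auth_kerb: it pulls the server principal out of the debug lines, splits it into components and realm, and flags an empty realm or one that does not exactly match the configured KrbAuthRealms value (Kerberos realm names are case-sensitive). The function names, the regular expression and the unwrapped sample log are constructed for illustration.

```python
import re
# Constructed sample: debug entries from the post, unwrapped to one per line.
SAMPLE_LOG = """\
[Mon Jun 15 13:08:52 2009] [debug] src/mod_auth_kerb.c(940): [client 10.10.100.29] Using HTTP/servername.domain.com@ as server principal for password verification
[Mon Jun 15 13:08:52 2009] [debug] src/mod_auth_kerb.c(680): [client 10.10.100.29] Trying to get TGT for user charlesb@Domain.COM
[Mon Jun 15 13:08:52 2009] [debug] src/mod_auth_kerb.c(594): [client 10.10.100.29] Trying to verify authenticity of KDC using principal HTTP/servername.domain.com@
"""

# Wording that surrounds the server principal in those entries (hypothetical pattern).
PRINCIPAL_RE = re.compile(r"Using (?P<a>\S+) as server principal|KDC using principal (?P<b>\S+)")

def split_principal(name):
    """Return (components, realm); realm is None without '@', '' if nothing follows it."""
    comps, cur, realm, i = [], [], None, 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):  # backslash escapes '/' and '@'
            cur.append(name[i + 1])
            i += 2
            continue
        if ch == "@":
            realm = name[i + 1:]
            break
        if ch == "/":
            comps.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    comps.append("".join(cur))
    return comps, realm

def check_log(log_text, expected_realms):
    """Return (principal, problem) for each logged server principal with a bad realm."""
    findings = []
    for line in log_text.splitlines():
        m = PRINCIPAL_RE.search(line)
        if not m:
            continue
        name = m.group("a") or m.group("b")
        realm = split_principal(name)[1]
        if not realm:
            findings.append((name, "empty or missing realm"))
        elif realm not in expected_realms:  # realm names are case-sensitive
            findings.append((name, "realm not in KrbAuthRealms: " + realm))
    return findings

if __name__ == "__main__":
    print(check_log(SAMPLE_LOG, {"DOMAIN.COM"}))  # realm taken from the posted config
```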