
Re: What are the issues with dns_lookup_realm ?

daemon@ATHENA.MIT.EDU (Christopher D. Clausen)
Mon Oct 11 09:55:04 2010

Message-ID: <7D7825AE41E846799071B10540E9E54A@CDCHOME>
From: "Christopher D. Clausen" <cclausen@acm.org>
To: "Brian Candler" <B.Candler@pobox.com>
Date: Mon, 11 Oct 2010 08:54:50 -0500
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Brian Candler <B.Candler@pobox.com> wrote:
> The error message from /var/log/http/ssl_error_log was unhelpful:
>
> [Mon Oct 11 11:20:17 2010] [error] [client 172.31.131.185]
> krb5_verify_init_creds() failed: Key table entry not found
>
> What was even more odd, if I did a 'su' to the apache user, I was able to
> 'kinit' using one of the usernames/passwords which apache was rejecting as
> Basic Auth credentials. Surely mod_auth_kerb should be doing the same??

There is more to it than just a kinit, unless you have KrbVerifyKDC off 
which you shouldn't b/c it can be a security problem.  Mod_auth_kerb is just 
blindly trusting that ANY successful Kerberos reply comes from your KDC with 
this turned off.  When it is on, it uses its keytab to verify that the KDC 
that responded is legit and not one an attacker set up.

> [snip]
> The fact that adding the DNS record fixed things suggests that it was a
> hostname-to-realm mapping issue. But I'd really like to know what principal
> it was looking for when I got the "Key table entry not found" error
> message.

The requested service principal name would likely be logged on the KDC when 
apache tries to authenticate users and produces this message.

<<CDC 

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
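As an added illustration of the KrbVerifyKDC point made in the reply above (this is example configuration, not something posted in the thread), here is a mod_auth_kerb setup with the weak setting beside the hardened one; the realm EXAMPLE.COM, the keytab path and the location names are assumed placeholders.

```apache
# Added example, not from the thread. Realm, keytab path and locations are placeholders.

# WEAK: with KrbVerifyKDC off, mod_auth_kerb accepts any successful reply to the
# password-based AS exchange without checking that it came from the real KDC,
# so a host that can answer KDC traffic for the realm can make the password
# check "succeed". This is the setting the reply above warns against.
<Location /weak>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate off
    KrbMethodK5Passwd on
    KrbAuthRealms EXAMPLE.COM
    KrbVerifyKDC off
    Require valid-user
</Location>

# HARDENED: KrbVerifyKDC on (the default) makes mod_auth_kerb call
# krb5_verify_init_creds(): after obtaining the user's TGT it requests a ticket
# for its own service principal and decrypts it with the keytab. That only works
# when the keytab holds HTTP/<fqdn>@REALM for the realm the host name maps to,
# which is the entry behind the "Key table entry not found" error in the thread.
<Location /secure>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5Keytab /etc/apache2/http.keytab
    KrbVerifyKDC on
    Require valid-user
</Location>
```

Before reloading Apache, check that `klist -k /etc/apache2/http.keytab` lists an HTTP/<fqdn>@EXAMPLE.COM entry and that the file is readable by the apache user; if the principal is missing or its realm does not match the host's realm mapping, the verification step fails with the same "Key table entry not found" message quoted above.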