[32939] in Kerberos


Re: mod_auth_kerb problem

daemon@ATHENA.MIT.EDU (Andreas Ntaflos)
Mon Nov 29 18:44:07 2010

From: Andreas Ntaflos <daff@pseudoterminal.org>
To: kerberos@mit.edu
Date: Tue, 30 Nov 2010 00:43:57 +0100
In-Reply-To: <29317584-7d58-45f3-adaa-3f341d417c62@z9g2000yqz.googlegroups.com>
Message-Id: <201011300043.58050.daff@pseudoterminal.org>
Cc: Ben Kwint <benkwint@gmail.com>

On Thursday 25 November 2010 09:03:49 Ben Kwint wrote:
> After that I installed apache on the same machine to test
> mod_auth_kerb. Installed mod_auth_kerb module on the apache machine
> and set up the following .htaccess file
>
> AuthType Kerberos
> AuthName "Kerberos Login"
> KrbVerifyKDC off
> KrbMethodK5Passwd off
> #KrbServiceName server
> ### Krb5Keytab /etc/krb5.keytab.apache
> KrbAuthRealms LOCAL.NETWORK
> require valid-user
>
> I tested all kinds of different setups of my .htaccess file

Did you correctly create an HTTP service principal and add it to a
keytab file Apache has permissions to read? The following (all from
memory) assumes two different servers, one for the KDC, one for the
webserver, but it shouldn't really matter. Replace the "kadmin -p ..."
call with "kadmin.local" if it is all one machine:

KDC# kadmin.local -q "ank -randkey HTTP/web.local.network@LOCAL.NETWORK"
web# kadmin -p your-admin-account -q "ktadd \
  -k /etc/apache2/http.keytab HTTP/web.local.network@LOCAL.NETWORK"
web# chown root:www-data /etc/apache2/http.keytab
web# chmod 640 /etc/apache2/http.keytab

Then tell Apache where to find it. In the .htaccess file:

KrbServiceName HTTP
Krb5KeyTab /etc/apache2/http.keytab

You should also keep "KrbVerifyKDC on".

Restart Apache. The mod_auth_kerb homepage might also help you
understand this procedure:
http://modauthkerb.sourceforge.net/configure.html

> My apache server does not show any errors but when I look at the
> mozilla error log I see this:

Does your KDC log anything useful?
> -1216447824[b7517060]:   using REQ_DELEGATE
> -1216447824[b7517060]:   service = local.network
> -1216447824[b7517060]:   using negotiate-gss
> -1216447824[b7517060]: entering nsAuthGSSAPI::nsAuthGSSAPI()
> -1216447824[b7517060]: Attempting to load gss functions
> -1216447824[b7517060]: entering nsAuthGSSAPI::Init()
> -1216447824[b7517060]:
> nsHttpNegotiateAuth::GenerateCredentials_1_9_2()
> [challenge=Negotiate] -1216447824[b7517060]: entering
> nsAuthGSSAPI::GetNextToken() -1216447824[b7517060]:
> gss_init_sec_context() failed: Unspecified GSS failure.  Minor code
> may provide more information
> -1216447824[b7517060]:   leaving nsAuthGSSAPI::GetNextToken
> [rv=80004005]
>
> Any idea what might be causing this error?

I can't really tell from this log output but did you set up Firefox to
do the whole "negotiate-auth" dance for the webserver in question? I.e.
set "network.negotiate-auth.trusted-uris" in "about:config" to, in your
case, "local.network"?

> Any help would be greatly appreciated. If someone knows any public
> kdc which you can use to test stuff it would be even better, Then I
> could forget all about installing my own kdc.

I don't know of any public KDCs to test this against. And how would it
be even possible? You need a service principal for the webserver as I
explained above which is something the KDC administrator must create and
distribute to your webserver.

> So what I basically want is to be able to install an entire test
> setup on 1 machine. Is this possible?

I don't see why not, provided that your DNS works. This could really
make or break any Kerberos setup. Be sure that both the KDC and the=20
webserver can be resolved correctly forwards and backwards.

HTH

Andreas
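The steps in the reply above boil down to three things that can be checked before Apache is ever restarted: the keytab really contains the HTTP/<fqdn>@REALM principal, the file mode is the 0640 the reply sets, and forward and reverse DNS for the webserver agree. The script below is an added example, not code from this post or from mod_auth_kerb. It builds a one-entry keytab in memory in the MIT v2 (0x0502) layout that ktadd writes (an assumption about the file format, used so that no kadmin is needed), and the DNS lookups are injectable so the constructed hosts table stands in for a resolver. The hostnames, addresses and the 32-byte zero key are constructed sample data.

```python
"""Offline preflight for the mod_auth_kerb keytab/DNS setup described above.
Added example; the keytab layout (MIT v2, 0x0502) is an assumption about the
format ktadd writes, and all hosts, addresses and keys below are constructed."""
import os
import struct
import tempfile

KEYTAB_VERSION = 0x0502
KRB5_NT_PRINCIPAL = 1

def _counted(raw: bytes) -> bytes:
    """16-bit length-prefixed octet string, the keytab's string encoding."""
    return struct.pack(">H", len(raw)) + raw

def build_keytab(principal: str, enctype: int, key: bytes, kvno: int = 1) -> bytes:
    """Serialise a single-entry keytab for principal (e.g. HTTP/host@REALM)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">II", KRB5_NT_PRINCIPAL, 0)   # name_type, timestamp
    body += struct.pack(">B", kvno & 0xFF)              # 8-bit vno
    body += struct.pack(">H", enctype) + _counted(key)  # keyblock
    body += struct.pack(">I", kvno)                     # 32-bit vno (v2 extension)
    return struct.pack(">Hi", KEYTAB_VERSION, len(body)) + body

def parse_keytab(data: bytes):
    """Return [(principal, kvno, enctype)] per live entry, as klist -kt shows."""
    version, = struct.unpack(">H", data[:2])
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    pos, entries = 2, []
    def take():                       # read one counted octet string at pos
        nonlocal pos
        n, = struct.unpack(">H", data[pos:pos + 2])
        pos += 2 + n
        return data[pos - n:pos]
    while pos + 4 <= len(data):
        size, = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm = take().decode()
        comps = [take().decode() for _ in range(ncomp)]
        pos += 8                      # name_type + timestamp, not needed here
        kvno = data[pos]
        pos += 1
        enctype, = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        take()                        # key material, deliberately not returned
        if pos + 4 <= end:            # 32-bit vno, if present, supersedes 8-bit
            kvno, = struct.unpack(">I", data[pos:pos + 4])
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries

def check_keytab_file(path: str, expected_principal: str):
    """Problems with the keytab Apache will read: mode bits and principal."""
    problems = []
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o007:
        problems.append("keytab readable by everyone (mode %04o), want 0640" % mode)
    if mode & 0o020:
        problems.append("keytab group-writable (mode %04o)" % mode)
    with open(path, "rb") as fh:
        names = [p for p, _, _ in parse_keytab(fh.read())]
    if expected_principal not in names:
        problems.append("keytab lacks %s, has %s" % (expected_principal, names))
    return problems

def check_dns(fqdn: str, forward, reverse):
    """forward/reverse are lookup callables returning None on failure
    (wrap socket.gethostbyname / socket.gethostbyaddr for a real check)."""
    ip = forward(fqdn)
    if ip is None:
        return ["%s does not resolve" % fqdn]
    back = reverse(ip)
    if back != fqdn:
        return ["%s -> %s -> %r: reverse lookup disagrees" % (fqdn, ip, back)]
    return []

# Constructed sample: the poster's realm, a hypothetical web host and KDC.
WEB_HOST = "web.local.network"
PRINCIPAL = "HTTP/%s@LOCAL.NETWORK" % WEB_HOST
HOSTS = {WEB_HOST: "192.0.2.10", "kdc.local.network": "192.0.2.5"}
PTRS = {ip: name for name, ip in HOSTS.items()}

def run_checks(mode=0o640):
    """Write the sample keytab with the given mode and run every check."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(build_keytab(PRINCIPAL, 18, bytes(32), kvno=3))  # 18 = aes256-cts
    os.chmod(tmp.name, mode)
    try:
        problems = check_keytab_file(tmp.name, PRINCIPAL)
    finally:
        os.unlink(tmp.name)
    return problems + check_dns(WEB_HOST, HOSTS.get, PTRS.get)
```

run_checks() returns an empty list for the layout the reply describes; run_checks(mode=0o644) reports the world-readable keytab, and feeding check_dns a host with no PTR record reproduces the forward/reverse mismatch the reply warns about. Against a real webserver, point check_keytab_file at /etc/apache2/http.keytab and pass socket-based lookups to check_dns.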


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

