Hi

I'm trying to get Apache on my RHEL 4 AS server to authenticate against
a Windows 2003 AD.

I've configured the /etc/krb5.conf as follows :
[root@test ~]# cat /etc/krb5.conf
.....
[libdefaults]
default_realm = FOO.BAR
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
FOO.BAR = {
kdc = DC.FOO.BAR:88
admin_server = DC.FOO.BAR:749
default_domain = FOO.BAR
}

[domain_realm]
.FOO.BAR = FOO.BAR
FOO.BAR = FOO.BAR

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}


The AD is dc.foo.bar and there's no firewall issue between apache and
the AD. NTP sync from the AD also works fine.
[root@test ~]# ntpdate -u dc.foo.bar
19 Nov 09:42:35 ntpdate[3440]: adjust time server 172.31.100.165
offset -0.048116 sec

When I try kinit apache1, it works fine.

[root@test ~]# kinit apache1
Password for apache1@FOO.BAR:
[root@test ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: apache1@FOO.BAR
Valid starting Expires Service principal
11/19/07 08:17:26 11/19/07 18:13:38 krbtgt/FOO.BARA@FOO.BAR
renew until 11/20/07 08:17:26
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Now I've configured Apache as follows :
[root@test ~]# cat /etc/httpd/conf/httpd.conf | grep Realm -B 8 -A 10
# features.
#

Options FollowSymLinks
AllowOverride None
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealm foo.bar
KrbServiceName HTTP
KrbMethodNegotiate on
Krb5KeyTab /etc/krb5.keytab
KrbVerifyKDC off
#require user apache1@FOO.BAR
require valid-user



My keytab file is as follows

[root@test ~]# cat /var/www/krb5.keytab
HTTP/test.foo.bar@FOO.BAR
[root@test ~]# ll /var/www/krb5.keytab
-rw-r--r-- 1 apache apache 36 Nov 19 10:08 /var/www/krb5.keytab
[root@test ~]#

When I try to log in as apache1 from the browser,
[Mon Nov 19 09:25:33 2007] [error] [client 172.31.32.52]
krb5_get_init_creds_password() failed: KDC reply did not match
expectations

If the username or the password is wrong, I get errors saying "client
not in database" or "preauthentication failed". It's only when the
password is correct that I get this error. On the browser side, the
server just prompts for the password again.

Suggestions, anybody?

Thanks in advance
Nabeel
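Editor's added example, not part of Nabeel's post: a small POSIX shell checker that takes the httpd.conf and krb5.conf fragments quoted above (copied inline as constructed strings) and flags the things a reviewer would look at first. Kerberos realm names are case-sensitive and the AD realm here is FOO.BAR, so a lower-case KrbAuthRealm makes mod_auth_kerb request a TGT for apache1@foo.bar while the KDC answers for FOO.BAR; that realm mismatch is a well-known cause of krb5_get_init_creds_password() failing with "KDC reply did not match expectations" only once the password is right. The script also notices that Krb5KeyTab points at /etc/krb5.keytab while the keytab shown lives in /var/www/krb5.keytab, that KrbVerifyKDC off skips the check that a password-obtained TGT really came from the KDC holding the HTTP/ service key (KDC spoofing), and that a 0644 keytab is readable by every local user. The keytab path and the ls -l mode string are passed as arguments rather than read from disk so it runs offline; the function names are mine.

```shell
#!/bin/sh
# Added reviewer check (not from the original post). The two fragments are
# constructed copies of the post's httpd.conf and krb5.conf snippets.
HTTPD_CONF_SNIPPET='AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealm foo.bar
KrbServiceName HTTP
KrbMethodNegotiate on
Krb5KeyTab /etc/krb5.keytab
KrbVerifyKDC off
require valid-user'

KRB5_CONF_SNIPPET='[libdefaults]
default_realm = FOO.BAR
dns_lookup_realm = false
dns_lookup_kdc = true'

# First value of an httpd.conf directive (directive names are case-insensitive).
httpd_directive() {
    printf '%s\n' "$2" | awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

# default_realm from a krb5.conf fragment, whitespace stripped.
krb5_default_realm() {
    printf '%s\n' "$1" | awk -F'=' '$1 ~ /default_realm/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# check_auth_kerb HTTPD_FRAGMENT KRB5_FRAGMENT ACTUAL_KEYTAB_PATH
# Prints one finding per line; no output means every check passed.
check_auth_kerb() {
    httpd="$1"; krb5="$2"; actual_keytab="$3"
    realm=$(httpd_directive KrbAuthRealm "$httpd")
    default_realm=$(krb5_default_realm "$krb5")
    keytab=$(httpd_directive Krb5KeyTab "$httpd")
    verify=$(httpd_directive KrbVerifyKDC "$httpd" | tr '[:upper:]' '[:lower:]')
    upper_realm=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')

    # Realm names are case-sensitive; a lower-case realm makes the module ask
    # the KDC for user@foo.bar while the KDC answers for FOO.BAR.
    [ "$realm" = "$upper_realm" ] || \
        echo "REALM_CASE: KrbAuthRealm '$realm' is not upper-case"
    [ "$upper_realm" = "$default_realm" ] || \
        echo "REALM_MISMATCH: KrbAuthRealm '$realm' does not match default_realm '$default_realm'"
    # The module reads the keytab named by Krb5KeyTab, not the one in /var/www.
    [ "$keytab" = "$actual_keytab" ] || \
        echo "KEYTAB_PATH: Krb5KeyTab is '$keytab' but the keytab shown is '$actual_keytab'"
    # With KrbVerifyKDC off, a password-obtained TGT is not checked against the
    # service key, so a spoofed KDC could authenticate any user.
    [ "$verify" != "off" ] || \
        echo "VERIFY_KDC_OFF: KrbVerifyKDC off disables the KDC-spoofing check"
}

# keytab_mode_finding MODE_STRING  (the ls -l mode column, e.g. -rw-r--r--)
# A keytab is a long-term service key: only its owner should be able to read it.
keytab_mode_finding() {
    mode="$1"
    case "$(printf '%s' "$mode" | cut -c5-10)" in
        ------) ;;
        *) echo "KEYTAB_MODE: group/other permission bits are set ($mode)" ;;
    esac
}

# Run against the configuration from the post.
check_auth_kerb "$HTTPD_CONF_SNIPPET" "$KRB5_CONF_SNIPPET" /var/www/krb5.keytab
keytab_mode_finding '-rw-r--r--'
```

Against the post's fragments the checker reports REALM_CASE, KEYTAB_PATH, VERIFY_KDC_OFF and KEYTAB_MODE; with KrbAuthRealm FOO.BAR, Krb5KeyTab pointing at the file that actually holds HTTP/test.foo.bar@FOO.BAR, KrbVerifyKDC on and the keytab chmod 0600 and owned by the apache user, it prints nothing.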