failed to verify krb5 credentials - Kerberos

  1. failed to verify krb5 credentials

    Hello,
    I am running the Kerberos module with Apache 1.3.34 on an Ubuntu Linux
    box.

    When I try to access the website hosted by Apache, I get the username
    and password prompt box, but on entering the correct credentials, the
    box stays there and keeps on asking for username and password.

    On checking the error_log file in Apache I found this:

    failed to verify krb5 credentials: Server not found in Kerberos
    database

    On entering some wrong username and password this is what I get:
    krb5_get_init_creds_password() failed: Client not found in Kerberos
    database

    What am I doing wrong?

    Keytab file? Wrong realm?

    My kinit works fine.


  2. Re: failed to verify krb5 credentials

    You need to determine which Kerberos principal Apache is trying
    to lookup, and that will help you troubleshoot the problem.

    We've seen this error when using virtual hosts. If you have the
    following service principal in your keytab:

    HTTP/www.example.com@EXAMPLE.COM

    and you are accessing the following URL:

    http://not-www.example.com/

    the Kerberos module will attempt to get a service ticket for the
    service principal HTTP/not-www.example.com@EXAMPLE.COM

    What we ended up doing was using mod_rewrite so that all of our
    urls mapped into the http://www.example.com/... namespace, and
    then we only had to set up a service principal for
    HTTP/www.example.com, rather than one for every virtual host.

    -- Tom

    Thomas A. La Porte, DreamWorks Animation


    On Thu, 16 Mar 2006, abbas.attarwala@gmail.com wrote:

    > Hello,
    > I am running the kerberos module with apache 1.3.34 on a ubuntu linux
    > box.
    >
    > When i try to access the website hosted by apache, i get the username
    > and password prompt box, but on entering the correct credentials, the
    > box stays there and keeps on asking for username and password.
    >
    > On checking the error_log file in apache i found this:
    >
    > failed to verify krb5 credentials: Server not found in Kerberos
    > database
    >
    > On entering some wrong username and password this is what i get
    > krb5_get_init_creds_password() failed: Client not found in Kerberos
    > database
    >
    > what am i doing wrong?
    >
    > keytab file? wrong realm?
    >
    > my kinit works fine.
    >
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >
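
The virtual-host mismatch described in the reply above can be checked before users hit it. This is an added example, not code from the thread: it parses `klist -k` output and reports which URL hostnames have no matching `HTTP/<host>@REALM` entry. The keytab path and the sample output are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample of `klist -k` output for the web server's keytab.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/apache/http.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 HTTP/www.example.com@EXAMPLE.COM
   3 host/www.example.com@EXAMPLE.COM
"""

def keytab_principals(klist_text):
    """Return the set of principals listed in `klist -k` output."""
    principals = set()
    for line in klist_text.splitlines():
        parts = line.split()
        # Entry lines are "<kvno> [timestamp] <principal>"; skip headers.
        if len(parts) >= 2 and parts[0].isdigit() and "@" in parts[-1]:
            principals.add(parts[-1])
    return principals

def expected_spn(url, realm):
    """Service principal looked up for this URL, as the reply describes."""
    host = urlsplit(url).hostname  # lower-cased, port removed
    return f"HTTP/{host}@{realm}"

def audit_urls(urls, klist_text, realm):
    """Map each URL to (expected principal, present in keytab?)."""
    have = keytab_principals(klist_text)
    result = {}
    for url in urls:
        spn = expected_spn(url, realm)
        result[url] = (spn, spn in have)
    return result

if __name__ == "__main__":
    urls = ["http://www.example.com/", "http://not-www.example.com/",
            "https://WWW.Example.com:8443/app"]
    for url, (spn, ok) in audit_urls(urls, KLIST_OUTPUT, "EXAMPLE.COM").items():
        print(f"{'ok     ' if ok else 'MISSING'} {spn}  <- {url}")
```

A `MISSING` line means the URL must either be rewritten to a covered hostname, as the reply did with mod_rewrite, or get its own service principal in the keytab.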



  3. Re: failed to verify krb5 credentials

    Thanks Thomas, for your suggestions.

    Yes, I was having a problem with my keytab file. My keytab file for some
    reason could not be accessed from the .htaccess file.

    What I did was to copy the contents of the .htaccess file and paste them in
    the directory attribute of the httpd.conf file of Apache (and get rid of
    .htaccess).

    This worked perfectly fine for me and my Kerberos authentication works great
    with Apache!

    thanks again!
    Abbas Attarwala
    Computer Engineering
    University of Waterloo
    Performance is Temporary, Class is Permanent



  4. Re: failed to verify krb5 credentials

    I may have run into some problems...

    I have mod_ssl running and my httpd.conf file is configured for
    Kerberos authentication.

    But when I check my httpd header response, this is what I am getting:

    WWW-Authenticate: Basic realm="Kerberos Login"

    It is Basic, and not Kerberos.

    Why is this?

    Thanks,
    abbas


  5. Re: failed to verify krb5 credentials

    OK, I am getting this now:

    WWW-Authenticate: Negotiate
    WWW-Authenticate: Basic realm="Kerberos Login"

    A ticket is still issued to any user who logs on to Apache and all works
    fine. The only thing that worries me is why I am still getting that
    WWW-Authenticate: Basic

    On using a sniffer tool, I can see the password of my test user. This
    is bad.

    Where am I going wrong?

    Thanks


  6. Re: failed to verify krb5 credentials

    I really need SPNEGO Kerberos authentication with mod_auth_kerb.

    I have followed the excellent tutorial on how to set this at
    http://www.grolmsnet.de/kerbtut/

    but still, the HTTP header file has

    WWW-Authenticate negotiate
    WWW-Authenticate Basic realm="Kerberos Login"

    and asks the user to enter his username and password.

    my httpd.conf file is:

    LoadModule auth_kerb_module /usr/lib/apache/1.3/mod_auth_kerb.so

    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate off
    KrbAuthoritative on
    KrbVerifyKDC off
    KrbAuthRealm MYDOMAIN.COM
    Krb5Keytab /etc/apache/apache.keypad
    KrbSaveCredentials off
    require valid-user


    I believe I need to set:
    KrbMethodNegotiate on
    KrbMethodK5Passwd off

    and place my webserver in the intranet zone in IE.

    Please let me know, so that when I go to work tomorrow I can implement
    these changes.
    Thanks.


  7. Re: failed to verify krb5 credentials

    Dear Abbas,

    > I really need SPNEGO Kerberos authentication with mod_auth_kerb.
    >
    > I have followed the excellent tutorial on how to set this at
    > http://www.grolmsnet.de/kerbtut/


    Very good link, thanks.

    >
    > but still, the HTTP header file has
    >
    > WWW-Authenticate negotiate
    > WWW-Authenticate Basic realm="Kerberos Login"
    >
    > and asks the user to enter his username and password.
    >


    From my experience (using IIS/IE only, YMMV) if the server proposes both
    Negotiate and Basic, the browser will use Negotiate if possible. If it
    can't use Negotiate then the client will fall back to Basic and prompt
    for user and password.


    > I believe I need to set:
    > KrbMethodNegotiate on
    > KrbMethodK5Passwd off
    >
    > and place my webserver in the intranet zone in IE.


    This is correct, as per the link you sent:
    "KrbMethodNegotiate controls if your webserver uses SPNEGO Kerberos.
    KrbMethodK5Passwd controls if your webserver uses BasicAuth with KDC as
    userdatabase"

    Set KrbMethodK5Passwd to off to avoid being prompted for user and
    password. Of course, this will make it impossible for users not
    authenticated on Kerberos to access the resources.

    > Please let me know, so that when i go to work tomorrow i can implement
    > these changes.
    > thanks.


    Hope that helps.

    Regards,

    Silvio Gissi
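
The effect of the two directives discussed above, as an added example that is not part of the original posts: a small audit that resolves the mod_auth_kerb on/off settings from the configuration posted in the thread and lists which `WWW-Authenticate` schemes the server will advertise. The default values and the note on `KrbVerifyKDC` are assumptions taken from the mod_auth_kerb documentation; `PROPOSED` applies only the change proposed in the thread.

```python
# Defaults assumed from the mod_auth_kerb documentation: each of these
# directives behaves as "on" when it is absent from the configuration.
DEFAULTS = {"krbmethodnegotiate": "on", "krbmethodk5passwd": "on",
            "krbverifykdc": "on"}

# Directives as posted in the thread (post 6).
POSTED = """\
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate off
KrbAuthoritative on
KrbVerifyKDC off
KrbAuthRealm MYDOMAIN.COM
Krb5Keytab /etc/apache/apache.keypad
KrbSaveCredentials off
require valid-user
"""
# The change proposed in the thread: Negotiate on, password method off.
PROPOSED = POSTED.replace("KrbMethodNegotiate off", "KrbMethodNegotiate on") \
    + "KrbMethodK5Passwd off\n"

def effective(conf_text):
    settings = dict(DEFAULTS)  # start from defaults, override when set
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in settings:
            settings[parts[0].lower()] = parts[1].strip().lower()
    return settings

def offered_schemes(conf_text):
    """WWW-Authenticate schemes the server will advertise on a 401."""
    s = effective(conf_text)
    return [name for key, name in (("krbmethodnegotiate", "Negotiate"),
                                   ("krbmethodk5passwd", "Basic")) if s[key] == "on"]

def findings(conf_text):
    s, out = effective(conf_text), []
    if s["krbmethodk5passwd"] == "on":
        out.append("Basic offered: password is only base64-encoded unless TLS is enforced")
    if s["krbmethodnegotiate"] != "on":
        out.append("Negotiate disabled: browsers can never use SPNEGO tickets")
    if s["krbverifykdc"] != "on":
        out.append("KrbVerifyKDC off: KDC replies are not verified against the keytab")
    return out

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("proposed", PROPOSED)):
        print(label, offered_schemes(conf), *findings(conf), sep="\n  ")
```

With neither method directive set, the audit reports both `Negotiate` and `Basic`, which matches the pair of headers seen in post 5.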
