-
Apache error log
Hi,
I was setting up a Kerberos environment using this guide:
http://www.grolmsnet.de/kerbtut. I have done all the described steps, but
authorization is not working! Please see the error messages. Where should I
look? I can do kinit or kvno; all are working. I am totally confused after
many days of fighting with this thing! Can anyone help??
Thank you!
-------------------------------------------------------------------------------------------------
[debug] src/mod_auth_kerb.c(1483): [client 10.196.5.113]
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jul 17 12:47:19 2006] [debug] src/mod_auth_kerb.c(1483): [client
10.196.5.113] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Mon Jul 17 12:47:19 2006] [debug] src/mod_auth_kerb.c(1174): [client
10.196.5.113] Acquiring creds for HTTP@testsd.vsaa.lv
[Mon Jul 17 12:47:19 2006] [error] [client 10.196.5.113]
gss_acquire_cred() failed: Unspecified GSS failure. Minor code may
provide more information (No principal in keytab matches desired name)
Aigars
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
-
Re: Apache error log
> Hi,
> I was setting up a Kerberos environment using this guide:
> http://www.grolmsnet.de/kerbtut. I have done all the described steps, but
> authorization is not working! Please see the error messages. Where should I
> look? I can do kinit or kvno; all are working. I am totally confused after
> many days of fighting with this thing! Can anyone help??
> Thank you!
> -------------------------------------------------------------------------------------------------
> [debug] src/mod_auth_kerb.c(1483): [client 10.196.5.113]
> kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Mon Jul 17 12:47:19 2006] [debug] src/mod_auth_kerb.c(1483): [client
> 10.196.5.113] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Mon Jul 17 12:47:19 2006] [debug] src/mod_auth_kerb.c(1174): [client
> 10.196.5.113] Acquiring creds for HTTP@testsd.vsaa.lv
What is KrbServiceName set to? This looks wrong; "HTTP@testsd.vsaa.lv"
should be HTTP/<hostname>@TESTSD.VSAA.LV (realms are traditionally upper
case).
> [Mon Jul 17 12:47:19 2006] [error] [client 10.196.5.113]
> gss_acquire_cred() failed: Unspecified GSS failure. Minor code may
> provide more information (No principal in keytab matches desired name)
>
> Aigars
--
Richard Silverman
res@qoxp.net
-
Re: Apache error log
On Mon, Jul 17, 2006 at 11:27:32AM -0400, Richard E. Silverman wrote:
> >
> > Hi,
> > I was setting up a Kerberos environment using this guide:
> > http://www.grolmsnet.de/kerbtut. I have done all the described steps, but
> > authorization is not working! Please see the error messages. Where should I
> > look? I can do kinit or kvno; all are working. I am totally confused after
> > many days of fighting with this thing! Can anyone help??
> > Thank you!
> > -------------------------------------------------------------------------------------------------
> > [debug] src/mod_auth_kerb.c(1483): [client 10.196.5.113]
> > kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> > [Mon Jul 17 12:47:19 2006] [debug] src/mod_auth_kerb.c(1483): [client
> > 10.196.5.113] kerb_authenticate_user entered with user (NULL) and
> > auth_type Kerberos
> > [Mon Jul 17 12:47:19 2006] [debug] src/mod_auth_kerb.c(1174): [client
> > 10.196.5.113] Acquiring creds for HTTP@testsd.vsaa.lv
>
> What is KrbServiceName set to? This looks wrong; "HTTP@testsd.vsaa.lv"
> should be HTTP/<hostname>@TESTSD.VSAA.LV (realms are traditionally upper
> case).
If the logging is outputting the GSS principal then HTTP@testsd.vsaa.lv
may be okay as a GSS_C_NT_HOSTBASED_SERVICE name.
> > [Mon Jul 17 12:47:19 2006] [error] [client 10.196.5.113]
> > gss_acquire_cred() failed: Unspecified GSS failure. Minor code may
> > provide more information (No principal in keytab matches desired name)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I bet the Kerberos service key for HTTP/testsd.vsaa.lv@<Kerberos Realm>
is missing in the keytab however. The admin needs to create this
kerberos principal then do a kadmin ktadd of this service principal to
the local keytab file.
--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
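
Added example (not part of the original thread and not mod_auth_kerb code): a check that maps the GSS host-based name from the log to the krb5 principal the keytab must hold, then classifies a `klist -k` listing. The realm EXAMPLE.TEST, the keytab path and the listing are constructed placeholders; the case-mismatch branch goes beyond the missing-key case discussed above.

```python
import re

# Constructed `klist -k` listing; realm EXAMPLE.TEST and the keytab path are placeholders.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/testsd.vsaa.lv@EXAMPLE.TEST
   3 http/testsd.vsaa.lv@EXAMPLE.TEST
"""

def gss_to_krb5(hostbased, realm):
    """Map a GSS host-based name 'service@host' to 'service/host@REALM'.
    The real library may also canonicalize the host through DNS; not modeled here."""
    service, sep, host = hostbased.partition("@")
    if not (service and sep and host):
        raise ValueError("not a service@host name: %r" % hostbased)
    return "%s/%s@%s" % (service, host.lower(), realm)

def keytab_principals(klist_output):
    """Return (kvno, principal) pairs from plain `klist -k` output."""
    pairs = []
    for line in klist_output.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)", line)
        if m:
            pairs.append((int(m.group(1)), m.group(2)))
    return pairs

def check_keytab(hostbased, realm, klist_output):
    """Classify the keytab as 'ok', 'case-mismatch' or 'missing' for the service."""
    want = gss_to_krb5(hostbased, realm)
    have = keytab_principals(klist_output)
    kvnos = [k for k, p in have if p == want]
    if kvnos:
        return "ok", want, kvnos
    # Principal names are case-sensitive: http/... does not satisfy HTTP/...
    near = [p for _, p in have if p.lower() == want.lower()]
    if near:
        return "case-mismatch", want, near
    return "missing", want, []

if __name__ == "__main__":
    print(check_keytab("HTTP@testsd.vsaa.lv", "EXAMPLE.TEST", SAMPLE_KLIST))
```

Both "case-mismatch" and "missing" leave no keytab entry whose name equals the wanted principal, the condition that the "No principal in keytab matches desired name" minor status reports.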
-
Re: Apache error log
There was a misunderstanding with the DNS configuration on the AD side. Fixing
that resolved the problem. Right now I have a working environment with
FEDORA 4 + WIN AD 2003 + mod_auth_kerb.
My next step is to set all this up in my test environment with SUSE Linux
Enterprise Server 8.0. The first problem is that the mod_auth_kerb installation
shows some errors and I can't find a ready-made module at
http://rpmfind.net for SUSE 8.0.
It was a little bit tricky, but I finally got mod_auth_kerb installed on SUSE.
I set up the Kerberos environment and started testing. There I get
errors in the Apache log file:
-------------------------------------------------------------------------------------------------
[notice] child pid 2075 exit signal Segmentation fault (11)
----------------------------------------------------------------------------------------------------
After consulting with colleagues I realized that the Apache module was
ending abnormally. Maybe someone has hit the same problem? I suppose
that mod_auth_kerb is not correctly installed and running. Has anyone
set up mod_auth_kerb with SUSE?
Thank you!
best regards,
Aigars