Apache error log - Kerberos

This is a discussion on Apache error log - Kerberos ; Hi, I was setting up Kerberos enviroment using this guide http://www.grolmsnet.de/kerbtut . Done all described steps, but authorization not working! Please see error messages. Where I should look? I can do kinit or kvno all are working. I totaly confused ...

+ Reply to Thread
Results 1 to 4 of 4

Thread: Apache error log

  1. Apache error log

    Hi,

    I was setting up Kerberos enviroment using this guide
    http://www.grolmsnet.de/kerbtut. Done all described steps, but
    authorization not working! Please see error messages. Where I should
    look? I can do kinit or kvno all are working. I totaly confused after
    many days fight with this thing! Can anyone help??
    Thank you!
    -------------------------------------------------------------------------------------------------
    [debug] src/mod_auth_kerb.c(1483): [client 10.196.5.113]
    kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Mon Jul 17 12:47:19 2006] [debug] src/mod_auth_kerb.c(1483): [client
    10.196.5.113] kerb_authenticate_user entered with user (NULL) and
    auth_type Kerberos
    [Mon Jul 17 12:47:19 2006] [debug] src/mod_auth_kerb.c(1174): [client
    10.196.5.113] Acquiring creds for HTTP@testsd.vsaa.lv
    [Mon Jul 17 12:47:19 2006] [error] [client 10.196.5.113]
    gss_acquire_cred() failed: Unspecified GSS failure. Minor code may
    provide more information (No principal in keytab matches desired name)



    Aigars
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Apache error log

    >
    > Hi,
    > I was setting up Kerberos enviroment using this guide
    > http://www.grolmsnet.de/kerbtut. Done all described steps, but
    > authorization not working! Please see error messages. Where I should
    > look? I can do kinit or kvno all are working. I totaly confused after
    > many days fight with this thing! Can anyone help??
    > Thank you!
    > -------------------------------------------------------------------------------------------------
    > [debug] src/mod_auth_kerb.c(1483): [client 10.196.5.113]
    > kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    > [Mon Jul 17 12:47:19 2006] [debug] src/mod_auth_kerb.c(1483): [client
    > 10.196.5.113] kerb_authenticate_user entered with user (NULL) and
    > auth_type Kerberos
    > [Mon Jul 17 12:47:19 2006] [debug] src/mod_auth_kerb.c(1174): [client
    > 10.196.5.113] Acquiring creds for HTTP@testsd.vsaa.lv


    What is KrbServiceName set to? This looks wrong; "HTTP@testsd.vsaa.lv"
    should be HTTP/@TESTSD.VSAA.LV (realms are traditionally upper
    case).

    > [Mon Jul 17 12:47:19 2006] [error] [client 10.196.5.113]
    > gss_acquire_cred() failed: Unspecified GSS failure. Minor code may
    > provide more information (No principal in keytab matches desired name)
    >
    >
    >
    > Aigars
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos



    --
    Richard Silverman
    res@qoxp.net


  3. Re: Apache error log

    On Mon, Jul 17, 2006 at 11:27:32AM -0400, Richard E. Silverman wrote:
    > >
    > > Hi,
    > > I was setting up Kerberos enviroment using this guide
    > > http://www.grolmsnet.de/kerbtut. Done all described steps, but
    > > authorization not working! Please see error messages. Where I should
    > > look? I can do kinit or kvno all are working. I totaly confused after
    > > many days fight with this thing! Can anyone help??
    > > Thank you!
    > > -------------------------------------------------------------------------------------------------
    > > [debug] src/mod_auth_kerb.c(1483): [client 10.196.5.113]
    > > kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    > > [Mon Jul 17 12:47:19 2006] [debug] src/mod_auth_kerb.c(1483): [client
    > > 10.196.5.113] kerb_authenticate_user entered with user (NULL) and
    > > auth_type Kerberos
    > > [Mon Jul 17 12:47:19 2006] [debug] src/mod_auth_kerb.c(1174): [client
    > > 10.196.5.113] Acquiring creds for HTTP@testsd.vsaa.lv

    >
    > What is KrbServiceName set to? This looks wrong; "HTTP@testsd.vsaa.lv"
    > should be HTTP/@TESTSD.VSAA.LV (realms are traditionally upper
    > case).


    If the logging is outputting the GSS principal then HTTP@testsd.vsaa.lv
    may be okay as a GSS_C_NT_HOSTBASED_SERVICE name.

    > > [Mon Jul 17 12:47:19 2006] [error] [client 10.196.5.113]
    > > gss_acquire_cred() failed: Unspecified GSS failure. Minor code may
    > > provide more information (No principal in keytab matches desired name)

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

    I bet the Kerberos service key for HTTP/testsd.vsaa.lv@
    is missing in the keytab however. The admin needs to create this
    kerberos principal then do a kadmin ktadd of this service principal to
    the local keytab file.

    --
    Will Fiveash
    Sun Microsystems Inc.
    Austin, TX, USA (TZ=CST6CDT)
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  4. Re: Apache error log

    There was misunderstood with DNS configuration at AD side. Fixing that
    was resolved problem. Right now I have working enviroment with FEDORA
    4+ WIN AD 2003+mod_auth_kerb.

    Next my step is set up all this to may test enviroment with SUSE Linux
    enterprise server 8.0. First problem is mod_auth_kerb installation
    show up some errors and I can't find ready module from
    http://rpmfind.net for suse 8.0.
    Little bit tricky, but finally get installed mod_auth_kerb on SUSE. I
    was setted up kerberos enviroment and start testing. There I get
    errors at apache log file:
    -------------------------------------------------------------------------------------------------
    [notice] child pid 2075 exit signal Segmentation fault (11)
    ----------------------------------------------------------------------------------------------------
    Consulting with collegues I was realized so apache module was falling
    out with abnormal end. Maybe somone was hit on same problem? I suppose
    so mod_auth_kerb is not correctly installed and running. Can anyone
    was setted up mod_auth_kerb with SUSE?
    Thank you!

    best regards,
    Aigars




    On 7/17/06, Will Fiveash wrote:
    > On Mon, Jul 17, 2006 at 11:27:32AM -0400, Richard E. Silverman wrote:
    > > >
    > > > Hi,
    > > > I was setting up Kerberos enviroment using this guide
    > > > http://www.grolmsnet.de/kerbtut. Done all described steps, but
    > > > authorization not working! Please see error messages. Where I should
    > > > look? I can do kinit or kvno all are working. I totaly confused after
    > > > many days fight with this thing! Can anyone help??
    > > > Thank you!
    > > > -------------------------------------------------------------------------------------------------
    > > > [debug] src/mod_auth_kerb.c(1483): [client 10.196.5.113]
    > > > kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    > > > [Mon Jul 17 12:47:19 2006] [debug] src/mod_auth_kerb.c(1483): [client
    > > > 10.196.5.113] kerb_authenticate_user entered with user (NULL) and
    > > > auth_type Kerberos
    > > > [Mon Jul 17 12:47:19 2006] [debug] src/mod_auth_kerb.c(1174): [client
    > > > 10.196.5.113] Acquiring creds for HTTP@testsd.vsaa.lv

    > >
    > > What is KrbServiceName set to? This looks wrong; "HTTP@testsd.vsaa.lv"
    > > should be HTTP/@TESTSD.VSAA.LV (realms are traditionally upper
    > > case).

    >
    > If the logging is outputting the GSS principal then HTTP@testsd.vsaa.lv
    > may be okay as a GSS_C_NT_HOSTBASED_SERVICE name.
    >
    > > > [Mon Jul 17 12:47:19 2006] [error] [client 10.196.5.113]
    > > > gss_acquire_cred() failed: Unspecified GSS failure. Minor code may
    > > > provide more information (No principal in keytab matches desired name)

    > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    >
    > I bet the Kerberos service key for HTTP/testsd.vsaa.lv@
    > is missing in the keytab however. The admin needs to create this
    > kerberos principal then do a kadmin ktadd of this service principal to
    > the local keytab file.
    >
    > --
    > Will Fiveash
    > Sun Microsystems Inc.
    > Austin, TX, USA (TZ=CST6CDT)
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


+ Reply to Thread