mod_auth_kerb credential error for principal - Kerberos



Thread: mod_auth_kerb credential error for principal

  1. mod_auth_kerb credential error for principal

    Hello,

    I'm facing a serious problem with a Kerberos ticket.

    I'm trying to authenticate Windows users to the Linux Apache web server using the Kerberos authentication method, and for Apache, mod_auth_kerb.

    I'm having problems with the keytab.



    Targeting domain controller: DCserver.domain.com
    Successfully mapped HTTP/LinuxServer.domain.com to myuser.
    Type the password for HTTP/LinuxServer.domain.com:
    Type the password again to confirm:
    Key created.
    Output keytab to c:\temp\apache.keytab:
    Keytab version: 0x502
    keysize 56 HTTP/LinuxServer.weg.net@WEG.NET ptype 1 (KRB5_NT_PRINCIPAL) vno 23 etype 0x3 (DES-CBC-MD5) keylength 8 (0x2f342c51891c1c68)
    Account myuser has been set for DES-only encryption.



    > I'm trying to use this keytab at the Linux Apache server with mod_auth_kerb; and if I put the apache.keytab that was just created at the Windows side into the Linux side, it doesn't work. I got the error when I run the kinit command:
    >
    > #kinit -k -t /usr/local/apache2/conf/apache.keytab
    > kinit(v5): Client not found in Kerberos database while getting initial credentials




    If I run kinit myuser and enter my password, it works fine, and after running this, if I run klist it shows me the cached ticket fine.

    Also, if I run ktutil and check the kvno in the keytab, it gives me the right number (same as the one created at the Windows side through ktpass).





    > May someone help me please,
    > I'm stuck on this, almost one week, and don't know what else to do.




    Edson Habowsky
    Information Systems Department
    Sc Data Center - Technology
    Infrastructure Analyst - Servers/Storage
    Phone: 55 (47) 3276 4619 - edsonh@weg.net
    WEG Equipamentos Elétricos S.A. - Corporate
    "TRANSFORMING ENERGY INTO SOLUTIONS"



    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: mod_auth_kerb credential error for principal

    A couple of things.
    AD is case insensitive, but Kerberos is not.
    The principal should have a lowercase host name.
    Fix it now before it causes more problems.


    kinit requires a principal as a parameter.
    kinit -k \
    -t /usr/local/apache2/conf/apache.keytab \
    HTTP/linuxserver.domain.com@WEG.NET

    The account name myuser should relate to the
    principal name, as each principal will need an account.
    (MS called it a user account; it is not a real user, it is
    for the service.)


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444


  3. RES: RES: RES: mod_auth_kerb credential error for principal

    It's solved! (a bit)
    I put these parameters into httpd.conf:
    KrbVerifyKDC off
    KrbServiceName HTTP

    and it started working!!

    Thanks a lot,



    Edson Habowsky
    Information Systems Department
    Sc Data Center - Technology
    Infrastructure Analyst - Servers/Storage
    Phone: 55 (47) 3276 4619 - edsonh@weg.net
    WEG Equipamentos Elétricos S.A. - Corporate
    "TRANSFORMING ENERGY INTO SOLUTIONS"
    -----Original Message-----
    From: Douglas E. Engert [mailto:deengert@anl.gov]
    Sent: Friday, 23 March 2007 15:59
    To: Edson Habowsky
    Subject: Re: RES: RES: mod_auth_kerb credential error for principal

    Ask your question on the mod_auth_kerb list.


    Edson Habowsky wrote:
    > Yupeeee..
    >
    > I got something.
    > I reset the user's password, started the whole thing over, and now I'm able to do the kinit -kt ../../apache.keytab HTTP/linuxserver.domain.com@DOMAIN.COM
    >
    > And if I run klist, I get the default principal ticket OK in the cache. NICE...
    > But,
    > Now if I try to access the web server I'm not able to authenticate, and if I look at /usr/local/apache2/logs/error_log I see this:
    >
    > failed to verify krb5 credentials: Server not found in Kerberos database
    >
    > Do you know what this is? Am I still having the same problem?
    >
    > Edson Habowsky
    > Information Systems Department
    > Sc Data Center - Technology
    > Infrastructure Analyst - Servers/Storage
    > Phone: 55 (47) 3276 4619 - edsonh@weg.net
    > WEG Equipamentos Elétricos S.A. - Corporate
    > "TRANSFORMING ENERGY INTO SOLUTIONS"
    >
    > -----Original Message-----
    > From: Edson Habowsky
    > Sent: Friday, 23 March 2007 14:42
    > To: 'Douglas E. Engert'
    > Subject: RES: RES: mod_auth_kerb credential error for principal
    >
    > Man, this is driving me crazy already..
    > I'm using a tool called adsiedit from M$ in order to edit the user properties and the principal properties. What I do is delete, from both, the information that indicates which is the PrincipalService and the user mapped to it.
    >
    > Then I run ktpass again with -mapuser myuser (mapuser:myuser doesn't work) in order to generate the keytab again. This works!
    > Then I put this file into the Linux box, which is the principal, and run the kinit program over the key, and I get the message already reported here:
    > " kinit(v5): Client not found in Kerberos database while getting initial credentials"
    >
    > I already tested with another user for this principal and also reset the account for this principal on the M$ AD side, and I'm still getting the same message.
    >
    > Edson Habowsky
    > Information Systems Department
    > Sc Data Center - Technology
    > Infrastructure Analyst - Servers/Storage
    > Phone: 55 (47) 3276 4619 - edsonh@weg.net
    > WEG Equipamentos Elétricos S.A. - Corporate
    > "TRANSFORMING ENERGY INTO SOLUTIONS"
    >
    > -----Original Message-----
    > From: Douglas E. Engert [mailto:deengert@anl.gov]
    > Sent: Friday, 23 March 2007 13:16
    > To: Edson Habowsky
    > Subject: Re: RES: mod_auth_kerb credential error for principal
    >
    >
    >
    > Edson Habowsky wrote:
    >> I did it with the lowercase:
    >>
    >> [root@linuxserver ~]# kinit -k -t /usr/local/apache2/conf/apache.keytab HTTP/linuxserver.domain.com@DOMAIN.COM
    >> kinit(v5): Preauthentication failed while getting initial credentials
    >>
    >> Before I did this, I ran adsiedit and deleted the userprincipal from linuxserver and the principal associated to the user account. Then I generated the keytab.
    >>

    >
    > It is not clear what you did. Did you start over?
    >
    >
    > The password used with the service account (what you have been calling myuser)
    > has to be the same password used with the ktpass command to create the
    > keytab.
    >
    > I would start over by deleting the "myuser" account.
    > Then have your AD create an account with the name HTTP-linuxserver.
    > It cannot have a "/", must be 20 characters or less, and must be a unique name
    > within the AD forest. It is the samAccountName.
    > Then run ktpass using /mapuser:HTTP-linuxserver
    >
    >
    >> Edson Habowsky
    >> Information Systems Department
    >> Sc Data Center - Technology
    >> Infrastructure Analyst - Servers/Storage
    >> Phone: 55 (47) 3276 4619 - edsonh@weg.net
    >> WEG Equipamentos Elétricos S.A. - Corporate
    >> "TRANSFORMING ENERGY INTO SOLUTIONS"
    >> -----Original Message-----
    >> From: Douglas E. Engert [mailto:deengert@anl.gov]
    >> Sent: Thursday, 22 March 2007 16:57
    >> To: Edson Habowsky
    >> Cc: kerberos@mit.edu
    >> Subject: Re: mod_auth_kerb credential error for principal


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444

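An added example, not code from the thread or from mod_auth_kerb, for the `KrbVerifyKDC off` change that made things work in the last message. With password logins enabled (`KrbMethodK5Passwd`, on by default), mod_auth_kerb obtains a TGT with the user's password and then, while `KrbVerifyKDC` is on (also the default), requests a service ticket for its own principal, `<KrbServiceName>/<hostname>@<realm>`, and decrypts it with the key from `Krb5Keytab`. That verification step is what logged "failed to verify krb5 credentials: Server not found in Kerberos database": the KDC had no principal by the name the module asked for, which is the mismatch the lowercase host name and mapped-account advice earlier in the thread addresses. Turning verification off skips the step and with it the protection against a spoofed KDC; the module's own documentation limits that setting to testing. The checker below parses a constructed httpd.conf fragment, derives the expected service principal (assuming the lowercased server name and no DNS canonicalization), compares it with a list of keytab principals, and flags the weak setting. Realm, host name and paths are assumptions. The same name must also be registered as an SPN on the mapped AD account (`setspn -L <account>` shows that side), which an offline check cannot see.

```python
import re

# Constructed httpd.conf fragment using the mod_auth_kerb directives named in the
# thread; realm, keytab path and location are assumptions, not a real deployment.
HTTPD_CONF_FRAGMENT = """\
<Location /secure>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms WEG.NET
    Krb5Keytab /usr/local/apache2/conf/apache.keytab
    KrbServiceName HTTP
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbVerifyKDC off
    require valid-user
</Location>
"""

# mod_auth_kerb defaults for the directives this check reads.
DEFAULTS = {"krbservicename": "HTTP", "krbverifykdc": "on", "krbmethodk5passwd": "on"}


def parse_directives(conf):
    """Collect Krb* directives; Apache directive names are case-insensitive."""
    found = dict(DEFAULTS)
    for line in conf.splitlines():
        m = re.match(r"\s*(Krb\w+)\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def expected_service_principal(directives, server_hostname):
    """Principal the module asks the KDC for when verifying credentials:
    <KrbServiceName>/<hostname>@<first KrbAuthRealms entry>, host name lowercased."""
    realm = directives["krbauthrealms"].split()[0]
    return "%s/%s@%s" % (directives["krbservicename"], server_hostname.lower(), realm)


def audit_config(conf, server_hostname, keytab_principals):
    """Findings to resolve before relying on this configuration (empty list = none)."""
    d = parse_directives(conf)
    findings = []
    want = expected_service_principal(d, server_hostname)
    if want not in keytab_principals:
        findings.append("no keytab entry for %s (keytab has: %s); the module cannot decrypt "
                        "a service ticket for itself, so credential verification fails"
                        % (want, ", ".join(keytab_principals) or "nothing"))
    if d["krbverifykdc"].lower() == "off" and d["krbmethodk5passwd"].lower() == "on":
        findings.append("KrbVerifyKDC off while password logins (KrbMethodK5Passwd) are on: "
                        "the TGT obtained with the user's password is never checked against "
                        "the local keytab, so a forged KDC reply would be accepted")
    return findings


if __name__ == "__main__":
    # Keytab principal as the ktpass output in the thread spelled it (mixed case).
    for finding in audit_config(HTTPD_CONF_FRAGMENT, "linuxserver.weg.net",
                                ["HTTP/LinuxServer.weg.net@WEG.NET"]):
        print("finding:", finding)
```

Run against the real httpd.conf by reading the file into `audit_config` together with the principals `klist -k <keytab>` lists; the fix the findings point to is a keytab and SPN that match the derived name, after which `KrbVerifyKDC` can stay at its default.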

