Steinar Bang | 1 Jul 2004 09:17

Re: [modauthkerb] No principal in keytab matches desired name

>>>>> Daniel Kouril <kouril <at> ics.muni.cz>:

> Using the ktutil command for looking at the keytab is certainly more
> convenient and gives more detailed information (e.g. enctypes of the
> keys stored there).

OK.  Thanks!  (Note BTW that the problem has been fixed.  The problem
was a wrong ServerName setting in the httpd.conf file.)

>> I've also verified that mod_auth_kerb actually is reading the keytab,
>> by removing it and trying to access the server.

> Actually, what's removed by the module?

Nothing was removed by the module.  I manually removed the keytab, to
see if it made any difference in the module's behaviour.  

It did, as you can see below:

>> What was written to
>> the apache error_log then, was:
>> 	gss_acquire_cred() failed: Miscellaneous failure (No such file or directory)

> This error indicates that the module tries to read a non-existing file.

Well, yes...:-)

> Please check the Krb5Keytab directive.

>> Does it look like my keytab doesn't have the right principal in it?

Hartmaier Alexander | 1 Jul 2004 19:11

Re: [modauthkerb] RE: Error: gss_accept_sec_context() failed

Hi again!

Now I created a new service principal file with the real FQDN.
When I access the page I get the following error in the server log:

gss_acquire_cred() failed: Miscellaneous failure (No principal in keytab matches desired name)

The problem seems to be that the DNS name of the virtual host and the real one are different!

kerbtray.exe shows me the ticket, so using the real FQDN seems the right way.

What can be done to link the real FQDN (which is in the service principal file) and the virtual one?

THX Alex

-----Original Message-----
From: Jari Ahonen [mailto:jah <at> progress.com]
Sent: Tuesday, 29 June 2004 13:36
To: Hartmaier Alexander; Daniel Kouril
Cc: modauthkerb-help <at> lists.sourceforge.net
Subject: RE: [modauthkerb] RE: Error: gss_accept_sec_context() failed

> I think I know what the problem is:
> The FQDN of my webserver is nac1.mon.dsh.at. The virtual host
> is firewall.mon.dsh.at.
> I used firewall.mon.dsh.at for creating the service principal file.
> To avoid the 'matching principal not found' message I edited
> my /etc/hosts file.
> Should the service principal file always use the real FQDN?


Douglas E. Engert | 1 Jul 2004 20:25

Re: Re: [modauthkerb] RE: Error: gss_accept_sec_context() failed


Hartmaier Alexander wrote:
> 
> Hi again!
> 
> Now I created a new service principal file with the real FQDN.
> When I access the page I get the following error in the server log:
> 
> gss_acquire_cred() failed: Miscellaneous failure (No principal in keytab matches desired name)
> 
> The problem seems to be that the DNS name of the virtual host and the real one are different!
> 
> kerbtray.exe shows me the ticket, so using the real FQDN seems the right way.
> 
> What can be done to link the real FQDN (which is in the service principal file) and the virtual one?

It looks like mod_auth_kerb.c is passing ap_get_server_name(r) as the server name
to gss_acquire_cred. So can you add a principal for the virtual host to the keytab?
The point is the principal name has to match what the client is expecting it to be,
not the host name of the real host.

> 
> THX Alex
> 
> -----Original Message-----
> From: Jari Ahonen [mailto:jah <at> progress.com]
> Sent: Tuesday, 29 June 2004 13:36
> To: Hartmaier Alexander; Daniel Kouril
> Cc: modauthkerb-help <at> lists.sourceforge.net
> Subject: RE: [modauthkerb] RE: Error: gss_accept_sec_context() failed
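Steinar's fix (a wrong ServerName in httpd.conf) and Douglas's observation that the module asks the keytab for HTTP/<ap_get_server_name(r)> point to the same check: every name a browser may put in the URL needs a matching HTTP/ key in the keytab, because the Windows client requests a ticket named after the URL host while Apache looks for a key named after its ServerName. The script below is an added example, not code from this thread or from mod_auth_kerb. It pulls the ServerName and ServerAlias values out of an httpd.conf fragment, parses a keytab listing in the shape of MIT `klist -k -e` output (which also shows the enctypes Daniel mentions), and reports every host whose HTTP/ principal is absent. The httpd.conf fragment, the keytab path and both keytab listings are constructed to mirror the thread's try #2 and its repaired state; none of them come from the posters.

```sh
#!/bin/sh
# Added example: compare an Apache config's ServerName/ServerAlias values
# with the principals in a keytab listing.  Not from the thread or from
# mod_auth_kerb.  All inputs below are constructed; the keytab path is assumed.

# Constructed httpd.conf fragment mirroring try #2: the vhost answers as
# firewall.mon.dsh.at (plus an alias) but the keytab only holds the real FQDN.
HTTPD_CONF='
ServerName nac1.mon.dsh.at
<VirtualHost *:80>
    ServerName firewall.mon.dsh.at
    ServerAlias fw.mon.dsh.at
    <Location />
        AuthType Kerberos
        Krb5Keytab /etc/httpd/http.keytab
    </Location>
</VirtualHost>
'

# Constructed listing in the shape of `klist -k -e /etc/httpd/http.keytab`
# (MIT Kerberos): header, column line, ruler, then "KVNO principal (enctype)".
KEYTAB_LISTING='Keytab name: FILE:/etc/httpd/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/nac1.mon.dsh.at@INT.NEONET.AT (DES cbc mode with CRC-32)
   3 HTTP/nac1.mon.dsh.at@INT.NEONET.AT (DES cbc mode with RSA-MD5)
'

# Constructed listing of a keytab that also carries the vhost names.
KEYTAB_LISTING_FIXED='Keytab name: FILE:/etc/httpd/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/nac1.mon.dsh.at@INT.NEONET.AT (DES cbc mode with CRC-32)
   4 HTTP/firewall.mon.dsh.at@INT.NEONET.AT (DES cbc mode with CRC-32)
   4 HTTP/fw.mon.dsh.at@INT.NEONET.AT (DES cbc mode with CRC-32)
'

# Print each ServerName/ServerAlias host from a config text, one per line,
# skipping comment lines.  ServerName may carry a scheme and a port
# (ServerName https://host:443); strip both so only the host remains.
config_hosts() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^#/ { next }
    $1 == "ServerName" || $1 == "ServerAlias" {
      for (i = 2; i <= NF; i++) {
        h = $i
        sub(/^[a-zA-Z]+:\/\//, "", h)   # drop scheme
        sub(/:[0-9]+$/, "", h)          # drop port
        print h
      }
    }'
}

# Print the distinct principal names (realm stripped) from a klist -k listing;
# only lines that start with a numeric KVNO carry a principal.
keytab_principals() {
  printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { split($2, p, "@"); print p[1] }' | sort -u
}

# Print every config host whose HTTP/<host> principal is missing from the
# listing, one per line.  Exit status 0 when nothing is missing, 1 otherwise.
missing_principals() {
  config="$1"; listing="$2"; missing=0
  for host in $(config_hosts "$config" | sort -u); do
    if ! keytab_principals "$listing" | grep -qxF "HTTP/$host"; then
      echo "HTTP/$host"
      missing=1
    fi
  done
  return $missing
}

# Stand-alone run: the first listing is missing exactly the vhost names that
# ap_get_server_name() hands to gss_acquire_cred(); the second covers them all.
for listing in "$KEYTAB_LISTING" "$KEYTAB_LISTING_FIXED"; do
  if missing_principals "$HTTPD_CONF" "$listing"; then
    echo "keytab covers every ServerName/ServerAlias"
  else
    echo "add the principals listed above (or correct ServerName)"
  fi
done
```

The check covers only the Apache side of the handshake. With UseCanonicalName Off, ap_get_server_name(r) returns the Host header the client sent rather than the configured ServerName, so the set of names to cover is then every name clients actually use, not just the directives this script reads. Whether the DC will issue a ticket for HTTP/<URL host> at all, which is what failed in Alex's try #1, depends on that SPN existing in AD and cannot be seen from the keytab.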

Hartmaier Alexander | 2 Jul 2004 10:06

Re: [modauthkerb] RE: Error: gss_accept_sec_context() failed

Hi!

As you can see below, I used the name of the virtual host ServerName before and it didn't work!
The client doesn't get a ticket from the domain controller when using the virtual DNS name (but the server
finds the right principal because the name matches, as you wrote...).
What should I do now?

THX Alex

-----Original Message-----
From: Douglas E. Engert [mailto:deengert <at> anl.gov]
Sent: Thursday, 1 July 2004 20:26
To: Hartmaier Alexander
Cc: Jari Ahonen; Daniel Kouril; modauthkerb-help <at> lists.sourceforge.net
Subject: Re: Re: [modauthkerb] RE: Error: gss_accept_sec_context() failed

Hartmaier Alexander wrote:
> 
> Hi again!
> 
> Now I created a new service principal file with the real FQDN.
> When I access the page I get the following error in the server log:
> 
> gss_acquire_cred() failed: Miscellaneous failure (No principal in keytab matches desired name)
> 
> The problem seems to be that the DNS name of the virtual host and the real one are different!
> 
> kerbtray.exe shows me the ticket, so using the real FQDN seems the right way.
> 
> What can be done to link the real FQDN (which is in the service principal file) and the virtual one?

Daniel Kouril | 2 Jul 2004 10:30

Re: [modauthkerb] RE: Error: gss_accept_sec_context() failed

On Fri, Jul 02, 2004 at 10:06:41AM +0200, Hartmaier Alexander wrote:
> As you can see below, I used the name of the virtual host ServerName before
> and it didn't work!  The client doesn't get a ticket from the domain
> controller when using the virtual DNS name (but the server finds the right
> principal because the name matches, as you wrote...).

Could you please summarize which tickets your browser receives when
accessing the various virtual hosts and the FQDN (i.e. when these names are in
the URL entered in the browser)?

Also please try using the current CVS code; it contains better (fixed :-)
logging of the server name looked for in the keytab.

--
Dan

-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - 
digital self defense, top technical experts, no vendor pitches, 
unmatched networking opportunities. Visit www.blackhat.com

Hartmaier Alexander | 2 Jul 2004 11:18

Re: [modauthkerb] RE: Error: gss_accept_sec_context() failed

Re!

real FQDN: nac1.mon.dsh.at
virtual host DNS name: firewall.mon.dsh.at

try #1:
- service principal with 'firewall.mon.dsh.at'
- NO ticket listed by kerbtray.exe (WinXP IE6.0 with all patches from windowsupdate... maybe that matters too)
- Apache finds the service principal because the URL string and the DNS name in the service principal match,
but the client doesn't get a ticket from the DC and Apache logs 'gss_accept_sec_context() failed: A token was
invalid (Token header is malformed or corrupt)'

try #2:
- service principal with 'nac1.mon.dsh.at'
- ticket 'HTTP/nac1.mon.dsh.at@INT.NEONET.AT' is listed by kerbtray.exe
- Apache doesn't find the service principal and logs 'gss_acquire_cred() failed: Miscellaneous failure
(No principal in keytab matches desired name)'

Is there a daily CVS snapshot available for download?
If not, how do I get the latest CVS version?

Thanks, Alex

-----Original Message-----
From: Daniel Kouril [mailto:kouril <at> ics.muni.cz]
Sent: Friday, 2 July 2004 10:31
To: Hartmaier Alexander
Cc: Douglas E. Engert; Jari Ahonen; Daniel Kouril; modauthkerb-help <at> lists.sourceforge.net
Subject: Re: [modauthkerb] RE: Error: gss_accept_sec_context() failed


Daniel Kouril | 2 Jul 2004 12:32

Re: [modauthkerb] RE: Error: gss_accept_sec_context() failed

On Fri, Jul 02, 2004 at 11:18:58AM +0200, Hartmaier Alexander wrote:
> try #1:
> - service principal with 'firewall.mon.dsh.at'
> - NO ticket listed by kerbtray.exe (WinXP IE6.0 with all patches from windowsupdate... maybe that
> matters too)
> - Apache finds the service principal because the URL string and the DNS name in the service principal match,
> but the client doesn't get a ticket from the DC and Apache logs 'gss_accept_sec_context() failed: A token was
> invalid (Token header is malformed or corrupt)'

Seems that IE isn't able to get a ticket for the service from AD and
still sends an NTLM authenticator to Apache. Unfortunately I can't say
where the problem can be. Try checking some logs on the KDC and/or sniff
the network communication between the workstation and the KDC. Someone also advised
this Windows tool for debugging:
http://www.develop.com/kbrown/security/sample_sspibench.htm

> try #2:
> - service principal with 'nac1.mon.dsh.at'
> - ticket 'HTTP/nac1.mon.dsh.at@INT.NEONET.AT' is listed by kerbtray.exe
> - Apache doesn't find the service principal and logs 'gss_acquire_cred() failed: Miscellaneous
> failure (No principal in keytab matches desired name)'

Compile the new module, turn on debugging in Apache and look at the log
files for the principal name that the module wants to use. And please let us
know the results.

> 
> Is there a daily cvs snapshot for download available?

no

Hartmaier Alexander | 2 Jul 2004 13:24

Re: [modauthkerb] RE: Error: gss_accept_sec_context() failed

In the tarball and the CVS version the configure script is missing...

Regards, Alex

-----Original Message-----
From: Daniel Kouril [mailto:kouril <at> ics.muni.cz]
Sent: Friday, 2 July 2004 12:33
To: Hartmaier Alexander
Cc: Daniel Kouril; Douglas E. Engert; Jari Ahonen; modauthkerb-help <at> lists.sourceforge.net
Subject: Re: [modauthkerb] RE: Error: gss_accept_sec_context() failed

On Fri, Jul 02, 2004 at 11:18:58AM +0200, Hartmaier Alexander wrote:
> try #1:
> - service principal with 'firewall.mon.dsh.at'
> - NO ticket listed by kerbtray.exe (WinXP IE6.0 with all patches from windowsupdate... maybe that
> matters too)
> - Apache finds the service principal because the URL string and the DNS name in the service principal match,
> but the client doesn't get a ticket from the DC and Apache logs 'gss_accept_sec_context() failed: A token was
> invalid (Token header is malformed or corrupt)'

Seems that IE isn't able to get a ticket for the service from AD and
still sends an NTLM authenticator to Apache. Unfortunately I can't say
where the problem can be. Try checking some logs on the KDC and/or sniff
the network communication between the workstation and the KDC. Someone also advised
this Windows tool for debugging:
http://www.develop.com/kbrown/security/sample_sspibench.htm

> try #2:
> - service principal with 'nac1.mon.dsh.at'
> - ticket 'HTTP/nac1.mon.dsh.at@INT.NEONET.AT' is listed by kerbtray.exe

Jari Ahonen | 2 Jul 2004 13:29

RE: [modauthkerb] RE: Error: gss_accept_sec_context() failed


> 
> In the tarball and the CVS version the configure script is missing...

That's something I've been meaning to report to Daniel but forgot. The
Makefile removes the configure script when doing "make distclean". This is
probably not a good idea for those of us who don't have automake installed
so they could generate the configure script with it.

You can use the configure script from the RC5 release, it works just
fine with the CVS code.

- Jari

Hartmaier Alexander | 2 Jul 2004 13:56

RE: [modauthkerb] RE: Error: gss_accept_sec_context() failed

OK, that worked... but how do I enable debugging in Apache for mod_auth_kerb?

THX Alex

-----Original Message-----
From: Jari Ahonen [mailto:jah <at> progress.com]
Sent: Friday, 2 July 2004 13:30
To: Hartmaier Alexander; Daniel Kouril
Cc: modauthkerb-help <at> lists.sourceforge.net
Subject: RE: [modauthkerb] RE: Error: gss_accept_sec_context() failed

> 
> In the tarball and the CVS version the configure script is missing...

That's something I've been meaning to report to Daniel but forgot. The
Makefile removes the configure script when doing "make distclean". This is
probably not a good idea for those of us who don't have automake installed
so they could generate the configure script with it.

You can use the configure script from the RC5 release, it works just
fine with the CVS code.

- Jari

*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail may contain confidential and protected information.