Tim | 1 Dec 17:54 2004

Re: 500 error for unknown username?

Hi Daniel,

Sorry for the late reply; I've been away from this for a while
but I'm back on it now.  I'm now using the latest version from CVS:

[Wed Dec  1 16:50:20 2004] [debug] src/mod_auth_kerb.c(1415): [client 10.128.56.114] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Dec  1 16:50:20 2004] [debug] src/mod_auth_kerb.c(647): [client 10.128.56.114] Trying to get TGT for user gollti@dbg.xx.xx.xx
[Wed Dec  1 16:50:21 2004] [error] [client 10.128.56.114] krb5_get_init_creds_password() failed: KDC reply did not match expectations
[Wed Dec  1 16:50:21 2004] [debug] src/mod_auth_kerb.c(964): [client 10.128.56.114] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL)

Do I use the fully qualified domains in KrbAuthRealms?

If I put in a bad password, I get "Preauthentication failed" as you
would expect.  But when I get it right, I get "did not match expectations".

Also, I'm trying to get my hands on the KDC logs.  I'll let you know.

Thanks for your help,

Timbo.

Quoting Daniel Kouril <kouril <at> ics.muni.cz>:

> On Thu, Oct 28, 2004 at 11:29:57AM +0100, Timbo wrote:
> > Hi Jari,

Timbo | 2 Dec 14:43 2004

Re: 500 error for unknown username?

Hi again,

OK, I've got my hands on the logs on the PDC.  This is what gets logged
when I get the "did not match expectations" error:

672,AUDIT SUCCESS,Security,Thu Dec 02 12:31:48 2004,NT
AUTHORITY\SYSTEM,Authentication Ticket Request:     User Name:  gollti    
Supplied Realm Name: dbg.xx.xx.xx     User ID:  
dbg.xx.xx.xx/Europe/LON/Users/gollti}     Service Name:  krbtgt     Service ID:
 dbg.xx.xx.xx/Users/krbtgt}     Ticket Options:  0x10     Result Code:  -    
Ticket Encryption Type: 0x3     Pre-Authentication Type: 2     Client Address: 
10.140.84.124     Certificate Issuer Name:      Certificate Serial Number:     
Certificate Thumbprint:     
672,AUDIT SUCCESS,Security,Thu Dec 02 12:31:48 2004,NT
AUTHORITY\SYSTEM,Authentication Ticket Request:     User Name:  gollti    
Supplied Realm Name: dbg.xx.xx.xx     User ID:  
dbg.xx.xx.xx/Europe/LON/Users/gollti}     Service Name:  krbtgt     Service ID:
 dbg.xx.xx.xx/Users/krbtgt}     Ticket Options:  0x10     Result Code:  -    
Ticket Encryption Type: 0x3     Pre-Authentication Type: 2     Client Address: 
10.140.84.124     Certificate Issuer Name:      Certificate Serial Number:     
Certificate Thumbprint:     

What do you think?

Tim.

Quoting Tim <modauthkerb_list <at> darkgate.net>:

> Hi Daniel,
> 

Achim Grolms | 3 Dec 01:31 2004

KDE Konqueror and SPNEGO

Hello,

I am using modauthkerb with Apache, Windows2000 KDC
and IE Browser.

As a KDE user I want to use SPNEGO with Konqueror, too.
I have read that Konqueror supports Kerberos, but it
does not work for me (that means the browser prompts for a
password instead of using Kerberos for authentication).

I am using Gentoo Linux with USE=kerberos,
mit-krb5, kde 3.3.1 with compiled-in Kerberos support.
/etc/krb5.conf works so I can get a TGT with kinit.

Anybody here who has a running Konqueror setup and
can help me?

Is there a Tutorial outside that answers my questions?

Thank you,
Achim

Achim Grolms | 7 Dec 23:30 2004

Re: KDE Konqueror and SPNEGO

On Friday 03 December 2004 01:31, Achim Grolms wrote:

> I have read that Konqueror supports Kerberos, but it
> does not work for me 

OK, Karsten Künne helped me to get that working;
I had made a typo in my /etc/krb5.conf (shame on me...)

1. I have added the Konqueror Information to 
<http://www.grolmsnet.de/kerbtut/>
and <http://www.grolmsnet.de/kerbtut/konqueror.html>

2. Daniel, I think it is a good idea to add the information
"Konqueror works with mod_auth_kerb" to
<http://modauthkerb.sourceforge.net/> and to the READMEs of RC7.
Do you agree?

3. Karsten told me that he has added a patch to the Lynx browser that
makes Lynx use Kerberos authentication, too...
Is anyone here interested in using Lynx with mod_auth_kerb?

Thank you,
Achim

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/

Florian Haid | 8 Dec 11:35 2004

Compile problem on Solaris9 & Heimdal 0.6.3

Hi all,

I'm getting the following error while compiling mod_auth_kerb-5.0-rc6 on Solaris.

Heimdal Version: 0.6.3

# gcc --version
gcc (GCC) 3.4.1

# uname -a
SunOS adncms01 5.9 Generic_117171-02 sun4u sparc SUNW,Sun-Fire-V210

Do you need more information?

Florian

==========================================================================================

/opt/apache2/build/libtool --silent --mode=link /share/app/gnu/gcc/3.4.1/bin/gcc -o
src/mod_auth_kerb.la -I. -Ispnegokrb5 
-I/share/xpository/heimdal/kerberos/0.6.3/sparc-sun-solaris9-gcc3/dist-bin/include 
-L/share/xpository/heimdal/kerberos/0.6.3/sparc-sun-solaris9-gcc3/dist-bin/lib -lgssapi
-lkrb5 -lasn1 -ldes -lroken -lresolv -lnsl -lsocket -lresolv -rpath 
/opt/apache2/modules -module -avoid-version    spnegokrb5/external.lo spnegokrb5/decapsulate.lo
spnegokrb5/encapsulate.lo spnegokrb5/accept_sec_context.lo 
spnegokrb5/init_sec_context.lo spnegokrb5/timegm.lo spnegokrb5/der_copy.lo
spnegokrb5/der_length.lo spnegokrb5/der_free.lo spnegokrb5/der_put.lo 
spnegokrb5/der_get.lo spnegokrb5/asn1_NegTokenTarg.lo spnegokrb5/asn1_NegTokenInit.lo
spnegokrb5/asn1_ContextFlags.lo spnegokrb5/asn1_MechTypeList.lo 
spnegokrb5/asn1_MechType.lo src/mod_auth_kerb.lo

OKUYAMA, Kouhei | 9 Dec 23:35 2004

gss_acquire_cred() error

Hi,
I want to run mod_auth_kerb but I'm having trouble.
I use a KDC and Apache 1.3.33 on FreeBSD-5.2.1R.
After getting a TGT with kinit, I accessed the protected page with Mozilla 1.7.3.
The .htaccess is as follows:

AuthType KerberosV5
AuthName "Kerberos Password"
KrbAuthRealm HLLA.IS.TSUKUBA.AC.JP
KrbServiceName HTTP
Krb5Keytab /etc/krb5.conf
require valid-user

Then a 500 Internal Server Error was returned.
Looking at the error_log, there were the following messages.

[Fri Dec 10 06:37:55 2004] [error] [client 192.168.85.68] gss_acquire_cred() failed: Miscellaneous failure (Unsupported key table format version number)

Next, I checked the packets.
Although I confirmed that the HTTP/... ticket is acquirable, an error was found in the Kerberos protocol.

TGS-REQ(krbtgt/...) -> KRB5KDC_ERR_BADOPTION

The options in the TGS-REQ are Forwardable and Forwarded.

What should I do to remove these options?
Will the gss_acquire_cred() error be solved if the protocol error is solved?
Thanks.


Achim Grolms | 9 Dec 23:39 2004

Re: gss_acquire_cred() error

On Thursday 09 December 2004 23:35, OKUYAMA, Kouhei wrote:

> Krb5Keytab /etc/krb5.conf

> gss_acquire_cred() failed: Miscellaneous failure (Unsupported key table
> format version number)

Hi, you have mixed up two things:
Krb5Keytab has to point to the keytab of your web server's
service principal's key, not to the
Kerberos *configuration* file /etc/krb5.conf.

HTH, Achim
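
The mix-up in this exchange can be checked before the server is restarted: a keytab is a binary file that starts with byte 0x05 followed by a format version byte, which a text file such as /etc/krb5.conf does not. The Python code below is an added example, not part of the original thread or of mod_auth_kerb; it assumes the version 2 keytab layout, and the function names and the HTTP/www.example.test@EXAMPLE.TEST sample entry are constructed for illustration.

```python
import struct

def _counted(buf, p):
    """Read a counted string (big-endian uint16 length + bytes) at offset p."""
    (n,) = struct.unpack_from(">H", buf, p)
    if p + 2 + n > len(buf):
        raise struct.error("counted string runs past entry")
    return buf[p + 2:p + 2 + n], p + 2 + n

def inspect_keytab(data):
    """Return (True, [(principal, kvno, enctype), ...]) or (False, reason)."""
    if len(data) < 2 or data[0] != 0x05:
        return False, "not a keytab: first byte is not 0x05 (text config file?)"
    if data[1] != 0x02:
        return False, "keytab version byte 0x%02x not handled by this example" % data[1]
    entries, pos = [], 2
    try:
        while pos + 4 <= len(data):
            (size,) = struct.unpack_from(">i", data, pos)
            pos += 4
            if size == 0:        # zero length: end of entries
                break
            if size < 0:         # negative length marks a deleted slot
                pos += -size
                continue
            rec = data[pos:pos + size]
            (ncomp,) = struct.unpack_from(">H", rec, 0)
            realm, p = _counted(rec, 2)
            comps = []
            for _ in range(ncomp):
                comp, p = _counted(rec, p)
                comps.append(comp)
            # fields: name type (4 bytes), timestamp (4), 8-bit kvno (1), enctype (2)
            _ntype, _ts, kvno, enctype = struct.unpack_from(">IIBH", rec, p)
            _key, p = _counted(rec, p + 11)   # key bytes are skipped, never returned
            if size - p >= 4:                 # optional 32-bit kvno, used when nonzero
                kvno = struct.unpack_from(">I", rec, p)[0] or kvno
            name = b"/".join(comps) + b"@" + realm
            entries.append((name.decode("utf-8", "replace"), kvno, enctype))
            pos += size
    except struct.error:
        return False, "truncated or malformed keytab entry"
    return True, entries

def build_sample_keytab():
    """Constructed sample: one entry for HTTP/www.example.test@EXAMPLE.TEST."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    entry = (struct.pack(">H", 2) + cs(b"EXAMPLE.TEST") + cs(b"HTTP") + cs(b"www.example.test")
             + struct.pack(">IIBH", 1, 0, 3, 18) + cs(bytes(32)))  # all-zero dummy key
    return b"\x05\x02" + struct.pack(">i", len(entry)) + entry
```

Calling `inspect_keytab(open(path, "rb").read())` on the file named in Krb5Keytab should list the web server's HTTP/hostname service principal; a text file is rejected at the first byte.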

OKUYAMA, Kouhei | 9 Dec 23:55 2004

Re: gss_acquire_cred() error

> Hi, you have mixed up two things:
> Krb5Keytab has to point to the keytab of your web server's
> service principal's key, not to the
> Kerberos *configuration* file /etc/krb5.conf.

Oh... I was greatly mistaken.
I changed the Krb5Keytab field to /etc/krb5.keytab and I could get the protected page.

But the protocol error is not solved.
May I ignore this?

Thanks!

-Kouhei, OKUYAMA

Jari Ahonen | 10 Dec 10:06 2004

RE: gss_acquire_cred() error

> I changed the Krb5Keytab field to /etc/krb5.keytab and I could get
> the protected page.
> 
> But the protocol error is not solved.
> May I ignore this?

It would help if you sent your /etc/krb5.conf. Just in case there are
some options in it that could be confusing the krb5 library.

Which Kerberos is on your FreeBSD, Heimdal or MIT, and which version?

Do you get a similar error if you acquire the ticket manually on the
command line (use kvno on MIT Kerberos; I don't remember the equivalent
for Heimdal)?

- Jari

Daniel Kouril | 10 Dec 14:50 2004

Re: [modauthkerb - Help] saving tickets for later use

PLEASE, don't use the discussion forum to ask new questions.

On Fri, Dec 10, 2004 at 02:46:52AM -0800, SourceForge.net wrote:
> Reading the help on the net, I found that it is possible to save the
> tickets for later use. My problem is that for every user that authenticates
> with IE+modauthkerb, the ticket file (/tmp/krb5cc_0) is overwritten. That
> looks normal because of the filename. 0 is the root uid. How can I tell
> the module or Kerberos to save every ticket with the username or something
> specific to the user?

The module always generates a unique file where the delegated credentials are
stored. The name of the file is of the form "/tmp/krb5cc_apache_XXXXXX", where
the last XXXXXX's are replaced by a random string.

Can you verify the tickets really get stored in the /tmp/krb5cc_0 (e.g. by
calling klist from a CGI script)?
