Henrique Craveiro | 7 Feb 2006 19:25

Server not found in Kerberos database

Hi all,

I have a Windows 2000 Server running as a KDC and an Apache Server (2.0.55) on Solaris 2.9. I installed the mod_auth_kerb module in Apache and followed the steps in http://modauthkerb.sourceforge.net/ . I searched the web and these archives a lot but didn't find the answer to my problem.

My krb5.conf:

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        admin_server = FILE:/var/log/kadmin.log

[libdefaults]
        default_realm = EFTESTE.COM
        ticket_lifetime = 24000

[realms]
        EFTESTE.COM = {
                kdc = tarzan.efteste.com:88
                admin_server = tarzan.efteste.com:749
                default_domain = tarzan.efteste.com
        }

[domain_realm]
        efteste.com = EFTESTE.COM
        .efteste.com = EFTESTE.COM

The Windows 2000 Server is tarzan.efteste.com and the Apache Server is solero.intranet.company.pt. I can't have the Win 2000 Server and solero in the same domain, so I had to add a binding for solero.efteste.com in /etc/hosts, and I did the same on the Win 2000 Server so that it can reach solero.intranet.company.pt.

Part of my httpd.conf:

<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all

    AuthType Kerberos
    AuthName solero
    KrbAuthRealms EFTESTE.COM
    KrbServiceName HTTP
    Krb5Keytab /etc/krb5/solero.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    require valid-user
</Directory>

The account I use in the AD of the Win 2000 Server is solerokrb, so if I do a kinit solerokrb it works and I can see:

bash-2.05# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: solerokrb@EFTESTE.COM

Valid starting     Expires            Service principal
02/07/06 18:10:13  02/08/06 00:50:13  krbtgt/EFTESTE.COM@EFTESTE.COM
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

When I try to access http://solero.efteste.com from IE on the Windows 2000 Server it asks for username and password, although I configured the browser in every way it was supposed to be configured. I don't know exactly what I should enter as username and password; is it the account 'solerokrb'? Anyway, when it asks for username and password, the Apache log shows:

[Tue Feb 07 18:18:33 2006] [debug] src/mod_auth_kerb.c(1322): [client 192.168.42.32] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Feb 07 18:18:39 2006] [debug] src/mod_auth_kerb.c(1322): [client 192.168.42.32] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Feb 07 18:18:40 2006] [error] [client 192.168.42.32] failed to verify krb5 credentials: Server not found in Kerberos database
[Tue Feb 07 18:18:40 2006] [debug] src/mod_auth_kerb.c(1322): [client 192.168.42.32] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Feb 07 18:18:40 2006] [error] [client 192.168.42.32] failed to verify krb5 credentials: Server not found in Kerberos database
[Tue Feb 07 18:18:40 2006] [notice] child pid 17024 exit signal Segmentation fault (11)
[Tue Feb 07 18:18:40 2006] [notice] child pid 17023 exit signal Segmentation fault (11)

Does anybody have a clue what the problem is?

Thanks,

Henrique Craveiro

Achim Grolms | 7 Feb 2006 20:50

Re: Server not found in Kerberos database

On Tuesday 07 February 2006 19:25, Henrique Craveiro wrote:
> Hi all,
>
>
>
> I have a Windows 2000 Server running as a KDC and an Apache Server (2.0.55)
> in a Solaris 2.9. I installed the mod_auth_kerb module in Apache and
> followed the steps in http://modauthkerb.sourceforge.net/ . I searched a
> lot the web and these archives but didn't find the answer to my problem.
>
>
>
> My krb5.conf:
>
>
>
> [logging]
>
>         default = FILE:/var/krb5/kdc.log
>
>         kdc = FILE:/var/krb5/kdc.log
>
>         admin_server = FILE:/var/log/kadmin.log
>
>
>
> [libdefaults]
>
>         default_realm = EFTESTE.COM
>
>         ticket_lifetime = 24000
>
>
>
> [realms]
>
>         EFTESTE.COM = {
>
>                 kdc = tarzan.efteste.com:88
>
>                 admin_server = tarzan.efteste.com:749
>
>                 default_domain = tarzan.efteste.com
>
>         }
>
>
>
> [domain_realm]
>
>         efteste.com = EFTESTE.COM
>
>         .efteste.com = EFTESTE.COM
>
>
>
>
>
> The Windows 2000 Server is tarzan.efteste.com and the Apache Server is in
> solero.intranet.company.pt. I can't have the Win 2000 Server and solero in
> the same domain, so I had to put in /etc/hosts the binding to
> solero.efteste.com and so I did it in Win 2000 Server to be able to reach
> solero.intranet.company.pt.
>
>
>
>
>
> Part of my httpd.conf:
>
>
>
> <Directory "/usr/local/apache2/htdocs">
>
>     Options Indexes FollowSymLinks
>
>     AllowOverride All
>
>     Order allow,deny
>
>     Allow from all
>
>
>
>     AuthType Kerberos
>
>     AuthName solero
>
>     KrbAuthRealms EFTESTE.COM
>
>     KrbServiceName HTTP
>
>     Krb5Keytab /etc/krb5/solero.keytab
>
>     KrbMethodNegotiate on
>
>     KrbMethodK5Passwd on
>
>     require valid-user
>
> </Directory>
>
>
>
>
>
> The account I use in the AD of Win 2000 Server is solerokrb, so if I do a
> kinit solerokrb it works and I can see:
>
>
>
> bash-2.05# klist -e
>
> Ticket cache: FILE:/tmp/krb5cc_0
>
> Default principal: solerokrb <at> EFTESTE.COM
>
>
>
> Valid starting     Expires            Service principal
>
> 02/07/06 18:10:13  02/08/06 00:50:13  krbtgt/EFTESTE.COM <at> EFTESTE.COM
>
>         Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>
>
>
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
>
> klist: You have no tickets cached
>
>
>
>
>
> When I try to access http://solero.efteste.com <http://solero.efteste.com/>
> from IE in the Windows 2000 Server it asks for username and password
> although I configured the browser in every aspect that it was supposed to
> be done. I don't know exactly what I should write in the username and
> password, is it the account 'solerokrb'? Anyway, when it asks for username
> and password the log in the Apache is:
>
>
>
> [Tue Feb 07 18:18:33 2006] [debug] src/mod_auth_kerb.c(1322): [client
> 192.168.42.32] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
>
> [Tue Feb 07 18:18:39 2006] [debug] src/mod_auth_kerb.c(1322): [client
> 192.168.42.32] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
>
> [Tue Feb 07 18:18:40 2006] [error] [client 192.168.42.32] failed to verify
> krb5 credentials: Server not found in Kerberos database
>
> [Tue Feb 07 18:18:40 2006] [debug] src/mod_auth_kerb.c(1322): [client
> 192.168.42.32] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
>
> [Tue Feb 07 18:18:40 2006] [error] [client 192.168.42.32] failed to verify
> krb5 credentials: Server not found in Kerberos database
>
> [Tue Feb 07 18:18:40 2006] [notice] child pid 17024 exit signal
> Segmentation fault (11)
>
> [Tue Feb 07 18:18:40 2006] [notice] child pid 17023 exit signal
> Segmentation fault (11)
>
>
>
>
>
> Anybody have a clue of what the problem is?
>
>
>
> Thanks,
>
>
>
> Henrique Craveiro

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
Achim Grolms | 7 Feb 2006 20:53

Re: Server not found in Kerberos database

On Tuesday 07 February 2006 19:25, Henrique Craveiro wrote:

Hello Henrique, please

1. check all steps and possible errors described in
<http://www.grolmsnet.de/kerbtut/>

2.

> [Tue Feb 07 18:18:40 2006] [notice] child pid 17024 exit signal
> Segmentation fault (11)

Try to use an Apache that produces no Segmentation faults.

Achim

Henrique Craveiro | 8 Feb 2006 15:54

Re: Server not found in Kerberos database

Hi,

Thanks for the replies.

I did (also) follow the steps in http://www.grolmsnet.de/kerbtut/ . I think
that I found out what the error was. It was related to the Kerberos database
being somewhat corrupt. I destroyed and created it again and now the error I
mentioned before is gone. Now I have this error (it still asks for username
and password):

[Wed Feb 08 14:13:32 2006] [debug] src/mod_auth_kerb.c(1322): [client
192.168.42.32] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Wed Feb 08 14:13:38 2006] [debug] src/mod_auth_kerb.c(1322): [client
192.168.42.32] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Wed Feb 08 14:13:38 2006] [error] [client 192.168.42.32]
krb5_get_init_creds_password() failed: Cannot resolve network address for
KDC in requested realm
[Wed Feb 08 14:13:38 2006] [debug] src/mod_auth_kerb.c(1322): [client
192.168.42.32] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Wed Feb 08 14:13:38 2006] [error] [client 192.168.42.32]
krb5_get_init_creds_password() failed: Cannot resolve network address for
KDC in requested realm

I tried to search for the error but couldn't find out why it is happening. I
know it is supposed to be related to DNS problems but the 2 machines can
reach each other (Windows 2000 Server and Solaris). One thing that got me
thinking is when I do the "klist -e" after doing kvno. It gives me:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: solerokrb@EFTESTE.COM

Valid starting     Expires            Service principal
02/08/06 14:12:07  02/09/06 00:12:07  krbtgt/EFTESTE.COM@EFTESTE.COM
        renew until 02/09/06 14:12:07, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
02/08/06 14:12:16  02/09/06 00:12:07  xptest@EFTESTE.COM
        renew until 02/09/06 14:12:07, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
02/08/06 14:12:25  02/09/06 00:12:07  solerokrb@EFTESTE.COM
        renew until 02/09/06 14:12:07, Etype (skey, tkt): DES cbc mode with
CRC-32, DES cbc mode with CRC-32

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

solerokrb seems ok, because of the -crypto option in ktpass, but what about
the other ones? I don't know if the results are ok; I'm getting a little
desperate here, seeing patterns everywhere ;)

Can anybody help me?

PS - Where can I get an Apache that doesn't give segmentation faults?

Regards,

Henrique Craveiro

-----Original Message-----
From: Yannick [mailto:yannick <at> smellyfrog.com] 
Sent: Wednesday, 8 February 2006 8:50
To: Henrique Craveiro
Subject: Re: [modauthkerb] Server not found in Kerberos database

Hi Henrique,

I'm not a specialist, but I walked the same road not so long ago. Check 
this thread out:
http://groups.google.ie/group/comp.protocols.kerberos/browse_thread/thread/dea39f5b55a82523/5a895b1308eb8d75?lnk=st&q=smellyfrog+kerberos&rnum=1&hl=en#5a895b1308eb8d75

The one important thing is the way you generate the keytab. You really 
have to follow verbatim the way Achim describes it in his paper: 
http://www.grolmsnet.de/kerbtut/
The key solution for me was to make sure the keytab was generated for 
servername.domain and not just servername.

So in your case (Replacing solerokrb-password with the actual password):

C:\>ktpass -princ HTTP/tarzan.efteste.com@EFTESTE.COM
-mapuser solerokrb
-crypto DES-CBC-MD5
-ptype KRB5_NT_PRINCIPAL
-mapop set +desonly
-pass longlong solerokrb-password -out c:\temp\solerokeytab

Make sure you have done this exactly that way.

A sure way to make sure your keytab is correct is by checking that an 
http service kerberos ticket is created for the client machine when you 
request a connection to apache. You can do this by installing the MIT 
network identity manager or Microsoft kerbtray.exe.

Regards
Yannick

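The "Server not found in Kerberos database" error and Yannick's keytab advice come down to one question: does the KDC, and the keytab on the Apache box, hold an entry for exactly the service principal being requested, HTTP/<fully qualified host>@REALM, rather than a short host name? The following added example, written for this page and not code from the mod_auth_kerb project or from any poster, parses an MIT-format keytab (version 0x0502) and reports whether the expected SPN is present. The keytab bytes are constructed inside the script so it runs offline (a real file would be read with open(path, "rb")); the principal names, timestamp and key bytes are sample values.

```python
import struct
from typing import List, NamedTuple, Tuple

KEYTAB_V2 = b"\x05\x02"     # MIT keytab format version 2: big-endian fields
ENCTYPE_DES_CBC_MD5 = 3      # RFC 3961 enctype number for des-cbc-md5
KRB5_NT_PRINCIPAL = 1


class KeytabEntry(NamedTuple):
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialize entries in the 0x0502 keytab layout. Used here only to
    construct sample input; real keytabs come from ktpass or ktutil."""
    out = bytearray(KEYTAB_V2)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        components = name.split("/")
        body = bytearray()
        body += struct.pack(">H", len(components))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in components:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)            # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body   # entry length prefix
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version-2 keytab; a negative length prefix marks a deleted slot."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("only keytab version 0x0502 is handled")
    entries: List[KeytabEntry] = []
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        p = pos

        def take(fmt: str) -> tuple:
            nonlocal p
            values = struct.unpack_from(fmt, data, p)
            p += struct.calcsize(fmt)
            return values

        (ncomp,) = take(">H")
        (rlen,) = take(">H")
        realm = data[p:p + rlen].decode()
        p += rlen
        components = []
        for _ in range(ncomp):
            (clen,) = take(">H")
            components.append(data[p:p + clen].decode())
            p += clen
        name_type, timestamp, vno8 = take(">IIB")
        enctype, klen = take(">HH")
        key = data[p:p + klen]
        p += klen
        kvno = vno8
        if end - p >= 4:            # 32-bit vno present; it wins when non-zero
            (vno32,) = take(">I")
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(components) + "@" + realm,
                                   name_type, timestamp, kvno, enctype, key))
        pos = end
    return entries


def check_spn(entries: List[KeytabEntry], expected_spn: str) -> Tuple[bool, List[str]]:
    """True if the exact SPN the client will ask for is in the keytab."""
    present = sorted({e.principal for e in entries})
    return expected_spn in present, present


def sample_keytab(fully_qualified: bool) -> bytes:
    """Constructed sample: a keytab made for the short host name versus one
    made for servername.domain, as Yannick's message recommends."""
    host = "solero.efteste.com" if fully_qualified else "solero"
    entry = KeytabEntry(f"HTTP/{host}@EFTESTE.COM", KRB5_NT_PRINCIPAL,
                        1139400000, 3, ENCTYPE_DES_CBC_MD5, bytes(range(8)))
    return build_keytab([entry])


if __name__ == "__main__":
    expected = "HTTP/solero.efteste.com@EFTESTE.COM"
    for fq in (False, True):
        ok, names = check_spn(parse_keytab(sample_keytab(fq)), expected)
        print(f"keytab principals {names}: expected SPN present = {ok}")
```

On the Apache host, klist -k -t /etc/krb5/solero.keytab (MIT Kerberos) lists the same principals and key version numbers; the point of comparing programmatically is to match against the exact name the browser will request, which is HTTP/ followed by the host name from the URL (after any canonicalisation the client performs), so a keytab made for solero alone will never match a request for solero.efteste.com.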
Henrique Craveiro | 8 Feb 2006 15:58

RE: Server not found in Kerberos database

Hi again,

Until now I have been testing using a Internet Explorer 5.5 right in the
Windows 2000 Server. I created a user account in the EFTESTE.COM domain,
logged in a PC with that account, using IE 6.0 and the result was different:

[Wed Feb 08 14:52:52 2006] [debug] src/mod_auth_kerb.c(1322): [client
192.168.42.35] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Wed Feb 08 14:52:52 2006] [debug] src/mod_auth_kerb.c(1322): [client
192.168.42.35] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Wed Feb 08 14:52:52 2006] [error] [client 192.168.42.35] gss_import_name()
failed: An invalid name was supplied (Configuration file does not specify
default realm)

Now, I have no clue...

Somebody?

Regards,

Henrique Craveiro


Re: Server not found in Kerberos database

Hi there,

I'll write the reply inline.

But first:

Check that kerberos is properly configured on the box where Apache is running!

Just IM or mail me personally; I am willing to help since I set that up a week
ago here and it was pretty tough too.

On Wednesday 8 February 2006 14:58, Henrique Craveiro wrote:
> Hi again,
>
> Until now I have been testing using a Internet Explorer 5.5 right in the
> Windows 2000 Server. I created a user account in the EFTESTE.COM domain,
> logged in a PC with that account, using IE 6.0 and the result was
> different:
>
> [Wed Feb 08 14:52:52 2006] [debug] src/mod_auth_kerb.c(1322): [client
> 192.168.42.35] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Wed Feb 08 14:52:52 2006] [debug] src/mod_auth_kerb.c(1322): [client
> 192.168.42.35] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Wed Feb 08 14:52:52 2006] [error] [client 192.168.42.35] gss_import_name()
> failed: An invalid name was supplied (Configuration file does not specify
> default realm)

Well, this is clear enough, is your apache kerberos module configured 
properly?

<Location /test>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd On
  KrbAuthRealms EFTESTE.COM   <<<------ this is what's missing
  Krb5KeyTab /etc/httpd/conf/keytab
  require valid-user
</Location>

> -----Original Message-----
> From: Henrique Craveiro [mailto:henrique.craveiro <at> ef.pt]
> Sent: quarta-feira, 8 de Fevereiro de 2006 14:54
> To: 'modauthkerb-help <at> lists.sourceforge.net'
> Subject: Re: [modauthkerb] Server not found in Kerberos database
>
> Hi,
>
> Thanks for the replies.
>
> I did (also) follow the steps in http://www.grolmsnet.de/kerbtut/ . I think
> that I found out what the error was. It was related to the Kerberos
> database being somewhat corrupt. I destroyed and created it again and now
> the error I mentioned before is gone. Now I have this error (it still asks
> for username and password):
>
>
> [Wed Feb 08 14:13:32 2006] [debug] src/mod_auth_kerb.c(1322): [client
> 192.168.42.32] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Wed Feb 08 14:13:38 2006] [debug] src/mod_auth_kerb.c(1322): [client
> 192.168.42.32] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Wed Feb 08 14:13:38 2006] [error] [client 192.168.42.32]
> krb5_get_init_creds_password() failed: Cannot resolve network address for
> KDC in requested realm
> [Wed Feb 08 14:13:38 2006] [debug] src/mod_auth_kerb.c(1322): [client
> 192.168.42.32] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Wed Feb 08 14:13:38 2006] [error] [client 192.168.42.32]
> krb5_get_init_creds_password() failed: Cannot resolve network address for
> KDC in requested realm

This is pretty clear too: the Apache box cannot find the Kerberos KDC.

You do not need the KDC to be resolvable; you need to configure your krb5.conf
(/etc/krb5.conf on a Unix machine) to map a KDC to a realm like this:

[realms]
EFTESTE.COM = {
   default_domain = efteste.com
   kdc = yourkdc.efteste.com:88
}

>
>
> I tried to search for the error but couldn't find out why it is happening.
> I know it is supposed to be related to DNS problems but the 2 machines can
> reach each other (Windows 2000 Server and Solaris). One thing that got me
> thinking is when I do the "klist -e" after doing kvno. It gives me:
>

Where did you do klist -e?

Try to do kinit yourusername on the Apache box; if it works then Kerberos is
properly configured on that box. If it doesn't, you need to configure it
properly first (mostly only the /etc/krb5.conf file).

> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: solerokrb <at> EFTESTE.COM
>
> Valid starting     Expires            Service principal
> 02/08/06 14:12:07  02/09/06 00:12:07  krbtgt/EFTESTE.COM <at> EFTESTE.COM
>         renew until 02/09/06 14:12:07, Etype (skey, tkt): ArcFour with
> HMAC/md5, ArcFour with HMAC/md5
> 02/08/06 14:12:16  02/09/06 00:12:07  xptest <at> EFTESTE.COM
>         renew until 02/09/06 14:12:07, Etype (skey, tkt): ArcFour with
> HMAC/md5, ArcFour with HMAC/md5
> 02/08/06 14:12:25  02/09/06 00:12:07  solerokrb <at> EFTESTE.COM
>         renew until 02/09/06 14:12:07, Etype (skey, tkt): DES cbc mode with
> CRC-32, DES cbc mode with CRC-32
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
>
>
> solerokrb seems ok, because of the -cryto option in ktpass, but what about
> the other ones? I don't know if the results are ok, I'm getting a little
> desperate here, seeing patterns everywhere ;)
>
> Can anybody help me?

Relax, it's not that hard...

>
> PS - Where can I get an Apache that doesn't give segmentation faults?
>

What are you talking about?

>
> Regards,
>
> Henrique Craveiro
>
> -----Original Message-----
> From: Yannick [mailto:yannick <at> smellyfrog.com]
> Sent: quarta-feira, 8 de Fevereiro de 2006 8:50
> To: Henrique Craveiro
> Subject: Re: [modauthkerb] Server not found in Kerberos database
>
> Hi Henrique,
>
> I'm not a specialist, but I walked the same road not so long ago. Check
> this thread out:
> http://groups.google.ie/group/comp.protocols.kerberos/browse_thread/thread/
>d
> ea39f5b55a82523/5a895b1308eb8d75?lnk=st&q=smellyfrog+kerberos&rnum=1&hl=en#
>5 a895b1308eb8d75
>
> The one important thing is the way you generate the keytab. You really
> have to follow verbatim the way Achim describes it in his paper:
> http://www.grolmsnet.de/kerbtut/
> The key solution for me was to make sure the keytab was generated for
> servername.domain and not just servername.
>
> So in your case (Replacing solerokrb-password with the actual password):
>
> C:\>ktpass -princ HTTP//tarzan.efteste.com/ <at> /EFTESTE.COM/
> -mapuser solerokrb
> -crypto DES-CBC-MD5
> -ptype KRB5_NT_PRINCIPAL
> -mapop set +desonly
> -pass longlong solerokrb-password -out c:\temp\solerokeytab
>
> Make sure you have done this exactly that way.
>
> A sure way to make sure your keytab is correct is by checking that an
> http service kerberos ticket is created for the client machine when you
> request a connection to apache. You can do this by installing the MIT
> network identity manager or Microsoft kerbtray.exe.
>
> Regards
> Yannick
>
> _______________________________________________
> modauthkerb-help mailing list
> modauthkerb-help <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/modauthkerb-help

-- 
Stephane Konstantaropoulos <skonstant <at> sgul.ac.uk>
St George's University of London
Nathan Strange | 8 Feb 2006 17:36

Bad Password Error Messages

Has anyone had a problem with mod_auth_kerb giving the incorrect  
error message to the browser when it gets a bad password.  We have a  
problem when the institutional kerberos password changes, our server  
gives a bad error message to the browser which means the browser then  
doesn't prompt for a different password...  since most people have  
their browsers remember passwords this can be a big problem.

I did some monkeying with mod_auth_kerb to get it to run on OS X...  
and I might have inadvertently caused this.  So my first question is  
if anyone else has seen this problem... and my second is if anyone  
has a solution :)

- Nathan 


Re: Bad Password Error Messages

Hi,

What's the message sent by the server?

Kerberos is a solution to client caching passwords, why use kerberos 
authentication in apache if you don't use kerberos fully?

If the server asks for authentication then denies it, the browser should prompt 
for a new password even if it was cached previously. The error is somewhere 
else.

Can you be more descriptive about:
1. your kerberos setup on the server box (does it work at all)
2. the configuration of apache mod_authkerb you are using
3. any logs that appear when authentication is denied.

Cheers

On Wednesday 8 February 2006 16:36, Nathan Strange wrote:
> Has anyone had a problem with mod_auth_kerb giving the incorrect
> error message to the browser when it gets a bad password.  We have a
> problem when the institutional kerberos password changes, our server
> gives a bad error message to the browser which means the browser then
> doesn't prompt for a different password...  since most people have
> their browsers remember passwords this can be a big problem.
>
> I did some monkeying with mod_auth_kerb to get it to run on OS X...
> and I might have inadvertently caused this.  So my first question is
> if anyone else has seen this problem... and my second is if anyone
> has a solution :)
>
> - Nathan
>

-- 
Stephane Konstantaropoulos <skonstant <at> sgul.ac.uk>
St George's University of London
Henrique Craveiro | 9 Feb 2006 13:31

RE: Server not found in Kerberos database

Hi again,

My krb5.conf is in /etc as advised and I tried those configs. It didn't
work. I heard that Solaris is a little problematic, so I'm going to try
Fedora to see if I can manage to get this working.

Last but not the least, my current situation is:

[Thu Feb 09 10:53:43 2006] [debug] src/mod_auth_kerb.c(1322): [client
192.168.42.30] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Thu Feb 09 10:53:43 2006] [debug] src/mod_auth_kerb.c(1322): [client
192.168.42.30] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Thu Feb 09 10:53:43 2006] [debug] src/mod_auth_kerb.c(1023): [client
192.168.42.30] Acquiring creds for HTTP/solero.efteste.com <at> EFTESTE.COM
[Thu Feb 09 10:53:43 2006] [debug] src/mod_auth_kerb.c(1322): [client
192.168.42.30] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Thu Feb 09 10:53:43 2006] [debug] src/mod_auth_kerb.c(1023): [client
192.168.42.30] Acquiring creds for HTTP/solero.efteste.com <at> EFTESTE.COM
[Thu Feb 09 10:53:44 2006] [notice] child pid 5204 exit signal Segmentation
fault (11)
[Thu Feb 09 10:53:44 2006] [notice] child pid 5201 exit signal Segmentation
fault (11)

I checked mod_auth_kerb and noticed that line 1023 is:

log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s",
           token.value);
gss_release_buffer(&minor_status, &token);

I added some code to know where exactly Apache exits with Segmentation
Fault, and it's in the 'gss_release_buffer'. Why does it happen there? I
don't know ;)

Also, if I comment out those 'gss_release_buffer' calls then there's another
Segmentation Fault in:

if (gss_creds && gss_creds->rcache && gss_creds->rcache->ops &&
          gss_creds->rcache->ops->type &&
          memcmp(gss_creds->rcache->ops->type, "dfl", 3) == 0)

Anyway, before trying Fedora I'm going to try different versions of Apache
(I'm using 2.0.55, going to try 2.0.47 as is mentioned in the README file
from the mod_auth_kerb).

-----Original Message-----
From: Yannick [mailto:yannick <at> smellyfrog.com] 
Sent: Thursday, 9 February 2006 8:02
To: Henrique Craveiro
Subject: Re: [modauthkerb] Server not found in Kerberos database

Hi Henrique,

Where is your krb5.conf file? Mine is at the following location 
/etc/krb5.conf on my fedora environment.

The way I have it working is with the following settings (Transposed to 
your case):

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        admin_server = FILE:/var/log/kadmin.log

[libdefaults]
        default_realm = EFTESTE.COM
        #ticket_lifetime = 24000

[realms]
        EFTESTE.COM = {
                kdc = tarzan.efteste.com:88
                admin_server = tarzan.efteste.com:749
                #default_domain = tarzan.efteste.com
        }

[domain_realm]
        efteste.com = EFTESTE.COM
        .efteste.com = EFTESTE.COM

After that, I'm afraid I'll have to let the specialists talk because we 
are reaching the end of my knowledge. :)

Regards
Yannick

Henrique Craveiro wrote:

>Hi again,
>
>Until now I have been testing using an Internet Explorer 5.5 right in the
>Windows 2000 Server. I created a user account in the EFTESTE.COM domain,
>logged in a PC with that account, using IE 6.0 and the result was
>different:
>
>[Wed Feb 08 14:52:52 2006] [debug] src/mod_auth_kerb.c(1322): [client
>192.168.42.35] kerb_authenticate_user entered with user (NULL) and
>auth_type Kerberos
>[Wed Feb 08 14:52:52 2006] [debug] src/mod_auth_kerb.c(1322): [client
>192.168.42.35] kerb_authenticate_user entered with user (NULL) and
>auth_type Kerberos
>[Wed Feb 08 14:52:52 2006] [error] [client 192.168.42.35] gss_import_name()
>failed: An invalid name was supplied (Configuration file does not specify
>default realm)
>
>
>Now, I have no clue...
>
>Somebody?
>
>Regards,
>
>Henrique Craveiro
>
>-----Original Message-----
>From: Henrique Craveiro [mailto:henrique.craveiro <at> ef.pt] 
>Sent: Wednesday, 8 February 2006 14:54
>To: 'modauthkerb-help <at> lists.sourceforge.net'
>Subject: Re: [modauthkerb] Server not found in Kerberos database
>
>Hi,
>
>Thanks for the replies.
>
>I did (also) follow the steps in http://www.grolmsnet.de/kerbtut/ . I think
>that I found out what the error was. It was related to the Kerberos
>database being somewhat corrupt. I destroyed and created it again and now
>the error I mentioned before is gone. Now I have this error (it still asks
>for username and password):
>
>
>[Wed Feb 08 14:13:32 2006] [debug] src/mod_auth_kerb.c(1322): [client
>192.168.42.32] kerb_authenticate_user entered with user (NULL) and
>auth_type Kerberos
>[Wed Feb 08 14:13:38 2006] [debug] src/mod_auth_kerb.c(1322): [client
>192.168.42.32] kerb_authenticate_user entered with user (NULL) and
>auth_type Kerberos
>[Wed Feb 08 14:13:38 2006] [error] [client 192.168.42.32]
>krb5_get_init_creds_password() failed: Cannot resolve network address for
>KDC in requested realm
>[Wed Feb 08 14:13:38 2006] [debug] src/mod_auth_kerb.c(1322): [client
>192.168.42.32] kerb_authenticate_user entered with user (NULL) and
>auth_type Kerberos
>[Wed Feb 08 14:13:38 2006] [error] [client 192.168.42.32]
>krb5_get_init_creds_password() failed: Cannot resolve network address for
>KDC in requested realm
>
>
>I tried to search for the error but couldn't find out why it is happening.
>I know it is supposed to be related to DNS problems but the 2 machines can
>reach each other (Windows 2000 Server and Solaris). One thing that got me
>thinking is when I do the "klist -e" after doing kvno. It gives me:
>
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: solerokrb <at> EFTESTE.COM
>
>Valid starting     Expires            Service principal
>02/08/06 14:12:07  02/09/06 00:12:07  krbtgt/EFTESTE.COM <at> EFTESTE.COM
>        renew until 02/09/06 14:12:07, Etype (skey, tkt): ArcFour with
>HMAC/md5, ArcFour with HMAC/md5
>02/08/06 14:12:16  02/09/06 00:12:07  xptest <at> EFTESTE.COM
>        renew until 02/09/06 14:12:07, Etype (skey, tkt): ArcFour with
>HMAC/md5, ArcFour with HMAC/md5
>02/08/06 14:12:25  02/09/06 00:12:07  solerokrb <at> EFTESTE.COM
>        renew until 02/09/06 14:12:07, Etype (skey, tkt): DES cbc mode with
>CRC-32, DES cbc mode with CRC-32
>
>
>Kerberos 4 ticket cache: /tmp/tkt0
>klist: You have no tickets cached
>
>
>
>solerokrb seems ok, because of the -crypto option in ktpass, but what about
>the other ones? I don't know if the results are ok, I'm getting a little
>desperate here, seeing patterns everywhere ;)
>
>Can anybody help me?
>
>
>PS - Where can I get an Apache that doesn't give segmentation faults?
>
>
>Regards,
>
>Henrique Craveiro
>

Marc Boorshtein | 9 Feb 2006 18:52

mod_auth_kerb failing when kinit works

Hello,

I've set up mod_auth_kerb on a Fedora Core 4 system on which kinit runs
perfectly.  When I try to log onto a web server I get the error:

[Thu Feb 09 11:07:13 2006] [error] [client 10.2.97.82]
gss_import_name() failed: An invalid name was supplied (Cannot
determine realm for numeric host address)

What does this error mean?

Thanks
Marc
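The three name-mapping failures in this thread (the `.efteste.com` entry Yannick adds to [domain_realm], Marc's "Cannot determine realm for numeric host address", and the "Server not found in Kerberos database" that follows from a keytab generated for the wrong host name) can be reproduced offline with a small checker. This is an added example, not code from the thread, from mod_auth_kerb or from MIT Kerberos; the krb5.conf text and the keytab principal lists are constructed, the function names are my own, and the parser only handles the flat `key = value` lines of a krb5.conf.

```python
import ipaddress
import re

# Constructed sample based on Yannick's krb5.conf above, with the leading-dot entry.
KRB5_CONF = """
[libdefaults]
        default_realm = EFTESTE.COM
[realms]
        EFTESTE.COM = {
                kdc = tarzan.efteste.com:88
        }
[domain_realm]
        efteste.com = EFTESTE.COM
        .efteste.com = EFTESTE.COM
"""

def parse_krb5_conf(text):
    """Collect the flat 'key = value' lines of each [section]; braced blocks are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments such as #default_domain
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif line and current is not None and depth == 0:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def realm_for_host(sections, hostname):
    """[domain_realm] lookup as the library performs it: the exact host first, then
    the nearest parent domain with a leading-dot entry. An IP literal has no domain
    to map, which is the 'Cannot determine realm for numeric host address' error."""
    host = hostname.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a hostname, not an address literal: carry on
    else:
        raise ValueError("Cannot determine realm for numeric host address")
    mapping = sections.get("domain_realm", {})
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None  # the real library then tries DNS or the uppercased domain

def expected_service_principal(sections, service, hostname):
    """The name mod_auth_kerb derives from KrbServiceName and the vhost name."""
    realm = realm_for_host(sections, hostname)
    if realm is None:
        raise LookupError(f"no [domain_realm] mapping for {hostname}")
    return f"{service}/{hostname.lower()}@{realm}"

def keytab_mismatch(sections, keytab_principals, service, hostname):
    """Return the principal the server needs if the keytab lacks it, else None.
    ktpass registers its -princ name at the KDC and writes that name into the keytab,
    so a name that differs from the derived one is what the KDC reports as
    'Server not found in Kerberos database'."""
    wanted = expected_service_principal(sections, service, hostname)
    return None if wanted in keytab_principals else wanted
```

With only the bare `efteste.com = EFTESTE.COM` line from the original post, `realm_for_host` returns None for solero.efteste.com; the leading-dot entry is what makes the host map.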
