I still do not understand what the problem is. Can you advise how to find the bug? I see this message in a loop for a few minutes in the Apache log:
src/mod_auth_kerb.c(691): [client 192.168.1.75] Trying to get TGT for user t...@h-----g.com

Then the KDC gives a TGT and the message repeats... After a few minutes the browser enters the site and shows pages. If the password is incorrect, this is reported almost immediately.

Debug is enabled in the apache2 config. KDC verification is disabled to reduce the size of the log.

Apache virtual host config:

<VirtualHost *:80>
    Servername www.h-----g.com
    DocumentRoot /var/www/www.h-----g.com
    <Directory /var/www/www.h-----g.com/profile>
        AuthGROUP_Enabled on
        AuthType Kerberos
        KrbServiceName "webinterface/webserver"
        Krb5Keytab /etc/apache2/krb5.keytab
        # KrbMethodK5Passwd off
        KrbMethodNegotiate off
        KrbSaveCredentials on
        # Require group dhcs
        Require valid-user
        KrbVerifyKDC off
    </Directory>
</VirtualHost>

I try to enter the site as user "t...@h-----g.com":

tail -f /var/log/apache2/error.log /var/log/heimdal-kdc.log /var/log/apache2/other_vhosts_access.log:

==> /var/log/apache2/error.log <==
[Wed Oct 21 03:07:53 2009] [debug] src/mod_auth_kerb.c(1105): [client 192.168.1.75] kerb_authenticate_user_krb5pwd ret=0 user=t...@h-----g.com authtype=Basic
[Wed Oct 21 03:07:53 2009] [debug] src/mod_auth_kerb.c(1579): [client 192.168.1.75] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 21 03:07:53 2009] [debug] src/mod_auth_kerb.c(1023): [client 192.168.1.75] Using webinterface/webser...@h-----g.com as server principal for password verification
[Wed Oct 21 03:07:53 2009] [debug] src/mod_auth_kerb.c(691): [client 192.168.1.75] Trying to get TGT for user t...@h-----g.com

==> /var/log/heimdal-kdc.log <==
2009-10-21T03:07:53 AS-REQ t...@h-----g.com from IPv4:192.168.1.75 for krbtgt/h-----g....@h-----g.com
2009-10-21T03:07:53 No preauth found, returning PREAUTH-REQUIRED -- t...@h-----g.com
2009-10-21T03:07:53 sending 400 bytes to IPv4:192.168.1.75
2009-10-21T03:08:01 AS-REQ t...@h-----g.com from IPv4:192.168.1.75 for krbtgt/h-----g....@h-----g.com
2009-10-21T03:08:01 Client sent patypes: encrypted-timestamp
2009-10-21T03:08:01 Looking for PKINIT pa-data -- t...@h-----g.com
2009-10-21T03:08:01 Looking for ENC-TS pa-data -- t...@h-----g.com
2009-10-21T03:08:01 ENC-TS Pre-authentication succeeded -- t...@h-----g.com using aes256-cts-hmac-sha1-96
2009-10-21T03:08:01 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4
2009-10-21T03:08:01 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2009-10-21T03:08:01 Requested flags: renewable_ok, proxiable, forwardable
2009-10-21T03:08:01 AS-REQ authtime: 2009-10-21T03:08:01 starttime: unset endtime: 2009-10-22T03:07:53 renew till: unset
2009-10-21T03:08:01 sending 638 bytes to IPv4:192.168.1.75

==> /var/log/apache2/error.log <==
[Wed Oct 21 03:08:09 2009] [debug] src/mod_auth_kerb.c(1105): [client 192.168.1.75] kerb_authenticate_user_krb5pwd ret=0 user=t...@h-----g.com authtype=Basic
[Wed Oct 21 03:08:09 2009] [debug] src/mod_auth_kerb.c(1579): [client 192.168.1.75] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 21 03:08:09 2009] [debug] src/mod_auth_kerb.c(1023): [client 192.168.1.75] Using webinterface/webser...@h-----g.com as server principal for password verification
[Wed Oct 21 03:08:09 2009] [debug] src/mod_auth_kerb.c(691): [client 192.168.1.75] Trying to get TGT for user t...@h-----g.com

==> /var/log/heimdal-kdc.log <==
2009-10-21T03:08:09 AS-REQ t...@h-----g.com from IPv4:192.168.1.75 for krbtgt/h-----g....@h-----g.com
2009-10-21T03:08:09 No preauth found, returning PREAUTH-REQUIRED -- t...@h-----g.com
2009-10-21T03:08:09 sending 400 bytes to IPv4:192.168.1.75
2009-10-21T03:08:17 AS-REQ t...@h-----g.com from IPv4:192.168.1.75 for krbtgt/h-----g....@h-----g.com
2009-10-21T03:08:17 Client sent patypes: encrypted-timestamp
2009-10-21T03:08:17 Looking for PKINIT pa-data -- t...@h-----g.com
2009-10-21T03:08:17 Looking for ENC-TS pa-data -- t...@h-----g.com
2009-10-21T03:08:17 ENC-TS Pre-authentication succeeded -- t...@h-----g.com using aes256-cts-hmac-sha1-96
2009-10-21T03:08:17 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4
2009-10-21T03:08:17 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2009-10-21T03:08:17 Requested flags: renewable_ok, proxiable, forwardable
2009-10-21T03:08:17 AS-REQ authtime: 2009-10-21T03:08:17 starttime: unset endtime: 2009-10-22T03:08:09 renew till: unset
2009-10-21T03:08:17 sending 638 bytes to IPv4:192.168.1.75

==> /var/log/apache2/error.log <==
[Wed Oct 21 03:08:25 2009] [debug] src/mod_auth_kerb.c(1105): [client 192.168.1.75] kerb_authenticate_user_krb5pwd ret=0 user=t...@h-----g.com authtype=Basic
[Wed Oct 21 03:08:25 2009] [debug] src/mod_auth_kerb.c(1579): [client 192.168.1.75] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 21 03:08:25 2009] [debug] src/mod_auth_kerb.c(1023): [client 192.168.1.75] Using webinterface/webser...@h-----g.com as server principal for password verification
[Wed Oct 21 03:08:25 2009] [debug] src/mod_auth_kerb.c(691): [client 192.168.1.75] Trying to get TGT for user t...@h-----g.com

==> /var/log/heimdal-kdc.log <==
2009-10-21T03:08:25 AS-REQ t...@h-----g.com from IPv4:192.168.1.75 for krbtgt/h-----g....@h-----g.com
2009-10-21T03:08:25 No preauth found, returning PREAUTH-REQUIRED -- t...@h-----g.com
2009-10-21T03:08:25 sending 400 bytes to IPv4:192.168.1.75
2009-10-21T03:08:33 AS-REQ t...@h-----g.com from IPv4:192.168.1.75 for krbtgt/h-----g....@h-----g.com
2009-10-21T03:08:33 Client sent patypes: encrypted-timestamp
2009-10-21T03:08:33 Looking for PKINIT pa-data -- t...@h-----g.com
2009-10-21T03:08:33 Looking for ENC-TS pa-data -- t...@h-----g.com
2009-10-21T03:08:33 ENC-TS Pre-authentication succeeded -- t...@h-----g.com using aes256-cts-hmac-sha1-96
2009-10-21T03:08:33 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4
2009-10-21T03:08:33 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2009-10-21T03:08:33 Requested flags: renewable_ok, proxiable, forwardable
2009-10-21T03:08:33 AS-REQ authtime: 2009-10-21T03:08:33 starttime: unset endtime: 2009-10-22T03:08:25 renew till: unset
2009-10-21T03:08:33 sending 638 bytes to IPv4:192.168.1.75

==> /var/log/apache2/error.log <==
[Wed Oct 21 03:08:41 2009] [debug] src/mod_auth_kerb.c(1105): [client 192.168.1.75] kerb_authenticate_user_krb5pwd ret=0 user=t...@h-----g.com authtype=Basic
[Wed Oct 21 03:08:42 2009] [debug] src/mod_auth_kerb.c(1579): [client 192.168.1.75] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 21 03:08:42 2009] [debug] src/mod_auth_kerb.c(1023): [client 192.168.1.75] Using webinterface/webser...@h-----g.com as server principal for password verification
[Wed Oct 21 03:08:42 2009] [debug] src/mod_auth_kerb.c(691): [client 192.168.1.75] Trying to get TGT for user t...@h-----g.com

==> /var/log/heimdal-kdc.log <==
2009-10-21T03:08:42 AS-REQ t...@h-----g.com from IPv4:192.168.1.75 for krbtgt/h-----g....@h-----g.com
2009-10-21T03:08:42 No preauth found, returning PREAUTH-REQUIRED -- t...@h-----g.com
2009-10-21T03:08:42 sending 400 bytes to IPv4:192.168.1.75
2009-10-21T03:08:50 AS-REQ t...@h-----g.com from IPv4:192.168.1.75 for krbtgt/h-----g....@h-----g.com
2009-10-21T03:08:50 Client sent patypes: encrypted-timestamp
2009-10-21T03:08:50 Looking for PKINIT pa-data -- t...@h-----g.com
2009-10-21T03:08:50 Looking for ENC-TS pa-data -- t...@h-----g.com
2009-10-21T03:08:50 ENC-TS Pre-authentication succeeded -- t...@h-----g.com using aes256-cts-hmac-sha1-96
2009-10-21T03:08:50 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4
2009-10-21T03:08:50 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2009-10-21T03:08:50 Requested flags: renewable_ok, proxiable, forwardable
2009-10-21T03:08:50 AS-REQ authtime: 2009-10-21T03:08:50 starttime: unset endtime: 2009-10-22T03:08:42 renew till: unset
2009-10-21T03:08:50 sending 638 bytes to IPv4:192.168.1.75

==> /var/log/apache2/error.log <==
[Wed Oct 21 03:08:58 2009] [debug] src/mod_auth_kerb.c(1105): [client 192.168.1.75] kerb_authenticate_user_krb5pwd ret=0 user=t...@h-----g.com authtype=Basic
[Wed Oct 21 03:08:58 2009] [debug] src/mod_auth_kerb.c(1579): [client 192.168.1.75] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 21 03:08:58 2009] [debug] src/mod_auth_kerb.c(1023): [client 192.168.1.75] Using webinterface/webser...@h-----g.com as server principal for password verification
[Wed Oct 21 03:08:58 2009] [debug] src/mod_auth_kerb.c(691): [client 192.168.1.75] Trying to get TGT for user t...@h-----g.com

==> /var/log/heimdal-kdc.log <==
2009-10-21T03:08:58 AS-REQ t...@h-----g.com from IPv4:192.168.1.75 for krbtgt/h-----g....@h-----g.com
2009-10-21T03:08:58 No preauth found, returning PREAUTH-REQUIRED -- t...@h-----g.com
2009-10-21T03:08:58 sending 400 bytes to IPv4:192.168.1.75
2009-10-21T03:09:06 AS-REQ t...@h-----g.com from IPv4:192.168.1.75 for krbtgt/h-----g....@h-----g.com
2009-10-21T03:09:06 Client sent patypes: encrypted-timestamp
2009-10-21T03:09:06 Looking for PKINIT pa-data -- t...@h-----g.com
2009-10-21T03:09:06 Looking for ENC-TS pa-data -- t...@h-----g.com
2009-10-21T03:09:06 ENC-TS Pre-authentication succeeded -- t...@h-----g.com using aes256-cts-hmac-sha1-96
2009-10-21T03:09:06 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4
2009-10-21T03:09:06 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2009-10-21T03:09:06 Requested flags: renewable_ok, proxiable, forwardable
2009-10-21T03:09:06 AS-REQ authtime: 2009-10-21T03:09:06 starttime: unset endtime: 2009-10-22T03:08:58 renew till: unset
2009-10-21T03:09:06 sending 638 bytes to IPv4:192.168.1.75

==> /var/log/apache2/error.log <==
[Wed Oct 21 03:09:15 2009] [debug] src/mod_auth_kerb.c(1105): [client 192.168.1.75] kerb_authenticate_user_krb5pwd ret=0 user=t...@h-----g.com authtype=Basic
[Wed Oct 21 03:09:15 2009] [debug] src/mod_auth_kerb.c(1579): [client 192.168.1.75] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 21 03:09:15 2009] [debug] src/mod_auth_kerb.c(1023): [client 192.168.1.75] Using webinterface/webser...@h-----g.com as server principal for password verification
[Wed Oct 21 03:09:15 2009] [debug] src/mod_auth_kerb.c(691): [client 192.168.1.75] Trying to get TGT for user t...@h-----g.com

==> /var/log/heimdal-kdc.log <==
2009-10-21T03:09:15 AS-REQ t...@h-----g.com from IPv4:192.168.1.75 for krbtgt/h-----g....@h-----g.com
2009-10-21T03:09:15 No preauth found, returning PREAUTH-REQUIRED -- t...@h-----g.com
2009-10-21T03:09:15 sending 400 bytes to IPv4:192.168.1.75
2009-10-21T03:09:23 AS-REQ t...@h-----g.com from IPv4:192.168.1.75 for krbtgt/h-----g....@h-----g.com
2009-10-21T03:09:23 Client sent patypes: encrypted-timestamp
2009-10-21T03:09:23 Looking for PKINIT pa-data -- t...@h-----g.com
2009-10-21T03:09:23 Looking for ENC-TS pa-data -- t...@h-----g.com
2009-10-21T03:09:23 ENC-TS Pre-authentication succeeded -- t...@h-----g.com using aes256-cts-hmac-sha1-96
2009-10-21T03:09:23 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4
2009-10-21T03:09:23 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2009-10-21T03:09:23 Requested flags: renewable_ok, proxiable, forwardable
2009-10-21T03:09:23 AS-REQ authtime: 2009-10-21T03:09:23 starttime: unset endtime: 2009-10-22T03:09:15 renew till: unset
2009-10-21T03:09:23 sending 638 bytes to IPv4:192.168.1.75

==> /var/log/apache2/error.log <==
[Wed Oct 21 03:09:31 2009] [debug] src/mod_auth_kerb.c(1105): [client 192.168.1.75] kerb_authenticate_user_krb5pwd ret=0 user=t...@h-----g.com authtype=Basic
[Wed Oct 21 03:09:31 2009] [debug] src/mod_auth_kerb.c(1579): [client 192.168.1.75] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 21 03:09:31 2009] [debug] src/mod_auth_kerb.c(1023): [client 192.168.1.75] Using webinterface/webser...@h-----g.com as server principal for password verification
[Wed Oct 21 03:09:31 2009] [debug] src/mod_auth_kerb.c(691): [client 192.168.1.75] Trying to get TGT for user t...@h-----g.com

==> /var/log/heimdal-kdc.log <==
2009-10-21T03:09:31 AS-REQ t...@h-----g.com from IPv4:192.168.1.75 for krbtgt/h-----g....@h-----g.com
2009-10-21T03:09:31 No preauth found, returning PREAUTH-REQUIRED -- t...@h-----g.com
2009-10-21T03:09:31 sending 400 bytes to IPv4:192.168.1.75
2009-10-21T03:09:39 AS-REQ t...@h-----g.com from IPv4:192.168.1.75 for krbtgt/h-----g....@h-----g.com
2009-10-21T03:09:39 Client sent patypes: encrypted-timestamp
2009-10-21T03:09:39 Looking for PKINIT pa-data -- t...@h-----g.com
2009-10-21T03:09:39 Looking for ENC-TS pa-data -- t...@h-----g.com
2009-10-21T03:09:39 ENC-TS Pre-authentication succeeded -- t...@h-----g.com using aes256-cts-hmac-sha1-96
2009-10-21T03:09:39 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4
2009-10-21T03:09:39 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2009-10-21T03:09:39 Requested flags: renewable_ok, proxiable, forwardable
2009-10-21T03:09:39 AS-REQ authtime: 2009-10-21T03:09:39 starttime: unset endtime: 2009-10-22T03:09:31 renew till: unset
2009-10-21T03:09:39 sending 638 bytes to IPv4:192.168.1.75

==> /var/log/apache2/error.log <==
[Wed Oct 21 03:09:47 2009] [debug] src/mod_auth_kerb.c(1105): [client 192.168.1.75] kerb_authenticate_user_krb5pwd ret=0 user=t...@h-----g.com authtype=Basic
[Wed Oct 21 03:09:47 2009] [debug] src/mod_auth_kerb.c(1579): [client 192.168.1.75] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 21 03:09:47 2009] [debug] src/mod_auth_kerb.c(1023): [client 192.168.1.75] Using webinterface/webser...@h-----g.com as server principal for password verification
[Wed Oct 21 03:09:47 2009] [debug] src/mod_auth_kerb.c(691): [client 192.168.1.75] Trying to get TGT for user t...@h-----g.com

==> /var/log/heimdal-kdc.log <==
2009-10-21T03:09:47 AS-REQ t...@h-----g.com from IPv4:192.168.1.75 for krbtgt/h-----g....@h-----g.com
2009-10-21T03:09:47 No preauth found, returning PREAUTH-REQUIRED -- t...@h-----g.com
2009-10-21T03:09:47 sending 400 bytes to IPv4:192.168.1.75
2009-10-21T03:09:55 AS-REQ t...@h-----g.com from IPv4:192.168.1.75 for krbtgt/h-----g....@h-----g.com
2009-10-21T03:09:55 Client sent patypes: encrypted-timestamp
2009-10-21T03:09:55 Looking for PKINIT pa-data -- t...@h-----g.com
2009-10-21T03:09:55 Looking for ENC-TS pa-data -- t...@h-----g.com
2009-10-21T03:09:55 ENC-TS Pre-authentication succeeded -- t...@h-----g.com using aes256-cts-hmac-sha1-96
2009-10-21T03:09:55 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4
2009-10-21T03:09:55 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2009-10-21T03:09:55 Requested flags: renewable_ok, proxiable, forwardable
2009-10-21T03:09:55 AS-REQ authtime: 2009-10-21T03:09:55 starttime: unset endtime: 2009-10-22T03:09:47 renew till: unset
2009-10-21T03:09:55 sending 638 bytes to IPv4:192.168.1.75

==> /var/log/apache2/error.log <==
[Wed Oct 21 03:10:03 2009] [debug] src/mod_auth_kerb.c(1105): [client 192.168.1.75] kerb_authenticate_user_krb5pwd ret=0 user=t...@h-----g.com authtype=Basic
[Wed Oct 21 03:10:03 2009] [debug] mod_deflate.c(632): [client 192.168.1.75] Zlib: Compressed 937 to 463 : URL /profile/

==> /var/log/apache2/other_vhosts_access.log <==
www.h-----g.com:80 192.168.1.75 - t...@h-----g.com [21/Oct/2009:03:07:37 +0800] "GET /profile/ HTTP/1.1" 200 481 "-" "Mozilla/5.0 (X11; U; Linux i686; ru; rv:1.9.0.13) Gecko/2009082121 Iceweasel/3.0.6 (Debian-3.0.6-3)"
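To put numbers on a loop like the one in the logs above, this added example (not part of the original post) pairs each PREAUTH-REQUIRED reply in a heimdal-kdc.log with the successful retry and reports the delays per principal. The sample lines are constructed in the shape of the post's log; the principals, the client address and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the heimdal-kdc.log lines in the post;
# principals and the client address are placeholders.
SAMPLE_KDC_LOG = """\
2009-10-21T03:07:53 AS-REQ user@EXAMPLE.COM from IPv4:192.0.2.75 for krbtgt/EXAMPLE.COM@EXAMPLE.COM
2009-10-21T03:07:53 No preauth found, returning PREAUTH-REQUIRED -- user@EXAMPLE.COM
2009-10-21T03:08:01 AS-REQ user@EXAMPLE.COM from IPv4:192.0.2.75 for krbtgt/EXAMPLE.COM@EXAMPLE.COM
2009-10-21T03:08:01 ENC-TS Pre-authentication succeeded -- user@EXAMPLE.COM using aes256-cts-hmac-sha1-96
2009-10-21T03:08:02 No preauth found, returning PREAUTH-REQUIRED -- other@EXAMPLE.COM
2009-10-21T03:08:02 ENC-TS Pre-authentication succeeded -- other@EXAMPLE.COM using aes256-cts-hmac-sha1-96
2009-10-21T03:08:09 No preauth found, returning PREAUTH-REQUIRED -- user@EXAMPLE.COM
2009-10-21T03:08:17 ENC-TS Pre-authentication succeeded -- user@EXAMPLE.COM using aes256-cts-hmac-sha1-96
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (.*)$")
EVENTS = (
    ("challenge", re.compile(r"returning PREAUTH-REQUIRED -- (\S+)")),
    ("success", re.compile(r"Pre-authentication succeeded -- (\S+)")),
)

def as_exchange_gaps(log_text):
    """Per principal: 'retry' = seconds from PREAUTH-REQUIRED to the successful
    AS-REQ, 'idle' = seconds from a success to the next PREAUTH-REQUIRED."""
    state = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # tail -f file headers, blank lines, wrapped fragments
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        for kind, rx in EVENTS:
            hit = rx.search(m.group(2))
            if not hit:
                continue
            s = state.setdefault(hit.group(1), {"retry": [], "idle": [], "last": None})
            # Only a change of event kind closes a gap; repeats just move the marker.
            if s["last"] and s["last"][0] != kind:
                gap = int((ts - s["last"][1]).total_seconds())
                s["retry" if kind == "success" else "idle"].append(gap)
            s["last"] = (kind, ts)
    return {p: {"retry": s["retry"], "idle": s["idle"]} for p, s in state.items()}

def repeated_exchanges(stats, min_cycles=2):
    """Principals that completed the AS exchange at least min_cycles times."""
    return sorted(p for p, s in stats.items() if len(s["retry"]) >= min_cycles)

if __name__ == "__main__":
    for principal, gaps in as_exchange_gaps(SAMPLE_KDC_LOG).items():
        print(principal, gaps)
```
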