Hi List,

I'm having problems with the authentication through mod_auth_kerb. The used solution had worked for four months without any problems. Ever since 16 Aug 2007 that solution hasn't been functional.
Nothing has been changed in our system (Apache 2.0.55 with mod_auth_kerb). The service provider who administrates the ADS confirmed that there were no changes made or any patches installed. The same applies to clients who are administrated by an external service provider; no changes resp. installation of patches were supposed to be done. However, I cannot confirm the external service provider's statements.

The following error messages appear in the VHost's apache error log:

--<apache error log>--
[Wed Aug 22 15:17:04 2007] [debug] src/mod_auth_kerb.c(1485): [client 127.0.0.2] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://intern.customer.com/index.html
[Wed Aug 22 15:17:26 2007] [debug] src/mod_auth_kerb.c(1485): [client 127.0.0.2] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://intern.customer.com/index.html
[Wed Aug 22 15:17:42 2007] [debug] src/mod_auth_kerb.c(1485): [client 127.0.0.2] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://intern.customer.com/index.html
[Wed Aug 22 15:17:42 2007] [debug] src/mod_auth_kerb.c(1172): [client 127.0.0.2] Acquiring creds for [EMAIL PROTECTED], referer: http://intern.customer.com/index.html
[Wed Aug 22 15:17:42 2007] [debug] src/mod_auth_kerb.c(1316): [client 127.0.0.2] Verifying client data using KRB5 GSS-API, referer: http://intern.customer.com/index.html
[Wed Aug 22 15:17:42 2007] [debug] src/mod_auth_kerb.c(1332): [client 127.0.0.2] Verification returned code 589824, referer: http://intern.customer.com/index.html
[Wed Aug 22 15:17:42 2007] [debug] src/mod_auth_kerb.c(1359): [client 127.0.0.2] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration., referer: http://intern.customer.com/index.html
--</apache error log>--

I get the following message when requesting the Kerberos commands:

[EMAIL PROTECTED]:/opt/krb5/bin]$ ./klist -e -f -a -n
Ticket cache: FILE:/tmp/krb5cc_2022
Default principal: HTTP/[EMAIL PROTECTED]

Valid starting     Expires            Service principal
08/22/07 17:07:36  08/23/07 03:08:07  krbtgt/[EMAIL PROTECTED]
        renew until 08/23/07 17:07:36, Flags: RIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
        Addresses: (none)

[EMAIL PROTECTED]:/opt/krb5/bin]# ./kvno HTTP/[EMAIL PROTECTED]
kvno: Server not found in Kerberos database while getting credentials for HTTP/[EMAIL PROTECTED]

After consultation with the service provider, a new keytab file has already been exported and transferred to the Apache system.

ktpass -princ HTTP/intern.customer.com -mapuser [EMAIL PROTECTED] -crypto DES-CBC-MD5 -ptype KRB_NT_PRINCIPAL -mapop set +desonly -pass ******** -out c:\temp\keytab

-rw-r--r-- 1 httpd httpd 77 Aug 23 10:16 intern.keytab

Do you have any advice on what else to check, or even a proposed solution?

Thanks for your help,
Thorsten

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
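
Added example, not part of the original post or of mod_auth_kerb: a small Python diagnostic that decodes the GSS-API major status from the log above (589824) and classifies the token in an `Authorization: Negotiate` header as NTLM, SPNEGO or Kerberos. The function names and the sample tokens are constructed for illustration; the error names follow RFC 2744.

```python
import base64

# GSS-API routine errors in RFC 2744 order; value N sits in bits 16-23 of the major status.
ROUTINE_ERRORS = ("BAD_MECH BAD_NAME BAD_NAMETYPE BAD_BINDINGS BAD_STATUS BAD_SIG "
                  "NO_CRED NO_CONTEXT DEFECTIVE_TOKEN DEFECTIVE_CREDENTIAL "
                  "CREDENTIALS_EXPIRED CONTEXT_EXPIRED FAILURE BAD_QOP UNAUTHORIZED "
                  "UNAVAILABLE DUPLICATE_ELEMENT NAME_NOT_MN").split()

# DER-encoded mechanism OIDs that can open a GSS-API initial context token.
MECH_OIDS = {
    bytes.fromhex("2b0601050502"): "SPNEGO",            # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",  # 1.2.840.113554.1.2.2
}

def decode_major_status(code):
    """Name the routine error carried in a GSS-API major status code."""
    routine = (code >> 16) & 0xFF
    if routine == 0:
        return "no routine error"
    if routine > len(ROUTINE_ERRORS):
        return "unknown routine error %d" % routine
    return "GSS_S_" + ROUTINE_ERRORS[routine - 1]

def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not a Negotiate header"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid base64"
    if token.startswith(b"NTLMSSP\x00"):
        # Raw NTLM: 8-byte signature, then a little-endian 32-bit message type.
        return "NTLM (message type %d)" % int.from_bytes(token[8:12], "little")
    if len(token) > 2 and token[0] == 0x60:  # [APPLICATION 0] GSS-API framing
        # Skip the DER length (short form: 1 byte; long form: 1 + n bytes).
        i = 2 if token[1] < 0x80 else 2 + (token[1] & 0x7F)
        if len(token) > i + 1 and token[i] == 0x06:  # OBJECT IDENTIFIER tag
            return MECH_OIDS.get(token[i + 2:i + 2 + token[i + 1]], "unknown GSS mechanism")
    return "unrecognized token"

# Constructed sample tokens (not captured traffic): an NTLM type 1 message and a
# truncated SPNEGO token holding only the GSS-API framing and mechanism OID.
NTLM_SAMPLE = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(4)).decode()
SPNEGO_SAMPLE = "Negotiate " + base64.b64encode(
    bytes.fromhex("600806062b0601050502")).decode()

if __name__ == "__main__":
    print(decode_major_status(589824))
    print(classify_negotiate(NTLM_SAMPLE))
    print(classify_negotiate(SPNEGO_SAMPLE))
```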
