Thread: mod_auth_kerb credential error for principal

mod_auth_kerb credential error for principal
Brazil
2007-03-22 12:47:15
Hello,

I'm facing a serious problem with Kerberos tickets.

I'm trying to authenticate Windows users to the Linux Apache web server using the Kerberos authentication method, with mod_auth_kerb for Apache.

I'm having problems with the keytab.

Targeting domain controller: DCserver.domain.com
Successfully mapped HTTP/LinuxServer.domain.com to myuser.
Type the password for HTTP/LinuxServer.domain.com:
Type the password again to confirm:
Key created.
Output keytab to c:\temp\apache.keytab:
Keytab version: 0x502
keysize 56 HTTP/LinuxServer.weg.net@WEG.NET ptype 1 (KRB5_NT_PRINCIPAL) vno 23 etype 0x3 (DES-CBC-MD5) keylength 8 (0x2f342c51891c1c68)
Account myuser has been set for DES-only encryption.

> I'm trying to use this keytab on the Linux Apache server with mod_auth_kerb; if I put the apache.keytab that was just created on the Windows side onto the Linux side, it doesn't work. I get this error when I run the kinit command:
>
> #kinit -k -t /usr/local/apache2/conf/apache.keytab
> kinit(v5): Client not found in Kerberos database while getting initial credentials

If I run kinit myuser and enter my password, it works fine, and after that, if I run klist, it shows me the cached ticket fine.

Also, if I run ktutil and check the kvno in the keytab, it gives me the right number (the same as the one created on the Windows side through ktpass).

> Can someone help me please,
> I'm stuck on this, almost one week, and don't know what else to do.

Edson Habowsky
Departamento de Sistemas de Informação
Sc Data Center - Tecnologia
Analista de Infra - Servidores/Storage
Fone: 55 (47) 3276 4619 - edsonh@weg.net
WEG Equipamentos Elétricos S.A. - Corporativo
"TRANSFORMANDO ENERGIA EM SOLUÇÕES"

 

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: mod_auth_kerb credential error for principal
United States
2007-03-22 14:56:43
A couple of things.
    AD is case insensitive, but Kerberos is not.
    The principal should have a lowercase host name.
    Fix it now before it causes more problems.

    kinit requires a principal as a parameter:
    kinit -k -t /usr/local/apache2/conf/apache.keytab HTTP/linuxserver.domain.com@WEG.NET

    The account name myuser should relate to the principal name, as each principal will need an account.
    (MS calls it a user account; it is not a real user, it is for the service.)


-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

RES: RES: RES: mod_auth_kerb credential error for principal
Brazil
2007-03-28 05:52:39
It's solved! (a bit)
I put these parameters into httpd.conf:
	KrbVerifyKDC off
	KrbServiceName HTTP

and it started working!!

Thanks a lot,

Edson Habowsky
Departamento de Sistemas de Informação
Sc Data Center - Tecnologia
Analista de Infra - Servidores/Storage
Fone: 55 (47) 3276 4619 - edsonh@weg.net
WEG Equipamentos Elétricos S.A. - Corporativo
"TRANSFORMANDO ENERGIA EM SOLUÇÕES"
-----Original Message-----
From: Douglas E. Engert [mailto:deengert@anl.gov]
Sent: Friday, 23 March 2007 15:59
To: Edson Habowsky
Subject: Re: RES: RES: mod_auth_kerb credential error for principal

Ask your question on the mod_auth_kerb list.


Edson Habowsky wrote:
> Yupeeee..
>
> I got something.
> I reset the password of the user and started the whole thing over, and now I'm able to do kinit -kt ../../apache.keytab HTTP/linuxserver.domain.com@DOMAIN.COM
>
> And if I run klist, I get the default principal ticket OK in the cache. NICE...
> But,
> now if I try to access the web server I'm not able to authenticate, and in /usr/local/apache2/logs/error_log I see this:
>
> failed to verify krb5 credentials: Server not found in Kerberos database
>
> Do you know what this is? Am I still stuck with the same problem?
>
> Edson Habowsky
> Departamento de Sistemas de Informação
> Sc Data Center - Tecnologia
> Analista de Infra - Servidores/Storage
> Fone: 55 (47) 3276 4619 - edsonh@weg.net
> WEG Equipamentos Elétricos S.A. - Corporativo
> "TRANSFORMANDO ENERGIA EM SOLUÇÕES"
>
> -----Original Message-----
> From: Edson Habowsky
> Sent: Friday, 23 March 2007 14:42
> To: 'Douglas E. Engert'
> Subject: RES: RES: mod_auth_kerb credential error for principal
> 
> Man, this is driving me crazy already..
> I'm using a tool called adsiedit from M$ in order to edit the user properties and the principal properties. What I do is delete from both the information that indicates who the service principal is and the user mapped to it.
>
> Then I run ktpass again with -mapuser myuser (the mapuser:myuser form doesn't work) in order to generate the keytab again. This works!
> Then I put this file on the Linux box, which is the principal, and run the kinit program over the key, and I get the message already reported here:
> "kinit(v5): Client not found in Kerberos database while getting initial credentials"
>
> I already tested with another user for this principal and also reset the account for this principal on the M$ AD side, and I'm still getting the same message.
>
> Edson Habowsky
> Departamento de Sistemas de Informação
> Sc Data Center - Tecnologia
> Analista de Infra - Servidores/Storage
> Fone: 55 (47) 3276 4619 - edsonh@weg.net
> WEG Equipamentos Elétricos S.A. - Corporativo
> "TRANSFORMANDO ENERGIA EM SOLUÇÕES"
>
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert@anl.gov]
> Sent: Friday, 23 March 2007 13:16
> To: Edson Habowsky
> Subject: Re: RES: mod_auth_kerb credential error for principal
>
>
>
> Edson Habowsky wrote:
>> I did it with the lowercase:
>>
>> [root@linuxserver ~]# kinit -k -t /usr/local/apache2/conf/apache.keytab HTTP/linuxserver.domain.com@DOMAIN.COM
>> kinit(v5): Preauthentication failed while getting initial credentials
>>
>> Before I did this, I ran adsiedit and deleted the user principal from linuxserver and the principal associated with the user account. Then I generated the keytab.
>>
>
> It is not clear what you did. Did you start over?
>
>
> The password used with the service account (what you have been calling myuser) has to be the same password used with the ktpass command to create the keytab.
>
> I would start over by deleting the "myuser" account.
> Then have your AD create an account with the name HTTP-linuxserver.
> It can not have a "/", must be 20 characters or less, and must be a unique name within the AD forest. It is the samAccountName.
> Then run ktpass using /mapuser:HTTP-linuxserver
>
>
>> Edson Habowsky
>> Departamento de Sistemas de Informação
>> Sc Data Center - Tecnologia
>> Analista de Infra - Servidores/Storage
>> Fone: 55 (47) 3276 4619 - edsonh@weg.net
>> WEG Equipamentos Elétricos S.A. - Corporativo
>> "TRANSFORMANDO ENERGIA EM SOLUÇÕES"
>> -----Original Message-----
>> From: Douglas E. Engert [mailto:deengert@anl.gov]
>> Sent: Thursday, 22 March 2007 16:57
>> To: Edson Habowsky
>> Cc: kerberos@mit.edu
>> Subject: Re: mod_auth_kerb credential error for principal

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

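Both errors in this thread, kinit's "Client not found in Kerberos database" when no principal is given, and mod_auth_kerb's "failed to verify krb5 credentials: Server not found in Kerberos database", come down to whether the principal stored in the keytab is exactly the name the client or Apache ends up asking the KDC about. The ktpass output above shows a mixed-case host name (HTTP/LinuxServer.weg.net), a realm (WEG.NET) that differs from the DNS domain the kinit commands use (domain.com), and a DES-only key. The script below is an added example, not code from the thread or from mod_auth_kerb: it parses the text printed by `klist -kte`, applies the checks Douglas lists (lowercase host, matching realm) plus a weak-enctype check, and then tests whether the principal Apache derives from its hostname is actually in the keytab. The two embedded listings are constructed for the example and shaped after the ktpass output in the first message; the hostname linuxserver.domain.com, the realm DOMAIN.COM and all function names are this example's assumptions.

```python
"""Keytab sanity audit for an Apache/mod_auth_kerb service principal (added example)."""
import re
import subprocess
import sys

# One entry line of MIT `klist -kt[e]` output.  The timestamp column is
# locale-dependent, so it is matched as two whitespace-separated tokens.
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+"
    r"(?P<timestamp>\S+\s+\S+)\s+"
    r"(?P<principal>\S+@\S+)"
    r"(?:\s+\((?P<enctype>[^)]*)\))?"
    r"\s*$"
)
PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^@]+)$")
# Single/triple DES and RC4 keys: modern krb5 refuses the first and deprecates the second.
WEAK_ENCTYPE_RE = re.compile(r"\b(des\w*|rc4|arcfour)\b", re.IGNORECASE)

# Constructed samples (not from the thread) in the shape of `klist -kte` output.
SAMPLE_BAD = """\
Keytab name: FILE:/usr/local/apache2/conf/apache.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  23 03/22/2007 12:47:15 HTTP/LinuxServer.weg.net@WEG.NET (DES cbc mode with RSA-MD5)
"""
SAMPLE_GOOD = """\
Keytab name: FILE:/usr/local/apache2/conf/apache.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 03/28/2007 09:00:00 HTTP/linuxserver.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   3 03/28/2007 09:00:00 HTTP/linuxserver.domain.com@DOMAIN.COM (aes128-cts-hmac-sha1-96)
"""


def parse_klist(output):
    """Return [(kvno, principal, enctype_or_None), ...] from klist -kt[e] text."""
    return [(int(m["kvno"]), m["principal"], m["enctype"])
            for m in map(ENTRY_RE.match, output.splitlines()) if m]


def audit_principal(principal, expected_realm=None):
    """Findings for one principal name: case, qualification, realm."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        return [f"{principal}: not of the form service/host@REALM"]
    host, realm = m["host"], m["realm"]
    findings = []
    if host != host.lower():
        findings.append(f"{principal}: host part is not lowercase "
                        "(AD is case-insensitive, Kerberos is not)")
    if "." not in host:
        findings.append(f"{principal}: host part is not fully qualified")
    if realm != realm.upper():
        findings.append(f"{principal}: realm is not uppercase")
    if expected_realm and realm != expected_realm:
        findings.append(f"{principal}: realm {realm} is not the expected {expected_realm}")
    return findings


def audit_keytab(output, expected_realm=None):
    """All findings for a keytab listing; an empty list means it looks sane."""
    entries = parse_klist(output)
    if not entries:
        return ["no keytab entries found"]
    findings, checked = [], set()
    for kvno, principal, enctype in entries:
        if principal not in checked:
            checked.add(principal)
            findings.extend(audit_principal(principal, expected_realm))
        if enctype and WEAK_ENCTYPE_RE.search(enctype):
            findings.append(f"{principal}: weak enctype '{enctype}' (kvno {kvno})")
    return findings


def missing_service_principal(output, hostname, realm, service="HTTP"):
    """Name mod_auth_kerb will look up for this host, or None if the keytab has it."""
    wanted = f"{service}/{hostname.lower()}@{realm}"
    present = {principal for _, principal, _ in parse_klist(output)}
    return None if wanted in present else wanted


def kinit_argv(keytab, principal):
    """kinit must be told the principal; omitting it produced the thread's first error."""
    return ["kinit", "-k", "-t", keytab, principal]


if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: audit.py KEYTAB HOSTNAME REALM
        keytab, hostname, realm = sys.argv[1:]
        listing = subprocess.run(["klist", "-kte", keytab], check=True,
                                 capture_output=True, text=True).stdout
    else:  # offline demo on the constructed sample
        keytab, hostname, realm = "apache.keytab", "linuxserver.domain.com", "DOMAIN.COM"
        listing = SAMPLE_BAD
    for finding in audit_keytab(listing, realm):
        print("finding:", finding)
    missing = missing_service_principal(listing, hostname, realm)
    if missing:
        print("keytab lacks the principal Apache will use:", missing)
    else:
        print("next:", " ".join(kinit_argv(keytab, f"HTTP/{hostname.lower()}@{realm}")))
```

On the constructed bad sample the audit reports the mixed-case host, the WEG.NET/DOMAIN.COM realm mismatch and the DES key, and reports that HTTP/linuxserver.domain.com@DOMAIN.COM is absent; on the good sample it reports nothing. The workaround in the last message, KrbVerifyKDC off, deserves a caveat: in mod_auth_kerb's password (Basic) path that directive controls the step in which, after obtaining a TGT with the user's password, the module fetches a ticket for its own HTTP/ principal and decrypts it with the keytab to prove the reply came from a KDC that holds the server's key. "Server not found in Kerberos database" is that step failing to find the server's own principal, which is what the last check above looks for. Turning verification off makes the error go away, but it also means anyone who can answer the server's KDC traffic can authenticate as any user, so the principal mismatch should be fixed and the directive left at its default.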
