[30642] in Kerberos


Re: mod_auth_kerb: gss_accept_sec_context() failed

daemon@ATHENA.MIT.EDU (Michael Ströder)
Tue Jan 20 08:50:12 2009

From: Michael Ströder <michael@stroeder.com>
Date: Mon, 19 Jan 2009 17:32:28 +0100
Message-ID: <thme46-guu.ln1@nb2.stroeder.com>
Mime-Version: 1.0
X-Complaints-To: usenet-abuse@t-online.de
In-Reply-To: <mailman.26.1232138965.4529.kerberos@mit.edu>
To: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Andrew Cobaugh wrote:
> On Fri, Jan 16, 2009 at 2:58 PM, Michael Ströder <michael@stroeder.com> wrote:
>> HI!
>>
>> I'm trying to test mod_auth_kerb-5.4 built with MIT libs 1.6.3 for
>> SPNEGO/Kerberos working with MS AD W2K3SP1. My ultimate goal is to
>> receive a forwardable ticket (env var KRB5CCNAME) and use that for LDAP
>> SASL/GSSAPI bind to AD. The service account in AD is AFAICS properly
>> initialized.
>>
>> The web browser is Seamonkey and it already sends the
>> Authorization: Negotiate YIIE0AYGKwYBBQ[..]
>> in the HTTP request.
>>
>> But it does not work. I don't get authorized HTTP access.
>> In Apache's error_log I find:
>> gss_accept_sec_context() failed: Unspecified GSS failure.  Minor
>> code may provide more information (, Decrypt integrity check failed)
> 
> Are you sure that the keytab specified by Krb5Keytab is consistent
> with the HTTP service principal that is in AD? That message is the
> same as saying "your password is wrong."

Yes, I'm pretty sure. Krb5Keytab points to the file I've extracted with
ktpass.exe and the command-line tool 'strings' extracts the right
Kerberos realm, "HTTP" and fully-qualified domain name of the server.

How can I gather more debug log messages?

> Also, if you're going to use mod_auth_kerb to do GSS, you'll need a
> patch so that mod_auth_kerb sets up the GSS environment correctly, so
> that your application will use the correct KRB5CCNAME:
> 
> http://users.bx.psu.edu/~phalenor/code/mod_auth_kerb-5.4-set_gss_ccache_name.patch

Many thanks for this information!

Ciao, Michael.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

