[30644] in Kerberos
Re: mod_auth_kerb: gss_accept_sec_context() failed
daemon@ATHENA.MIT.EDU (Michael Ströder)
Tue Jan 20 20:37:58 2009
From: Michael Ströder <michael@stroeder.com>
Date: Tue, 20 Jan 2009 21:20:49 +0100
Message-ID: <2aoh46-bq5.ln1@nb2.stroeder.com>
Mime-Version: 1.0
X-Complaints-To: usenet-abuse@t-online.de
In-Reply-To: <thme46-guu.ln1@nb2.stroeder.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Michael Ströder wrote:
> Andrew Cobaugh wrote:
>> On Fri, Jan 16, 2009 at 2:58 PM, Michael Ströder <michael@stroeder.com> wrote:
>>> Hi!
>>>
>>> I'm trying to test mod_auth_kerb-5.4 built with MIT libs 1.6.3 for
>>> SPNEGO/Kerberos working with MS AD W2K3SP1. My ultimate goal is to
>>> receive a forwardable ticket (env var KRB5CCNAME) and use that for LDAP
>>> SASL/GSSAPI bind to AD. The service account in AD is AFAICS properly
>>> initialized.
>>>
>>> The web browser is Seamonkey and it already sends the
>>> Authorization: Negotiate YIIE0AYGKwYBBQ[..]
>>> in the HTTP request.
>>>
>>> But it does not work. I don't get authorized HTTP access.
>>> In Apache's error_log I find:
>>> gss_accept_sec_context() failed: Unspecified GSS failure. Minor
>>> code may provide more information (, Decrypt integrity check failed)
>> Are you sure that the keytab specified by Krb5Keytab is consistent
>> with the HTTP service principal that is in AD? That message is the
>> same as saying "your password is wrong."
>
> Yes, I'm pretty sure. Krb5Keytab points to the file I've extracted with
> ktpass.exe and the command-line tool 'strings' extracts the right
> Kerberos realm, "HTTP" and fully-qualified domain name of the server.
>
> How can I gather more debug log messages?
Well, I set LogLevel debug in httpd.conf now and got the following
messages in Apache's error_log:
------------------------------ snip ------------------------------
[debug] src/mod_auth_kerb.c(1635): [client 10.1.1.5]
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1635): [client 10.1.1.5]
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1247): [client 10.1.1.5] Acquiring creds for
HTTP/nb2.stroeder.local@DOM2.ADTEST.LOCAL
[debug] src/mod_auth_kerb.c(1392): [client 10.1.1.5] Verifying client
data using KRB5 GSS-API
[debug] src/mod_auth_kerb.c(1408): [client 10.1.1.5] Client didn't
delegate us their credential
[debug] src/mod_auth_kerb.c(1108): [client 10.1.1.5] GSS-API
major_status:000d0000, minor_status:96c73a1f
[error] [client 10.1.1.5] gss_accept_sec_context() failed: Unspecified
GSS failure. Minor code may provide more information (, Decrypt
integrity check failed)
------------------------------ snip ------------------------------
Hmm...
>> Also, if you're going to use mod_auth_kerb to do GSS, you'll need a
>> patch so that mod_auth_kerb sets up the GSS environment correctly, so
>> that your application will use the correct KRB5CCNAME:
>>
>> http://users.bx.psu.edu/~phalenor/code/mod_auth_kerb-5.4-set_gss_ccache_name.patch
>
> Many thanks for this information!
I've applied this patch.
Ciao, Michael.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
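The thread inspects the ktpass.exe keytab with `strings`, which shows the realm and principal name but not the two fields that usually explain "Decrypt integrity check failed" on gss_accept_sec_context(): the key version number (kvno) and the enctype. The following is an added example, not code from the thread or from mod_auth_kerb: a small pure-Python parser for the version-2 keytab file format (the format MIT krb5 and ktpass.exe write), plus a check that reports whether the keytab holds a key for the principal Apache logged (HTTP/nb2.stroeder.local@DOM2.ADTEST.LOCAL) and whether its kvno matches the value the KDC hands out. The sample keytab bytes are constructed inline with a helper, and the `kdc_kvno` argument is assumed to come from the caller (for example the output of MIT's `kvno` tool after a kinit against the AD realm); key material is skipped over and never printed.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Enctype numbers from RFC 3961/3962 and RFC 4757 (arcfour-hmac is what
# a W2K3-era ktpass.exe typically emits).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}


@dataclass
class KeytabEntry:
    principal: str   # e.g. HTTP/host.fqdn@REALM
    name_type: int   # 1 = KRB5_NT_PRINCIPAL
    timestamp: int
    kvno: int
    enctype: int
    key_len: int

    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, "etype-%d" % self.enctype)


def _counted(buf: bytes, off: int):
    """Keytab 'counted octet string': uint16 length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2: off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version-2 keytab (magic 0x0502) into a list of entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:              # negative size marks a deleted entry (hole)
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts = struct.unpack_from(">II", data, off)
        off += 8
        vno8 = data[off]
        off += 1
        etype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen            # skip the key bytes; never expose them
        kvno = vno8
        if end - off >= 4:         # optional 32-bit kvno, present in newer files
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, etype, klen))
    return entries


def build_entry(principal: str, kvno: int, enctype: int, key: bytes, ts: int = 0) -> bytes:
    """Serialise one entry (used here only to construct the sample keytab)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample keytab: HTTP and host keys, kvno 3, arcfour-hmac, dummy key bytes.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("HTTP/nb2.stroeder.local@DOM2.ADTEST.LOCAL", 3, 23, b"\x11" * 16, 1232400000)
                 + build_entry("host/nb2.stroeder.local@DOM2.ADTEST.LOCAL", 3, 23, b"\x22" * 16, 1232400000))


def check_keytab(entries: List[KeytabEntry], expected_principal: str,
                 kdc_kvno: Optional[int] = None) -> List[str]:
    """Report the keytab conditions that make the KDC-issued service ticket undecryptable."""
    findings = []
    matches = [e for e in entries if e.principal == expected_principal]
    if not matches:
        have = ", ".join(sorted({e.principal for e in entries})) or "none"
        findings.append("no key for %s in keytab (principals present: %s)" % (expected_principal, have))
        return findings
    for e in matches:
        if e.enctype not in ENCTYPE_NAMES:
            findings.append("%s uses unknown enctype %d" % (e.principal, e.enctype))
        if kdc_kvno is not None and e.kvno != kdc_kvno:
            findings.append("%s: keytab kvno %d but KDC issues kvno %d (account password "
                            "changed after ktpass; re-export the keytab)" % (e.principal, e.kvno, kdc_kvno))
    return findings


if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):       # klist -kte style listing
        print("%4d %-45s %s" % (e.kvno, e.principal, e.enctype_name()))
    print(check_keytab(parse_keytab(SAMPLE_KEYTAB),
                       "HTTP/nb2.stroeder.local@DOM2.ADTEST.LOCAL", kdc_kvno=3) or "keytab consistent")
```

Run it against a real file with `parse_keytab(open(path, "rb").read())`; a principal whose realm or host casing differs from what Apache logged shows up as "no key for ...", and a kvno that lags the KDC's value points at a password reset on the AD service account after the keytab was exported.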