[30676] in Kerberos


Re: Help: gss_accept_sec_context() failed: Unspecified GSS failure.

daemon@ATHENA.MIT.EDU (Omair Sajid)
Tue Feb 3 12:52:30 2009

In-Reply-To: <269894C2-952F-4D28-A906-5E0A52C1B52E@mit.edu>
Date: Tue, 3 Feb 2009 22:51:30 +0500
Message-ID: <54680ff20902030951w7997e8adkdf7da2c5d68b1437@mail.gmail.com>
From: Omair Sajid <omair@omairsajid.com>
To: kerberos@mit.edu
Cc: Ken Raeburn <raeburn@mit.edu>

Hi Ken,

I have asked the domain admin to give me details on how the key was
generated; I will let you know once I have full details. Also, can you point me
to the krb5 error table from where you got the mapping for Error 230?
Because when I google it I get something different.
Also, if there is some problem with the keytab file then I assume that kinit
using this keytab should not work. If I do

kinit -k -t /usr/local/apache/conf/http_beren.krb5keytab HTTP/beren.grolmsnet.de

then it works fine. I only get the error when going through Apache.
Also, kinit user@*.* works fine on the Red Hat machine.

I am new at this so please let me know if I am asking stupid questions
or am missing something basic :)



On Tue, Feb 3, 2009 at 9:29 PM, Ken Raeburn <raeburn@mit.edu> wrote:

> On Feb 3, 2009, at 11:15, Omair Sajid wrote:
>
>> Detailed error message from apache error log, we are on red hat enterprise
>> 5
>>
>> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432): [client
>> *.*.*.*] kerb_authenticate_user entered with user (NULL) and auth_type
>> Kerberos
>> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432):
>> [client *.*.*.*] kerb_authenticate_user entered with user (NULL) and
>> auth_type Kerberos
>> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1147):
>> [client *.*.*.*] Acquiring creds for HTTP@*.*.*.*
>> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1266):
>> [client *.*.*.*] Verifying client data using KRB5 GSS-API
>> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1282):
>> [client *.*.*.*] Verification returned code 851968
>> [Tue Feb 03 10:41:21 2009] [error] [client *.*.*.*]
>> gss_accept_sec_context()
>> failed: Unspecified GSS failure.  Minor code may provide more information
>> (Unknown code krb5 230)
>>
>
> There may be some problem with initialization causing the error strings not
> to be accessible.  Error 230 in the krb5 table is KRB5_KT_KVNONOTFOUND, "Key
> version number for principal in key table is incorrect".  How did you set up
> the keytab file on the server?  And, is the KDC for this realm an MIT KDC or
> Windows AD?  (If it's AD, I'm not familiar with the proper procedure for
> setting up a keytab for an application server running MIT code, but I'm sure
> others on this list are.)
>
> Note that in the MIT code, the kadmin option for generating a keytab
> changes the key in the process, so if you ran it more than once (maybe on
> different machines?), then only the last one generated is going to be
> useful.
>
> Also, check in case the client showing the problem has old credentials for
> the service cached using an earlier key version number and maybe the server
> only has a newer key; logging out and back in on the Windows box should
> avoid that problem.
>
> Ken
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
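
The two numbers in the quoted log can be decoded by hand. The following is an added example, not part of the thread or of mod_auth_kerb: it splits the GSS major status 851968 into its RFC 2744 fields and rebuilds the full com_err code behind "krb5 230" from the table name. The function names are hypothetical, and the only error name included is the one given in the reply above.

```python
import re

# com_err packs a table name of up to four characters, six bits each, into
# the upper 24 bits of every code in that table; the low 8 bits are the offset.
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

# Routine errors from RFC 2744 (subset), carried in bits 16-23 of the major status.
GSS_ROUTINE = {7: "GSS_S_NO_CRED", 9: "GSS_S_DEFECTIVE_TOKEN",
               10: "GSS_S_DEFECTIVE_CREDENTIAL",
               11: "GSS_S_CREDENTIALS_EXPIRED", 13: "GSS_S_FAILURE"}

# Only the offset named in the thread; extend from krb5.h as needed.
KRB5_NAMES = {230: "KRB5_KT_KVNONOTFOUND"}

def table_base(name):
    """Return the signed 32-bit base of a com_err table, e.g. 'krb5'."""
    packed = 0
    for ch in name[:4]:
        packed = (packed << 6) + CHARSET.index(ch) + 1
    base = (packed << 8) & 0xFFFFFFFF
    return base - (1 << 32) if base & 0x80000000 else base

def split_major(status):
    """Split a GSS major status into (calling, routine, supplementary)."""
    return (status >> 24) & 0xFF, (status >> 16) & 0xFF, status & 0xFFFF

def decode(log_text):
    """Pull the major and minor status out of mod_auth_kerb debug output."""
    major = re.search(r"Verification returned code (\d+)", log_text)
    minor = re.search(r"Unknown code (\w+) (\d+)", log_text)
    if not major or not minor:
        raise ValueError("no GSS status pair found in log text")
    table, offset = minor.group(1), int(minor.group(2))
    _, routine, _ = split_major(int(major.group(1)))
    return {"major_hex": hex(int(major.group(1))),
            "routine": GSS_ROUTINE.get(routine, "routine error %d" % routine),
            "minor_code": table_base(table) + offset,
            "minor_name": KRB5_NAMES.get(offset) if table == "krb5" else None}

# Log lines copied from the message above, with the mail line wraps joined.
SAMPLE = """\
[Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1282): [client *.*.*.*] Verification returned code 851968
[Tue Feb 03 10:41:21 2009] [error] [client *.*.*.*] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (Unknown code krb5 230)
"""

if __name__ == "__main__":
    print(decode(SAMPLE))
```

The major status only says that the mechanism failed; the minor code is the value to look up among the KRB5_* definitions in krb5.h.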
