[23586] in Kerberos
Problems with Service Key
daemon@ATHENA.MIT.EDU (Matt Joyce)
Thu Mar 24 15:58:50 2005
Message-ID: <424329B8.6020507@vtsystems.com>
Date: Thu, 24 Mar 2005 15:57:28 -0500
From: Matt Joyce <syslists@vtsystems.com>
MIME-Version: 1.0
To: kerberos@mit.edu
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi All.... Here's a hopefully easy one to be fielded.
So I have a KDC... lets call him kdc.fqdn-example.com for a realm
suitably named realm.non-fqdn-example.com
And lets say i have a box called smellybox.fqdn-example.com.
Now I generated principals for smellybox on the kdc.... as follows.
host/smellybox.fqdn-example.com@realm.non-fqdn-example.com
HTTP/smellybox.fqdn-example.com@realm.non-fqdn-example.com
so I kinit... these guys work... swell....
hop into ktutil...
rkt /etc/example.keytab
list (looks good to me)
wkt /home/user/shiptosmellybox.keytab
then i scp that keytab to smellybox....
hop onto smellybox...
ktutil
rkt /home/user/shiptosmellybox.keytab
list (still there yay!)
wkt /etc/example.keytab
Sweet.
kinit... works... pimp.
Try to auth to mod_auth_kerb... and....
/var/log/krb5kdc.log reports
Mar 24 15:36:26 kdc.fqdn-example.com krb5kdc[2367](info): DISPATCH:
repeated (retransmitted?) request from 10.0.0.234 port 88, resending
previous response
Mar 24 15:36:26 kdc.fqdn-example.com krb5kdc[2367](info): TGS_REQ (3
etypes {16 3 1}) 10.0.0.234(88): ISSUE: authtime 1111696586, etypes
{rep=1 tkt=1 ses=1}, valid-principal@realm.non-fqdn-example.com for
HTTP/smellybox.fqdn-example.com@realm.non-fqdn-example.com
Looks good ...But...
/var/log/httpd/error.log-smellybox.fqdn-example.com
reads....
[Thu Mar 24 15:51:36 2005] [error] [client 10.0.0.107]
gss_accept_sec_context() failed: A token was invalid (Token header is
malformed or corrupt)
* This is probably SPNEGO related Bunk.
[Thu Mar 24 15:51:42 2005] [error] [client 10.0.0.107] failed to verify
krb5 credentials: Key version number for principal in key table is incorrect
[Thu Mar 24 15:51:42 2005] [error] [client 10.0.0.107] failed to verify
krb5 credentials: Key version number for principal in key table is incorrect
[Thu Mar 24 15:51:42 2005] [error] [client 10.0.0.107] failed to verify
krb5 credentials: Key version number for principal in key table is incorrect
Now someone want to tell me how something in this setup managed to fail
to verify a key version?
Anyone at all.... I am thinking I made a stupid mistake... I am just not
seeing it.
-Matt Joyce
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos