Re: Kerberos cross-realm with AD
daemon@ATHENA.MIT.EDU (Jean-Yves Avenard)
Mon Feb 7 18:03:41 2011
MIME-Version: 1.0
In-Reply-To: <AANLkTimBaoHt0_31EBgGUPOeyUxmVnm5bQ2L-kOy9JFK@mail.gmail.com>
Date: Tue, 8 Feb 2011 10:03:35 +1100
Message-ID: <AANLkTinaBJFddB+UZU74HJKCqOqnDVVH15pXz4kuViqm@mail.gmail.com>
From: Jean-Yves Avenard <jyavenard@gmail.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On 8 February 2011 09:36, Jean-Yves Avenard <jyavenard@gmail.com> wrote:
> Now it fails somewhere else; and on the web server I see:
> [Tue Feb 08 09:13:29 2011] [error] [client 1.2.3.4] gss_acquire_cred()
> failed: Unspecified GSS failure. Minor code may provide more
> information (, No key table entry found for
> HTTP/server4-2.mel.domain.com@MEL.DOMAIN.COM)
>
> So it would seem the keytab on the web server running mod_auth_kerb
> will also need a realm created on the new MEL.DOMAIN.COM kdc ..
I found the reasoning behind this one.
Ah, as I was writing this I came up with another idea;
in /etc/krb5.conf I had:
[domain_realm]
.domain.com = M.DOMAIN.COM
domain.com = M.DOMAIN.COM
.mel.domain.com = MEL.DOMAIN.COM
And sure enough, after removing that last line the errors in the apache
logs are gone, and it doesn't try to use
HTTP/server4-2.mel.domain.com@MEL.DOMAIN.COM anymore.
It still fails (with either "Unspecified GSS failure. Minor code may
provide more information (, Decrypt integrity check failed)" or
"Unspecified GSS failure. Minor code may provide more information (,
Wrong principal in request)"), but I'm progressing. I'm now unsure if the
remaining error is only related to mod_auth_kerb or to Kerberos in general.
Thank you all for your help. Made lots of progress today.
Jean-Yves
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
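The [domain_realm] behaviour the post describes is worth checking mechanically when debugging a keytab error like the one quoted above: the library maps the service's hostname to a realm (exact host first, then parent domains from most to least specific), builds the principal name from it, and only then looks in the keytab. With the `.mel.domain.com` line present, `server4-2.mel.domain.com` maps to MEL.DOMAIN.COM, so mod_auth_kerb asks for `HTTP/server4-2.mel.domain.com@MEL.DOMAIN.COM`, which is not in the keytab. The following is an added example, not code from the poster or from MIT Kerberos: it parses a [domain_realm] section, applies the documented mapping rules, and reports which principal a given keytab would need to contain. The two config fragments are constructed from the section quoted in the thread; the keytab contents (`KEYTAB_PRINCIPALS`) are an assumption, and the real library's fallbacks when nothing matches (referrals, DNS) are not modelled.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed krb5.conf fragments modelled on the [domain_realm] section quoted in
# the thread. The first keeps the .mel.domain.com line; the second is the same
# file with that line removed, as the poster did.
KRB5_CONF_WITH_MEL = """\
[libdefaults]
    default_realm = M.DOMAIN.COM

[domain_realm]
    .domain.com = M.DOMAIN.COM
    domain.com = M.DOMAIN.COM
    .mel.domain.com = MEL.DOMAIN.COM
"""

KRB5_CONF_FIXED = """\
[libdefaults]
    default_realm = M.DOMAIN.COM

[domain_realm]
    .domain.com = M.DOMAIN.COM
    domain.com = M.DOMAIN.COM
"""

# Constructed keytab contents (what `klist -k` would list on the web server).
# This is an assumption for the example, not something stated in the thread.
KEYTAB_PRINCIPALS: List[str] = ["HTTP/server4-2.mel.domain.com@M.DOMAIN.COM"]


def parse_domain_realm(conf_text: str) -> Dict[str, str]:
    """Return the host/domain -> realm relations from the [domain_realm] section.

    Keys are lower-cased (krb5.conf hostnames and domains are expected in lower
    case); other sections and '#' comments are ignored.
    """
    mapping: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def host_to_realm(hostname: str, mapping: Dict[str, str]) -> Optional[str]:
    """Map a hostname to a realm using the [domain_realm] rules.

    An exact hostname relation wins; otherwise parent domains are tried from the
    most specific (".mel.domain.com") to the least specific (".com"). A bare
    name such as "domain.com" also stands in for ".domain.com" unless an explicit
    dotted relation exists. Returns None when nothing matches; the real library
    would then fall back to referrals/DNS, which this example does not model.
    """
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if "." + parent in mapping:
            return mapping["." + parent]
        if parent in mapping:
            return mapping[parent]
    return None


def service_principal(service: str, hostname: str, mapping: Dict[str, str]) -> Optional[str]:
    """Build the service principal name GSSAPI would look for, e.g. HTTP/host@REALM."""
    realm = host_to_realm(hostname, mapping)
    if realm is None:
        return None
    return f"{service}/{hostname.lower()}@{realm}"


def keytab_check(service: str, hostname: str, mapping: Dict[str, str],
                 keytab_principals: List[str]) -> Tuple[Optional[str], bool]:
    """Return (principal the library wants, whether the keytab contains it)."""
    principal = service_principal(service, hostname, mapping)
    return principal, principal in keytab_principals


if __name__ == "__main__":
    for label, conf in (("with .mel.domain.com line", KRB5_CONF_WITH_MEL),
                        ("line removed", KRB5_CONF_FIXED)):
        princ, ok = keytab_check("HTTP", "server4-2.mel.domain.com",
                                 parse_domain_realm(conf), KEYTAB_PRINCIPALS)
        print(f"{label}: wants {princ}: {'found in keytab' if ok else 'NOT in keytab'}")
```

Running it reproduces the first half of the thread: with the extra line the wanted principal is `HTTP/server4-2.mel.domain.com@MEL.DOMAIN.COM` and the keytab check fails; with the line removed it is `HTTP/server4-2.mel.domain.com@M.DOMAIN.COM` and the check passes. This only covers the principal-name lookup, so it says nothing about the "Decrypt integrity check failed" / "Wrong principal in request" errors that remain after that fix; those concern the key and the name inside the ticket rather than the domain-to-realm mapping.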