Hello Everybody,

Just a little question. Do I need to have the principal HOST/[EMAIL PROTECTED] for my web server machine, or is it enough to have only the HTTP/[EMAIL PROTECTED] one? Because this issue is not described in the manual (http://www.grolmsnet.de/kerbtut/).

I'm constantly getting the error:

"configuration error: couldn't check access. No groups file?: /"

And I just think that this error means that modauthkerb does not try to authorize a user with the KDC as the user database on the web server (in my case it is gvepl100.test.epo). And it tries to find some file as the user database. And the reason might be that I do not have the principal HOST/[EMAIL PROTECTED] for my web server, but only this one: HTTP/[EMAIL PROTECTED]

Is this a right suggestion?

--
Thanks,
Siarhei Baidun

On 10/5/05, Siarhei Baidun <[EMAIL PROTECTED]> wrote:
>
> Hi again Everybody,
> For the second week I have been battling with the problem...
> A lot of problems I have already solved along the way thanks to your advice.
> Now I have done everything in compliance with the manual (http://www.grolmsnet.de/kerbtut/).
> I have created a fresh domain account in the test domain (because I cannot use the production one), have mapped the principal to it, etc.
> And now I'm getting the error (in Apache's error_log file):
>
> --------------------- Apache's LOG
> in case
> KrbMethodK5Passwd on
> KrbMethodNegotiate off
> ------------------------
>
> [Wed Oct 05 17:20:07 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.154] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Wed Oct 05 17:20:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.154] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Wed Oct 05 17:20:12 2005] [debug] src/mod_auth_kerb.c(879): [client 10.3.103.154] kerb_authenticate_user_krb5pwd ret=0 [EMAIL PROTECTED] authtype=Basic
> [Wed Oct 05 17:20:12 2005] [crit] [client 10.3.103.154] configuration error: couldn't check access. No groups file?: /
>
> --------------------- Apache's LOG
> in case
> KrbMethodK5Passwd off
> KrbMethodNegotiate on
> ------------------------
>
> [Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.194] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.194] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1023): [client 10.3.103.194] Acquiring creds for HTTP/[EMAIL PROTECTED]
> [Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1152): [client 10.3.103.194] Verifying client data using SPNEGO GSS-API
> [Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1168): [client 10.3.103.194] Verification returned code 0
> [Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1186): [client 10.3.103.194] GSS-API token of length 0 bytes will be sent back
> [Wed Oct 05 17:33:12 2005] [crit] [client 10.3.103.194] configuration error: couldn't check access. No groups file?: /
>
> What does it mean? Which groups file do I not have?
> I would very much appreciate any help!
> Below are my httpd.conf and krb5.conf
> --
> Thank you very much in advance,
> Siarhei Baidun
>
> ------------------ krb5.conf -----------------
>
> [libdefaults]
>   default_realm = TEST.EPO
>
> [domain_realm]
>   gvepl100.test.epo = TEST.EPO
>
> [realms]
>   TEST.EPO = {
>     admin_server = odessa.test.epo
>     kdc = odessa.test.epo
>   }
>
> ---------------------------- Apache's httpd.conf ----------------------------------
>
> AuthType Kerberos
> AuthName "Kerberos Login"
> Krb5KeyTab /etc/wolfi2.keytab
>
> KrbAuthRealms TEST.EPO
>
> KrbMethodK5Passwd on
> KrbMethodNegotiate off
> KrbServiceName HTTP
> require valid-user
>
> ------------------ result of "ktutil -k /etc/wolfi3.keytab list" command ------------------------------
>
> Vno  Type         Principal
> 1    des-cbc-md5  HTTP/[EMAIL PROTECTED]
>

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos