On Feb 3, 2009, at 11:15, Omair Sajid wrote: > Detailed error message from apache error log, we are on red hat > enterprise 5 > > [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432): [client > *.*.*.*] kerb_authenticate_user entered with user (NULL) and auth_type > Kerberos > [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432): > [client *.*.*.*] kerb_authenticate_user entered with user (NULL) and > auth_type Kerberos > [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1147): > [client *.*.*.*] Acquiring creds for h...@*.*.*.* > [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1266): > [client *.*.*.*] Verifying client data using KRB5 GSS-API > [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1282): > [client *.*.*.*] Verification returned code 851968 > [Tue Feb 03 10:41:21 2009] [error] [client *.*.*.*] > gss_accept_sec_context() > failed: Unspecified GSS failure. Minor code may provide more > information > (Unknown code krb5 230)
There may be some problem with initialization causing the error strings not to be accessible. Error 230 in the krb5 table is KRB5_KT_KVNONOTFOUND, "Key version number for principal in key table is incorrect". How did you set up the keytab file on the server? And, is the KDC for this realm an MIT KDC or Windows AD? (If it's AD, I'm not familiar with the proper procedure for setting up a keytab for an application server running MIT code, but I'm sure others on this list are.) Note that in the MIT code, the kadmin option for generating a keytab changes the key in the process, so if you ran it more than once (maybe on different machines?), then only the last one generated is going to be useful. Also, check in case the client showing the problem has old credentials for the service cached using an earlier key version number and maybe the server only has a newer key; logging out and back in on the Windows box should avoid that problem. Ken ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos