Hi Ken,

I have asked the domain admin to give me details on how the key was generated; will let you know once I have full details. Also, can you point me to the krb5 error table from where you got the mapping for Error 230? Because when I google it I get something different. Also, if there is some problem with the keytab file then I assume that kinit using this keytab should not work. If I do

kinit -k -t /usr/local/apache/conf/http_beren.krb5keytab HTTP/beren.grolmsnet.de

then it works fine. I only get the error when going through apache. Also kinit u...@*.* also works fine on the red hat machine.

I am new at this so please let me know if I am asking stupid questions or am missing something basic :)

On Tue, Feb 3, 2009 at 9:29 PM, Ken Raeburn <raeb...@mit.edu> wrote:

> On Feb 3, 2009, at 11:15, Omair Sajid wrote:
>
>> Detailed error message from apache error log, we are on red hat enterprise 5
>>
>> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432): [client *.*.*.*] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
>> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432): [client *.*.*.*] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
>> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1147): [client *.*.*.*] Acquiring creds for h...@*.*.*.*
>> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1266): [client *.*.*.*] Verifying client data using KRB5 GSS-API
>> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1282): [client *.*.*.*] Verification returned code 851968
>> [Tue Feb 03 10:41:21 2009] [error] [client *.*.*.*] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (Unknown code krb5 230)
>
> There may be some problem with initialization causing the error strings not to be accessible. Error 230 in the krb5 table is KRB5_KT_KVNONOTFOUND, "Key version number for principal in key table is incorrect". How did you set up the keytab file on the server? And, is the KDC for this realm an MIT KDC or Windows AD? (If it's AD, I'm not familiar with the proper procedure for setting up a keytab for an application server running MIT code, but I'm sure others on this list are.)
>
> Note that in the MIT code, the kadmin option for generating a keytab changes the key in the process, so if you ran it more than once (maybe on different machines?), then only the last one generated is going to be useful.
>
> Also, check in case the client showing the problem has old credentials for the service cached using an earlier key version number and maybe the server only has a newer key; logging out and back in on the Windows box should avoid that problem.
>
> Ken

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos