Hello list.

We use mod_auth_kerb 5.4 to protect nagios access. This application automatically refreshes the screen every 30s.
By looking at the logs, we just discovered each refresh leads to multiple connections to the KDC, for forwarding tickets:

2009-05-27T15:34:18 TGS-REQ stefa...@saclay.inria.fr from IPv4:195.83.212.212 for krbtgt/saclay.inria...@saclay.inria.fr [forwarded]
2009-05-27T15:34:18 Request to forward non-forwardable ticket
2009-05-27T15:34:18 Failed building TGS-REP to IPv4:195.83.212.212
2009-05-27T15:34:18 sending 107 bytes to IPv4:195.83.212.212
2009-05-27T15:34:18 TGS-REQ stefa...@saclay.inria.fr from IPv4:195.83.212.212 for krbtgt/saclay.inria...@saclay.inria.fr [forwarded]
2009-05-27T15:34:18 Request to forward non-forwardable ticket
2009-05-27T15:34:18 Failed building TGS-REP to IPv4:195.83.212.212
2009-05-27T15:34:18 sending 107 bytes to IPv4:195.83.212.212

Using a forwardable TGT, this changes to:

2009-05-27T15:34:42 TGS-REQ rou...@saclay.inria.fr from IPv4:195.83.212.49 for krbtgt/saclay.inria...@saclay.inria.fr [proxiable, forwarded, forwardable]
2009-05-27T15:34:42 TGS-REQ authtime: 2009-05-27T15:17:09 starttime: 2009-05-27T15:34:42 endtime: 2009-05-27T21:57:20 renew till: unset
2009-05-27T15:34:42 sending 673 bytes to IPv4:195.83.212.49
2009-05-27T15:34:42 TGS-REQ rou...@saclay.inria.fr from IPv4:195.83.212.49 for krbtgt/saclay.inria...@saclay.inria.fr [proxiable, forwarded, forwardable]
2009-05-27T15:34:42 TGS-REQ authtime: 2009-05-27T15:17:09 starttime: 2009-05-27T15:34:42 endtime: 2009-05-27T21:57:20 renew till: unset
2009-05-27T15:34:42 sending 673 bytes to IPv4:195.83.212.49

The multiple attempts seem to result from the multiple resources fetched each time (html page, CSS stylesheets, icons...). However, why does the client (firefox here) apparently attempt to forward its ticket, or to renew it, each time it attempts to reconnect?
Here is the Apache configuration:

<Location />
    AuthType Kerberos
    AuthName "Kerberos autentication required"
    KrbAuthRealm SACLAY.INRIA.FR
    Krb5Keytab /etc/krb5.keytab
    KrbMethodK5Passwd on
    KrbMethodNegotiate on
    KrbLocalUserMapping on
    Require valid-user
</Location>

-- 
Guillaume Rousse
Service des Moyens Informatiques
INRIA Saclay - Île-de-France
Parc Orsay Université, 4 rue J. Monod
91893 Orsay Cedex France
Tel: 01 69 35 69 62
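
One way to quantify the pattern in the logs above, as an added example that is not part of the original post: a Python script that tallies, per client principal, source address and second, how many TGS-REQs asked for a forwarded krbtgt and how many the KDC refused. It assumes the KDC log layout shown in the post; the name `summarize` and the pairing of a "Failed building TGS-REP" line with the preceding request from the same address are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the refused and granted exchanges from the post, each logged twice.
REFUSED = """\
2009-05-27T15:34:18 TGS-REQ stefa...@saclay.inria.fr from IPv4:195.83.212.212 for krbtgt/saclay.inria...@saclay.inria.fr [forwarded]
2009-05-27T15:34:18 Request to forward non-forwardable ticket
2009-05-27T15:34:18 Failed building TGS-REP to IPv4:195.83.212.212
2009-05-27T15:34:18 sending 107 bytes to IPv4:195.83.212.212
"""
GRANTED = """\
2009-05-27T15:34:42 TGS-REQ rou...@saclay.inria.fr from IPv4:195.83.212.49 for krbtgt/saclay.inria...@saclay.inria.fr [proxiable, forwarded, forwardable]
2009-05-27T15:34:42 TGS-REQ authtime: 2009-05-27T15:17:09 starttime: 2009-05-27T15:34:42 endtime: 2009-05-27T21:57:20 renew till: unset
2009-05-27T15:34:42 sending 673 bytes to IPv4:195.83.212.49
"""
SAMPLE = REFUSED * 2 + GRANTED * 2

REQ = re.compile(r"^(\S+) TGS-REQ (\S+) from (\S+) for (\S+)(?: \[([^\]]*)\])?$")
FAIL = re.compile(r"^\S+ Failed building TGS-REP to (\S+)$")

def summarize(log_text):
    """Tally forwarded-krbtgt TGS-REQs per (client, address, second) and KDC refusals."""
    stats = defaultdict(lambda: {"forwarded": 0, "failed": 0})
    pending = {}  # source address -> key of its most recent forwarded-TGT request
    for line in map(str.strip, log_text.splitlines()):
        req, fail = REQ.match(line), FAIL.match(line)
        if req:
            ts, client, addr, server, flags = req.groups()
            flag_set = {f.strip() for f in (flags or "").split(",")}
            if server.startswith("krbtgt/") and "forwarded" in flag_set:
                key = (client, addr, ts)
                stats[key]["forwarded"] += 1
                pending[addr] = key
            else:
                pending.pop(addr, None)  # unrelated request: stop attributing failures
        elif fail and fail.group(1) in pending:
            # Assumption: a failure line belongs to the last request from that address.
            stats[pending.pop(fail.group(1))]["failed"] += 1
    return dict(stats)

if __name__ == "__main__":
    for (client, addr, ts), c in sorted(summarize(SAMPLE).items()):
        print(f"{ts} {client} {addr}: {c['forwarded']} forwarded, {c['failed']} refused")
```

More than one forwarded-TGT request per principal within the same second, as in both exchanges here, matches the per-resource repetition described in the post.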