On 9/27/2010 2:24 AM, Jon Bowes wrote:
> Here is my setup...
>
> I have a Windows 2003 DC running active directory (dc.domain.com)
> I have a Linux Apache web server that I wish to allow access to. 
> (apache.domain.com)
> I have installed mod_auth_kerb
>
> I found an excellent tutorial here: http://www.grolmsnet.de/kerbtut/ which I 
> followed, but keep running into the same problem.
> Here is my /etc/krb5.conf file:
> [libdefaults]
>   default_realm = DOMAIN.COM
>
> [domain_realm]
>    apache.domain.com = DOMAIN.COM
>
> [realms]
>    DOMAIN.COM = {
>      admin_server = dc.domain.com
>      kdc = dc.domain.com
>    }
>
> Then, if I run kinit [email protected] I get asked
> for my domain password which I enter.
>
> I then run klist and get:
> Default principal: [email protected]
> Service principal: krbtgt/[email protected]
>
> Is this correct??
>
> I then generate my keytab:
> C:\>ktpass -princ HTTP/[email protected]
> -mapuser apachea
> -crypto rc4-hmac-nt
> -ptype KRB5_NT_SRV_HST
> -pass longlongpassword -out c:\temp\apache.keytab

I assume you created the AD account for apachea to represent the server before 
running this?

There was a hot fix for ktpass on 2003:
http://support.microsoft.com/kb/843071
http://support.microsoft.com/kb/919557
Google for ktpass hotfix

>
> This has been copied to apache at /etc/krb5.keytab. The file is world 
> readable, so apache should be able to read it no problem.
>
No, that could be a problem. The Kerberos library may treat a world readable
keytab as a security issue and not use it.

> I then test my keytabfile:
>
> kinit -k -t /etc/krb5.keytab HTTP/apache.domain.com
> and get
> kinit(v5): Client not found in Kerberos database while getting initial 
> credentials

klist -e -k -t /etc/krb5.keytab
should also be helpful.

Wireshark or other network packet traces can be very helpful, as Wireshark
can print much of the Kerberos protocol, and show what principals, kvnos,
enctypes and servers are involved. http://www.wireshark.org/

>
> I can't get past this bit! Any ideas where I can look?
> Additionally, I have used kerbtray.exe to check my tickets when I logon.
> I seem to get 2 as follows:
> DOMAIN.COM
>    |_  host/dc.jackwills.com
>    |_  krbtgt/DOMAIN.COM
>
> I would appreciate any help that you guys can provide...



>
> Jon
>
>
> ________________________________________________
> Kerberos mailing list           [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

-- 

  Douglas E. Engert  <[email protected]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
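The two checks Doug suggests (is the keytab readable by anyone but its owner, and what does `klist -e -k -t` say is actually in it) can be scripted so the same test is run every time the keytab is regenerated. This is an added example, not code from the thread or from mod_auth_kerb; the keytab path, the spelled-out principal `HTTP/apache.domain.com@DOMAIN.COM` and the sample klist listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check an Apache keytab before mod_auth_kerb uses it.

# Returns 0 only if the keytab has no group/other permission bits (e.g. 0600).
# Reads columns 5-10 of ls -l so it works with any POSIX ls.
keytab_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Reads `klist -e -k -t <keytab>` output on stdin and prints "<kvno> <enctype>"
# for every entry whose principal equals $1; fails if there is no such entry.
# The field loop copes with klist output with or without the -t timestamp.
keytab_entries() {
    awk -v p="$1" '
        { for (i = 2; i <= NF; i++)
              if ($i == p && match($0, /\([^)]*\)/)) {
                  print $1, substr($0, RSTART + 1, RLENGTH - 2); found = 1
              } }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of what klist -e -k -t prints for a keytab produced by
# ktpass -crypto rc4-hmac-nt (MIT calls that enctype arcfour-hmac).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 09/27/2010 10:15:02 HTTP/apache.domain.com@DOMAIN.COM (arcfour-hmac)'

# Combined check: permissions first, then the expected service principal.
# Usage: klist -e -k -t "$keytab" | check_keytab "$keytab" "$principal"
check_keytab() {
    keytab="$1"; princ="$2"
    keytab_private "$keytab" \
        || { echo "keytab $keytab is group/world readable"; return 1; }
    keytab_entries "$princ" >/dev/null \
        || { echo "no entry for $princ in $keytab"; return 2; }
    echo "keytab $keytab ok for $princ"
}
```

Against a real keytab, run `klist -e -k -t /etc/krb5.keytab | check_keytab /etc/krb5.keytab HTTP/apache.domain.com@DOMAIN.COM`; a kvno or enctype that differs from what the DC issues is exactly what the Wireshark trace above would also reveal.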
