Hi Ken,
I have asked the domain admin to give me details on how the key was
generated will let you know once i have full details. Also can you point me
to the krb5 error table from where you got the mapping for Error 230.
Because when i google it i get something different.
Also if there is some problem with keytab file then i assume that kinit
using this keytab should not work. If i do
kinit -k -t /usr/local/apache/conf/http_beren.krb5keytab HTTP/beren.grolmsnet.de
then it works fine. I only get error if when going through apache.
Also kinit u...@*.* also works fine red hat machine.
I am new at this so please let me know if i am asking stupid questions
or am missing something basic :)
On Tue, Feb 3, 2009 at 9:29 PM, Ken Raeburn raeb...@mit.edu wrote:
On Feb 3, 2009, at 11:15, Omair Sajid wrote:
Detailed error message from apache error log, we are on red hat enterprise
5
[Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432): [client
*.*.*.*] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432):
[client *.*.*.*] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1147):
[client *.*.*.*] Acquiring creds for h...@*.*.*.*
[Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1266):
[client *.*.*.*] Verifying client data using KRB5 GSS-API
[Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1282):
[client *.*.*.*] Verification returned code 851968
[Tue Feb 03 10:41:21 2009] [error] [client *.*.*.*]
gss_accept_sec_context()
failed: Unspecified GSS failure. Minor code may provide more information
(Unknown code krb5 230)
There may be some problem with initialization causing the error strings not
to be accessible. Error 230 in the krb5 table is KRB5_KT_KVNONOTFOUND, Key
version number for principal in key table is incorrect. How did you set up
the keytab file on the server? And, is the KDC for this realm an MIT KDC or
Windows AD? (If it's AD, I'm not familiar with the proper procedure for
setting up a keytab for an application server running MIT code, but I'm sure
others on this list are.)
Note that in the MIT code, the kadmin option for generating a keytab
changes the key in the process, so if you ran it more than once (maybe on
different machines?), then only the last one generated is going to be
useful.
Also, check in case the client showing the problem has old credentials for
the service cached using an earlier key version number and maybe the server
only has a newer key; logging out and back in on the Windows box should
avoid that problem.
Ken
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos