Help: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (Unknown code krb5 230

2009-02-03 Thread Omair Sajid
 I have been trying to set up a Kerberos client on a RedHat machine with Apache
mod_auth_kerb.
I have tested the Kerberos client configuration using kinit, klist etc. and it's
working and the Linux machine is getting tickets. But the problem is when I
try to access the resource page from Windows (domain machine) using Internet
Explorer I get the following error:

gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may
provide more information (Unknown code krb5 230)

Can somebody please help?

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Help: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (Unknown code krb5 230

2009-02-03 Thread Omair Sajid
Detailed error message from apache error log, we are on red hat enterprise 5

[Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432): [client *.*.*.*] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432): [client *.*.*.*] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1147): [client *.*.*.*] Acquiring creds for h...@*.*.*.*
[Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1266): [client *.*.*.*] Verifying client data using KRB5 GSS-API
[Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1282): [client *.*.*.*] Verification returned code 851968
[Tue Feb 03 10:41:21 2009] [error] [client *.*.*.*] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (Unknown code krb5 230)


On Tue, Feb 3, 2009 at 8:50 PM, Omair Sajid om...@omairsajid.com wrote:

> I have been trying to set up a Kerberos client on a RedHat machine with Apache
> mod_auth_kerb.
> I have tested the Kerberos client configuration using kinit, klist etc. and it's
> working and the Linux machine is getting tickets. But the problem is when I
> try to access the resource page from Windows (domain machine) using Internet
> Explorer I get the following error:
>
> gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may
> provide more information (Unknown code krb5 230)
>
> Can somebody please help?


Re: Help: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (Unknown code krb5 230

2009-02-03 Thread Ken Raeburn
On Feb 3, 2009, at 11:15, Omair Sajid wrote:
> Detailed error message from apache error log, we are on red hat
> enterprise 5
>
> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432): [client *.*.*.*] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432): [client *.*.*.*] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1147): [client *.*.*.*] Acquiring creds for h...@*.*.*.*
> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1266): [client *.*.*.*] Verifying client data using KRB5 GSS-API
> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1282): [client *.*.*.*] Verification returned code 851968
> [Tue Feb 03 10:41:21 2009] [error] [client *.*.*.*] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (Unknown code krb5 230)

There may be some problem with initialization causing the error  
strings not to be accessible.  Error 230 in the krb5 table is  
KRB5_KT_KVNONOTFOUND, Key version number for principal in key table  
is incorrect.  How did you set up the keytab file on the server?   
And, is the KDC for this realm an MIT KDC or Windows AD?  (If it's AD,  
I'm not familiar with the proper procedure for setting up a keytab for  
an application server running MIT code, but I'm sure others on this  
list are.)

Note that in the MIT code, the kadmin option for generating a keytab  
changes the key in the process, so if you ran it more than once (maybe  
on different machines?), then only the last one generated is going to  
be useful.

Also, check in case the client showing the problem has old credentials  
for the service cached using an earlier key version number and maybe  
the server only has a newer key; logging out and back in on the  
Windows box should avoid that problem.

Ken
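
Added example (not part of the original thread or of mod_auth_kerb): decoding the two numbers in the log above. "Verification returned code 851968" is a GSS-API major status, and "Unknown code krb5 230" is the fallback text com_err produces when a table's message strings are not registered, meaning offset 230 in the table named `krb5`. The offset-to-name mapping is the one given in the reply above; function and variable names are illustrative.

```python
import re

# com_err packs a table name into a 32-bit base: 6 bits per character
# (1-based index into this alphabet), then shifted left by 8 bits.
CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz0123456789_")

# GSS-API routine errors (RFC 2744), carried in bits 16-23 of the major status.
ROUTINE = dict(enumerate((
    "BAD_MECH", "BAD_NAME", "BAD_NAMETYPE", "BAD_BINDINGS", "BAD_STATUS",
    "BAD_SIG", "NO_CRED", "NO_CONTEXT", "DEFECTIVE_TOKEN",
    "DEFECTIVE_CREDENTIAL", "CREDENTIALS_EXPIRED", "CONTEXT_EXPIRED",
    "FAILURE", "BAD_QOP", "UNAUTHORIZED", "UNAVAILABLE",
    "DUPLICATE_ELEMENT", "NAME_NOT_MN"), start=1))

# Only the mapping stated in the thread; extend from the krb5 error table.
KRB5_NAMES = {230: "KRB5_KT_KVNONOTFOUND"}

def com_err_base(table):
    """Return the signed 32-bit base code for a com_err table name."""
    num = 0
    for ch in table:
        num = (num << 6) + CHARSET.index(ch) + 1
    base = (num << 8) & 0xFFFFFFFF
    return base - (1 << 32) if base & 0x80000000 else base

def decode_major(status):
    """Split a GSS major status into its three fields."""
    routine = (status >> 16) & 0xFF
    return {"calling": (status >> 24) & 0xFF,
            "routine": "GSS_S_" + ROUTINE[routine] if routine in ROUTINE else None,
            "supplementary": status & 0xFFFF}

def decode_log(text):
    """Extract and decode the major and minor codes from mod_auth_kerb output."""
    text = " ".join(text.split())  # undo mail/log line wrapping
    out = {}
    m = re.search(r"Verification returned code (\d+)", text)
    if m:
        out["major"] = decode_major(int(m.group(1)))
    m = re.search(r"Unknown code (\w+) (\d+)", text)
    if m:
        table, offset = m.group(1), int(m.group(2))
        out["minor"] = com_err_base(table) + offset
        out["minor_name"] = KRB5_NAMES.get(offset) if table == "krb5" else None
    return out

# Two log lines copied from the thread, wrapped as they were in the mail.
SAMPLE = """[client *.*.*.*] Verification returned code 851968
[error] [client *.*.*.*] gss_accept_sec_context()
failed: Unspecified GSS failure.  Minor code may provide more information
(Unknown code krb5 230)"""
```

The decoded minor value is the full numeric krb5 error code, which is the form to search for in the krb5 headers or error table rather than the bare offset 230.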



Re: Help: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (Unknown code krb5 230

2009-02-03 Thread Omair Sajid
Hi Ken,

I have asked the domain admin to give me details on how the key was
generated; I will let you know once I have full details. Also, can you point me
to the krb5 error table from where you got the mapping for Error 230?
Because when I google it I get something different.
Also, if there is some problem with the keytab file then I assume that kinit
using this keytab should not work. If I do

kinit -k -t /usr/local/apache/conf/http_beren.krb5keytab HTTP/beren.grolmsnet.de

then it works fine. I only get the error when going through Apache.
Also, kinit u...@*.* works fine on the Red Hat machine.

I am new at this so please let me know if I am asking stupid questions
or am missing something basic :)



On Tue, Feb 3, 2009 at 9:29 PM, Ken Raeburn raeb...@mit.edu wrote:

> On Feb 3, 2009, at 11:15, Omair Sajid wrote:
>
> > Detailed error message from apache error log, we are on red hat enterprise
> > 5
> >
> > [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432): [client *.*.*.*] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> > [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432): [client *.*.*.*] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> > [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1147): [client *.*.*.*] Acquiring creds for h...@*.*.*.*
> > [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1266): [client *.*.*.*] Verifying client data using KRB5 GSS-API
> > [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1282): [client *.*.*.*] Verification returned code 851968
> > [Tue Feb 03 10:41:21 2009] [error] [client *.*.*.*] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (Unknown code krb5 230)
>
> There may be some problem with initialization causing the error strings not
> to be accessible.  Error 230 in the krb5 table is KRB5_KT_KVNONOTFOUND, Key
> version number for principal in key table is incorrect.  How did you set up
> the keytab file on the server?  And, is the KDC for this realm an MIT KDC or
> Windows AD?  (If it's AD, I'm not familiar with the proper procedure for
> setting up a keytab for an application server running MIT code, but I'm sure
> others on this list are.)
>
> Note that in the MIT code, the kadmin option for generating a keytab
> changes the key in the process, so if you ran it more than once (maybe on
> different machines?), then only the last one generated is going to be
> useful.
>
> Also, check in case the client showing the problem has old credentials for
> the service cached using an earlier key version number and maybe the server
> only has a newer key; logging out and back in on the Windows box should
> avoid that problem.
>
> Ken

