Re: [modauthkerb] OpenBSD chroot and hostname?
From: Henry B. H. <ho...@jp...> - 2012-03-08 00:24:12
The second line is the cross realm tgt to get access to the HOST.NAME realm, so httpd can get a HTTP/new...@HO... service ticket. What do the logs for the HOST.NAME realm show? It may be educational to log into the httpd server, do a kinit be...@UC..., and then try a "kvno HTTP/new...@HO...". (If it's Heimdal, then it's kgetcred instead of kvno.)

On Mar 7, 2012, at 1:45 PM, Steve Beaty wrote:

> Greetings,
>
> I'm trying to get this to work under OpenBSD 5.0 and its httpd chroot environment. Looking at the logs, I see:
>
> ----
> authlog-2012-03-07-14:2012-03-07T14:22:40-0700 <auth.info> 0.1.2.3/0.1.2.3 kdc[28267]: AS-REQ be...@UC... from IPv4:128.117.64.2 for krbtgt/UCA...@UC...
>
> authlog-2012-03-07-14:2012-03-07T14:22:41-0700 <auth.info> 3.4.5.6/3.4.5.6 kdc[3891]: TGS-REQ be...@UC... from IPv4:128.117.64.2 for krbtgt/HOS...@UC...
> ----
>
> I'm guessing the second line is messed up by not finding the correct hostname. Here's the httpd log:
>
> ----
> [Wed Mar 7 14:22:31 2012] [notice] chrooted in /var/www
> [Wed Mar 7 14:22:31 2012] [notice] changed to uid 67, gid 67
> [Wed Mar 7 14:22:35 2012] [debug] src/mod_auth_kerb.c(0): [client 128.117.9.79] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Wed Mar 7 14:22:40 2012] [debug] src/mod_auth_kerb.c(0): [client 128.117.9.79] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Wed Mar 7 14:22:41 2012] [debug] src/mod_auth_kerb.c(0): [client 128.117.9.79] Using HTTP/new...@HO... as server principal for password verification
> [Wed Mar 7 14:22:41 2012] [debug] src/mod_auth_kerb.c(0): [client 128.117.9.79] Trying to get TGT for user be...@UC...
> [Wed Mar 7 14:22:41 2012] [debug] src/mod_auth_kerb.c(0): [client 128.117.9.79] Trying to verify authenticity of KDC using principal HTTP/new...@HO...
> [Wed Mar 7 14:22:41 2012] [debug] src/mod_auth_kerb.c(0): [client 128.117.9.79] krb5_get_credentials() failed when verifying KDC
> [Wed Mar 7 14:22:41 2012] [error] [client 128.117.9.79] failed to verify krb5 credentials: Server not found in Kerberos database
> [Wed Mar 7 14:22:41 2012] [debug] src/mod_auth_kerb.c(0): [client 128.117.9.79] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL)
> ----
>
> And my .htaccess:
>
> ----
> AuthType Kerberos
> AuthName "UCAS password"
> KrbAuthRealms UCAR.EDU
> Krb5KeyTab /etc/kerberosV/krb5.keytab
> require user be...@UC...
> ----
>
> Any pointers for me? Thanks much!
>
> --
> steve be...@uc... | http://www.cisl.ucar.edu/
> The National Center for Atmospheric Research
> Computational and Information Systems Laboratory

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Hen...@jp..., or hb...@ox...
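
Added example, not part of the original thread or of mod_auth_kerb: a small classifier for Heimdal-style KDC request lines like the two quoted above, separating the initial AS-REQ, cross-realm krbtgt requests and ordinary service-ticket requests. The principals, hostnames and addresses in `SAMPLE` are constructed placeholders, and the function names are hypothetical.

```python
import re

# Heimdal-style KDC request line, in the shape of the authlog excerpt above.
REQ = re.compile(
    r"kdc\[\d+\]: (?P<kind>AS-REQ|TGS-REQ) (?P<client>\S+) "
    r"from (?P<addr>\S+) for (?P<server>\S+)"
)

def split_principal(principal):
    """Split 'name/instance@REALM' into (list of components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep:                      # no realm part present
        name, realm = principal, ""
    return name.split("/"), realm

def classify(line):
    """Return a dict describing one KDC request line, or None if not one."""
    m = REQ.search(line)
    if m is None:
        return None
    comps, issuing_realm = split_principal(m["server"])
    if comps[0] == "krbtgt" and len(comps) == 2:
        # krbtgt/B@A is a TGT for realm B issued by realm A's KDC.
        target = comps[1]
        verdict = "local-tgt" if target == issuing_realm else "cross-realm-tgt"
    else:
        target, verdict = issuing_realm, "service-ticket"
    return {"kind": m["kind"], "client": m["client"], "addr": m["addr"],
            "server": m["server"], "target_realm": target, "verdict": verdict}

def cross_realm_targets(lines):
    """List (client, target realm) for every cross-realm TGT request seen."""
    hits = (classify(l) for l in lines)
    return [(h["client"], h["target_realm"]) for h in hits
            if h and h["verdict"] == "cross-realm-tgt"]

# Constructed sample lines (placeholder principals, documentation addresses).
SAMPLE = [
    "2012-03-07T14:22:40-0700 <auth.info> kdc1/kdc1 kdc[100]: AS-REQ "
    "alice@EXAMPLE.ORG from IPv4:192.0.2.10 for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG",
    "2012-03-07T14:22:41-0700 <auth.info> kdc2/kdc2 kdc[101]: TGS-REQ "
    "alice@EXAMPLE.ORG from IPv4:192.0.2.10 for krbtgt/WWW.EXAMPLE.ORG@EXAMPLE.ORG",
    "2012-03-07T14:22:42-0700 <auth.info> kdc2/kdc2 kdc[101]: TGS-REQ "
    "alice@EXAMPLE.ORG from IPv4:192.0.2.10 for HTTP/www.example.org@EXAMPLE.ORG",
    "[Wed Mar 7 14:22:31 2012] [notice] chrooted in /var/www",
]

if __name__ == "__main__":
    for client, realm in cross_realm_targets(SAMPLE):
        print(f"{client} asked for a cross-realm TGT to {realm}")
```

The target realm it reports can then be compared with the realm in which the HTTP service principal is actually registered.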