Re: [modauthkerb] OpenBSD chroot and hostname?
From: Henry B. H. <ho...@jp...> - 2012-03-16 02:53:52
You've got two different realms/servers to look at. I don't see the log entries for the HOST.NAME realm's server. Also you didn't try the kvno/kgetcred thing in your quick demo.

Clearly the keytab file and the UCAR.EDU configuration are good. I assume *something* is in HOST.NAME. If that's *not* supposed to be a real DNS domain for you, then maybe you should search for occurrences of that string in your config files.

    sudo find /etc /var/www -type f -exec fgrep -iq host.name {} \; -print

If anything shows up, look to see if it's wrong, or somehow related.

Good luck.

On Mar 15, 2012, at 12:18 PM, Steve Beaty wrote:

>
> On Mar 7, 2012, at 5:24 PM, Henry B. Hotz wrote:
>
>> The second line is the cross realm tgt to get access to the HOST.NAME realm, so httpd can get a HTTP/new...@HO... service ticket. What do the logs for the HOST.NAME realm show?
>
> That's the weird thing -- that's what literally shows up in the log, I didn't obfuscate the names. I've done a ktrace, and it appears all the correct libraries are loaded before the call to chroot, and that the /etc/kerberosV/krb5.conf is read, but the /etc/kerberosV/krb5.keytab file isn't being read. It doesn't matter whether apache is running chrooted or not. Apache 1.3.9 if that has any bearing.
>
> Here are kinits from the command line:
> ----
> beaty@guestgw->~$ kinit be...@UC...
> be...@UC...'s Password:
> beaty@guestgw->~$ klist
> Credentials cache: FILE:/tmp/krb5cc_1000
>         Principal: be...@UC...
>
>   Issued           Expires          Principal
> Mar 15 13:16:25  Mar 15 23:16:25  krbtgt/UCA...@UC...
>
> beaty@guestgw->~$ kinit --keytab=/var/www/etc/kerberosV/krb5.keytab HTTP/guestgw.wireless.ucar.edu
> beaty@guestgw->~$ klist
> Credentials cache: FILE:/tmp/krb5cc_1000
>         Principal: HTTP/gue...@UC...
>
>   Issued           Expires          Principal
> Mar 15 13:16:33  Mar 15 23:16:33  krbtgt/UCA...@UC...
> ----
>
> Any pointers? Thanks!
>
> --
> steve be...@uc... | http://www.cisl.ucar.edu/
> The National Center for Atmospheric Research
> Computational and Information Systems Laboratory

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Hen...@jp..., or hb...@ox...